
"A must see" now I see, Win32/Alureon.H


This topic is locked
92 replies to this topic

#1 MusiCALpuLLtoy
Members, 100 posts, Gender: Male, Location: AZ

Posted 28 February 2017 - 09:44 AM

Hello.

Our cable company sent an alert:

Dear Subscriber,

XXXX has identified that one or more of the computers in your home may be infected with the Alureon / TDSS Virus.

Viruses can take control of your PC and gather your personal information such as passwords and credit card numbers, putting your data at risk

The following FREE security tools could help you detect and remove infections from your systems:

The Microsoft Safety Scanner

http://www.microsoft.com/security/scanner/

Norton Power Eraser

http://security.symantec.com/nbrt/npe.aspx

So I've tried the Windows, Norton and Kaspersky TDSS killers. Windows said it got it, lol. Kaspersky found nothing. Norton found 7: ComboFix (we know), zaprivacyservice, seal.exe (Dell), AVG Secure Search Update 0913a, spchecker, one I have on disk, renamed, and OE_OEM.

So I come to you.

Thank you.
 
Attached Files:
unhide.txt (3.4KB)
Rkill.txt (4.49KB)
dds.txt (16.36KB)
attach.txt (22.7KB)

Edited by hamluis, 28 February 2017 - 10:21 AM.




#2 olgun52
Malware Response Team, 3,790 posts, Gender: Male

Posted 28 February 2017 - 04:07 PM

Hello MusiCALpuLLtoy and welcome to BleepingComputer.

My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I will assume that you don't need help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I cannot guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please log on to the computer as an administrator. How do I log on to the computer as an administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to the help here.

Thanks

I see you have P2P software (uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

A reference for the risk of these programs is here.

I would strongly recommend that you uninstall it. You can do so via Control Panel >> Programs and Features.

------------------------------------------------------
Step 1:
Please uninstall the following via Start->(or My Computer)->Control Panel->(Programs)->Programs and Features, if they still exist:
 
c:\program files\Spybot - Search & Destroy
AVG-Secure
µTorrent
Adobe Flash Player 18 ActiveX
Adobe Flash Player 20 PPAPI
Adobe Flash Player 24 NPAPI
Java 8 Update 66
Opera 12.14
Opera 12.16
Opera Stable 15.0.1147.138
Opera Stable 27.0.1689.69
Opera Stable 29.0.1795.47
Opera Stable 36.0.2130.80
opera15

 
Then restart the PC.
==================================================
 
Step 2:
MalwareBytes Anti-Rootkit scan:

  • Close all the running processes.
  • Be sure to temporarily disable all antivirus/anti-spyware software.
  • Caution: This is a beta version, so please be sure to read the disclaimer and back up any important data before using.
  • Note: Malwarebytes Anti-Rootkit requires administrative privileges to function properly.

1. Download MalwareBytes Anti-Rootkit software from here to your desktop.

  • Right-click on Mbar 1.09.1.1004.exe and select Run As Administrator to launch the application.

2. Open the folder named MBAR on the desktop.
3. Find the MBAR folder in the list.
4. Click it once. 5. Now click the OK button. 6. Click the OK button again.

7. Then click Next and click on the Update button.
8. Now click on the Scan button.

  • When finished updating, click 'Next' then 'Scan'.
  • If you are told you have the 'AppInit_Dlls rootkit', choose not to fix it and proceed with the scan.
  • With some infections, you may see two message boxes:
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart, then continue with the rest of these instructions.
  • If malware is found, do NOT press the 'Cleanup' button yet. Click 'Exit'.
  • Please attach the two log files created by the tool within the folder from which it was run.
  • The logs will be named mbar-log-YYYY-MM-DD (##-##-##).txt and system-log.txt

Step 3:
RogueKiller scan:

  • Please download RogueKiller (32/64 bit) to your desktop and run it.
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
  • Click Scan to scan the system.
  • When the scan completes > Close out the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!
  • Post back the report which should be located on your desktop.

 

Sincerely.

Best regards

If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 MusiCALpuLLtoy (Topic Starter)
Members, 100 posts, Gender: Male, Location: AZ

Posted 28 February 2017 - 11:12 PM

Hi, that was fast. I do thank you! Read the rules. P2P gone; it's been a few years since it was used. Wireshark and diskclone?
No issues running the two programs. Here's what started after Windows MSERT was run. It had started to slow, but it's an old PC ('04?).

 


Your connection is not secure

The owner of www.google.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.

Learn more…

Report errors like this to help Mozilla identify and block malicious sites

 

I am logged in as admin, always, and yes I know.

Popup:

"You do not have sufficient access to remove Opera Stable 36.0 ~ contact sys admin."
But it shows gone.

Opera 15 was a shortcut for Opera 27. Deleted folder.

Deleted all Java folders.

There are some remnants of Spybot.

AVG Secure? I hope you meant the whole program; free version, no biggie.

I work 4 12's starting Wednesday but will try to answer. There is no hurry.

Thank you, Olgun.

Bill.

Is that the RogueKiller txt file? Nothing on desktop??

Attached Files



#4 olgun52
Malware Response Team, 3,790 posts, Gender: Male

Posted 01 March 2017 - 04:29 AM

Hi again,

The RogueKiller scan was not successful. Please try again.
====================================================
Step 1:
Scan with Malwarebytes Antimalware:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Anti-Malware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply

Step 2:
Download zoek.exe to your Desktop:
http://hijackthis.nl/smeenk/

Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions on how to disable your security applications here:
http://www.bleepingc...opic114351.html

On Windows Vista, 7, and 8, right-click Zoek.exe and select: Run as Administrator
Give it a few seconds to appear

Next, copy/paste the entire script inside the codebox below to the input field of Zoek:


createsrpoint;
autoclean;
emptyalltemp;
emptyclsid;

emptyfolderscheck;delete
IEdefaults;
chrdefaults;
FFdefaults;
ielook;
firefoxlook;
chromelook;

ipconfig /flushdns;b

Now...
Close any open programs.
Click the Run script button, and wait. It takes a few minutes to run.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.
------------------------------------------------------------------------------------

Any issues?



 


 


#5 olgun52
Malware Response Team, 3,790 posts, Gender: Male

Posted 02 March 2017 - 06:30 AM

Are you still with me?



 


 


#6 MusiCALpuLLtoy (Topic Starter)
Members, 100 posts, Gender: Male, Location: AZ

Posted 02 March 2017 - 09:29 AM

Yes, yes.
I work 6pm to 6am; just got home to find zoek still running. 12 hours, stopped on Firefox extensions. Tried closing it to run RogueKiller again and it opened back up, still on the same line, half an hour now. Malwarebytes ran with 0 threats found.
Am on my phone to see what I should do.
Thank you, sir.

OK, I've shut it down and am running RogueKiller. Must sleep.

Edited by MusiCALpuLLtoy, 02 March 2017 - 11:26 AM.


#7 MusiCALpuLLtoy (Topic Starter)
Members, 100 posts, Gender: Male, Location: AZ

Posted 02 March 2017 - 05:53 PM

Hello. Here's what I got.

Next time I'm able to do anything will be 7am.

zoek never finished.

Attached Files


Edited by MusiCALpuLLtoy, 02 March 2017 - 06:55 PM.


#8 olgun52
Malware Response Team, 3,790 posts, Gender: Male

Posted 03 March 2017 - 04:40 AM

Hello MusiCALpuLLtoy, thanks for the logs.

Please do this;

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Make sure the following option is checked: Additional.txt
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Sincerely.

 

 



 


 


#9 MusiCALpuLLtoy (Topic Starter)
Members, 100 posts, Gender: Male, Location: AZ

Posted 03 March 2017 - 10:52 AM

Hello. 32-bit. I'm literate enough to be dangerous but got tired of format c. If you could direct me to the reg entry that states what number puts System Idle Process back to normal, I would be much obliged. It won't do it in Task Manager.

FRST ran without issue.

Now, when I got home there was an MS error, the PNG attachment.

One other thing: when rebooting it comes up "no primary drive found" and choose F1 to continue / choose OS, which is in the MBR. This has been going on for a long time. Sys idle related??

Your requested files, good sir.

Attached Files



#10 olgun52
Malware Response Team, 3,790 posts, Gender: Male

Posted 03 March 2017 - 03:00 PM

now, when i got home there was a ms error, the png attachment.

You can choose "Send error report".
===============================

one other thing, when rebooting it comes up ,
no primary drive found and choose f1 to continue / choose os which is in in the mbr. .

this has been going on for a long time. sys idle related ??

Is the system using too much CPU?

================================

C:\Program Files\29.0.1795.47
C:\Program Files\28.0.1750.51
C:\Program Files\installer_prefs.json
C:\Program Files\launcher.visualelementsmanifest.xml
C:\Program Files\Resources.pri

Are these familiar to you?

=========================================

C:\Program Files\k.bat

What is the bat file?

==============================================

Are you using Yahoo?


Edited by olgun52, 03 March 2017 - 04:01 PM.


 


 


#11 MusiCALpuLLtoy (Topic Starter)
Members, 100 posts, Gender: Male, Location: AZ

Posted 03 March 2017 - 06:14 PM

Hi, trying to do this and get ready for work. Thank you, sir.

Does this help?

Send error report... got you.

"Is the system using too much CPU?..."

CPU: Celeron 2.53 GHz, single CPU.

C:\Program Files\29.0.1795.47
C:\Program Files\28.0.1750.51
C:\Program Files\installer_prefs.json
C:\Program Files\launcher.visualelementsmanifest.xml
C:\Program Files\Resources.pri
NO, I don't know them (previously owned PC, '05 Dell).

k.bat MD5

MD5: Message-Digest algorithm 5: 40678766C54747BA9CB2DD19151A28C2

File analyzer:
VirusTotal shows this [below]. Now ThreatExpert shows several pages of backdoor trojan entries [attached].

MD5 40678766c54747ba9cb2dd19151a28c2
SHA1 364b94ac987e00fc1bf0f67d6d0df63abab89466
SHA256 402f41906b1aa551df2cf02904123acf97fc6c3da49b3da5bfad7eff644c1eba
ssdeep 12:qR7TB7riqCjuFxJ8R7jkwjkFxJZB7jkQKRjHqzjMObTXLv:YXBnCidC9gdZBwR+zgub

File size 428 bytes (428 bytes)
File type Text
Magic literal ASCII text

TrID file seems to be plain text/ASCII (0.0%)

Tags text

VirusTotal metadata
First submission 2017-03-03 22:52:44 UTC (0 minutes ago)
Last submission 2017-03-03 22:52:44 UTC (0 minutes ago)
File names k.bat

Oh, Opera numbers that coincide with versions. That's probably why these are there. I had some trouble when installing Opera, trying different versions to accommodate a site.

29.0.1795 shows an Opera installer, then a resources folder with a thumbs.db file.

28.0.1750 shows icudtl.dat.colors and a resources folder with a thumbs.db file.




Attached File  threatexpert.PNG   276.24KB   0 downloads

 

Attached File  kdotbat.bmp   2.99MB   2 downloads
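The MD5/SHA-1/SHA-256 values VirusTotal printed in the post above are what identify the file, not the name k.bat. The following Python script is an added example (mine, not the poster's procedure and not VirusTotal's code): it recomputes those three digests, the size and a coarse file-type guess from the first bytes, so a copy found on disk can be matched to an analysis report by hash. The magic-byte table and the "ASCII text" rule are my own simplification of what a `file`-style check does; the sample bytes at the bottom are constructed and the real k.bat is not reproduced.

```python
"""Local triage of a suspicious file: hashes, size and a coarse type guess.

Added example; the sample input is constructed and the type heuristic is
this author's, not VirusTotal's.  Hashes are what tie the file on disk to
an analysis report; a file name like k.bat proves nothing.
"""
import hashlib
import os

# Byte values we accept in a file called "ASCII text": printable ASCII
# plus tab, LF and CR.  Anything else makes it "binary".
_TEXT_BYTES = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# Magic numbers (first bytes) of a few formats worth telling apart.
_MAGIC = (
    (b"MZ", "pe-executable"),      # DOS/PE header: Windows EXE, DLL, SYS
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x7fELF", "elf"),
)


def hash_bytes(data: bytes) -> dict:
    """Hex MD5, SHA-1 and SHA-256 of data, the three digests VirusTotal lists."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def guess_type(data: bytes) -> str:
    """Coarse type: a known magic number, plain ASCII text, or 'binary'."""
    for magic, label in _MAGIC:
        if data.startswith(magic):
            return label
    if data and all(b in _TEXT_BYTES for b in data[:4096]):
        return "ascii-text"
    return "binary"


def triage_bytes(data: bytes, name: str = "") -> dict:
    """Metadata for one file's content: hashes, size, type guess and name."""
    info = hash_bytes(data)
    info.update(size=len(data), type=guess_type(data), name=name)
    return info


def triage_file(path: str) -> dict:
    """triage_bytes() for a file on disk (suspect scripts are small; read whole)."""
    with open(path, "rb") as fh:
        return triage_bytes(fh.read(), os.path.basename(path))


def matches_report(info: dict, reported_sha256: str) -> bool:
    """True when the file on disk is the object a report describes.
    Compare the strongest hash the report gives, case-insensitively."""
    return info["sha256"].lower() == reported_sha256.strip().lower()


if __name__ == "__main__":
    # Constructed stand-in for a suspicious batch file; NOT the real k.bat.
    sample = b"@echo off\r\nreg add HKCU\\Software\\Example /v x /d y /f\r\n"
    for key, value in triage_bytes(sample, "k.bat").items():
        print(f"{key:7s} {value}")
```

Run it against the real file with `triage_file(r"C:\Program Files\k.bat")` and compare `matches_report(info, "<sha256 from the report>")`; if it is False, the file you are looking at is not the one the report describes, whatever its name.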



#12 olgun52
Malware Response Team, 3,790 posts, Gender: Male

Posted 04 March 2017 - 05:47 AM

Hi MusiCALpuLLtoy,

AVG-Secure-Search
C:\Program Files\AVG

Please run: AVG Remover

=========================================
 

 

ZoneAlarm Firewall (Version: 11.0.768.000 - Check Point Software Technologies Ltd.) Hidden
ZoneAlarm Firewall (Version: 14.3.119.000 - Check Point Software Technologies Ltd.) Hidden
ZoneAlarm Free Firewall (HKLM\...\ZoneAlarm Free Firewall) (Version: 14.3.119.000 - Check Point)
ZoneAlarm Security (Version: 11.0.768.000 - Check Point Software Technologies Ltd.) Hidden
ZoneAlarm Security (Version: 14.3.119.000 - Check Point Software Technologies Ltd.) Hidden

My suggestion is that you uninstall the software completely.
Then, if you want, you can reinstall it.

ZoneAlarm Uninstall Tool Download:

https://www.bleepingcomputer.com/download/zonealarm-uninstall-tool/

 

Then restart the PC.

==================================================================

Run FRST fixlist

  • Please open notepad (Start > All Programs > Accessories > Notepad)
  • Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
  • Save it to the Desktop, and name it: fixlist.txt
CreateRestorePoint:
CloseProcesses:
CustomCLSID: HKU\S-1-5-21-1668751319-4250827956-263943839-1006_Classes\CLSID\{0507EEDE-3AE7-49c7-BF37-0EB4A62D8638}\localserver32 -> C:\Program Files\Google\Google Talk\googletalk.exe => No File
CustomCLSID: HKU\S-1-5-21-1668751319-4250827956-263943839-1006_Classes\CLSID\{33b07fd4-5917-43e1-968d-4c79231836bf}\localserver32 -> C:\Program Files\Google\Google Talk\googletalk.exe => No File
CustomCLSID: HKU\S-1-5-21-1668751319-4250827956-263943839-1006_Classes\CLSID\{A8F086C3-2497-4229-82FE-586F2D326F95}\localserver32 -> C:\Program Files\Google\Google Talk\googletalk.exe => No File
CustomCLSID: HKU\S-1-5-21-1668751319-4250827956-263943839-1006_Classes\CLSID\{d33f3ced-d7d5-44f1-a9fe-6927dabb1934}\localserver32 -> C:\Program Files\Google\Google Talk\googletalk.exe => No File
Task: C:\WINDOWS\Tasks\AVG-SSU_1116av.job => C:\Documents and Settings\All Users\Application Data\Avg_Update_1116av\AVG-Secure-Search-Update_1116av.exe
Task: C:\WINDOWS\Tasks\AVG-SSU_1216av.job => C:\Documents and Settings\All Users\Application Data\Avg_Update_1216av\AVG-Secure-Search-Update_1216av.exe
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKLM\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 0
HKLM\...\Policies\Explorer: [NoResolveSearch] 1
HKU\S-1-5-21-1668751319-4250827956-263943839-1006\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 0
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-19\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-20\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1668751319-4250827956-263943839-1006\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1668751319-4250827956-263943839-1006\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF ProfilePath: C:\Documents and Settings\DAD\Application Data\Mozilla\SeaMonkey\Profiles\6ce181y2.default [2017-03-01]
FF NewTab: C:\Documents and Settings\DAD\Application Data\Mozilla\SeaMonkey\Profiles\6ce181y2.default -> about:newtab
FF Homepage: C:\Documents and Settings\DAD\Application Data\Mozilla\SeaMonkey\Profiles\6ce181y2.default -> about:home
FF NewTab: C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default -> about:newtab
FF Homepage: C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default -> about:home
FF NetworkProxy: C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default -> type", 0
FF Extension: (1-Click YouTube Video Downloader) - C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\Extensions\YoutubeDownloader@PeterOlayev.com.xpi [2017-01-22]
FF Plugin: @java.com/DTPlugin,version=11.66.2 -> C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\npDeployJava1.dll [No File]
FF Plugin: @java.com/JavaPlugin,version=11.66.2 -> C:\Program Files\Java\jre1.8.0_66\bin\plugin2\npjp2.dll [No File]
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files\Yahoo!\Shared\npYState.dll [No File]
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
CHR HKLM\...\Chrome\Extension: [jmfkcklnlgedgbglfkkgedjfmejoahla] - C:\Program Files\AVG\AVG2012\Chrome\safesearch.crx <not found>
CHR HKLM\...\Chrome\Extension: [ndibdjnfmopecpmkdieinmbadjfpblof] - C:\Documents and Settings\All Users\Application Data\AVG SafeGuard toolbar\ChromeExt\17.0.1.4\avg.crx <not found>
OPR StartupUrls: "hxxp://blank/"
OPR Extension: (Translate) - C:\Documents and Settings\DAD\Application Data\Opera Software\Opera Stable\Extensions\ibnombjmjocaccigcefonnipcnlaeaed [2015-12-19]
S4 avgtp; \??\C:\WINDOWS\system32\drivers\avgtpx86.sys [X]
S3 bvrp_pci; no ImagePath
S3 eapihdrv; \??\C:\DOCUME~1\DAD\LOCALS~1\Temp\ehdrv.sys [X]
U5 klflt; C:\Windows\System32\Drivers\klflt.sys [74584 2013-02-21] (Kaspersky Lab)
U3 TlntSvr; no ImagePath
U1 WS2IFSL; no ImagePath
C:\WINDOWS\system32\Drivers\etc\hosts.ics
C:\Program Files\AVG
C:\Program Files\AVG\AVG2015
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\DAD\Local Settings\Application Data\AvgSetupLog
2017-03-01 16:33 - 2017-03-01 16:33 - 00000000 ____D C:\zoek
2017-03-01 16:00 - 2017-03-01 16:38 - 00003190 _____ C:\runcheck.txt
2017-03-01 15:58 - 2017-03-01 15:58 - 00001042 _____ C:\Documents and Settings\DAD\Desktop\scanlog.txt
2017-03-01 06:59 - 2017-03-01 06:59 - 04186040 _____ C:\Documents and Settings\DAD\Desktop\zoek.zip
2017-02-28 03:23 - 2017-02-28 07:52 - 00000000 ____D C:\Documents and Settings\DAD\Local Settings\Application Data\NPE
2017-02-28 03:22 - 2017-02-28 03:22 - 03423928 _____ (Symantec Corporation) C:\Documents and Settings\DAD\Desktop\NPE.exe
2017-02-27 23:39 - 2017-02-27 23:40 - 00000000 ____D C:\KVRT_Data
2017-02-27 23:36 - 2017-02-27 23:38 - 109996576 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\DAD\Desktop\KVRT.exe
C:\Documents and Settings\All Users\Application Data\Norton
C:\Documents and Settings\DAD\Desktop\unhide.txt
2016-06-12 14:45 - 2016-06-12 14:45 - 0000057 _____ () C:\Documents and Settings\All Users\Application Data\Ament.ini
2017-03-01 16:00 - 2017-03-01 16:00 - 0256512 _____ () C:\Documents and Settings\DAD\Local Settings\temp\PEVZ.EXE
2017-03-01 16:00 - 2017-03-01 16:00 - 0069632 _____ () C:\Documents and Settings\DAD\Local Settings\temp\remove.exe
2017-03-01 16:00 - 2017-03-01 16:00 - 0098816 _____ () C:\Documents and Settings\DAD\Local Settings\temp\sed.exe
C:\Documents and Settings\DAD\Local Settings\temp
ShortcutWithArgument: C:\Documents and Settings\DAD\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Mail.lnk -> C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation) -> C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll,OpenURL hxxp://mail.yahoo.com/?.intl=us&.redir=ymmapi10
ShortcutWithArgument: C:\Documents and Settings\All Users\Start Menu\Programs\Yahoo! Mail.lnk -> C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation) -> C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll,OpenURL hxxp://mail.yahoo.com/?.intl=us&.redir=ymmapi11
C:\Program Files\k.bat
Folder: C:\e8834fa59e50456ab5
C:\Program Files\29.0.1795.47
C:\Program Files\28.0.1750.51
C:\Program Files\installer_prefs.json
File: C:\Program Files\launcher.visualelementsmanifest.xml
File: C:\Program Files\Resources.pri
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eapihdrv" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\System\ControlSet002\Services\eapihdrv" /f
HKEY_CLASSES_ROOT\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
EmptyTemp:
Hosts:

NOTICE: This script is written specifically for this computer!!!

  • Running this on another computer may cause damage to the Operating System.
  • Now, please run FRST, and press the Fix button, just once, and wait.
  • When done, the tool creates a report on the Desktop called: Fixlog.txt

>> Please post the Fixlog.txt in your reply.
======================================================

Scan with ESET Online Scanner

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Please visit the ESET Online Scanner website
  • Click the SCAN NOW button to download the esetonlinescanner_enu.exe file to the Desktop
  • Double click esetonlinescanner_enu.exe. Accept the Terms of Use
  • Select Enable detection of potentially unwanted applications
  • In Advanced Settings: make sure that Clean threats automatically is unchecked 
  • And Enable detection of potentially unsafe applications, Enable detection of suspicious applications, Scan archives, and Enable Anti-Stealth technology are all checked.
  • Click Scan
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When completed it'll show a list of "Threats found", click beneath it on Save to text file.... and save it as ESET log.txt on your Desktop.
  • Then click Do not clean. Place a checkmark at Delete application's data on close, click Finish and close the program.

Don't forget to re-enable previously switched-off protection software!

 

 



 


 


#13 MusiCALpuLLtoy (Topic Starter)
Members, 100 posts, Gender: Male, Location: AZ

Posted 04 March 2017 - 12:47 PM

Morning,

I was wondering about the "code" text. My bad.

AVG was uninstalled first post; there were a few files left in Program Files, avg, gone now. WinPatrol exited any others running I am unaware of. The three I use seem to get along fine. Ran those two removal files; will put them back later.

Long list of fixes, and it's running better. The boot issue is still there.

I'm going to run ESET after I send this. I ran it a month or so ago, nothing.

Any idea on the System Idle reg key to put it back to default?

Another I forgot: in system32 there are several .dll files that have up to (7) duplicates. Is this normal?

During the FRST fix after reboot, a WinPatrol popup: someone is trying to change your page (start page) to "http://go.microsoft.com/fwlink/?linkid=69157"

I'm leaving it up till the ESET run or your idea tonight or tomorrow.

Was this just FYI?

Quote

ZoneAlarm Firewall (Version: 11.0.768.000 - Check Point Software Technologies Ltd.) Hidden
ZoneAlarm Firewall (Version: 14.3.119.000 - Check Point Software Technologies Ltd.) Hidden
ZoneAlarm Free Firewall (HKLM\...\ZoneAlarm Free Firewall) (Version: 14.3.119.000 - Check Point)
ZoneAlarm Security (Version: 11.0.768.000 - Check Point Software Technologies Ltd.) Hidden
ZoneAlarm Security (Version: 14.3.119.000 - Check Point Software Technologies Ltd.) Hidden

Much thanks to you.

 

Attached File  Fixlog.txt   19.57KB   4 downloads



#14 olgun52
Malware Response Team, 3,790 posts, Gender: Male

Posted 04 March 2017 - 03:21 PM

during the frst fix after reboot  a winpatrol popup, someone istrying to change  your page (start page) to

This is normal. No problem.

-------------------------------------

another  i forgot, in system32 there are several .dll files that have up to (7) duplicates. is this normal?

Which files, for example?

-----------------------------------

any idea on the system idle reg key to put it back todefault?

I'm not sure what you mean.

--------------------------------------

long list of  fixes, and its running better. the boot issue is still there

Can it not boot now? Can it not enter normal mode? When did this problem start?

Zoek Log:
Running in: Normal Mode No Internet Access Detected

??

=======================================================================================

Please do this.

===================================================

Troubleshooting in Clean Boot Environment

--------------------

  • While in a Clean Boot Environment place a check mark in half of the unchecked items and reboot your computer
  • If your symptoms reappear, uncheck an item, reboot your computer and see if your symptoms disappear. Repeat the process as necessary
  • If your symptoms do not appear, check an additional item, reboot your computer and see if your symptoms reappear. Repeat the process as necessary
  • Note: It is possible the unchecking and rechecking of items resolves the underlying issue without a particular item being identified as the culprit
  • List the program(s) causing your difficulties in your reply

Edited by olgun52, 04 March 2017 - 03:27 PM.


 


 


#15 MusiCALpuLLtoy (Topic Starter)
Members, 100 posts, Gender: Male, Location: AZ

Posted 04 March 2017 - 06:52 PM

Hi,
OK, accepted WinPatrol.

I have no security till I reinstall them. You said remove them, yes? There were several from updates, I guess?

"Which files, for example?"

I'll attach a screenshot. They have been like this for years; I'm just curious. The attached is from when I took all but the original file and moved them to another folder to see if they were needed. There were problems after the move, so I put them back.

"I'm not sure what you mean."

In Task Manager you can change the "priority". I did this and after that it would not open the drop-down again. System Idle Process. XP here. So in regedit I should be able to change it to normal.

"Can it not boot now? Can it not enter normal mode? When did this problem start?"

Yes, it boots all the way. After BIOS load it goes into full-window DOS?, says no primary drive and secondary drive found, press F1 to continue. Then the three boot options that it did when I first got this PC: 1 recovery, 2 debug, 3 XP Home Edition.

I know XP best so I'll keep it as long as I can.

Now there is a WinPatrol hosts file popup: new or old? New has only 127.0.0.1 localhost; old has the whole list. ???

ESET found two PUPs.

Attached.

Thank you, sir.
Attached File  ESET log.txt   588bytes   4 downloads

 

Attached File  dllcopies.bmp   2.99MB   1 downloads
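The WinPatrol prompt in the post above is the useful check in this thread: a stock Windows XP hosts file maps only `localhost` to 127.0.0.1, so every other line is either something the owner added (ad-block lists like the "whole list" look like long runs of 0.0.0.0 or 127.0.0.1 entries) or something planted. The Python script below is an added example, not part of the thread and not WinPatrol's or FRST's logic: it parses a hosts file and separates three cases that matter differently, a name pointed at a non-loopback address (traffic hijack), a security-vendor or update host null-routed (update blocking), and any other null-routed name (usually benign blocking). The vendor suffix list is an illustrative assumption, and the two sample files are constructed; 203.0.113.0/24 is documentation address space standing in for an attacker host.

```python
"""Audit a Windows hosts file for the kinds of entries malware plants.

Added example, not from the thread.  A stock XP hosts file contains only
'127.0.0.1 localhost'; the audit reports everything else, sorted into:
  hijack          a name pointed at a non-loopback address (traffic redirect)
  vendor-blocked  a security/update host null-routed (blocks AV/OS updates)
  blocked         any other null-routed name (ad-block lists look like this)
  unparseable     a line whose first field is not an IP address
The vendor suffix list is an illustrative assumption, not an exhaustive one.
"""
import ipaddress

NULL_ROUTES = {"127.0.0.1", "::1", "0.0.0.0"}
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}

# Assumed: update/lookup domains that malware commonly null-routes.
VENDOR_SUFFIXES = ("microsoft.com", "windowsupdate.com", "symantec.com",
                   "norton.com", "kaspersky.com", "malwarebytes.com",
                   "eset.com", "avg.com", "mcafee.com")


def parse_hosts(text):
    """Return [(line_no, ip, hostname)], dropping comments and blank lines.
    One line may name several hosts; each becomes its own entry.
    A line whose first field is not an IP address is kept with ip=None."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip trailing comment
        if not fields:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            entries.append((n, None, fields[0]))
            continue
        for host in fields[1:]:
            entries.append((n, ip, host.lower().rstrip(".")))
    return entries


def _is_vendor(host):
    return any(host == s or host.endswith("." + s) for s in VENDOR_SUFFIXES)


def audit_hosts(text):
    """Return findings as dicts {'line', 'kind', 'detail'}; [] for a stock file."""
    findings = []
    for n, ip, host in parse_hosts(text):
        if ip is None:
            findings.append({"line": n, "kind": "unparseable", "detail": host})
        elif ip in NULL_ROUTES and host in LOCALHOST_NAMES:
            continue                      # the only entries a stock file has
        elif ip not in NULL_ROUTES:
            findings.append({"line": n, "kind": "hijack",
                             "detail": f"{host} -> {ip}"})
        elif _is_vendor(host):
            findings.append({"line": n, "kind": "vendor-blocked", "detail": host})
        else:
            findings.append({"line": n, "kind": "blocked", "detail": host})
    return findings


def audit_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Audit the live hosts file (default path is the Windows location)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


# Constructed samples: a stock file and a tampered one.
CLEAN_HOSTS = "# sample comment line\n127.0.0.1       localhost\n"
TAMPERED_HOSTS = """127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.net                # ad-block style entry, low concern
127.0.0.1 update.microsoft.com         # update blocking
127.0.0.1 liveupdate.symantec.com
203.0.113.9 www.google.com             # redirect to an attacker host
203.0.113.9 www.bankofexample.com
"""

if __name__ == "__main__":
    for f in audit_hosts(TAMPERED_HOSTS):
        print(f"line {f['line']:2d}  {f['kind']:15s} {f['detail']}")
```

A long list of `blocked` findings alone is what an ad-blocking hosts file produces and is not by itself a sign of infection; `hijack` and `vendor-blocked` findings are the ones that should not be there after a cleanup, and they are also what would explain a browser refusing to reach a site it has pinned with HSTS.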





