Jump to content

Build Theme!
  •  
  • Infected?

big grin WE'RE SURE THAT YOU'LL LOVE US!

We invite you to ask questions, share experiences, and learn. It's 100% free. Did we mention that it's free. It is. It's free. Join 91603 other members! Anybody can ask, anybody can answer. Consistently helpful members with best answers are invited to staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

mshta pop-up [Solved]


  • This topic is locked This topic is locked
25 replies to this topic

#16 porew

porew

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 13 February 2014 - 09:55 AM

RogueKiller V8.8.7 [Feb 11 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Porew [Admin rights]
Mode : Scan -- Date : 02/13/2014 23:53:34
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 3 ¤¤¤
[SUSP PATH] UnsignedThemesSvc.exe -- C:\Windows\UnsignedThemesSvc.exe [7] -> KILLED [TermProc]
[SUSP PATH][DLL] explorer.exe -- C:\Users\Porew\AppData\Roaming\Copy\overlay\CopyShExt.dll [x] -> UNLOADED
[SUSP PATH][DLL] explorer.exe -- C:\Users\Porew\AppData\Roaming\Copy\overlay\Brt.dll [x] -> UNLOADED
[SUSP PATH] CopyAgent.exe -- C:\Users\Porew\AppData\Roaming\Copy\CopyAgent.exe [7] -> KILLED [TermProc]
 
¤¤¤ Registry Entries : 12 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Copy ("C:\Users\Porew\AppData\Roaming\Copy\CopyAgent.exe" [7]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : 37wanホ葫 ("C:\Users\Porew\AppData\Roaming\37wan\wz\wz.exe" /autorun [x]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : websuns4 ("C:\ProgramData\suns4\89AM005Y" [x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-2480959248-112055760-2502070270-1001\[...]\Run : Copy ("C:\Users\Porew\AppData\Roaming\Copy\CopyAgent.exe" [7]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-2480959248-112055760-2502070270-1001\[...]\Run : 37wanホ葫 ("C:\Users\Porew\AppData\Roaming\37wan\wz\wz.exe" /autorun [x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-2480959248-112055760-2502070270-1001\[...]\Run : websuns4 ("C:\ProgramData\suns4\89AM005Y" [x]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Browser Addons : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD5000AADS-00S9B0 ATA Device +++++
--- User ---
[MBR] db4fc93eb935bc2a186c8378019ca14c
[BSP] c565a66beeec48d6ee4cac02a5387a30 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) WDC WD3200AAKS-00B3A0 ATA Device +++++
--- User ---
[MBR] a91ef942f8e39d4cb6c465f4cfa0bf4b
[BSP] dbb4ef9907f757e4b216a99d73f75686 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_S_02132014_235334.txt >>
 
 
RogueKiller V8.8.7 [Feb 11 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Porew [Admin rights]
Mode : Remove -- Date : 02/13/2014 23:54:02
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 3 ¤¤¤
[SUSP PATH] UnsignedThemesSvc.exe -- C:\Windows\UnsignedThemesSvc.exe [7] -> KILLED [TermProc]
[SUSP PATH][DLL] explorer.exe -- C:\Users\Porew\AppData\Roaming\Copy\overlay\CopyShExt.dll [x] -> UNLOADED
[SUSP PATH][DLL] explorer.exe -- C:\Users\Porew\AppData\Roaming\Copy\overlay\Brt.dll [x] -> UNLOADED
[SUSP PATH] CopyAgent.exe -- C:\Users\Porew\AppData\Roaming\Copy\CopyAgent.exe [7] -> KILLED [TermProc]
 
¤¤¤ Registry Entries : 12 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Copy ("C:\Users\Porew\AppData\Roaming\Copy\CopyAgent.exe" [7]) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : 37wanホ葫 ("C:\Users\Porew\AppData\Roaming\37wan\wz\wz.exe" /autorun [x]) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : websuns4 ("C:\ProgramData\suns4\89AM005Y" [x]) -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-21-2480959248-112055760-2502070270-1001\[...]\Run : Copy ("C:\Users\Porew\AppData\Roaming\Copy\CopyAgent.exe" [7]) -> [0x2] The system cannot find the file specified. 
[RUN][SUSP PATH] HKUS\S-1-5-21-2480959248-112055760-2502070270-1001\[...]\Run : 37wanホ葫 ("C:\Users\Porew\AppData\Roaming\37wan\wz\wz.exe" /autorun [x]) -> [0x2] The system cannot find the file specified. 
[RUN][SUSP PATH] HKUS\S-1-5-21-2480959248-112055760-2502070270-1001\[...]\Run : websuns4 ("C:\ProgramData\suns4\89AM005Y" [x]) -> [0x2] The system cannot find the file specified. 
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Browser Addons : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD5000AADS-00S9B0 ATA Device +++++
--- User ---
[MBR] db4fc93eb935bc2a186c8378019ca14c
[BSP] c565a66beeec48d6ee4cac02a5387a30 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) WDC WD3200AAKS-00B3A0 ATA Device +++++
--- User ---
[MBR] a91ef942f8e39d4cb6c465f4cfa0bf4b
[BSP] dbb4ef9907f757e4b216a99d73f75686 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_D_02132014_235402.txt >>
RKreport[0]_S_02132014_235334.txt
 
RogueKiller V8.8.7 [Feb 11 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Porew [Admin rights]
Mode : Shortcuts HJfix -- Date : 02/13/2014 23:54:25
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 3 ¤¤¤
[SUSP PATH] UnsignedThemesSvc.exe -- C:\Windows\UnsignedThemesSvc.exe [7] -> KILLED [TermProc]
[SUSP PATH][DLL] explorer.exe -- C:\Users\Porew\AppData\Roaming\Copy\overlay\CopyShExt.dll [x] -> UNLOADED
[SUSP PATH][DLL] explorer.exe -- C:\Users\Porew\AppData\Roaming\Copy\overlay\Brt.dll [x] -> UNLOADED
[SUSP PATH] CopyAgent.exe -- C:\Users\Porew\AppData\Roaming\Copy\CopyAgent.exe [7] -> KILLED [TermProc]
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 0 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 0 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 12 / Fail 4
Backup: [NOT FOUND]
 
Drives:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped
[F:] \Device\CdRom1 -- 0x5 --> Skipped
 
¤¤¤ Infection :  ¤¤¤
 
Finished : << RKreport[0]_SC_02132014_235425.txt >>
RKreport[0]_D_02132014_235402.txt;RKreport[0]_S_02132014_235334.txt
 
 
 
 

    Advertisements

Register to Remove


#17 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,134 posts

Posted 13 February 2014 - 10:04 AM

Please update me on how things appear to be running now?


Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png


#18 porew

porew

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 13 February 2014 - 10:18 AM

OK!! the pop up is gone now !  :clap: 
 



#19 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,134 posts

Posted 13 February 2014 - 10:44 AM

Give it a little test drive then we will do some housekeeping.


Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png


#20 porew

porew

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 14 February 2014 - 04:25 AM

test drive ?



#21 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,134 posts

Posted 14 February 2014 - 10:37 AM

Test drive = use it and make sure everything seems to be running correctly.

 

I'm guessing that you have done that by now so lets clean up.

 

 

  • Click START then RUN
  •  
  • Now type ComboFix /Uninstall in the runbox  and click OK.
  • Note the space between the X and the U, it needs to be there.
  • Combofix_uninstall_image.jpg

The above procedure will:

  • Implement some cleanup procedures.
  • Reset System Restore.

 

 

We need to remove the tools we've used during cleaning your machine
 

  • Download Delfix from here
  • Ensure Remove disinfection tools is ticked
    Also tick:
    • Create registry backup
    • Purge system restore
    delfix.jpg
  • Click Run

The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply

 

Please re-enable any security that was disabled.

 


 


Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png


#22 porew

porew

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 14 February 2014 - 06:41 PM

# DelFix v10.6 - Logfile created 15/02/2014 at 08:40:23
# Updated 11/11/2013 by Xplode
# Username : Porew - POREW-PC
# Operating System : Windows 7 Professional Service Pack 1 (32 bits)
 
~ Removing disinfection tools ...
 
Deleted : C:\Qoobox
Deleted : C:\_OTL
Deleted : C:\AdwCleaner
Deleted : C:\Users\Porew\Desktop\RK_Quarantine
Deleted : C:\ComboFix.txt
Deleted : C:\Users\Porew\Desktop\RogueKiller.exe
Deleted : C:\Users\Porew\Downloads\esetsmartinstaller_enu.exe
Deleted : C:\Windows\NIRCMD.exe
Deleted : HKLM\SOFTWARE\OldTimer Tools
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SOFTWARE\Swearware
 
~ Creating registry backup ... OK
 
~ Cleaning system restore ...
 
 
New restore point created !
 
########## - EOF - ##########


#23 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,134 posts

Posted 14 February 2014 - 07:12 PM

Great.

 

If you have any tools or logs left... you can just delete them.

 

The following is my standard advice for the future.  Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing.  Very important information for your consideration is contained therein.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware" 
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions.  Otherwise, this thread will be closed Resolved.  :thumbup:
 


Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png


#24 porew

porew

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 15 February 2014 - 04:01 AM

thanks i understand now.



#25 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,134 posts

Posted 15 February 2014 - 08:15 AM

You are very welcome.

 

Good Luck and be well. :adios:


Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png

    Advertisements

Register to Remove


#26 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,134 posts

Posted 15 February 2014 - 08:15 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html
and start a New Topic.

Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users