25 replies to this topic

[porew]

RogueKiller V8.8.7 [Feb 11 2014] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://forum.adlice.com

Website : http://www.adlice.co...es/roguekiller/

Blog : http://www.adlice.com

 

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version

Started in : Normal mode

User : Porew [Admin rights]

Mode : Scan -- Date : 02/13/2014 23:53:34

| ARK || FAK || MBR |

 

¤¤¤ Bad processes : 3 ¤¤¤

[SUSP PATH] UnsignedThemesSvc.exe -- C:\Windows\UnsignedThemesSvc.exe [7] -> KILLED [TermProc]

[SUSP PATH][DLL] explorer.exe -- C:\Users\Porew\AppData\Roaming\Copy\overlay\CopyShExt.dll [x] -> UNLOADED

[SUSP PATH][DLL] explorer.exe -- C:\Users\Porew\AppData\Roaming\Copy\overlay\Brt.dll [x] -> UNLOADED

[SUSP PATH] CopyAgent.exe -- C:\Users\Porew\AppData\Roaming\Copy\CopyAgent.exe [7] -> KILLED [TermProc]

 

¤¤¤ Registry Entries : 12 ¤¤¤

[RUN][SUSP PATH] HKCU\[...]\Run : Copy ("C:\Users\Porew\AppData\Roaming\Copy\CopyAgent.exe" [7]) -> FOUND

[RUN][SUSP PATH] HKCU\[...]\Run : 37wanﾎ葫 ("C:\Users\Porew\AppData\Roaming\37wan\wz\wz.exe" /autorun [x]) -> FOUND

[RUN][SUSP PATH] HKCU\[...]\Run : websuns4 ("C:\ProgramData\suns4\89AM005Y" [x]) -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-21-2480959248-112055760-2502070270-1001\[...]\Run : Copy ("C:\Users\Porew\AppData\Roaming\Copy\CopyAgent.exe" [7]) -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-21-2480959248-112055760-2502070270-1001\[...]\Run : 37wanﾎ葫 ("C:\Users\Porew\AppData\Roaming\37wan\wz\wz.exe" /autorun [x]) -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-21-2480959248-112055760-2502070270-1001\[...]\Run : websuns4 ("C:\ProgramData\suns4\89AM005Y" [x]) -> FOUND

[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

 

¤¤¤ Scheduled tasks : 0 ¤¤¤

 

¤¤¤ Startup Entries : 0 ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ Browser Addons : 0 ¤¤¤

 

¤¤¤ Particular Files / Folders: ¤¤¤

 

¤¤¤ Driver : [LOADED] ¤¤¤

 

¤¤¤ External Hives: ¤¤¤

 

¤¤¤ Infection :  ¤¤¤

 

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

 

 

127.0.0.1       localhost

 

 

¤¤¤ MBR Check: ¤¤¤

 

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD5000AADS-00S9B0 ATA Device +++++

--- User ---

[MBR] db4fc93eb935bc2a186c8378019ca14c

[BSP] c565a66beeec48d6ee4cac02a5387a30 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo

User = LL1 ... OK!

User = LL2 ... OK!

 

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) WDC WD3200AAKS-00B3A0 ATA Device +++++

--- User ---

[MBR] a91ef942f8e39d4cb6c465f4cfa0bf4b

[BSP] dbb4ef9907f757e4b216a99d73f75686 : Windows XP MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo

User = LL1 ... OK!

User = LL2 ... OK!

 

Finished : << RKreport[0]_S_02132014_235334.txt >>

 

 

RogueKiller V8.8.7 [Feb 11 2014] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://forum.adlice.com

Website : http://www.adlice.co...es/roguekiller/

Blog : http://www.adlice.com

 

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version

Started in : Normal mode

User : Porew [Admin rights]

Mode : Remove -- Date : 02/13/2014 23:54:02

| ARK || FAK || MBR |

 

¤¤¤ Bad processes : 3 ¤¤¤

[SUSP PATH] UnsignedThemesSvc.exe -- C:\Windows\UnsignedThemesSvc.exe [7] -> KILLED [TermProc]

[SUSP PATH][DLL] explorer.exe -- C:\Users\Porew\AppData\Roaming\Copy\overlay\CopyShExt.dll [x] -> UNLOADED

[SUSP PATH][DLL] explorer.exe -- C:\Users\Porew\AppData\Roaming\Copy\overlay\Brt.dll [x] -> UNLOADED

[SUSP PATH] CopyAgent.exe -- C:\Users\Porew\AppData\Roaming\Copy\CopyAgent.exe [7] -> KILLED [TermProc]

 

¤¤¤ Registry Entries : 12 ¤¤¤

[RUN][SUSP PATH] HKCU\[...]\Run : Copy ("C:\Users\Porew\AppData\Roaming\Copy\CopyAgent.exe" [7]) -> DELETED

[RUN][SUSP PATH] HKCU\[...]\Run : 37wanﾎ葫 ("C:\Users\Porew\AppData\Roaming\37wan\wz\wz.exe" /autorun [x]) -> DELETED

[RUN][SUSP PATH] HKCU\[...]\Run : websuns4 ("C:\ProgramData\suns4\89AM005Y" [x]) -> DELETED

[RUN][SUSP PATH] HKUS\S-1-5-21-2480959248-112055760-2502070270-1001\[...]\Run : Copy ("C:\Users\Porew\AppData\Roaming\Copy\CopyAgent.exe" [7]) -> [0x2] The system cannot find the file specified. 

[RUN][SUSP PATH] HKUS\S-1-5-21-2480959248-112055760-2502070270-1001\[...]\Run : 37wanﾎ葫 ("C:\Users\Porew\AppData\Roaming\37wan\wz\wz.exe" /autorun [x]) -> [0x2] The system cannot find the file specified. 

[RUN][SUSP PATH] HKUS\S-1-5-21-2480959248-112055760-2502070270-1001\[...]\Run : websuns4 ("C:\ProgramData\suns4\89AM005Y" [x]) -> [0x2] The system cannot find the file specified. 

[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED

[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)

[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)

[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

 

¤¤¤ Scheduled tasks : 0 ¤¤¤

 

¤¤¤ Startup Entries : 0 ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ Browser Addons : 0 ¤¤¤

 

¤¤¤ Particular Files / Folders: ¤¤¤

 

¤¤¤ Driver : [LOADED] ¤¤¤

 

¤¤¤ External Hives: ¤¤¤

 

¤¤¤ Infection :  ¤¤¤

 

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

 

 

127.0.0.1       localhost

 

 

¤¤¤ MBR Check: ¤¤¤

 

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD5000AADS-00S9B0 ATA Device +++++

--- User ---

[MBR] db4fc93eb935bc2a186c8378019ca14c

[BSP] c565a66beeec48d6ee4cac02a5387a30 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo

User = LL1 ... OK!

User = LL2 ... OK!

 

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) WDC WD3200AAKS-00B3A0 ATA Device +++++

--- User ---

[MBR] a91ef942f8e39d4cb6c465f4cfa0bf4b

[BSP] dbb4ef9907f757e4b216a99d73f75686 : Windows XP MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo

User = LL1 ... OK!

User = LL2 ... OK!

 

Finished : << RKreport[0]_D_02132014_235402.txt >>

RKreport[0]_S_02132014_235334.txt

 

RogueKiller V8.8.7 [Feb 11 2014] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://forum.adlice.com

Website : http://www.adlice.co...es/roguekiller/

Blog : http://www.adlice.com

 

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version

Started in : Normal mode

User : Porew [Admin rights]

Mode : Shortcuts HJfix -- Date : 02/13/2014 23:54:25

| ARK || FAK || MBR |

 

¤¤¤ Bad processes : 3 ¤¤¤

[SUSP PATH] UnsignedThemesSvc.exe -- C:\Windows\UnsignedThemesSvc.exe [7] -> KILLED [TermProc]

[SUSP PATH][DLL] explorer.exe -- C:\Users\Porew\AppData\Roaming\Copy\overlay\CopyShExt.dll [x] -> UNLOADED

[SUSP PATH][DLL] explorer.exe -- C:\Users\Porew\AppData\Roaming\Copy\overlay\Brt.dll [x] -> UNLOADED

[SUSP PATH] CopyAgent.exe -- C:\Users\Porew\AppData\Roaming\Copy\CopyAgent.exe [7] -> KILLED [TermProc]

 

¤¤¤ Driver : [LOADED] ¤¤¤

 

¤¤¤ External Hives: ¤¤¤

 

¤¤¤ File attributes restored: ¤¤¤

Desktop: Success 0 / Fail 0

Quick launch: Success 0 / Fail 0

Programs: Success 0 / Fail 0

Start menu: Success 0 / Fail 0

User folder: Success 0 / Fail 0

My documents: Success 0 / Fail 0

My favorites: Success 0 / Fail 0

My pictures: Success 0 / Fail 0

My music: Success 0 / Fail 0

My videos: Success 0 / Fail 0

Local drives: Success 12 / Fail 4

Backup: [NOT FOUND]

 

Drives:

[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored

[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored

[E:] \Device\CdRom0 -- 0x5 --> Skipped

[F:] \Device\CdRom1 -- 0x5 --> Skipped

 

¤¤¤ Infection :  ¤¤¤

 

Finished : << RKreport[0]_SC_02132014_235425.txt >>

RKreport[0]_D_02132014_235402.txt;RKreport[0]_S_02132014_235334.txt

 

 

 

 

[Tomk]

Please update me on how things appear to be running now?

[porew]

OK!! the pop up is gone now !   
 

[Tomk]

Give it a little test drive then we will do some housekeeping.

[porew]

test drive ?

[Tomk]

Test drive = use it and make sure everything seems to be running correctly.

 

I'm guessing that you have done that by now so lets clean up.

 

 

• Click START then RUN
•  
• Now type ComboFix /Uninstall in the runbox  and click OK.
• Note the space between the X and the U, it needs to be there.
• 

The above procedure will:

• Implement some cleanup procedures.
• Reset System Restore.

 

 

We need to remove the tools we've used during cleaning your machine
 

• Download Delfix from here
• Ensure Remove disinfection tools is ticked
  Also tick:
  • Create registry backup
  • Purge system restore
  
• Click Run

The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply

 

Please re-enable any security that was disabled.

 

 

[porew]

# DelFix v10.6 - Logfile created 15/02/2014 at 08:40:23

# Updated 11/11/2013 by Xplode

# Username : Porew - POREW-PC

# Operating System : Windows 7 Professional Service Pack 1 (32 bits)

 

~ Removing disinfection tools ...

 

Deleted : C:\Qoobox

Deleted : C:\_OTL

Deleted : C:\AdwCleaner

Deleted : C:\Users\Porew\Desktop\RK_Quarantine

Deleted : C:\ComboFix.txt

Deleted : C:\Users\Porew\Desktop\RogueKiller.exe

Deleted : C:\Users\Porew\Downloads\esetsmartinstaller_enu.exe

Deleted : C:\Windows\NIRCMD.exe

Deleted : HKLM\SOFTWARE\OldTimer Tools

Deleted : HKLM\SOFTWARE\AdwCleaner

Deleted : HKLM\SOFTWARE\Swearware

 

~ Creating registry backup ... OK

 

~ Cleaning system restore ...

 

 

New restore point created !

 

########## - EOF - ##########

[Tomk]

Great.

 

If you have any tools or logs left... you can just delete them.

 

The following is my standard advice for the future.  Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing.  Very important information for your consideration is contained therein.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware" 
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions.  Otherwise, this thread will be closed Resolved. 
 

[porew]

thanks i understand now.

[Tomk]

You are very welcome.

 

Good Luck and be well.

[Tomk]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html
and start a New Topic.