Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91819 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Slow and freezing computer [Closed]


  • This topic is locked This topic is locked
41 replies to this topic

#16 Sarit

Sarit

    Authentic Member

  • Authentic Member
  • PipPip
  • 26 posts

Posted 14 June 2014 - 10:47 AM

Okay. I had no idea StopZilla was on here.  I went to go uninstall it per your instructions but it's not listed as a program that is installed.  

 

lol I forgot I had that on there.  That was for a project and I just forgot to delete it.

 

So, I looked where you said about the combofix file and it's not there.  Also, i did some research and apparently the files under that one directory are from Windows PC Defender.  This is a program I have never installed, so I'm assuming it was already on the system when I got the computer.  And again, it is not listed in the list for programs that can be uninstalled under control panel.

 

Fixlog Report

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:12-06-2014 02
Ran by rac at 2014-06-14 12:35:53 Run:1
Running from C:\Users\rac\Desktop
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
SearchScopes: HKLM - DefaultScope {41396b1b-447e-473b-a34b-bb583136c7fc} URL =
SearchScopes: HKLM - {7BCFC7A9-435C-46D7-917E-81F1A6B16947} URL = http://www.google.co...ge={startPage};
SearchScopes: HKCU - DefaultScope {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL =
SearchScopes: HKCU - {105E99FF-8B9A-4492-B155-06194B9056D2} URL = http://search-gala.c...q={searchTerms}
SearchScopes: HKCU - {7BCFC7A9-435C-46D7-917E-81F1A6B16947} URL = http://search-gala.c...q={searchTerms}
SearchScopes: HKCU - {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://search.yahoo....p={searchTerms}
Toolbar: HKLM - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
Toolbar: HKCU - No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
FF SearchEngineOrder.1: Ask.com
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\safeguard-secure-search.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\safeguard-secure-search.xml
FF Extension: BetterLinks - C:\Users\rac\AppData\Roaming\Mozilla\Firefox\Profiles\q8bpoqvj.default\Extensions\smartlinks@getsmartlinks.com [2036-09-02]
S2 xsewmzvga; \??\C:\Windows\system32\drivers\epwxtgux.sys [X]
2036-05-16 21:35 - 2036-05-16 21:35 - 00000432 _____ () C:\Windows\system32\Drivers\kgpfr2.cfg
2036-05-16 17:27 - 2036-05-16 21:36 - 00009640 _____ () C:\Windows\system32\Drivers\kgpcpy.cfg
2036-05-15 12:34 - 2036-05-15 12:34 - 00000000 _____ () C:\Windows\system32\REN9A6C.tmp
2036-05-15 12:34 - 2036-05-15 12:34 - 00000000 _____ () C:\Windows\system32\REN9A4C.tmp
2036-05-15 12:34 - 2036-05-15 12:34 - 00000000 _____ () C:\Windows\system32\REN9A3B.tmp
2036-05-15 10:20 - 2036-05-10 18:30 - 00000110 _____ () C:\Windows\system32\Drivers\etc\hosts.bak
2036-05-06 20:33 - 2036-05-10 18:20 - 00010756 ___SH () C:\Users\rac\AppData\Local\t0m8ctog368483w04675vl7l06dw6i5r6krf
2036-05-06 20:33 - 2036-05-10 18:20 - 00010756 ___SH () C:\ProgramData\t0m8ctog368483w04675vl7l06dw6i5r6krf
C:\Windows\system32\drivers\epwxtgux.sys
C:\Windows\system32\Drivers\kgpfr2.cfg
C:\Windows\system32\Drivers\kgpcpy.cfg
C:\Windows\system32\REN9A6C.tmp
C:\Windows\system32\REN9A4C.tmp
C:\Windows\system32\REN9A3B.tmp
C:\Windows\system32\Drivers\etc\hosts.bak
C:\Users\rac\AppData\Local\t0m8ctog368483w04675vl7l06dw6i5r6krf
C:\ProgramData\t0m8ctog368483w04675vl7l06dw6i5r6krf
C:\Users\rac\protect.dll
HKU\S-1-5-21-2030314185-2794812908-1279502003-1000\Software\Classes\.exe: exefile =>  <===== ATTENTION!
HKU\S-1-5-21-2030314185-2794812908-1279502003-1000\Software\Classes\exefile:  <===== ATTENTION!
*****************
 
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
'HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{7BCFC7A9-435C-46D7-917E-81F1A6B16947}' => Key deleted successfully.
'HKCR\Wow6432Node\CLSID\{7BCFC7A9-435C-46D7-917E-81F1A6B16947}'=> Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
'HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{105E99FF-8B9A-4492-B155-06194B9056D2}' => Key deleted successfully.
'HKCR\Wow6432Node\CLSID\{105E99FF-8B9A-4492-B155-06194B9056D2}'=> Key not found.
'HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{7BCFC7A9-435C-46D7-917E-81F1A6B16947}' => Key deleted successfully.
'HKCR\Wow6432Node\CLSID\{7BCFC7A9-435C-46D7-917E-81F1A6B16947}'=> Key not found.
'HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}' => Key deleted successfully.
'HKCR\Wow6432Node\CLSID\{DECA3892-BA8F-44b8-A993-A466AD694AE4}'=> Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{95B7759C-8C7F-4BF1-B163-73684A933233} => value deleted successfully.
'HKCR\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}'=> Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} => value deleted successfully.
'HKCR\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}'=> Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => value deleted successfully.
'HKCR\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}'=> Key not found.
Firefox SearchEngineOrder.1 deleted successfully.
C:\Program Files\mozilla firefox\searchplugins\safeguard-secure-search.xml => Moved successfully.
C:\Program Files\mozilla firefox\browser\searchplugins\safeguard-secure-search.xml => Moved successfully.
C:\Users\rac\AppData\Roaming\Mozilla\Firefox\Profiles\q8bpoqvj.default\Extensions\smartlinks@getsmartlinks.com => Moved successfully.
xsewmzvga => Service deleted successfully.
C:\Windows\system32\Drivers\kgpfr2.cfg => Moved successfully.
C:\Windows\system32\Drivers\kgpcpy.cfg => Moved successfully.
C:\Windows\system32\REN9A6C.tmp => Moved successfully.
C:\Windows\system32\REN9A4C.tmp => Moved successfully.
C:\Windows\system32\REN9A3B.tmp => Moved successfully.
C:\Windows\system32\Drivers\etc\hosts.bak => Moved successfully.
C:\Users\rac\AppData\Local\t0m8ctog368483w04675vl7l06dw6i5r6krf => Moved successfully.
C:\ProgramData\t0m8ctog368483w04675vl7l06dw6i5r6krf => Moved successfully.
"C:\Windows\system32\drivers\epwxtgux.sys" => File/Directory not found.
"C:\Windows\system32\Drivers\kgpfr2.cfg" => File/Directory not found.
"C:\Windows\system32\Drivers\kgpcpy.cfg" => File/Directory not found.
"C:\Windows\system32\REN9A6C.tmp" => File/Directory not found.
"C:\Windows\system32\REN9A4C.tmp" => File/Directory not found.
"C:\Windows\system32\REN9A3B.tmp" => File/Directory not found.
"C:\Windows\system32\Drivers\etc\hosts.bak" => File/Directory not found.
"C:\Users\rac\AppData\Local\t0m8ctog368483w04675vl7l06dw6i5r6krf" => File/Directory not found.
"C:\ProgramData\t0m8ctog368483w04675vl7l06dw6i5r6krf" => File/Directory not found.
C:\Users\rac\protect.dll => Moved successfully.
'HKU\S-1-5-21-2030314185-2794812908-1279502003-1000\Software\Classes\exefile' => Key deleted successfully.
'HKU\S-1-5-21-2030314185-2794812908-1279502003-1000\Software\Classes\.exe' => Key deleted successfully.
'HKU\S-1-5-21-2030314185-2794812908-1279502003-1000\Software\Classes\exefile'=> Key not found.
 
==== End of Fixlog ====

    Advertisements

Register to Remove


#17 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,344 posts
  • Interests:LFC, music, more LFC, more music

Posted 14 June 2014 - 03:14 PM

Uninstall Combofix

Follow these steps to uninstall Combofix

  • click START then RUN
  • now type Combofix /uninstall in the runbox and click OK.

Note the space between the X and the /, it needs to be there.

CFuninstall.jpg


  • please follow the prompts to uninstall Combofix.
  • once it's finished uninstalling itself you will receive a message saying Combofix was uninstalled successfully.

===================================================

Please re-run aswMBR according to the previous instructions and send me the resulting log.

Satchfan
 

 


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#18 Sarit

Sarit

    Authentic Member

  • Authentic Member
  • PipPip
  • 26 posts

Posted 14 June 2014 - 05:12 PM

Okay.  Combofix uninstalled.

 

New report:

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2014-06-14 17:56:48
-----------------------------
17:56:48.763    OS Version: Windows 6.0.6002 Service Pack 2
17:56:48.764    Number of processors: 1 586 0x1601
17:56:48.766    ComputerName: TOMOHISA  UserName: rac
17:56:50.059    Initialize success
18:09:17.085    AVAST engine defs: 14061401
18:10:31.513    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
18:10:31.529    Disk 0 Vendor: TOSHIBA_MK8037GSX DL230M Size: 76319MB BusType: 3
18:10:31.976    Disk 0 MBR read successfully
18:10:32.035    Disk 0 MBR scan
18:10:32.216    Disk 0 Windows VISTA default MBR code
18:10:32.247    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS         1500 MB offset 2048
18:10:32.301    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        69266 MB offset 3074048
18:10:32.345    Disk 0 Partition 3 00     17 Hidd HPFS/NTFS NTFS         5552 MB offset 144930816
18:10:32.394    Disk 0 scanning sectors +156301312
18:10:32.730    Disk 0 scanning C:\Windows\system32\drivers
18:10:56.016    Service scanning
18:11:59.379    Modules scanning
18:12:48.594    Disk 0 trace - called modules:
18:13:32.951    ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys tcpip.sys NETIO.SYS ndis.sys athr.sys dxgkrnl.sys igdkmd32.sys 
18:13:34.742    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x849f4208]
18:13:34.786    3 CLASSPNP.SYS[865ab8b3] -> nt!IofCallDriver -> [0x83a411e0]
18:13:34.852    5 acpi.sys[826536bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x83a4a528]
18:13:42.842    AVAST engine scan C:\Windows
18:13:49.066    AVAST engine scan C:\Windows\system32
18:14:14.529    File: C:\Windows\system32\cooper.mine  **INFECTED** Win32:Fraudo [Trj]
18:22:43.943    AVAST engine scan C:\Windows\system32\drivers
18:23:16.067    AVAST engine scan C:\Users\rac
18:25:49.397    File: C:\Users\rac\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\rac\AppData\Local\Microsoft\Windows\TEMPOR~1\VIRTUA~1\C\Users\rac\protect.dll  **INFECTED** Win32:Malware-gen
18:37:36.674    File: C:\Users\rac\Downloads\FileZilla_3.7.4.1_win32-setup.exe  **INFECTED** Win32:Adware-gen [Adw]
18:40:38.421    AVAST engine scan C:\ProgramData
18:51:51.982    Scan finished successfully
19:08:06.092    Disk 0 MBR has been saved successfully to "C:\Users\rac\Desktop\MBR.dat"
19:08:06.120    The log file has been saved successfully to "C:\Users\rac\Desktop\aswMBR1.txt"


#19 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,344 posts
  • Interests:LFC, music, more LFC, more music

Posted 15 June 2014 - 03:58 AM

Please delete the directory C:\ProgramData\e135217

 

===============================================
 

Clear all your temporary files

Download ATF Cleaner

  • double-click ATF-Cleaner.exe (on your desktop) to run the program.
  • under Main choose: Select All
  • click the Empty Selected button.

If you use Firefox browser

  • click Firefox at the top and choose: Select All
  • click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser


  • click Opera at the top and choose: Select All
  • click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu

NOTE: The last update came out before Chrome and the developer of ATF Cleaner hasn't updated it to deal with Chrome yet.

Google Chrome includes its own “Clear Browsing Data” tool that performs the same functions as ATF Cleaner. It clears browsing history, download history, empties Chrome’s cache, deletes cookies and removes all saved autofill entries and passwords.

You can toggle each of these options and select the date range of data you want to remove.


  • open Google Chrome
  • click on the Customize icon Chrome.gif, at the top right
  • choose Tools, Clear Browsing Data.

===============================================

Download Malwarebytes-Anti-Malware

Click here (at the top of the page, click on "Download Current Version")
 

  • double-click mbam-setup.exe and follow the prompts to install the program – (Note: Vista & Windows 7 users, please right-click and select “Run as Administrator”)
  • at the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware. and Launch Malwarebytes' Anti-Malware, then click Finish..
  • if an update is found, it will download and install the latest version.
  • once the program has loaded, select Perform quick scan, then click Scan.
  • when the scan is complete, click OK, then Show Results to view the results.
  • be sure that everything is checked, and click Remove Selected.
  • when removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • the log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • copy and paste the contents of that report in your next reply and exit MBAM.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Satchfan

 


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#20 Sarit

Sarit

    Authentic Member

  • Authentic Member
  • PipPip
  • 26 posts

Posted 15 June 2014 - 01:09 PM

Whoa two pages lol.

 

Okay.  Deleted that folder in the Program Data folder.  While doing so, I noticed there are a lot of program folders in there that I don't use (Napster for example).  Should I delete those too?

 

It generated two logs.  One called mbabm and one called protection.  I'll include both just in case.

 

Mbam Report

 

<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header>
<date>2014/06/15 08:52:19 -0400</date>
<logfile>mbam-log-2014-06-15 (08-52-00).xml</logfile>
<isadmin>yes</isadmin>
</header>
<engine>
<version>2.00.2.1012</version>
<malware-database>v2014.03.04.09</malware-database>
<rootkit-database>v2014.02.20.01</rootkit-database>
<license>trial</license>
<file-protection>enabled</file-protection>
<web-protection>enabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
<system>
<osversion>Windows Vista Service Pack 2</osversion>
<arch>x86</arch>
<username>rac</username>
<filesys>NTFS</filesys>
</system>
<summary>
<type>threat</type>
<result>completed</result>
<objects>243759</objects>
<time>2542</time>
<processes>0</processes>
<modules>0</modules>
<keys>10</keys>
<values>4</values>
<datas>2</datas>
<folders>3</folders>
<files>9</files>
<sectors>0</sectors>
</summary>
<options>
<memory>enabled</memory>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>disabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>enabled</pup>
<pum>enabled</pum>
</options>
<items>
<key><path>HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{19127AD2-394B-70F5-C650-B97867BAA1F7}</path><vendor>Backdoor.Bot</vendor><action>success</action><hash>68e120dfaad0e84eb2a257057092c13f</hash></key>
<key><path>HKU\S-1-5-21-2030314185-2794812908-1279502003-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{19127AD2-394B-70F5-C650-B97867BAA1F7}</path><vendor>Backdoor.Bot</vendor><action>success</action><hash>68e120dfaad0e84eb2a257057092c13f</hash></key>
<key><path>HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{19127AD2-394B-70F5-C650-B97867BAA1F7}</path><vendor>Backdoor.Bot</vendor><action>success</action><hash>68e120dfaad0e84eb2a257057092c13f</hash></key>
<key><path>HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{19127AD2-394B-70F5-C650-B97867BAA1F7}</path><vendor>Backdoor.Bot</vendor><action>success</action><hash>68e120dfaad0e84eb2a257057092c13f</hash></key>
<key><path>HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}</path><vendor>Backdoor.Bot</vendor><action>success</action><hash>c4857a859fdb1b1be589ce8ee41ecc34</hash></key>
<key><path>HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}</path><vendor>Backdoor.Bot</vendor><action>success</action><hash>c4857a859fdb1b1be589ce8ee41ecc34</hash></key>
<key><path>HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}</path><vendor>Backdoor.Bot</vendor><action>success</action><hash>c4857a859fdb1b1be589ce8ee41ecc34</hash></key>
<key><path>HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{78919608-B066-4B5A-B248-38E12A783E05}</path><vendor>Adware.ArcadeWeb</vendor><action>success</action><hash>7fca7e8137436bcb1b37cb87f40e1de3</hash></key>
<key><path>HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{FE6F06FB-0FC0-4499-828F-EE48088F504F}</path><vendor>PUP.Optional.MyScrapNook.A</vendor><action>success</action><hash>b79220dfed8dac8af76e423309f9b64a</hash></key>
<key><path>HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\AvScan</path><vendor>Trojan.FakeAlert</vendor><action>success</action><hash>9cad5aa572083600a409ca37db2816ea</hash></key>
<value><path>HKU\S-1-5-21-2030314185-2794812908-1279502003-501-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\URLSEARCHHOOKS\{b3b5c47e-61f7-4d81-af06-461fc86686ce}</path><valuename></valuename><vendor>PUP.Optional.MyScrapNook.A</vendor><action>success</action><valuedata></valuedata><hash>58f1996685f58fa70957c3b27c8601ff</hash></value>
<value><path>HKU\S-1-5-21-2030314185-2794812908-1279502003-501-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\URLSEARCHHOOKS</path><valuename>{B3B5C47E-61F7-4D81-AF06-461FC86686CE}</valuename><vendor>PUP.Optional.MyScrapNook.A</vendor><action>success</action><valuedata></valuedata><hash>58f1996685f58fa70957c3b27c8601ff</hash></value>
<value><path>HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\NETWORK</path><valuename>UID</valuename><vendor>Malware.Trace</vendor><action>success</action><valuedata>RAC-PC_099F4867</valuedata><hash>77d2956a3e3c95a1a8f10a0e29daa858</hash></value>
<value><path>HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path><valuename>autochk</valuename><vendor>Trojan.Agent</vendor><action>success</action><valuedata>rundll32.exe C:\Windows\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16</valuedata><hash>c2875ba47802af871dfd0ff7778cf50b</hash></value>
<data><path>HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES</path><valuename>URL</valuename><vendor>Hijack.SearchPage</vendor><action>replaced</action><valuedata>http://search-gala.c...8</hash></data>
<data><path>HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES</path><valuename>URL</valuename><vendor>Hijack.SearchPage</vendor><action>replaced</action><valuedata>http://search-gala.c...3</hash></data>
<folder><path>C:\ProgramData\14617524</path><vendor>Rogue.Multiple</vendor><action>success</action><hash>0b3e3ec11169270f60793e384db5847c</hash></folder>
<folder><path>C:\ProgramData\94627516</path><vendor>Rogue.Multiple</vendor><action>success</action><hash>84c5af50176366d06c6de88e35cd748c</hash></folder>
<folder><path>C:\Windows\System32\lowsec</path><vendor>Stolen.data</vendor><action>success</action><hash>9aaf44bb4139e3536980552c49b924dc</hash></folder>
<file><path>C:\Users\rac\Downloads\Watermark_Software_6.3_Portable.rar_downloader.exe</path><vendor>PUP.Optional.YourFileDownloader</vendor><action>success</action><hash>4603728d62187cba1fca7bf0e31d29d7</hash></file>
<file><path>C:\Users\rac\Downloads\AIM_Install.exe</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>cc7d21de9dddb87e15d13021e222659b</hash></file>
<file><path>C:\Windows\System32\cooper.mine</path><vendor>Trojan.FakeAlert</vendor><action>success</action><hash>b396bc433d3d2e080806fbe332d0f010</hash></file>
<file><path>C:\Windows\System32\drivers\str.sys</path><vendor>Rootkit.Agent</vendor><action>success</action><hash>1e2ba659255592a4c1be934d5fa39967</hash></file>
<file><path>C:\ProgramData\14617524\14617524.glu</path><vendor>Rogue.Multiple</vendor><action>success</action><hash>0b3e3ec11169270f60793e384db5847c</hash></file>
<file><path>C:\ProgramData\14617524\pc14617524cnf</path><vendor>Rogue.Multiple</vendor><action>success</action><hash>0b3e3ec11169270f60793e384db5847c</hash></file>
<file><path>C:\ProgramData\14617524\pc14617524ins</path><vendor>Rogue.Multiple</vendor><action>success</action><hash>0b3e3ec11169270f60793e384db5847c</hash></file>
<file><path>C:\Windows\System32\lowsec\local.ds</path><vendor>Stolen.data</vendor><action>success</action><hash>9aaf44bb4139e3536980552c49b924dc</hash></file>
<file><path>C:\Windows\System32\lowsec\user.ds</path><vendor>Stolen.data</vendor><action>success</action><hash>9aaf44bb4139e3536980552c49b924dc</hash></file>
</items>
</mbam-log>
 
 
 
Protection Report
 
<?xml version="1.0" encoding="UTF-8" ?>
<logs>
   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T08:47:31.609000-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="9a5e7e2f-bd78-4837-87ff-593a519f5e12" result="Starting" subtype="Malware Protection"></record>
   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T08:47:31.945000-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="e629d0f1-0b55-4ff8-89c4-6fe571e03ea6" result="Started" subtype="Malware Protection"></record>
   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T08:47:32.079000-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="251376b9-731e-4a21-9176-9592ca0fb40e" result="Starting" subtype="Malicious Website Protection"></record>
   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T08:48:59.114000-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="72c61ce3-b920-4be6-816a-a3608332130b" result="Started" subtype="Malicious Website Protection"></record>
   <record severity="debug" LoggingEventType="1" datetime="2014-06-15T09:16:19.122000-04:00" source="Scheduler" type="Update" username="SYSTEM" systemname="TOMOHISA" fromVersion="2014.2.20.1" last_modified_tag="5df0f4a5-263b-4a82-a8bf-bf9c3e088e98" name="Rootkit Database" toVersion="2014.6.2.1"></record>
   <record severity="debug" LoggingEventType="1" datetime="2014-06-15T09:16:33.590000-04:00" source="Scheduler" type="Update" username="SYSTEM" systemname="TOMOHISA" fromVersion="2014.3.4.9" last_modified_tag="f300dfd0-b28b-4c98-ac7b-704a81d2b7e0" name="Malware Database" toVersion="2014.6.15.2"></record>
   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T09:16:35.336000-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="1af52d14-df75-4303-97fb-8780e629f21a" result="Starting" subtype="Refresh"></record>
   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T09:16:35.364000-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="7ac52e88-d9ed-48a4-9df3-ad9d4abbee0c" result="Stopping" subtype="Malicious Website Protection"></record>
   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T09:16:41.092000-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="2f1c8475-e00c-4b51-8651-3ec5bf98819d" result="Stopped" subtype="Malicious Website Protection"></record>
   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T09:20:36.960000-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="050f9fdd-143e-4c8b-8366-1587fbbbf67b" result="Success" subtype="Refresh"></record>
   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T09:20:45.979000-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="9c818bd1-ba1b-4feb-8d22-01a23e1a782b" result="Starting" subtype="Malicious Website Protection"></record>
   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T09:23:27.537000-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="e8042dc6-2e62-4f04-8852-d318630db256" result="Started" subtype="Malicious Website Protection"></record>
   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T14:38:05.448193-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="2603a32c-099e-481f-8ad8-a44f12ff3841" result="Starting" subtype="Malware Protection"></record>
   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T14:38:06.555793-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="c29314f8-abd1-4635-9dd8-7179291e5320" result="Started" subtype="Malware Protection"></record>
   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T14:38:07.117393-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="3c9a508b-0d2b-455f-9b7b-2a76668dd451" result="Starting" subtype="Malicious Website Protection"></record>
   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T14:39:51.918193-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="af401dc4-2146-48a2-8ab0-9c5fa704deb0" result="Started" subtype="Malicious Website Protection"></record>
   <record severity="debug" LoggingEventType="1" datetime="2014-06-15T14:57:23.629193-04:00" source="Scheduler" type="Update" username="SYSTEM" systemname="TOMOHISA" fromVersion="2014.6.15.2" last_modified_tag="7c624d1b-3d2e-4bbc-85b7-fb2eba53bef9" name="Malware Database" toVersion="2014.6.15.5"></record>
   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T14:57:25.455193-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="8b13490d-1b2c-418a-9bea-50deecff3216" result="Starting" subtype="Refresh"></record>
   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T14:57:25.478193-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="73ab7352-bd3e-4cce-aa8f-0f12fc45b70c" result="Stopping" subtype="Malicious Website Protection"></record>
   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T14:57:28.633193-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="d340c8ff-4f25-4138-b3a0-1ab75a10b93c" result="Stopped" subtype="Malicious Website Protection"></record>
   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T14:58:34.759193-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="b422d597-d0c6-44ff-a89e-a803da352f79" result="Success" subtype="Refresh"></record>
   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T14:58:36.315193-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="9062ec9b-5d14-4a7b-8337-d8f3a42c0da9" result="Starting" subtype="Malicious Website Protection"></record>
   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T14:59:27.678193-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="ab4dca67-984a-4196-b625-3dd6079c1c9c" result="Started" subtype="Malicious Website Protection"></record>
</logs>
 


#21 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,344 posts
  • Interests:LFC, music, more LFC, more music

Posted 15 June 2014 - 03:38 PM

The logs you sent were not what I wanted,

The log I’m looking for will be located here:

C:\Users\rac\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs

If you have a problem locating it, let me know.

Satchfan


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#22 Sarit

Sarit

    Authentic Member

  • Authentic Member
  • PipPip
  • 26 posts

Posted 15 June 2014 - 03:47 PM

I looked and there is no folder under Malwarebytes under that location.  In the program, under History, those two files are the only ones listed.  They are in xml format and not txt, so maybe that's why they look so weird.  And it didn't delete the files, it just quarantined them.  I just selected them all for deletion but no new log was generated when I deleted them.  Should I try running another scan?



#23 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,344 posts
  • Interests:LFC, music, more LFC, more music

Posted 15 June 2014 - 03:52 PM

Yes please and post the Mbam.txt file.


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#24 Sarit

Sarit

    Authentic Member

  • Authentic Member
  • PipPip
  • 26 posts

Posted 15 June 2014 - 05:39 PM

Okay!  Apparently they changed it.  It doesn't save the file automatically, you have to export it as a txt file.  I managed to get both logs for each scan I did.

 

#1

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 6/15/2014
Scan Time: 8:52:19 AM
Logfile: mbam1.txt
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.03.04.09
Rootkit Database: v2014.02.20.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: rac
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 243759
Time Elapsed: 42 min, 22 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 10
Backdoor.Bot, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{19127AD2-394B-70F5-C650-B97867BAA1F7}, Quarantined, [68e120dfaad0e84eb2a257057092c13f], 
Backdoor.Bot, HKU\S-1-5-21-2030314185-2794812908-1279502003-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{19127AD2-394B-70F5-C650-B97867BAA1F7}, Quarantined, [68e120dfaad0e84eb2a257057092c13f], 
Backdoor.Bot, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{19127AD2-394B-70F5-C650-B97867BAA1F7}, Quarantined, [68e120dfaad0e84eb2a257057092c13f], 
Backdoor.Bot, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{19127AD2-394B-70F5-C650-B97867BAA1F7}, Quarantined, [68e120dfaad0e84eb2a257057092c13f], 
Backdoor.Bot, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}, Quarantined, [c4857a859fdb1b1be589ce8ee41ecc34], 
Backdoor.Bot, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}, Quarantined, [c4857a859fdb1b1be589ce8ee41ecc34], 
Backdoor.Bot, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}, Quarantined, [c4857a859fdb1b1be589ce8ee41ecc34], 
Adware.ArcadeWeb, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{78919608-B066-4B5A-B248-38E12A783E05}, Quarantined, [7fca7e8137436bcb1b37cb87f40e1de3], 
PUP.Optional.MyScrapNook.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{FE6F06FB-0FC0-4499-828F-EE48088F504F}, Quarantined, [b79220dfed8dac8af76e423309f9b64a], 
Trojan.FakeAlert, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\AvScan, Quarantined, [9cad5aa572083600a409ca37db2816ea], 
 
Registry Values: 4
PUP.Optional.MyScrapNook.A, HKU\S-1-5-21-2030314185-2794812908-1279502003-501-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\URLSEARCHHOOKS\{b3b5c47e-61f7-4d81-af06-461fc86686ce}, Quarantined, [58f1996685f58fa70957c3b27c8601ff], 
PUP.Optional.MyScrapNook.A, HKU\S-1-5-21-2030314185-2794812908-1279502003-501-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\URLSEARCHHOOKS|{B3B5C47E-61F7-4D81-AF06-461FC86686CE}, Quarantined, [58f1996685f58fa70957c3b27c8601ff], 
Malware.Trace, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\NETWORK|UID, RAC-PC_099F4867, Quarantined, [77d2956a3e3c95a1a8f10a0e29daa858]
Trojan.Agent, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|autochk, rundll32.exe C:\Windows\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16, Quarantined, [c2875ba47802af871dfd0ff7778cf50b]
 
Registry Data: 2
 
Folders: 3
Rogue.Multiple, C:\ProgramData\14617524, Quarantined, [0b3e3ec11169270f60793e384db5847c], 
Rogue.Multiple, C:\ProgramData\94627516, Quarantined, [84c5af50176366d06c6de88e35cd748c], 
Stolen.data, C:\Windows\System32\lowsec, Quarantined, [9aaf44bb4139e3536980552c49b924dc], 
 
Files: 9
PUP.Optional.YourFileDownloader, C:\Users\rac\Downloads\Watermark_Software_6.3_Portable.rar_downloader.exe, Quarantined, [4603728d62187cba1fca7bf0e31d29d7], 
PUP.Optional.OpenCandy, C:\Users\rac\Downloads\AIM_Install.exe, Quarantined, [cc7d21de9dddb87e15d13021e222659b], 
Trojan.FakeAlert, C:\Windows\System32\cooper.mine, Quarantined, [b396bc433d3d2e080806fbe332d0f010], 
Rootkit.Agent, C:\Windows\System32\drivers\str.sys, Quarantined, [1e2ba659255592a4c1be934d5fa39967], 
Rogue.Multiple, C:\ProgramData\14617524\14617524.glu, Quarantined, [0b3e3ec11169270f60793e384db5847c], 
Rogue.Multiple, C:\ProgramData\14617524\pc14617524cnf, Quarantined, [0b3e3ec11169270f60793e384db5847c], 
Rogue.Multiple, C:\ProgramData\14617524\pc14617524ins, Quarantined, [0b3e3ec11169270f60793e384db5847c], 
Stolen.data, C:\Windows\System32\lowsec\local.ds, Quarantined, [9aaf44bb4139e3536980552c49b924dc], 
Stolen.data, C:\Windows\System32\lowsec\user.ds, Quarantined, [9aaf44bb4139e3536980552c49b924dc], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
 
#2
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 6/15/2014
Scan Time: 5:54:54 PM
Logfile: mbam.txt
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.06.15.06
Rootkit Database: v2014.06.02.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: rac
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 280678
Time Elapsed: 45 min, 24 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 2
PUP.Optional.MindSpark.A, HKLM\SOFTWARE\OurBabyMaker_27, Quarantined, [05bda1d7691237ff691bf201ff04e41c], 
PUP.Optional.MindSpark.A, HKU\S-1-5-21-2030314185-2794812908-1279502003-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\OurBabyMaker_27, Quarantined, [ae14a1d7abd040f65b4c2e77fd050af6], 
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 1
PUP.Optional.InstalleRex, C:\Users\rac\Downloads\Watermark Software 6.3 Portable.rar.exe, Quarantined, [3c86f48436454ceaef59551ec938b64a], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#25 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,344 posts
  • Interests:LFC, music, more LFC, more music

Posted 16 June 2014 - 01:52 AM

I’d like you to try ComboFix again.

Download and run ComboFix

Download Combofix from either of the links below, and save it to your desktop.  

Link 1
Link 2

**Note:  It MUST be saved directly to your desktop. Choose save as and then make sure you choose Desktop

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link [url="http://forums.whatth...om/How_Disable_

If it still doesn’t work, try running it this way:

Click the Windows “Start” button, select Run, then copy/paste the following bolded text into the run box and click OK

"%userprofile%\desktop\combofix.exe" /killall

Satchfan


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

    Advertisements

Register to Remove


#26 Sarit

Sarit

    Authentic Member

  • Authentic Member
  • PipPip
  • 26 posts

Posted 17 June 2014 - 03:13 PM

Still doesn't work and I tried using that kill all command.  It still just starts to run and then freezes the computer so I have to pull out the battery and restart it.



#27 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,344 posts
  • Interests:LFC, music, more LFC, more music

Posted 17 June 2014 - 03:35 PM

Whatever is stopping ComboFix can’t be good but there may be another reason so we’ll look again.

Re-run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.

  • for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on Report and copy/paste the content in your next post

NOTE: DO NOT attempt to remove anything that the scan detects –everything that is reported is not necessarily bad


Satchfan

 

 


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#28 Sarit

Sarit

    Authentic Member

  • Authentic Member
  • PipPip
  • 26 posts

Posted 17 June 2014 - 04:31 PM

Here's the new log:

 

RogueKiller V9.0.3.0 [Jun 17 2014] by Adlice Software
 
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : rac [Admin rights]
Mode : Scan -- Date : 06/17/2014  18:27:12
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 14 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 8.8.8.8 8.8.4.4 209.55.27.13  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 8.8.8.8 8.8.4.4 209.55.27.13  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 75.75.75.75 75.75.76.76  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2F9A1A9-AF53-4C0C-97A1-3B90FDBF3E0C} | DhcpNameServer : 208.67.222.222 208.67.220.220 2.2.2.1  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CEB31E6C-AD0D-4A3B-A5DB-6267DEAC5809} | DhcpNameServer : 8.8.8.8 8.8.4.4 209.55.27.13  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B2F9A1A9-AF53-4C0C-97A1-3B90FDBF3E0C} | DhcpNameServer : 208.67.222.222 208.67.220.220 2.2.2.1  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{CEB31E6C-AD0D-4A3B-A5DB-6267DEAC5809} | DhcpNameServer : 8.8.8.8 8.8.4.4 209.55.27.13  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{B2F9A1A9-AF53-4C0C-97A1-3B90FDBF3E0C} | DhcpNameServer : 208.67.222.222 208.67.220.220 2.2.2.1  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{CEB31E6C-AD0D-4A3B-A5DB-6267DEAC5809} | DhcpNameServer : 75.75.75.75 75.75.76.76  -> FOUND
[PUM.Policies] HKEY_USERS\S-1-5-21-2030314185-2794812908-1279502003-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0  -> FOUND
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-2030314185-2794812908-1279502003-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ HOSTS File : 2 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
[C:\Windows\System32\drivers\etc\hosts] ::1 localhost
 
¤¤¤ Antirootkit : 0 ¤¤¤
 
¤¤¤ Web browsers : 1 ¤¤¤
[PUP][CHROME:Addon] Default : AVG Secure Search [ndibdjnfmopecpmkdieinmbadjfpblof] -> FOUND
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK8037GSX ATA Device +++++
--- User ---
[MBR] ef1cf80a887d5867eac45cb539ae2f71
[BSP] 359adfaa6652908a617e4c101297499c : HP MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 69266 MB
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 144930816 | Size: 5552 MB
User = LL1 ... OK
User = LL2 ... OK
 
 
============================================
RKreport_DEL_06112014_200156.log - RKreport_SCN_06112014_165654.log - RKreport_SCN_06112014_200111.log


#29 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,344 posts
  • Interests:LFC, music, more LFC, more music

Posted 18 June 2014 - 01:48 PM

Hi Sarit

 

I’d like you to try running ComboFix again.

 

 

Download and run ComboFix

Download Combofix from either of the links below. You must rename it to Com123.exe before saving it.

Link 1
Link 2

**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
--------------------------------------------------------------------

  • double click on ComboFix.exe & follow the prompts.
  • when finished, it will produce a report: please post the C:\ComboFix.txt log in your reply.

Satchfan
 


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#30 Sarit

Sarit

    Authentic Member

  • Authentic Member
  • PipPip
  • 26 posts

Posted 21 June 2014 - 12:51 PM

Tried shutting everything down and it didn't freeze the computer this time but the program itself froze and I had to manually restart the computer.


Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users