
Norton detecting Boot.Cidox, Spybot detecting Mayachok.B [Closed]


This topic is locked
22 replies to this topic

#16 Robbulator
New Member, Authentic Member, 13 posts

Posted 18 November 2014 - 08:54 PM

Once again I thank you for your ongoing support


#17 LiquidTension
SuperMember, Retired Classroom Teacher, 2,566 posts

Posted 19 November 2014 - 07:48 AM

Once again I thank you for your ongoing support

That's quite alright, Matt.
 
Please let me know how your PC is performing after completing the steps below. 
 
STEP 1
AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
  • Follow the prompts. 
  • Click Scan
  • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate. 
  • Ensure anything you know to be legitimate does not have a checkmark, and click Clean
  • Follow the prompts and allow your computer to reboot
  • After rebooting, a log (AdwCleaner[S0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
 

STEP 2
Junkware Removal Tool (JRT)

  • Please download Junkware Removal Tool and save the file to your Desktop.
  • Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-Click JRT.exe and select Run as administrator to run the programme.
  • Follow the prompts and allow the scan to run uninterrupted. 
  • Upon completion, a log (JRT.txt) will open on your desktop.
  • Re-enable your anti-virus software.
  • Copy the contents of JRT.txt and paste in your next reply.
     

STEP 3
RogueKiller

  • Please download RogueKiller (x32) and save the file to your Desktop.
  • Close any running programmes.
  • Right-Click RogueKiller.exe and select Run as administrator to run the programme.
  • Allow the Prescan to complete. Upon completion, a window will open. Click Accept.
  • A browser window may open. Close the browser window.
  • Click the [button image]. Upon completion, click the [button image].
  • Close the programme. Do not fix anything!
  • A log (RKreport.txt) will be open. Copy the contents of the log and paste in your next reply.
     

======================================================

STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • AdwCleaner[S0].txt
  • JRT.txt
  • RKreport.txt
  • Update on computer


 

Would you like to help others with malware removal? Join our Classroom and learn how!


#18 Robbulator
New Member, Authentic Member, 13 posts

Posted 19 November 2014 - 06:18 PM

Ok, here is the AdwCleaner report:
***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17420


-\\ Mozilla Firefox v33.1 (x86 en-US)


-\\ Google Chrome v


*************************

AdwCleaner[R0].txt - [3072 octets] - [10/11/2014 12:17:43]
AdwCleaner[R1].txt - [3132 octets] - [10/11/2014 12:21:40]
AdwCleaner[R2].txt - [994 octets] - [10/11/2014 12:37:04]
AdwCleaner[R3].txt - [1112 octets] - [12/11/2014 19:52:10]
AdwCleaner[R4].txt - [1133 octets] - [19/11/2014 15:41:22]
AdwCleaner[R5].txt - [1193 octets] - [19/11/2014 15:56:13]
AdwCleaner[S0].txt - [3210 octets] - [10/11/2014 12:23:39]
AdwCleaner[S1].txt - [1021 octets] - [10/11/2014 12:39:20]
AdwCleaner[S2].txt - [1115 octets] - [19/11/2014 15:57:11]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1175 octets] ##########
JRT report

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.9 (11.15.2014:2)
OS: Windows 7 Ultimate x64
Ran by Spence on Wed 11/19/2014 at 16:03:10.74
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Emptied folder: C:\Users\Spence\AppData\Roaming\mozilla\firefox\profiles\gk7p8ik8.default\minidumps [40 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 11/19/2014 at 16:05:59.78
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
RK report

RogueKiller V10.0.6.0 [Nov 13 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Spence [Administrator]
Mode : Delete -- Date : 11/19/2014  16:14:53

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 23 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme (\??\C:\Users\Spence\AppData\Local\Temp\catchme.sys) -> Not selected
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : -> Not selected
[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : -> Not selected
[PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : -> Not selected
[PUM.SearchPage] HKEY_USERS\S-1-5-21-2870170206-3492351646-2857493554-1000\Software\Microsoft\Internet Explorer\Main | Search Page : -> Not selected
[PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : -> Not selected
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.254 75.153.176.1 [UNITED STATES (US)]  -> Not selected
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.254 75.153.176.1 [UNITED STATES (US)]  -> Not selected
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.254 75.153.176.1 [UNITED STATES (US)]  -> Not selected
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{15D75A77-8154-4116-ADCF-55CBDFF62DF1} | DhcpNameServer : 192.168.1.254 75.153.176.9 [UNITED STATES (US)]  -> Not selected
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1B2C7988-AA25-48EF-A8E2-37433436D649} | DhcpNameServer : 192.168.1.254 75.153.176.1 [UNITED STATES (US)]  -> Not selected
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AC3BE074-AA61-4128-BB68-B1C0AFFDE6A0} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 [UNITED STATES (US)][UNITED STATES (US)][PHILIPPINES (PH)][UNITED STATES (US)]  -> Not selected
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{15D75A77-8154-4116-ADCF-55CBDFF62DF1} | DhcpNameServer : 192.168.1.254 75.153.176.9 [UNITED STATES (US)]  -> Not selected
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1B2C7988-AA25-48EF-A8E2-37433436D649} | DhcpNameServer : 192.168.1.254 75.153.176.1 [UNITED STATES (US)]  -> Not selected
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{AC3BE074-AA61-4128-BB68-B1C0AFFDE6A0} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 [UNITED STATES (US)][UNITED STATES (US)][PHILIPPINES (PH)][UNITED STATES (US)]  -> Not selected
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{15D75A77-8154-4116-ADCF-55CBDFF62DF1} | DhcpNameServer : 192.168.1.254 75.153.176.9 [UNITED STATES (US)]  -> Not selected
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{1B2C7988-AA25-48EF-A8E2-37433436D649} | DhcpNameServer : 192.168.1.254 75.153.176.1 [UNITED STATES (US)]  -> Not selected
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{AC3BE074-AA61-4128-BB68-B1C0AFFDE6A0} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 [UNITED STATES (US)][UNITED STATES (US)][PHILIPPINES (PH)][UNITED STATES (US)]  -> Not selected
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Not selected
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 13 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtAlpcConnectPort[22] : Unknown @ 0x88b4a5c8
[ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[318] : Unknown @ 0x899fb098
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[402] : Unknown @ 0x89ff31a8
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[434] : Unknown @ 0x89fdfcf0
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[436] : Unknown @ 0x89fea3f0
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetRawInputData[448] : Unknown @ 0x8a167230
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[490] : Unknown @ 0x89f9b598
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[508] : Unknown @ 0x8a182500
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[509] : Unknown @ 0x8a1699f8
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[585] : Unknown @ 0x8a156218
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[588] : Unknown @ 0x8a15dda8
[IAT:Inl] (explorer.exe @ vcl150.bpl) rtl150.bpl - @Classes@TReader@ : Unknown @ 0xb45933bc (call 0x64500a34)
[IAT:Inl] (explorer.exe @ Jcl150.bpl) rtl150.bpl - @Classes@TReader@ : Unknown @ 0xb45933bc (call 0x64500a34)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS542512K9SA00 +++++
--- User ---
[MBR] 2952b8c5dc8e2ffd6693c2bca4cdaaaf
[BSP] cdc60383eea6fb8edb77a091eda19d9f : Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 111900 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 229378048 | Size: 2471 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_11192014_161207.log

I removed a few suspicious-looking registry keys after the RW scan that were obviously dodgy; didn't touch anything else though. Thanks, Adam



#19 LiquidTension
SuperMember, Retired Classroom Teacher, 2,566 posts

Posted 19 November 2014 - 06:54 PM

Hi Matt,

Those were related to ComboFix, so there was no need.

How is your PC performing?



#20 Robbulator
New Member, Authentic Member, 13 posts

Posted 20 November 2014 - 03:56 PM

Hi Adam,

 

Seems to be running ok, though when shutting down or restarting it takes forever. In the RK scan there was a lot of stuff picked up in the registry that was probably related to Norton's files, but there was quite a lot of other stuff in there that I'm not sure if I should be worried about?

 

Thanks

 

It's great to have a working PC again



#21 LiquidTension
SuperMember, Retired Classroom Teacher, 2,566 posts

Posted 20 November 2014 - 07:18 PM

Hi Matt, 
 

In the RK scan there was a lot of stuff picked up in the registry that was probably related to Norton's files, but there was quite a lot of other stuff in there that I'm not sure if I should be worried about?

There's nothing related to Norton, and nothing to be concerned about. Rest assured, if anything malicious was flagged you would have been instructed to remove it.
 
Please run the following scans to check for remnants. 
We can address your slow boot/shut down afterwards. 
 
STEP 1
Malwarebytes Anti-Malware (MBAM)

  • Please download the Malwarebytes Anti-Malware setup file to your Desktop.
  • Open mbam-setup.x.x.xxxx.exe (x represents the version #) and follow the prompts to install the programme. 
  • Open Malwarebytes Anti-Malware and click Update Now.
  • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply. 
     

STEP 2
ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

  • Please download ESET Online Scan and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Double-click esetsmartinstaller_enu.exe to run the programme. 
  • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
  • Agree to the Terms of Use once more and click Start. Allow components to download.
  • Place a checkmark next to Enable detection of potentially unwanted applications.
  • Click Hide advanced settings. Place a checkmark next to:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Ensure Remove found threats is unchecked.
  • Click Start.
  • Wait for the scan to finish. Please be patient as this can take some time.
  • Upon completion, click the List Threats button (shown as an image in the original). If no threats were found, skip the next two bullet points.
  • Click the Export button (shown as an image in the original) and save the file to your Desktop, naming it something such as "MyEsetScan".
  • Push the Back button.
  • Place a checkmark next to the [checkbox image] and click the [button image].
  • Re-enable your anti-virus software.
  • Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • MBAM Scan log
  • ESET Online Scan log

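As an added example (not from the thread, and not Adlice's code), a small Python parser for the RogueKiller registry lines in the report above, applying the triage the reply gives: PUM entries are informational, and the Suspicious.Path catchme entries were explained earlier as ComboFix leftovers. The sample lines are copied from the posted report; the category-to-severity buckets and the expansion of PUM as "Potentially Unwanted Modification" are my assumptions, not something the report states.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the RogueKiller "Registry"
# section of the report posted earlier in this thread.
SAMPLE_RK_LINES = r"""
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme (\??\C:\Users\Spence\AppData\Local\Temp\catchme.sys) -> Not selected
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : -> Not selected
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.254 75.153.176.1 [UNITED STATES (US)]  -> Not selected
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Not selected
"""

# One RogueKiller registry line: "[Category] key [| name : value] -> action"
LINE_RE = re.compile(r"^\[(?P<cat>[^\]]+)\]\s+(?P<body>.*?)\s+->\s+(?P<action>.+?)\s*$")

def parse_line(line):
    """Return a dict for one detection line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    key, sep, rest = m.group("body").partition(" | ")
    name, value = None, None
    if sep:  # a value entry: "name : value" (value may be empty, as for Start Page)
        name, _, value = rest.partition(" :")
        name, value = name.strip(), value.strip()
    return {"category": m.group("cat"), "key": key.strip(),
            "name": name, "value": value, "action": m.group("action")}

def parse_report(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def triage(record):
    """Coarse severity from the category prefix (assumed buckets). PUM entries are
    settings RogueKiller only reports, e.g. home page or DNS servers: informational."""
    family = record["category"].split(".", 1)[0]
    if family == "PUM":
        return "info"
    if family == "Suspicious":
        return "review"
    return "threat"

def summarize(text):
    """Count (category, action) pairs so a reader sees what was actually removed."""
    return Counter((r["category"], r["action"]) for r in parse_report(text))

def dns_servers(text):
    """Collect the resolver addresses from PUM.Dns entries for a sanity check."""
    ips = []
    for r in parse_report(text):
        if r["category"] == "PUM.Dns" and r["value"]:
            ips += re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", r["value"])
    return ips
```

Running summarize() over a full RKreport shows at a glance that only the two catchme service keys were "Deleted" and everything else was "Not selected", which is what the reply above is saying in words.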


#22 LiquidTension
SuperMember, Retired Classroom Teacher, 2,566 posts

Posted 25 November 2014 - 01:41 PM

Hello Matt, 

 

How are you getting on?




#23 LiquidTension
SuperMember, Retired Classroom Teacher, 2,566 posts

Posted 26 November 2014 - 07:20 PM

Due to inactivity this topic will be closed.
If you need help please start a new thread.

New members: follow the instructions here http://forums.whatth...ed_t106388.html and start a new topic.
