argzip

Member · Posts: 10
Everything posted by argzip

  1. Seems to be running smoothly. No evidence of the Trojan, or anything unusual. Thanks!
  2. RogueKiller and FRST are attached. Thanks RKreport_DEL_10212014_143140.log FRST.txt
  3. RogueKiller log is attached. RKreport_SCN_10212014_132156.log
  4. FRST will not run after clicking FIX. Windows (7) gives the "program has stopped working" message. Fixlist.txt is in the same folder as FRST.
  5. Kevin, The logs are attached. Thanks ESET SCAN.txt Addition.txt FRST.txt
  6. Please see attached ComboFix text file. I also may have made a mistake - I deleted the Poweliks Trojan when RogueKiller detected it. I realized I did not follow your directions exactly after it was too late, sorry. However, the Malwarebytes blocking notifications of fff5ee.com and others have stopped. ComboFixLog.txt
  7. RKill:

     Rkill 2.6.8 by Lawrence Abrams (Grinler)
     http://www.bleepingcomputer.com/
     Copyright 2008-2014 BleepingComputer.com
     More Information about Rkill can be found at this link:
     http://www.bleepingcomputer.com/forums/topic308364.html

     Program started at: 10/20/2014 12:01:21 PM in x64 mode.
     Windows Version: Windows 7 Home Premium Service Pack 1

     Checking for Windows services to stop:
      * No malware services found to stop.

     Checking for processes to terminate:
      * No malware processes found to kill.

     Checking Registry for malware related settings:
      * No issues found in the Registry.

     Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

     Performing miscellaneous checks:
      * No issues found.
      * No issues found.
      * No issues found.

     Checking Windows Service Integrity:
      * No issues found.
     Checking Windows Service Integrity:
     Checking Windows Service Integrity:
      * No issues found.

     Searching for Missing Digital Signatures:
      * No issues found.
     Searching for Missing Digital Signatures:
     Searching for Missing Digital Signatures:
      * No issues found.

     Checking HOSTS File:
      * No issues found.

     Program finished at: 10/20/2014 12:03:28 PM
     Execution time: 0 hours(s), 2 minute(s), and 7 seconds(s)
      * No issues found.

     Checking HOSTS File:
      * No issues found.

     Program finished at: 10/20/2014 12:03:28 PM
     Execution time: 0 hours(s), 4 minute(s), and 20 seconds(s)
      * No issues found.

     Checking HOSTS File:
      * No issues found.

     Program finished at: 10/20/2014 12:03:28 PM
     Execution time: 0 hours(s), 7 minute(s), and 8 seconds(s)

     RogueKiller:

     RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
     mail : http://www.adlice.com/contact/
     Feedback : http://forum.adlice.com
     Website : http://www.adlice.com/softwares/roguekiller/
     Blog : http://www.adlice.com

     Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
     Started in : Normal mode
     User : Home [Administrator]
     Mode : Scan -- Date : 10/20/2014 12:30:18

     ¤¤¤ Processes : 0 ¤¤¤

     ¤¤¤ Registry : 16 ¤¤¤
     [suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | Unattend0000000001{BFA3D12B-66DD-4617-923A-E864BC7D20B5} : C:\Windows\test.bat -> Found
     [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3805995526-3241524187-455054265-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://yahoo.com/ -> Found
     [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3805995526-3241524187-455054265-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://yahoo.com/ -> Found
     [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3805995526-3241524187-455054265-1002\Software\Microsoft\Internet Explorer\Main | Start Page : http://yahoo.com/ -> Found
     [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3805995526-3241524187-455054265-1002\Software\Microsoft\Internet Explorer\Main | Start Page : http://yahoo.com/ -> Found
     [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 184.16.33.54 -> Found
     [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 184.16.33.54 -> Found
     [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 184.16.33.54 -> Found
     [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9B06CCA7-2ECA-4742-A628-46A7387A6520} | DhcpNameServer : 192.168.1.1 184.16.33.54 -> Found
     [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9B06CCA7-2ECA-4742-A628-46A7387A6520} | DhcpNameServer : 192.168.1.1 184.16.33.54 -> Found
     [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{9B06CCA7-2ECA-4742-A628-46A7387A6520} | DhcpNameServer : 192.168.1.1 184.16.33.54 -> Found
     [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
     [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
     [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
     [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
     [Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-3805995526-3241524187-455054265-1002\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Found

     ¤¤¤ Tasks : 0 ¤¤¤

     ¤¤¤ Files : 1 ¤¤¤
     [suspicious.Path][File] Best Buy pc app.lnk -- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk [LNK@] C:\PROGRA~3\BESTBU~1\CLICKO~1.EXE "C:\ProgramData\Best Buy pc app\Best Buy pc app.application" -> Found

     ¤¤¤ Hosts File : 0 ¤¤¤

     ¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

     ¤¤¤ Web browsers : 0 ¤¤¤

     ¤¤¤ MBR Check : ¤¤¤
     +++++ PhysicalDrive0: ST31000528AS ATA Device +++++
     --- User ---
     [MBR] 5141a8c3557b0fc8b94d42efd348e829
     [bSP] 77dfb764539fae50b77dddc066f4970c : Windows Vista/7/8 MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
     1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 928093 MB
     2 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 1900941312 | Size: 25675 MB
     User = LL1 ... OK
     User = LL2 ... OK
  8. I downloaded Fixlist.txt, ran FRST and clicked the Fix button once. I have attached the Fixlog.txt. FRST continues to say "Fixing is in progress, please wait...." It has been doing this for about 25 minutes. The Malwarebytes blocking pop ups continue about every few seconds. This is as far as I have gone.

     Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 20-10-2014
     Ran by Larry at 2014-10-20 10:45:31 Run:1
     Running from C:\Users\Larry\Desktop\Malware Removal Tools
     Loaded Profiles: Home & Larry (Available profiles: Home & Larry & Rita & Anna & Guest)
     Boot Mode: Normal
     ==============================================

     Content of fixlist:
     *****************
     Start
     HKLM\...\Run: [unattend0000000001{BFA3D12B-66DD-4617-923A-E864BC7D20B5}] => C:\Windows\test.bat
     C:\Windows\test.bat
     HKLM-x32\...\Run: [] => [X]
     HKU\S-1-5-21-3805995526-3241524187-455054265-1002\...\MountPoints2: {15176a33-4c0c-11e1-a970-4437e62020c4} - "E:\WD SmartWare.exe" autoplay=true
     HKU\S-1-5-21-3805995526-3241524187-455054265-1002\...A8F59079A8D5}\localserver32: <==== ATTENTION!
     C:\Users\Larry\AppData\Local\Temp\MSETUP4.EXE
     C:\Users\Larry\AppData\Local\Temp\SearchWithGoogleUpdate.exe
     Task: C:\windows\Tasks\Adobe Flash Player Updater.job => ?
     Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job => ?
     Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA.job => ?
     EmptyTemp:
     End
     *****************

     HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Unattend0000000001{BFA3D12B-66DD-4617-923A-E864BC7D20B5} => Value could not be deleted.
     "C:\Windows\test.bat" => File/Directory not found.
     HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value could not be deleted.
     "HKU\S-1-5-21-3805995526-3241524187-455054265-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{15176a33-4c0c-11e1-a970-4437e62020c4}" => Key not found.
     "HKCR\CLSID\{15176a33-4c0c-11e1-a970-4437e62020c4}" => Key not found.
     "HKU\S-1-5-21-3805995526-3241524187-455054265-1002\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key not found.
     "HKU\S-1-5-21-3805995526-3241524187-455054265-1002\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.
     C:\Users\Larry\AppData\Local\Temp\MSETUP4.EXE => Moved successfully.
     C:\Users\Larry\AppData\Local\Temp\SearchWithGoogleUpdate.exe => Moved successfully.
     Could not move "C:\windows\Tasks\Adobe Flash Player Updater.job" => Scheduled to move on reboot.
     Could not move "C:\windows\Tasks\GoogleUpdateTaskMachineCore.job" => Scheduled to move on reboot.
     Could not move "C:\windows\Tasks\GoogleUpdateTaskMachineUA.job" => Scheduled to move on reboot.
  9. Hello, I am experiencing the slowdowns and the Malwarebytes blocked messages for fff5ee.com and 95.215.1.57. I have run FRST and attached the logs. I could sure use some help. Thanks! Addition.txt FRST.txt