Noodlestein

Everything posted by Noodlestein

  1. Awesome, thanks a bunch for the help. I really do appreciate it.
  2. Awesome, it's running fine. I don't see the host process popping up anymore in the volume control, so I imagine that's fixed. So in MBAM, should I have it delete those two quarantined files?
  3. And the log from MBAM. I assume they're not bad since they're in quarantine files?
     Malwarebytes Anti-Malware 1.62.0.1300
     www.malwarebytes.org
     Database version: v2012.08.02.07
     Windows 7 Service Pack 1 x64 NTFS
     Internet Explorer 9.0.8112.16421
     Yuki Onna :: YUKIONNA-PC [administrator]
     Protection: Enabled
     8/2/2012 7:38:54 AM
     mbam-log-2012-08-02 (08-40-12).txt
     Scan type: Full scan (C:\|D:\|)
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 467676
     Time elapsed: 55 minute(s), 57 second(s)
     Memory Processes Detected: 0
     (No malicious items detected)
     Memory Modules Detected: 0
     (No malicious items detected)
     Registry Keys Detected: 0
     (No malicious items detected)
     Registry Values Detected: 0
     (No malicious items detected)
     Registry Data Items Detected: 0
     (No malicious items detected)
     Folders Detected: 0
     (No malicious items detected)
     Files Detected: 2
     C:\FRST\Quarantine\DAT9D5C.tmp.exe (Trojan.Phex.THAGen6) -> No action taken.
     C:\Users\Yuki Onna\Desktop\RK_Quarantine\DAT9D5C.tmp.exe.vir (Trojan.Phex.THAGen6) -> No action taken.
     (end)
  4. Done, and the log file. Hopefully everything went well. ComboFix.txt
  5. Yes, I just got done following it. I had issues with my BIOS as I couldn't find a repair, so I had to locate my Windows CD, which took much longer than I had hoped. In any case, here are the files. FRST.txt Search.txt
  6. Sorry if it came off as if I was upset, or if I upset you as well, as that was not my intent, and I do appreciate you taking your time to help me with my issue. I truly am appreciative. In any case, I have also removed uTorrent so it shouldn't cause any further issues.
  7. RogueKiller log:
     RogueKiller V7.6.4 [07/17/2012] by Tigzy
     mail: tigzyRK<at>gmail<dot>com
     Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Blog: http://tigzyrk.blogspot.com
     Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
     Started in : Normal mode
     User: Yuki Onna [Admin rights]
     Mode: Scan -- Date: 08/02/2012 05:29:08
     ¤¤¤ Bad processes: 1 ¤¤¤
     [SUSP PATH] DAT9D5C.tmp.exe -- C:\Users\YUKION~1\AppData\Local\Temp\DAT9D5C.tmp.exe -> KILLED [TermProc]
     ¤¤¤ Registry Entries: 5 ¤¤¤
     [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
     [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
     [ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Yuki Onna\AppData\Local\{bbef532c-91fd-9765-4494-451f599585da}\n.) -> FOUND
     [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
     ¤¤¤ Particular Files / Folders: ¤¤¤
     [ZeroAccess][FILE] @ : c:\windows\installer\{bbef532c-91fd-9765-4494-451f599585da}\@ --> FOUND
     [ZeroAccess][FOLDER] U : c:\windows\installer\{bbef532c-91fd-9765-4494-451f599585da}\U --> FOUND
     [ZeroAccess][FOLDER] L : c:\windows\installer\{bbef532c-91fd-9765-4494-451f599585da}\L --> FOUND
     [ZeroAccess][FILE] @ : c:\users\yuki onna\appdata\local\{bbef532c-91fd-9765-4494-451f599585da}\@ --> FOUND
     [ZeroAccess][FOLDER] U : c:\users\yuki onna\appdata\local\{bbef532c-91fd-9765-4494-451f599585da}\U --> FOUND
     [ZeroAccess][FOLDER] L : c:\users\yuki onna\appdata\local\{bbef532c-91fd-9765-4494-451f599585da}\L --> FOUND
     ¤¤¤ Driver: [NOT LOADED] ¤¤¤
     ¤¤¤ Infection : ZeroAccess ¤¤¤
     ¤¤¤ HOSTS File: ¤¤¤
     127.0.0.1 3dns.adobe.com 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com activate.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.wip.adobe.com
     127.0.0.1 activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com adobe-dns-3.adobe.com adobe-dns-4.adobe.com
     127.0.0.1 adobeereg.com practivate.adobe practivate.adobe.com practivate.adobe.newoa practivate.adobe.ntp practivate.adobe.ipp ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com
     127.0.0.1 ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com
     127.0.0.1 www.adobeereg.com wwis-dubc1-vip60.adobe.com www.wip.adobe.com www.wip1.adobe.com
     127.0.0.1 www.wip2.adobe.com www.wip3.adobe.com www.wip4.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net
     ¤¤¤ MBR Check: ¤¤¤
     +++++ PhysicalDrive0: WDC WD1600JS-75NCB1 ATA Device +++++
     --- User ---
     [MBR] ead600fe48778e0a1597305584b1e8d9
     [BSP] 3e7564a16314eedcfdb13b7a54325ed2 : Windows 7 MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
     1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 152485 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!
     +++++ PhysicalDrive1: ST3300622AS ATA Device +++++
     --- User ---
     [MBR] 07892dcc05f6682b15f7e22933ca05b4
     [BSP] e24cb1d96bb0435339ae2e20363bf06b : Windows XP MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 286157 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!
     Finished : << RKreport[1].txt >>
     RKreport[1].txt
  8. Thank you for the quick response. As for uTorrent, not all P2P is used for pirating. The last thing I used it for was to download DayZ updates (Arma II mod). I personally have a decent enough income to purchase any games I want to play (whether you want to believe it or not). In any case, to not cause any issues with this site I'll uninstall it; no skin off my back, etc. I'll go get RogueKiller. In the meantime, MBAM just finished its scan again and these roots are still there after restarting/telling it to delete them.
     Malwarebytes Anti-Malware 1.62.0.1300
     www.malwarebytes.org
     Database version: v2012.08.02.04
     Windows 7 Service Pack 1 x64 NTFS
     Internet Explorer 9.0.8112.16421
     Yuki Onna :: YUKIONNA-PC [administrator]
     Protection: Enabled
     8/2/2012 4:03:25 AM
     mbam-log-2012-08-02 (05-21-18).txt
     Scan type: Full scan (C:\|D:\|)
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 472506
     Time elapsed: 1 hour(s), 15 minute(s), 28 second(s)
     Memory Processes Detected: 0
     (No malicious items detected)
     Memory Modules Detected: 0
     (No malicious items detected)
     Registry Keys Detected: 0
     (No malicious items detected)
     Registry Values Detected: 0
     (No malicious items detected)
     Registry Data Items Detected: 0
     (No malicious items detected)
     Folders Detected: 0
     (No malicious items detected)
     Files Detected: 2
     C:\Windows\System32\drivers\str.sys (Rootkit.Agent) -> No action taken.
     C:\Windows\SysWOW64\drivers\str.sys (Rootkit.Agent) -> No action taken.
     (end)
  9. Ended up waking up this morning to some god-awful music playing from my PC. I assumed it was some SC2 stream I had left open, only to realize that the volume mixer was showing multiple instances of "Host Process for Windows Services". After this happened I ran MBAM to find out what it was, and after the scan it came up with a few trojans, so I had them deleted (restart required). After the restart I am still seeing host processes inside the volume mixer, so I can only assume that it's still not quite taken care of. Screen of the VM. (Over time more and more host processes will show up.) DDS.txt Attach.txt
  10. Sorry for the double post, but the edit button suddenly disappeared and one of the images wasn't linked properly.
  11. First off, my apologies if this isn't the right area to be posting this in. Anyways, over the past couple of weeks I've been noticing my computer slowing down at random times, only to look through my processes to find "msi___.exe" (don't quite remember all of it, standard install file), Hotfixinstaller.exe, and another one that starts with ND______.*. I've always force-quit the process since it never got anywhere; about the 5th time it came up I let it run its course just to see if anything would happen, and nothing ever did. This is being downloaded and attempting to install without me telling it to do so. Also, the "temp" files are being saved onto my slave hard drive, which I do not believe any normal Windows update saves itself to. Some screenshots of the dirs and what's inside them: not all the folders have the exact same files in them, but they all have at least one of the same (I assume when I would quit the progress it would stop wherever it was (clearly)). I know they have something to do with .NET Framework (or so I've read), and I recently did a Windows update and had nothing left to install. -edit- Oh, my system stuff might be useful ;P Microsoft Windows XP Pro Service Pack 3, AMD Sempron 2600+ (ew) 1.76GHz, 2GB Kingston
  12. So, I was just infected by Antivir Solution Pro (used the deletemalware.blogspot.com/2010/07/how-to-remove-antivir-solution-pro.html guide to help me get rid of it). Anyways, I did what the guide said, ran Malwarebytes in safe mode, etc. Now I can access stuff again, and I went looking through my "msconfig/startup" after running Malwarebytes again and found 4 items in there that I know I didn't put on here. rundll32 "zgiup" (what tipped me off, saying that it couldn't find the file to run when starting up.. assumed MB got rid of it). Then there's:
     mgiup (C:\Windows\System32\mgiup.exe)
     jr1o0rtb3.exe (C:\Docume~1\-user-\Locals~1\Temp\jr1o0rtb3.exe)
     mswxtnd (RUNDLL32.EXE C:\WINDOWS\system32\mswyxtnd.dll,w)
     etugiyelov (rundll32.exe "C:\WINDOWS\etugiyelov.dll",Startup)
     So what should I do? I turned them off at startup. I've kept the files in case someone wants me to look at them with something or wants me to give them to them so they can check them out. First time doing this. I wasn't able to get "DDS.SRC" to work properly since it's not recognized by Windows or something like that, so it only has the GMER logs in it. attach.zip
  13. I've been doing what it says; I got to the "Download DDS" part, but none of the files are exes or anything that my computer will run. I have both dds.src & dds.com on my desktop; the third one just took me to a page with a bunch of random symbols... what do I do?