Jump to content

I believe i'm infected, here are my DOS logs etc


Zynpol

Recommended Posts

:welcome: I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear. :)

Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the C:\ComboFix.txt in your next reply for further review.

=====

Also, please download Malwarebytes Anti-Rootkit here.

  • Unzip the contents to a folder on the Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe ( right-click and select Run as administrator for Vista and Windows 7).
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Please post the two logs produced.

Please note: This tool is still in BETA mode, so please ensure you have backed up any important files.

=====

In your reply I would like to see the contents of the following logs (please do not attach):

  • ComboFix.txt.
  • MBAR logs.

How is the computer running now?

Link to post
Share on other sites

Hello Zynpol,

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com).

  • There are 3 different versions. If one of them won't run then download and try to run the other one.
  • Vista and Win7 users need to right click and choose Run as Admin.
  • You only need to get one of them to run, not all of them.

rkill.exe

rkill.com

rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the Desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

Before proceeding any further the processes that belong to Windows Recovery need to be terminated so that it does not interfere with the cleaning procedure.

Double-click on the RKill.exe icon in order to automatically attempt to stop any processes associated with Windows Recovery and other Rogue programs.

===

Please do not reboot your computer.

Then try running the two tools.

Link to post
Share on other sites

I still cannot run either program

Here is my rkill log

Rkill 2.4.6 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2013 BleepingComputer.com

More Information about Rkill can be found at this link:

http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/18/2013 03:25:49 PM in x64 mode.

Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Backup Registry file created at:

C:\Users\user\Desktop\rkill\rkill-01-18-2013-03-25-55.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.

Startup Type set to: Automatic (Delayed Start)

* Security Center (wscsvc) is not Running.

Startup Type set to: Automatic (Delayed Start)

* Windows Update (wuauserv) is not Running.

Startup Type set to: Automatic (Delayed Start)

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 3dns.adobe.com

127.0.0.1 3dns-1.adobe.com

127.0.0.1 3dns-2.adobe.com

127.0.0.1 3dns-3.adobe.com

127.0.0.1 3dns-4.adobe.com

127.0.0.1 3dns-5.adobe.com

127.0.0.1 activate.adobe.com

127.0.0.1 activate.wip1.adobe.com

127.0.0.1 activate.wip2.adobe.com

127.0.0.1 activate.wip3.adobe.com

127.0.0.1 activate.wip4.adobe.com

127.0.0.1 activate-sea.adobe.com

127.0.0.1 activate-sjc0.adobe.com

127.0.0.1 adobe-dns.adobe.com

127.0.0.1 adobe-dns-1.adobe.com

127.0.0.1 adobe-dns-2.adobe.com

127.0.0.1 adobe-dns-3.adobe.com

127.0.0.1 adobe-dns-4.adobe.com

127.0.0.1 adobeereg.com

127.0.0.1 ereg.adobe.com

20 out of 136 HOSTS entries shown.

Please review HOSTS file for further entries.

Program finished at: 01/18/2013 03:26:05 PM

Execution time: 0 hours(s), 0 minute(s), and 15 seconds(s)

Link to post
Share on other sites

Hello Zynpol,

No. It could be that malware is blocking these tools.

Please download to the Desktop RogueKiller (by tigzy).

  • Please quit all programs.
  • Start RogueKiller.exe.
  • Wait until Prescan has finished.
  • Click on Scan.
  • Click on Report and copy/paste the contents of the report in your next reply.

Link to post
Share on other sites

That worked

Here is the report from RogueKiller

RogueKiller V8.4.3 _x64_ [Jan 10 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : user [Admin rights]

Mode : Scan -- Date : 01/18/2013 23:00:15

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤

[HJPOL] HKCU\[...]\Services\Microsoft\System : disableregistrytools (0) -> FOUND

[HJ] HKLM\[...]\Services\Microsoft\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\Services\Microsoft\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\Services\Microsoft\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\Services\Microsoft\System : EnableLUA (0) -> FOUND

[HJ DESK] HKLM\[...]\Services\Microsoft\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\Services\Microsoft\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 3dns.adobe.com

127.0.0.1 3dns-1.adobe.com

127.0.0.1 3dns-2.adobe.com

127.0.0.1 3dns-3.adobe.com

127.0.0.1 3dns-4.adobe.com

127.0.0.1 3dns-5.adobe.com

127.0.0.1 activate.adobe.com

127.0.0.1 activate.wip1.adobe.com

127.0.0.1 activate.wip2.adobe.com

127.0.0.1 activate.wip3.adobe.com

127.0.0.1 activate.wip4.adobe.com

127.0.0.1 activate-sea.adobe.com

127.0.0.1 activate-sjc0.adobe.com

127.0.0.1 adobe-dns.adobe.com

127.0.0.1 adobe-dns-1.adobe.com

127.0.0.1 adobe-dns-2.adobe.com

127.0.0.1 adobe-dns-3.adobe.com

127.0.0.1 adobe-dns-4.adobe.com

127.0.0.1 adobeereg.com

127.0.0.1 ereg.adobe.com

[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST1000DM003-9YN162 ATA Device +++++

--- User ---

[MBR] 07cf6788afff5590bbc7eaa0a225c717

[bSP] 3fb9bf4f479c9e087f690bf22a37e901 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 425000 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 870402048 | Size: 528866 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_01182013_02d2300.txt >>

RKreport[1]_S_01182013_02d2300.txt

Link to post
Share on other sites

Zynpol,

My apologies for the delay as I was without internet these past two days.

  • Please re-run RogueKiller.
  • Click on the Delete button.
  • The report has been created on the Desktop. Please post it in your reply.

Then, please try ComboFix.

Link to post
Share on other sites

  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.