
Help removing Trojan.Ransom and PUM.UserWLoad



Repost, since I mistakenly posted this in the General Forum (sorry, admins, I panicked and hadn't read all the rules here).

Hi, I'm a newbie and not computer savvy.

Last night while using my laptop, I found out that since March 24th my Avira antivirus's automatic update has been failing, and it still won't update automatically. Since I got a BSoD on the same day, I thought maybe it was because I did a System Recovery. So then I did the update manually and, for safety, ran it.

It came back with 2 viruses, whose names I really forgot since I just clicked remove. Then I ran Malwarebytes and it found 2 trojans/viruses: Trojan.Ransom and PUM.UserWLoad. I removed them right away. After restarting my computer, I ran HitmanPro and Malwarebytes again. HitmanPro came back clean, but in Malwarebytes those 2 were back again. I removed them, restarted my computer and scanned it again, and both Trojan.Ransom and PUM.UserWLoad keep coming back. I have done this 3 times.

I have uninstalled Avira (since it still failed to update automatically) and installed Avast, and I have also installed RogueKiller. Here are the results:

Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org

Database version: v2013.03.29.01

Windows 7 x86 NTFS

Internet Explorer 8.0.7600.16385

maria :: MARIA-PC [administrator]

3/29/2013 12:20:07 PM

mbam-log-2013-03-29 (12-20-07).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 191348

Time elapsed: 4 minute(s), 39 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 2

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\maria\LOCALS~1\Temp\msoufzi.bat -> Delete on reboot.

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Data: C:\Users\maria\LOCALS~1\Temp\msoufzi.bat -> Delete on reboot.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

I ran RogueKiller; here's the result:

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo...13-roguekiller/

Website : http://tigzy.geeksto...roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 32 bits version

Started in : Normal mode

User : maria [Admin rights]

Mode : Scan -- Date : 03/29/2013 12:28:55

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 12 ¤¤¤

[RUN][sUSP PATH] HKCU\[...]\Run : Insomnia Live (C:\Users\maria\qzcxotl.exe) [x] -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : QzcxOTlGRkZFNjg4RjVGQ0 (C:\ProgramData\kmmmoanh.exe) [x] -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3632183951-932135029-350098339-1000[...]\Run : Insomnia Live (C:\Users\maria\qzcxotl.exe) [x] -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3632183951-932135029-350098339-1000[...]\Run : QzcxOTlGRkZFNjg4RjVGQ0 (C:\ProgramData\kmmmoanh.exe) [x] -> FOUND

[sHELL][sUSP PATH] HKCU\[...]\Windows : Load (C:\Users\maria\Local Settings\Temp\msoufzi.bat) [x] -> FOUND

[sHELL][sUSP PATH] HKUS\S-1-5-21-3632183951-932135029-350098339-1000[...]\Windows : Load (C:\Users\maria\Local Settings\Temp\msoufzi.bat) [x] -> FOUND

[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{756A48EC-DCE8-4153-B027-94306FA03BCE} : NameServer (202.134.0.155,208.67.222.222) -> FOUND

[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{756A48EC-DCE8-4153-B027-94306FA03BCE} : NameServer (202.134.0.155,208.67.222.222) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND

[HJ DESK] HKCU\[...]\NewStartPanel : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9250315AS ATA Device +++++

--- User ---

[MBR] 428f8d519c5427dc22265cec51d1a069

[bSP] c8496c40e90cbc7dfd19b1c9015414c6 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 49900 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 102402048 | Size: 188472 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_03292013_02d1228.txt >>

RKreport[1]_S_03292013_02d1228.txt

Please help me, and pardon me for my poor English.

Attached Files

dds.txt

attach.txt

RKreport1_S_03292013_02d1228.txt


Hi there, and no worries. I also missed that you posted in the wrong subforum. It happens.

I replied to your topic, so please follow the instructions outlined in your first topic :)

http://forums.malwarebytes.org/index.php?showtopic=124409&view=findpost&p=662319

(note: I have to go to bed now, it was a long night shift for me)


Hi..

Yes, I'm sorry.

I went to the link you provided, but I can't copy-paste it since it brought me to choose from my C folder. When I tried to copy-paste, it just typed A366641351.exe only. I tried to look for c:\users\maria\appdata\roaming\microsoft\windows\start menu\programs\startup\A366641351.exe, but it seems it doesn't exist.

But I tried to scan A366641351.exe and here is the result:

SHA256: 3168d495ac5954cc549589d583e6b335835de8ada3c6003292d0cda56a265590
SHA1: 487412d06e299fe0af47ccb932e78662d4ebb9bf
MD5: bdc16e98ea13b1ebebcf49385394f05b
File size: 31.3 KB ( 32064 bytes )
File name: CVTRES.EXE
File type: Win32 EXE
Detection ratio: 0 / 46
Analysis date: 2013-03-29 06:04:04 UTC ( 1 minute ago )

I hope I didn't make any mistakes. Sorry if I did. And thank you for so kindly replying to me even though you are so tired already.


Good Morning (well, 5pm here :D)

Okay, let's see if the file will be detected by our tools; otherwise I need a copy of it.

Download ComboFix from this location:

Link 1

* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================

Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to this topic How to disable your security applications

====================================================

Double click on combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

*Note - if after running ComboFix you see a message similar to 'registry key marked for deletion..' rebooting the machine will resolve that.


Um.. I can't seem to find 'Stop On-Access protection' in Avast. I thought I had already disabled it, but when I clicked OK in ComboFix it gave me a warning that it hasn't been turned off. So I'm afraid to click OK in ComboFix. I just downloaded Avast this morning...


Hi there. Please right-click on the system tray icon (it should look like an "A" as far as I know) and click 'Stop on-access protection'.

Re-run ComboFix. If it still gives you the warning, simply click OK.


Hi..

Just found out how.. it seems I need to disable the shield from the system tray =)

Here's the result:

ComboFix 13-03-28.01 - maria 03/29/2013 23:40:15.1.2 - x86

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.62.1033.18.1979.838 [GMT 7:00]

Running from: c:\users\maria\ComboFix.exe

AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}

SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\maria\7z920.exe

c:\users\maria\AppData\Roaming\A366641351.exe

c:\users\maria\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A366641351.exe

c:\users\maria\avast_free_antivirus_setup.exe

c:\users\maria\avira_free_antivirus.exe

c:\users\maria\avira_free_antivirus_en.exe

c:\users\maria\bluescreenview_setup.exe

c:\users\maria\ccsetup400.exe

c:\users\maria\ComboFix.exe

c:\users\maria\dds.com

c:\users\maria\Documents\~WRL1779.tmp

c:\users\maria\Documents\~WRL2240.tmp

c:\users\maria\Documents\~WRL2498.tmp

c:\users\maria\GOMPLAYERENSETUP.EXE

c:\users\maria\HitmanPro.exe

c:\users\maria\iTunesSetup.exe

c:\users\maria\mbam-setup-1.70.0.1100.exe

c:\users\maria\mp3cutter.exe

c:\users\maria\RogueKiller.exe

c:\users\maria\sendspace_downloader_uy2eji.exe

c:\users\maria\SkypeSetupFull.exe

c:\users\maria\vlc-2.0.5-win32.exe

C:\x

c:\x\6. PAPI (Perception and Preference Inventory ).ppt

c:\x\alat tes.pptx

c:\x\Coon_11.ppt

c:\x\papi lbr jwban large.jpg

c:\x\papi lbr jwban.jpg

c:\x\PENAWARAN IBU RINI.xls

c:\x\Penawaran Ibu Titiek Soeharto.xlsx

c:\x\Personality_Ch8.doc

c:\x\rochassesscrosscult.ppt

c:\x\scorecard papi large.jpg

c:\x\scorecard papi.jpg

c:\x\transfer stie trisakti.doc

.

.

((((((((((((((((((((((((( Files Created from 2013-02-28 to 2013-03-29 )))))))))))))))))))))))))))))))

.

.

2013-03-29 16:47 . 2013-03-29 16:47 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-03-29 08:13 . 2013-03-29 08:13 -------- d-----w- c:\users\maria\AppData\Roaming\Avira

2013-03-29 08:12 . 2013-03-29 08:11 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys

2013-03-29 08:12 . 2013-03-29 08:11 84744 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2013-03-29 08:12 . 2013-03-29 08:11 135136 ----a-w- c:\windows\system32\drivers\avipbb.sys

2013-03-29 08:12 . 2013-03-29 08:12 -------- d-----w- c:\programdata\Avira

2013-03-29 08:12 . 2013-03-29 08:12 -------- d-----w- c:\program files\Avira

2013-03-29 07:53 . 2013-03-29 07:53 -------- d-----w- c:\program files\Common Files\Skype

2013-03-29 04:57 . 2013-03-06 23:33 368176 ----a-w- c:\windows\system32\drivers\aswSP.sys

2013-03-29 04:57 . 2013-03-06 23:33 29816 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2013-03-29 04:57 . 2013-03-06 23:33 60656 ----a-w- c:\windows\system32\drivers\aswRdr2.sys

2013-03-29 04:57 . 2013-03-06 23:33 765736 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2013-03-29 04:57 . 2013-03-06 23:33 62376 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2013-03-29 04:57 . 2013-03-06 23:33 164736 ----a-w- c:\windows\system32\drivers\aswVmm.sys

2013-03-29 04:57 . 2013-03-06 23:33 49248 ----a-w- c:\windows\system32\drivers\aswRvrt.sys

2013-03-29 04:57 . 2013-03-06 23:33 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2013-03-29 04:57 . 2013-03-06 23:32 228600 ----a-w- c:\windows\system32\aswBoot.exe

2013-03-29 04:56 . 2013-03-06 23:32 41664 ----a-w- c:\windows\avastSS.scr

2013-03-29 04:56 . 2013-03-29 04:56 -------- d-----w- c:\program files\AVAST Software

2013-03-29 04:55 . 2013-03-29 04:56 -------- d-----w- c:\programdata\AVAST Software

2013-03-28 16:38 . 2013-03-29 04:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-03-28 16:38 . 2012-12-14 09:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-03-25 18:06 . 2013-03-25 18:06 -------- d-----w- c:\program files\NirSoft

2013-03-21 12:12 . 2013-03-21 12:12 -------- d-----w- c:\program files\7-Zip

2013-03-17 17:51 . 2013-03-29 16:00 -------- d-----w- c:\users\maria\AppData\Roaming\vlc

2013-03-17 17:51 . 2013-03-17 17:51 -------- d-----w- c:\program files\VideoLAN

2013-03-01 18:56 . 2013-03-29 07:53 -------- d-----r- c:\program files\Skype

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-15 03:00 . 2011-04-18 13:00 1384479 ----a-w- c:\program files\msvbvm60.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{83BD144C-5E53-4E12-8E99-5A7F1BBF3EA0}]

2010-03-12 14:16 815104 ----a-w- c:\program files\Video Download Toolbar\v3.3.0.3\Video_Download_Toolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{E52BE12D-A44A-4F51-9DC1-34F37A488CC7}"= "c:\program files\Video Download Toolbar\v3.3.0.3\Video_Download_Toolbar.dll" [2010-03-12 815104]

.

[HKEY_CLASSES_ROOT\clsid\{e52be12d-a44a-4f51-9dc1-34f37a488cc7}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{E52BE12D-A44A-4F51-9DC1-34F37A488CC7}"= "c:\program files\Video Download Toolbar\v3.3.0.3\Video_Download_Toolbar.dll" [2010-03-12 815104]

.

[HKEY_CLASSES_ROOT\clsid\{e52be12d-a44a-4f51-9dc1-34f37a488cc7}]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2013-03-06 23:32 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-12 39408]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-02-16 5244216]

"Software Informer"="c:\program files\Software Informer\softinfo.exe" [2010-06-28 2322501]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-02-28 18672232]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-12-14 824232]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-03-06 4767304]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2013-03-29 345312]

.

c:\users\maria\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

ViiKiiDesktopPlugin.lnk - [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux1"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]

@=""

.

R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]

R3 aswVmm;aswVmm; [x]

R3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]

S0 aswRvrt;aswRvrt; [x]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x]

S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [x]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]

S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]

.

.

Contents of the 'Scheduled Tasks' folder

.

2013-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-12 15:04]

.

2013-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-12 15:04]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.bigseekpro.com/videodownloadtoolbar/{178F6920-22BE-4CF0-A6D0-2F4A0A74D66A}

IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

TCP: DhcpNameServer = 202.73.99.4 61.247.0.2 202.73.99.2 61.247.0.4

TCP: Interfaces\{756A48EC-DCE8-4153-B027-94306FA03BCE}: NameServer = 202.134.0.155,208.67.222.222

FF - ProfilePath - c:\users\maria\AppData\Roaming\Mozilla\Firefox\Profiles\ihkzovo3.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2463487&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.id/

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}

FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)

WebBrowser-{1392B8D2-5C05-419F-A8F6-B9F15A596612} - (no file)

HKCU-Run-EasyDVDMon - (no file)

HKCU-Run-fsm - (no file)

HKCU-Run-Insomnia Live - c:\users\maria\qzcxotl.exe

HKCU-Run-QzcxOTlGRkZFNjg4RjVGQ0 - c:\programdata\kmmmoanh.exe

HKLM-Run-WinampAgent - c:\program files\Winamp 5.58\winampa.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-3632183951-932135029-350098339-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A9CE7AE9-4CA2-7E2A-BDF0-13773A9A8A2D}*]

"hadpadnlkekkiahp"=hex:69,61,6e,67,65,63,69,70,6c,6b,67,6b,6d,6c,67,6d,69,62,

00,dc

"gakmcdejejgmdh"=hex:61,63,68,61,6c,64,67,64,6e,70,63,67,67,67,6d,70,61,6a,66,

6d,62,6b,6c,6f,61,63,6c,69,70,6e,67,67,6d,63,6c,69,6d,6d,6f,6b,6b,64,6e,69,\

"iajnkcomhgmhnfoldc"=hex:6a,61,6d,67,6c,63,61,61,66,6b,64,6e,6f,6d,6f,63,6e,63,

70,69,00,00

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-03-29 23:49:31

ComboFix-quarantined-files.txt 2013-03-29 16:49

.

Pre-Run: 26,584,682,496 bytes free

Post-Run: 26,546,790,400 bytes free

.

- - End Of File - - C7A908C0FB7B7B09DE41439AE50F7657

Umm.. I just saw some new folders on my C: drive (Config.Msi, Qoobox). Are those folders normally added after we run ComboFix? And I noticed it deleted programs/files like BlueScreenView, HitmanPro, RogueKiller, etc. Does that mean I have to download all of those again?

Thx.

PS: can I enable my antivirus again now?
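As an added example (not code from this thread or from any of the tools it mentions), here is a Python script that parses the autostart entries from the three report formats posted in this thread (Malwarebytes' "Registry Values Detected", RogueKiller's [RUN]/[SHELL] lines and ComboFix's "Reg Loading Points") and flags the ones a responder would look at first: the legacy Windows\Load value (what Malwarebytes calls PUM.UserWLoad) and Run entries pointing into Temp, the user profile root or ProgramData. The sample lines are copied from the logs above; the path heuristics are my own assumptions, not the tools' detection logic.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: autostart lines copied from the Malwarebytes,
# RogueKiller and ComboFix reports posted in this thread, embedded here so
# the script runs offline. The [DNS] line shows that non-autostart entries
# are ignored; the ComboFix section header sets the key for the lines below it.
SAMPLE_LOG = r"""
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\maria\LOCALS~1\Temp\msoufzi.bat -> Delete on reboot.
[RUN][sUSP PATH] HKCU\[...]\Run : Insomnia Live (C:\Users\maria\qzcxotl.exe) [x] -> FOUND
[RUN][sUSP PATH] HKCU\[...]\Run : QzcxOTlGRkZFNjg4RjVGQ0 (C:\ProgramData\kmmmoanh.exe) [x] -> FOUND
[sHELL][sUSP PATH] HKCU\[...]\Windows : Load (C:\Users\maria\Local Settings\Temp\msoufzi.bat) [x] -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{756A48EC-DCE8-4153-B027-94306FA03BCE} : NameServer (202.134.0.155,208.67.222.222) -> FOUND
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-12 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-02-28 18672232]
"""

# Malwarebytes "Registry Values Detected" line: key|value (detection) -> Data: path -> action
MBAM_RE = re.compile(
    r"^(?P<key>HK[A-Z]+\\[^|]+)\|(?P<name>[^ ]+) \((?P<detection>[^)]+)\) -> Data: (?P<path>.+?) -> ")
# RogueKiller registry line: [CATEGORY][flag] key : name (path) [x] -> FOUND
RK_RE = re.compile(
    r"^\[(?P<cat>[A-Z]+)\](?:\[[^\]]*\])? (?P<key>HK[A-Z0-9.\-\\\[\]]+?) : (?P<name>.+?) \((?P<path>.+)\) \[x\] -> FOUND$",
    re.IGNORECASE)
# ComboFix "Reg Loading Points": a [HKEY_...] header followed by "name"="path" [date size] lines
CF_SECTION_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
CF_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[')

SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1")


@dataclass
class Finding:
    source: str
    key: str
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def path_reasons(path: str) -> List[str]:
    """Heuristics (my own) for an autostart target path, based on the locations seen in this thread."""
    p = path.lower().replace("/", "\\")
    reasons = []
    if "\\temp\\" in p or "\\locals~1\\" in p:
        reasons.append("runs from a temp directory")
    if re.match(r"^[a-z]:\\users\\[^\\]+\\[^\\]+$", p):
        reasons.append("file sits directly in the user profile root")
    if re.match(r"^[a-z]:\\programdata\\[^\\]+$", p):
        reasons.append("file sits directly in ProgramData")
    if p.endswith(SCRIPT_EXT):
        reasons.append("autostart target is a script, not a program")
    return reasons


def entry_reasons(key: str, name: str, path: str) -> List[str]:
    reasons = path_reasons(path)
    # HKCU\...\Windows NT\CurrentVersion\Windows\Load is the legacy win.ini "load="
    # autostart; modern software rarely sets it, which is why MBAM reports it as PUM.UserWLoad.
    if key.lower().endswith("\\windows") and name.lower() == "load":
        reasons.append("uses the legacy Windows\\Load autostart value")
    return reasons


def analyze(text: str) -> List[Finding]:
    """Parse the three report formats and return one Finding per autostart entry."""
    findings: List[Finding] = []
    section = ""  # current [HKEY_...] header while inside a ComboFix report
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = CF_SECTION_RE.match(line)
        if sec:
            section = sec.group("key")
            continue
        for source, rx in (("malwarebytes", MBAM_RE), ("roguekiller", RK_RE), ("combofix", CF_RE)):
            m = rx.match(line)
            if m:
                g = m.groupdict()
                key = g.get("key") or section
                findings.append(Finding(source, key, g["name"], g["path"],
                                        entry_reasons(key, g["name"], g["path"])))
                break
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"[{flag}] {f.source}: {f.key} -> {f.name} = {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, the four entries the tools flagged come out suspicious and the two Run entries under Program Files come out clean.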


Hi there.

Yes, these folders are OK.

What's this one? C:\x

There is a reason why ComboFix deleted these files. No .exe file has any business being in the Users folder, and it is a common location for malware.

It looks to me like all your downloads are saved in this folder. Not a good idea ;)

Why did you install Avira?

Do not run any other scans without instruction, or add/remove software, unless I tell you to do so. This would change the output of our tools and could be confusing for me.

Running from: c:\users\maria\ComboFix.exe

* IMPORTANT- Save ComboFix.exe to your Desktop

Do me and yourself a favor and carefully follow my instructions.

I see more than one antivirus program installed. In your case Avast and Avira.

Having 2 AVs may sound great, but they can cause conflicts with each other, can lead to system slow-downs, instability and crashes, and will provide less protection, not more.

So I highly recommend uninstalling one of them via Start > Control Panel > Add / Remove Programs and letting me know which one you have removed.

I notice you have Malwarebytes' Anti-Malware installed on your machine. Please launch the program and select the update tab, then click on the check for updates button.

  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop.

Note: Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.


Hi..

Oh, about Avira, I really forgot to tell you: I was telling my best friend about the problem I have and about how Avira won't/failed to update. I told her I uninstalled Avira because of that. It turns out that while I was in the shower, she re-installed Avira (my computer was on when she was here). I meant to ask you whether I should uninstall it again or just let it be, since I'm afraid that if I uninstalled it, it would make another change, and yes, I do remember you told me not to make any changes. That's why I let it be and didn't make any changes. I really forgot to tell you about it and to ask you. Sorry.

And about ComboFix, I thought the ComboFix you meant was supposed to be the result file that I should put on the desktop (like dds.txt). That's why after I downloaded it, I just clicked Run and saved it to Program Files. But soon after it finished running, I realised ComboFix wasn't on the desktop, and that the .exe you meant was the program, not the result. So I downloaded it again and looked up how to put it on the desktop (which I just found out how to do). Sorry. I never really put any programs on the desktop. I only put program shortcuts and the Recycle Bin there.

I'm really sorry. Like I said, I'm not computer savvy.

Here's the result from Malwarebytes:

Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org

Database version: v2013.03.29.01

Windows 7 x86 NTFS

Internet Explorer 8.0.7600.16385

maria :: MARIA-PC [administrator]

3/30/2013 3:00:25 AM

mbam-log-2013-03-30 (03-00-25).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 200558

Time elapsed: 4 minute(s), 31 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Um, about the antivirus, do you know which one I should uninstall? Avira or Avast?

Thank you, and please pardon me for any mistakes I made.


No problem. I don't want to sound offended in any way. Every one of us had a time when we were not computer savvy. Experts too, and I can still remember that time :D

About the antivirus, do you know which one I should uninstall? Avira or Avast?

Of these two, I recommend keeping Avast. Avira cooperates with some companies that a lot of experts, MVPs... discussed for a long time, and we decided not to recommend Avira anymore.

I still need to know if you need this folder C:\x (never name folders like this; when you are looking for the docs inside, you may search a little bit longer. Give all folders a unique name. It is only a hint.)

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right-click on their Internet Explorer shortcut and select Run as Administrator.

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.


Hi. Thank you for your understanding =)

C:\x is a folder containing various documents I was planning to read someday. Not really important. It's just that it was named X on my work computer and I didn't change the name when I copied it to my computer.

And here's the result from ESET:

C:\Qoobox\Quarantine\C\Users\maria\avira_free_antivirus_en.exe.vir a variant of Win32/Bundled.Toolbar.Ask application

C:\Users\maria\fdminst.exe Win32/OpenCandy application

C:\Users\maria\OrbitSetup4.1.01.exe Win32/OpenCandy application

C:\Users\maria\AppData\Local\Temp\AskSLib.dll a variant of Win32/Bundled.Toolbar.Ask application

C:\Users\maria\AppData\Local\TempImages\AutoUpdate.exe a variant of Win32/Agent.SZW trojan

I mostly use Mozilla. That's why I followed your instructions for IE (run as administrator) and also installed esetsmartinstaller_enu.exe (I saved it to drive D:). The result is just the same as the one with IE.

Oh, after it finished, it asked if I wanted to uninstall ESET. I didn't know what to do so I just closed it. Should I uninstall it?

And thank you for the info about the antivirus. I have uninstalled Avira.

If it's OK with you, please help me with some questions:

- You said it wasn't a good idea to save installed programs in the Users folder. I usually try to save the installer in Program Files, but it says I can't and asks if I want to save it to the Users folder instead, so I just click yes. But when I install the program, it installs to the Program Files folder. My question is, where should I save the .exe program if the Users folder is not a wise place?

- After running ComboFix last time, I found that it not only added new folders on drive C: but also added new folders on drive D: ($RECYCLE.BIN and Config.Msi), and both are empty folders. Would it be fine if I deleted those 2?

- And ComboFix deleted a lot of my .exe files (mbam-setup-1.70.0.1100.exe, vlc-2.0.5-win32.exe, avast_free_antivirus_setup.exe, bluescreenview_setup.exe, ccsetup400.exe, ComboFix.exe, dds.com, HitmanPro.exe, mp3cutter.exe, RogueKiller.exe, SkypeSetupFull.exe, etc). Should I download and save those again?

Thank you for sticking with me =)


C:\x is a folder contain various file documents i was planning to read someday. not really importan

Let's restore them :)

Oh, after it finished, it asked if I wanted to uninstall ESET. I didn't know what to do so I just closed it. Should I uninstall it?

I am aware of this feature, but as far as I know, this will also delete the logfile if it has not been saved in a different location than the default one. Some users forget to save it :)

mbam-setup-1.70.0.1100.exe, vlc-2.0.5-win32.exe, avast_free_antivirus_setup.exe, bluescreenview_setup.exe, ccsetup400.exe, ComboFix.exe, dds.com, HitmanPro.exe, mp3cutter.exe, RogueKiller.exe, SkypeSetupFull.exe, etc

You don't need most of these files. Setup files are software installers, and a few of these tools you should not use without supervision.

but it also added new folder to Drive D: ($RECYCLE.BIN

So let me explain what this folder does.

You have this folder on each partition on your system, like C: and so on. If you delete a file on C:, it will be stored in the Recycler there, so if you choose "Restore", Windows knows which partition this file was on.

The same applies if you delete something from D:.

Do not delete anything if you don't know what it is.

I usually tried to save the installed program in Program Files

The Program Files directory only allows folders and not files ;)

Please look for this logfile and post its content here --> C:\Qoobox\ComboFix-quarantined-files.txt


Here's the log from C:\Qoobox\ComboFix-quarantined-files.txt:

2013-03-29 16:48:15 . 2013-03-29 16:48:15 145 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-WinampAgent.reg.dat

2013-03-29 16:48:14 . 2013-03-29 16:48:14 137 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-QzcxOTlGRkZFNjg4RjVGQ0.reg.dat

2013-03-29 16:48:14 . 2013-03-29 16:48:14 128 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Insomnia Live.reg.dat

2013-03-29 16:48:14 . 2013-03-29 16:48:14 89 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-fsm.reg.dat

2013-03-29 16:48:14 . 2013-03-29 16:48:14 96 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-EasyDVDMon.reg.dat

2013-03-29 16:48:13 . 2013-03-29 16:48:13 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{1392B8D2-5C05-419F-A8F6-B9F15A596612}.reg.dat

2013-03-29 16:48:10 . 2013-03-29 16:48:10 118 ----a-w- C:\Qoobox\Quarantine\Registry_backups\URLSearchHooks-{1392b8d2-5c05-419f-a8f6-b9f15a596612}.reg.dat

2013-03-29 16:44:31 . 2013-03-29 16:44:31 8,638 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2013-03-29 16:38:47 . 2013-03-29 16:40:15 62 ----a-w- C:\Qoobox\Quarantine\catchme.log

2013-03-29 16:07:08 . 2013-03-29 16:09:05 5,044,813 ----a-w- C:\Qoobox\Quarantine\C\Users\maria\ComboFix.exe.vir

2013-03-29 07:48:20 . 2013-03-29 07:48:23 2,092,792 ----a-w- C:\Qoobox\Quarantine\C\Users\maria\avira_free_antivirus.exe.vir

2013-03-29 05:00:09 . 2013-03-29 05:00:21 688,992 ----a-w- C:\Qoobox\Quarantine\C\Users\maria\dds.com.vir

2013-03-29 04:43:07 . 2013-03-29 04:52:16 111,691,960 ----a-w- C:\Qoobox\Quarantine\C\Users\maria\avast_free_antivirus_setup.exe.vir

2013-03-29 04:37:12 . 2013-03-29 04:41:09 10,156,344 ----a-w- C:\Qoobox\Quarantine\C\Users\maria\mbam-setup-1.70.0.1100.exe.vir

2013-03-29 01:18:50 . 2013-03-29 01:20:05 4,316,280 ----a-w- C:\Qoobox\Quarantine\C\Users\maria\ccsetup400.exe.vir

2013-03-27 14:50:51 . 2013-03-27 14:50:52 140,800 ----a-w- C:\Qoobox\Quarantine\C\Users\maria\bluescreenview_setup.exe.vir

2013-03-21 12:11:45 . 2013-03-21 12:11:58 1,110,476 ----a-w- C:\Qoobox\Quarantine\C\Users\maria\7z920.exe.vir

2013-03-17 16:41:01 . 2013-03-17 16:43:34 22,916,830 ----a-w- C:\Qoobox\Quarantine\C\Users\maria\vlc-2.0.5-win32.exe.vir

2013-03-17 09:10:37 . 2013-03-17 09:15:40 13,167,824 ----a-w- C:\Qoobox\Quarantine\C\Users\maria\GOMPLAYERENSETUP.EXE.vir

2013-03-01 18:53:53 . 2013-03-01 18:55:33 29,760,104 ----a-w- C:\Qoobox\Quarantine\C\Users\maria\SkypeSetupFull.exe.vir

2013-01-08 13:07:42 . 2009-06-10 21:22:50 32,064 ----a-w- C:\Qoobox\Quarantine\C\Users\maria\AppData\Roaming\A366641351.exe.vir

2013-01-08 13:07:42 . 2009-06-10 21:22:50 32,064 ----a-w- C:\Qoobox\Quarantine\C\Users\maria\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A366641351.exe.vir

2012-12-26 13:44:27 . 2013-02-23 15:44:04 8,984,048 ----a-w- C:\Qoobox\Quarantine\C\Users\maria\HitmanPro.exe.vir

2012-12-14 19:03:20 . 2012-12-14 19:23:04 105,603,488 ----a-w- C:\Qoobox\Quarantine\C\Users\maria\avira_free_antivirus_en.exe.vir

2012-10-01 18:39:37 . 2013-03-29 04:27:32 816,128 ----a-w- C:\Qoobox\Quarantine\C\Users\maria\RogueKiller.exe.vir

2011-03-13 09:38:18 . 2011-03-13 09:58:40 2,363,465 ----a-w- C:\Qoobox\Quarantine\C\Users\maria\iTunesSetup.exe.vir

2011-03-12 16:56:33 . 2011-03-12 17:11:57 44,544 ----a-w- C:\Qoobox\Quarantine\C\Users\maria\sendspace_downloader_uy2eji.exe.vir

2011-02-01 16:58:31 . 2011-02-01 17:17:09 2,611,865 ----a-w- C:\Qoobox\Quarantine\C\Users\maria\mp3cutter.exe.vir

2010-11-22 12:48:24 . 2010-11-22 12:48:26 43,520 ----a-w- C:\Qoobox\Quarantine\C\x\transfer stie trisakti.doc.vir

2010-09-01 16:27:37 . 2010-09-03 15:40:37 270,061 ----a-w- C:\Qoobox\Quarantine\C\x\scorecard papi large.jpg.vir

2010-09-01 16:25:30 . 2010-09-03 15:51:41 144,597 ----a-w- C:\Qoobox\Quarantine\C\x\papi lbr jwban large.jpg.vir

2010-08-21 21:15:02 . 2010-08-18 06:45:18 3,736,064 ----a-w- C:\Qoobox\Quarantine\C\x\PENAWARAN IBU RINI.xls.vir

2010-08-21 21:15:01 . 2009-07-10 09:41:02 7,092,440 ----a-w- C:\Qoobox\Quarantine\C\x\Penawaran Ibu Titiek Soeharto.xlsx.vir

2010-07-27 19:20:06 . 2010-07-27 19:20:11 80,310 ----a-w- C:\Qoobox\Quarantine\C\x\scorecard papi.jpg.vir

2010-07-27 19:19:51 . 2010-09-01 16:25:34 134,778 ----a-w- C:\Qoobox\Quarantine\C\x\papi lbr jwban.jpg.vir

2010-07-27 19:09:14 . 2010-07-27 19:09:14 193,024 ----a-w- C:\Qoobox\Quarantine\C\x\6. PAPI (Perception and Preference Inventory ).ppt.vir

2010-07-27 18:32:31 . 2010-07-27 18:32:31 56,321 ----a-w- C:\Qoobox\Quarantine\C\x\Personality_Ch8.doc.vir

2010-07-27 18:31:45 . 2010-07-27 18:31:45 530,432 ----a-w- C:\Qoobox\Quarantine\C\x\Coon_11.ppt.vir

2010-07-27 18:31:15 . 2010-07-27 18:31:15 241,152 ----a-w- C:\Qoobox\Quarantine\C\x\rochassesscrosscult.ppt.vir

2010-07-27 18:29:31 . 2010-07-27 18:29:33 2,010,625 ----a-w- C:\Qoobox\Quarantine\C\x\alat tes.pptx.vir

2010-06-22 16:52:21 . 2010-06-22 17:04:04 37,888 ----a-w- C:\Qoobox\Quarantine\C\Users\maria\Documents\~WRL1779.tmp.vir

2010-06-22 16:52:21 . 2010-06-22 16:59:38 33,280 ----a-w- C:\Qoobox\Quarantine\C\Users\maria\Documents\~WRL2240.tmp.vir

2010-06-22 16:52:21 . 2010-06-22 16:56:58 33,280 ----a-w- C:\Qoobox\Quarantine\C\Users\maria\Documents\~WRL2498.tmp.vir

and oh, you haven't answered me, if it wasn't a good idea to save .exe files in the User folders, what is a better way to save those? still on Drive C or on Drive D?

and thx for answering me. i just got confused with those 2 empty folders =)


if it wasn't a good idea to save .exe in User Folder

Creating your own folder for Downloads would be an idea. Which drive you save it on is up to you. I use C: only for system-related files and folders and D: for software, music and other non-system-related things.

Open notepad and copy/paste the text in the Code-box below into it:


DeQuarantine::
C:\Qoobox\Quarantine\C\x

  • Save this as CFScript.txt, in the same location as ComboFix.exe.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

(picture: CFScriptB-4.gif)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Please note any open issues :)


umm.. not really sure what you mean by any open issues. so far it seems my computer is just fine =)

here's the log you asked for, i hope i did it right :

ComboFix 13-03-28.01 - maria 04/01/2013 23:09:30.2.2 - x86

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.62.1033.18.1979.1217 [GMT 7:00]

Running from: c:\users\maria\Desktop\ComboFix.exe

Command switches used :: c:\users\maria\Desktop\CFScript.txt

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\x

c:\x\6. PAPI (Perception and Preference Inventory ).ppt

c:\x\alat tes.pptx

c:\x\Coon_11.ppt

c:\x\papi lbr jwban large.jpg

c:\x\papi lbr jwban.jpg

c:\x\PENAWARAN IBU RINI.xls

c:\x\Penawaran Ibu Titiek Soeharto.xlsx

c:\x\Personality_Ch8.doc

c:\x\rochassesscrosscult.ppt

c:\x\scorecard papi large.jpg

c:\x\scorecard papi.jpg

c:\x\transfer stie trisakti.doc

.

.

((((((((((((((((((((((((( Files Created from 2013-03-01 to 2013-04-01 )))))))))))))))))))))))))))))))

.

.

2013-04-01 16:15 . 2013-04-01 16:15 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp

2013-04-01 16:15 . 2013-04-01 16:15 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-03-30 23:47 . 2013-03-30 23:47 -------- d-----w- c:\program files\ESET

2013-03-29 07:53 . 2013-03-29 07:53 -------- d-----w- c:\program files\Common Files\Skype

2013-03-29 04:57 . 2013-03-06 23:33 368176 ----a-w- c:\windows\system32\drivers\aswSP.sys

2013-03-29 04:57 . 2013-03-06 23:33 29816 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2013-03-29 04:57 . 2013-03-06 23:33 60656 ----a-w- c:\windows\system32\drivers\aswRdr2.sys

2013-03-29 04:57 . 2013-03-06 23:33 765736 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2013-03-29 04:57 . 2013-03-06 23:33 62376 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2013-03-29 04:57 . 2013-03-06 23:33 164736 ----a-w- c:\windows\system32\drivers\aswVmm.sys

2013-03-29 04:57 . 2013-03-06 23:33 49248 ----a-w- c:\windows\system32\drivers\aswRvrt.sys

2013-03-29 04:57 . 2013-03-06 23:33 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2013-03-29 04:57 . 2013-03-06 23:32 228600 ----a-w- c:\windows\system32\aswBoot.exe

2013-03-29 04:56 . 2013-03-06 23:32 41664 ----a-w- c:\windows\avastSS.scr

2013-03-29 04:56 . 2013-03-29 04:56 -------- d-----w- c:\program files\AVAST Software

2013-03-29 04:55 . 2013-03-29 04:56 -------- d-----w- c:\programdata\AVAST Software

2013-03-28 16:38 . 2013-03-29 04:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-03-28 16:38 . 2012-12-14 09:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-03-25 18:06 . 2013-03-25 18:06 -------- d-----w- c:\program files\NirSoft

2013-03-21 12:12 . 2013-03-21 12:12 -------- d-----w- c:\program files\7-Zip

2013-03-17 17:51 . 2013-03-31 20:24 -------- d-----w- c:\users\maria\AppData\Roaming\vlc

2013-03-17 17:51 . 2013-03-17 17:51 -------- d-----w- c:\program files\VideoLAN

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-15 03:00 . 2011-04-18 13:00 1384479 ----a-w- c:\program files\msvbvm60.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{83BD144C-5E53-4E12-8E99-5A7F1BBF3EA0}]

2010-03-12 14:16 815104 ----a-w- c:\program files\Video Download Toolbar\v3.3.0.3\Video_Download_Toolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{E52BE12D-A44A-4F51-9DC1-34F37A488CC7}"= "c:\program files\Video Download Toolbar\v3.3.0.3\Video_Download_Toolbar.dll" [2010-03-12 815104]

.

[HKEY_CLASSES_ROOT\clsid\{e52be12d-a44a-4f51-9dc1-34f37a488cc7}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{E52BE12D-A44A-4F51-9DC1-34F37A488CC7}"= "c:\program files\Video Download Toolbar\v3.3.0.3\Video_Download_Toolbar.dll" [2010-03-12 815104]

.

[HKEY_CLASSES_ROOT\clsid\{e52be12d-a44a-4f51-9dc1-34f37a488cc7}]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2013-03-06 23:32 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-12 39408]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-02-16 5244216]

"Software Informer"="c:\program files\Software Informer\softinfo.exe" [2010-06-28 2322501]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-02-28 18672232]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-12-14 824232]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-03-06 4767304]

.

c:\users\maria\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

ViiKiiDesktopPlugin.lnk - [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux1"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]

@=""

.

R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]

R3 aswVmm;aswVmm; [x]

R3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]

S0 aswRvrt;aswRvrt; [x]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]

S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]

.

.

Contents of the 'Scheduled Tasks' folder

.

2013-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-12 15:04]

.

2013-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-12 15:04]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.bigseekpro.com/videodownloadtoolbar/{178F6920-22BE-4CF0-A6D0-2F4A0A74D66A}

IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

TCP: DhcpNameServer = 202.73.99.4 61.247.0.2 202.73.99.2 61.247.0.4

TCP: Interfaces\{756A48EC-DCE8-4153-B027-94306FA03BCE}: NameServer = 202.134.0.155,208.67.222.222

FF - ProfilePath - c:\users\maria\AppData\Roaming\Mozilla\Firefox\Profiles\ihkzovo3.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2463487&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.id/

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}

FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-3632183951-932135029-350098339-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A9CE7AE9-4CA2-7E2A-BDF0-13773A9A8A2D}*]

"hadpadnlkekkiahp"=hex:69,61,6e,67,65,63,69,70,6c,6b,67,6b,6d,6c,67,6d,69,62,

00,dc

"gakmcdejejgmdh"=hex:61,63,68,61,6c,64,67,64,6e,70,63,67,67,67,6d,70,61,6a,66,

6d,62,6b,6c,6f,61,63,6c,69,70,6e,67,67,6d,63,6c,69,6d,6d,6f,6b,6b,64,6e,69,\

"iajnkcomhgmhnfoldc"=hex:6a,61,6d,67,6c,63,61,61,66,6b,64,6e,6f,6d,6f,63,6e,63,

70,69,00,00

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-04-01 23:17:24

ComboFix-quarantined-files.txt 2013-04-01 16:17

ComboFix2.txt 2013-03-29 16:49

C:\DeQuarantine.txt

.

Pre-Run: 27,588,743,168 bytes free

Post-Run: 27,355,824,128 bytes free

.

- - End Of File - - AC0F686C247F1D90359ACF56A0AE0825

oh, by the way, 2 days ago when you asked me to run ESET, in the result, as i remember it said 6 threats were found. i clicked the "List of found threats" and it listed those results in the ESET log you asked for. my question is, was that ESET result/log the list of threats? are those viruses/malware? coz i see there was this in the result :

C:\Users\maria\AppData\Local\TempImages\AutoUpdate.exe a variant of Win32/Agent.SZW trojan.

Pardon me for asking this, just kinda worried seeing the word 'Trojan' =(

gosh, really, i'm so thankful to you that you still stick and patient with me =) thank you


When your PC runs fine, I am happy.

Funny thing is, Combofix deleted the restored Folder again :D

gosh, really, i'm so thankful to you that you still stick and patient with me =) thank you

you are welcome :)

So, please use this Combofix Script as instructed above. A logfile will be created but I don't need to see it.

You must understand that a file which won't be started in any way can't be dangerous. This is why our tools check the common startup locations malware uses. The next script will delete the file as well.


DeQuarantine::
C:\Qoobox\Quarantine\C\x
File::
C:\Users\maria\AppData\Local\TempImages\AutoUpdate.exe
SkipFix::

Download DDS and save it to your desktop from here.

Double click DDS to run the tool and press Start

Don't change any settings without instruction

  • When done, DDS will save two (2) logs to your desktop:
    1. DDS.txt
    2. Attach.txt

  • Please post them in your next reply

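The helper's point that only files which actually get started matter is the reason cleanup tools inspect autostart locations. As an added example (my own code, not ComboFix, DDS or Malwarebytes, and not something the helper posted), the PowerShell script below enumerates the same kinds of locations that appear in the logs in this thread: the HKCU and HKLM Run/RunOnce keys, the Startup folders, and the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, which is the location Malwarebytes labels PUM.UserWLoad. It is read-only and changes nothing. The rules it uses to flag an entry (target missing or unresolvable, no valid Authenticode signature, runs from Temp/AppData/ProgramData, or a .bat/.vbs/.scr extension) are assumptions of this example, not a verdict: plenty of legitimate software is unsigned, and a flag means "look at this", not "delete this".

```powershell
# Added example, not one of the tools used in this thread. Read-only: it
# lists autostart entries and flags the ones worth a second look; it does
# not delete or change anything. Run from an elevated PowerShell prompt.

# Registry keys processed at logon, plus the legacy "Load" value
# (the location Malwarebytes reports as PUM.UserWLoad).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$loadKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'

# Startup folders for the current user and for all users.
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)

# Heuristics (assumptions of this example): legitimate autostarts rarely
# run from temp or per-user data directories and are rarely batch/script files.
$userWritable = '\\Temp\\|\\AppData\\|\\ProgramData\\|\\Users\\Public\\'
$scriptExt    = '\.(bat|cmd|vbs|vbe|js|jse|wsf|scr)$'

# Extract the executable path from a command line such as
#   "C:\Program Files\App\app.exe" /minimized
function Get-CommandPath([string]$Command) {
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    return ($c -split '\s+')[0]
}

function Test-AutostartEntry([string]$Source, [string]$Name, [string]$Command) {
    $path  = [Environment]::ExpandEnvironmentVariables((Get-CommandPath $Command))
    $flags = @()
    if ([string]::IsNullOrEmpty($path)) {
        # e.g. a shortcut whose target no longer exists
        $flags += 'empty or unresolvable target'
    } else {
        if (-not (Test-Path -LiteralPath $path)) {
            # Bare names such as rundll32.exe are resolved through PATH.
            $cmd = Get-Command $path -ErrorAction SilentlyContinue
            if ($cmd -and $cmd.Path) { $path = $cmd.Path }
        }
        if (-not (Test-Path -LiteralPath $path)) {
            $flags += 'target file missing'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $flags += 'no valid Authenticode signature' }
        }
        if ($path -match $userWritable) { $flags += 'runs from a user-writable location' }
        if ($path -match $scriptExt)    { $flags += 'script or screensaver extension' }
    }
    New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Target = $path; Flags = ($flags -join '; ')
    }
}

$entries = @()

# Provider metadata that Get-ItemProperty attaches to every key; not real values.
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        $entries += Test-AutostartEntry $key $p.Name ([string]$p.Value)
    }
}

$load = (Get-ItemProperty -Path $loadKey -ErrorAction SilentlyContinue).Load
if ($load) { $entries += Test-AutostartEntry "$loadKey|Load" 'Load' $load }

$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($f in (Get-ChildItem -LiteralPath $dir | Where-Object { -not $_.PSIsContainer })) {
        $target = $f.FullName
        # Resolve .lnk shortcuts so the check looks at what actually runs.
        if ($f.Extension -eq '.lnk') { $target = $shell.CreateShortcut($f.FullName).TargetPath }
        $entries += Test-AutostartEntry $dir $f.Name $target
    }
}

# Flagged entries first; an empty Flags column means nothing stood out.
$entries | Sort-Object @{ Expression = { $_.Flags.Length }; Descending = $true } |
    Format-Table Source, Name, Target, Flags -AutoSize -Wrap
```

Against the DDS log in this thread the script would list the same uRun/mRun entries and Startup shortcuts, and the broken ViiKiiDesktopPlugin.lnk would come out as "empty or unresolvable target". It deliberately avoids cmdlets that need PowerShell 3.0 (such as Get-ChildItem -File) so it also runs on a stock Windows 7 install like the one in the logs; it does not cover every autostart mechanism a full tool checks (services, drivers, scheduled tasks, BHOs and Winlogon values are left out), so treat it as a complement to, not a replacement for, the tools the helper asked for.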

yes, it seems it still deleted C:\x =D

ok, here's the result:

DDS :

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_31

Run by maria at 19:17:40 on 2013-04-02

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.62.1033.18.1979.1195 [GMT 7:00]

.

AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ================

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Program Files\HitmanPro\hmpsched.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\AVAST Software\Avast\AvastUI.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Software Informer\softinfo.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Windows\system32\sppsvc.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.bigseekpro.com/videodownloadtoolbar/{178F6920-22BE-4CF0-A6D0-2F4A0A74D66A}

BHO: Octh Class: {000123B4-9B42-4900-B3F7-F4B073EFC214} - c:\program files\orbitdownloader\orbitcth.dll

BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Video Download Toolbar Helper: {83BD144C-5E53-4E12-8E99-5A7F1BBF3EA0} - c:\program files\video download toolbar\v3.3.0.3\Video_Download_Toolbar.dll

BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll

TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: Video Download Toolbar: {E52BE12D-A44A-4F51-9DC1-34F37A488CC7} - c:\program files\video download toolbar\v3.3.0.3\Video_Download_Toolbar.dll

TB: Grab Pro: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - c:\program files\orbitdownloader\GrabPro.dll

TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

TB: Video Download Toolbar: {E52BE12D-A44A-4F51-9DC1-34F37A488CC7} - c:\program files\video download toolbar\v3.3.0.3\Video_Download_Toolbar.dll

TB: Grab Pro: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - c:\program files\orbitdownloader\GrabPro.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe

uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet

uRun: [software Informer] "c:\program files\software informer\softinfo.exe" -autorun

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

StartupFolder: c:\users\maria\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

StartupFolder: c:\users\maria\appdata\roaming\micros~1\windows\startm~1\programs\startup\VIIKII~1.LNK -

uPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: NoDriveTypeAutoRun = dword:255

mPolicies-Explorer: NoDrives = dword:0

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: NameServer = 202.73.99.4 61.247.0.2 202.73.99.2 61.247.0.4

TCP: Interfaces\{756A48EC-DCE8-4153-B027-94306FA03BCE} : NameServer = 202.134.0.155,208.67.222.222

TCP: Interfaces\{756A48EC-DCE8-4153-B027-94306FA03BCE}\D616279616 : DHCPNameServer = 76.73.126.98 168.95.1.1

TCP: Interfaces\{E3241119-7526-4CB5-8383-AA81F923AA7A} : DHCPNameServer = 202.73.99.4 61.247.0.2 202.73.99.2 61.247.0.4

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll

SSODL: WebCheck - <orphaned>

SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\maria\appdata\roaming\mozilla\firefox\profiles\ihkzovo3.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2463487&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.id/

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

FF - prefs.js: network.proxy.type - 0

FF - component: c:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll

FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll

FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}

FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF

.

============= SERVICES / DRIVERS ===============

.

R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-3-29 49248]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-3-29 765736]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-3-29 368176]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-3-29 29816]

R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-3-29 66336]

R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-3-29 45248]

R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\hitmanpro\hmpsched.exe [2013-2-23 106280]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-11 139776]

S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-2-28 161384]

S3 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-3-29 164736]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]

.

=============== Created Last 30 ================

.

2013-04-02 12:06:14 -------- d-sh--w- C:\$RECYCLE.BIN

2013-04-01 16:19:56 -------- d-----w- C:\Program Installation

2013-03-30 23:47:26 -------- d-----w- c:\program files\ESET

2013-03-29 16:38:50 98816 ----a-w- c:\windows\sed.exe

2013-03-29 16:38:50 256000 ----a-w- c:\windows\PEV.exe

2013-03-29 16:38:50 208896 ----a-w- c:\windows\MBR.exe

2013-03-29 04:57:56 60656 ----a-w- c:\windows\system32\drivers\aswRdr2.sys

2013-03-29 04:57:55 765736 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2013-03-29 04:57:54 164736 ----a-w- c:\windows\system32\drivers\aswVmm.sys

2013-03-29 04:57:53 49248 ----a-w- c:\windows\system32\drivers\aswRvrt.sys

2013-03-29 04:57:49 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2013-03-29 04:56:54 41664 ----a-w- c:\windows\avastSS.scr

2013-03-29 04:56:40 -------- d-----w- c:\program files\AVAST Software

2013-03-29 04:55:15 -------- d-----w- c:\programdata\AVAST Software

2013-03-28 16:38:20 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-03-28 16:38:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-03-25 18:06:04 -------- d-----w- c:\program files\NirSoft

2013-03-17 17:51:08 -------- d-----w- c:\program files\VideoLAN

.

==================== Find3M ====================

.

2008-04-15 03:00:00 1384479 ----a-w- c:\program files\msvbvm60.dll

.

============= FINISH: 19:18:28.39 ===============

Attach :

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume1

Install Date: 3/12/2010 3:48:57 PM

System Uptime: 4/2/2013 7:13:31 PM (0 hours ago)

.

Motherboard: Compal | | 3607

Processor: Intel® Core2 Duo CPU T6500 @ 2.10GHz | CPU | 2100/800mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 49 GiB total, 25.513 GiB free.

D: is FIXED (NTFS) - 184 GiB total, 74.87 GiB free.

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID:

Description: Base System Device

Device ID: PCI\VEN_197B&DEV_2384&SUBSYS_30F7103C&REV_00\4&2EEE5C02&0&04E4

Manufacturer:

Name: Base System Device

PNP Device ID: PCI\VEN_197B&DEV_2384&SUBSYS_30F7103C&REV_00\4&2EEE5C02&0&04E4

Service:

.

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: Broadcom 802.11g Network Adapter

Device ID: PCI\VEN_14E4&DEV_4315&SUBSYS_137D103C&REV_01\4&3AAD4F30&0&00E2

Manufacturer: Broadcom

Name: Broadcom 802.11g Network Adapter

PNP Device ID: PCI\VEN_14E4&DEV_4315&SUBSYS_137D103C&REV_01\4&3AAD4F30&0&00E2

Service: BCM43XX

.

Class GUID:

Description: Base System Device

Device ID: PCI\VEN_197B&DEV_2382&SUBSYS_30F7103C&REV_00\4&2EEE5C02&0&00E4

Manufacturer:

Name: Base System Device

PNP Device ID: PCI\VEN_197B&DEV_2382&SUBSYS_30F7103C&REV_00\4&2EEE5C02&0&00E4

Service:

.

Class GUID:

Description: Base System Device

Device ID: PCI\VEN_197B&DEV_2383&SUBSYS_30F7103C&REV_00\4&2EEE5C02&0&03E4

Manufacturer:

Name: Base System Device

PNP Device ID: PCI\VEN_197B&DEV_2383&SUBSYS_30F7103C&REV_00\4&2EEE5C02&0&03E4

Service:

.

==== System Restore Points ===================

.

RP203: 3/31/2013 8:00:23 AM - Scheduled Checkpoint

RP204: 4/2/2013 7:01:58 PM - ComboFix created restore point

.

==== Installed Programs ======================

.

7-Zip 9.20

Acrobat.com

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 9.4.4

Advertising Center

avast! Free Antivirus

ESET Online Scanner v3

Google Toolbar for Internet Explorer

Google Update Helper

Hero DVD Player

HitmanPro 3.7

Java Auto Updater

Java 6 Update 31

K-Lite Mega Codec Pack 4.1.7

Malwarebytes Anti-Malware version 1.70.0.1100

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Mozilla Firefox (3.6.8)

MP3 Cutter 1.8

Nero 9 Lite

Nero ControlCenter

Nero Installer

Nero Online Upgrade

Nero StartSmart

neroxml

NirSoft BlueScreenView

Orbit Downloader

Skype™ 6.3

Software Informer 1.0 BETA

Video Download Toolbar

VLC media player 2.0.5

WinRAR archiver

Yahoo! Messenger

Yahoo! Search Protection

Yahoo! Software Update

Yahoo! Toolbar

.

==== Event Viewer Messages From Past Week ========

.

4/2/2013 7:04:28 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

3/31/2013 7:59:15 AM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

3/29/2013 11:05:11 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.

3/29/2013 11:05:11 AM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

3/29/2013 11:05:11 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

3/29/2013 11:04:46 AM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

3/29/2013 11:04:46 AM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535.

3/28/2013 10:49:10 PM, Error: Service Control Manager [7024] - The Avira Real-Time Protection service terminated with service-specific error The security stream for the given volume is in an inconsistent state. Please run CHKDSK on the volume..

3/27/2013 9:21:11 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

3/27/2013 9:19:36 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

3/27/2013 9:19:36 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

3/27/2013 9:19:35 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

3/27/2013 9:19:35 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

3/27/2013 9:19:34 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

3/27/2013 9:19:28 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

3/27/2013 9:19:22 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avipbb avkmgr CSC DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr ssmdrv tdx vwififlt Wanarpv6 WfpLwf

3/27/2013 9:19:22 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

3/27/2013 9:19:22 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

3/27/2013 9:19:22 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

3/27/2013 9:19:22 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

3/27/2013 9:19:22 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

3/27/2013 9:19:22 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.

3/27/2013 9:19:22 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

3/27/2013 9:19:22 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

3/27/2013 9:19:22 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/27/2013 9:19:22 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

3/27/2013 9:03:50 PM, Error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.

3/26/2013 12:06:21 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000007a (0xc0453718, 0xc0000185, 0x604868c0, 0x8a6e3000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 032613-17596-01.

.

==== End Of File ===========================

PS: I have the old DDS and Attachment logs from several days ago that I posted at the beginning of this thread. Should I keep them? I mean, since I have new DDS and Attachment logs right now.

Thank you.


Unfortunately it isn't. From the logs it said:

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\x

c:\x\6. PAPI (Perception and Preference Inventory ).ppt

c:\x\alat tes.pptx

c:\x\Coon_11.ppt

c:\x\papi lbr jwban large.jpg

c:\x\papi lbr jwban.jpg

c:\x\PENAWARAN IBU RINI.xls

c:\x\Penawaran Ibu Titiek Soeharto.xlsx

c:\x\Personality_Ch8.doc

c:\x\rochassesscrosscult.ppt

c:\x\scorecard papi large.jpg

c:\x\scorecard papi.jpg

c:\x\transfer stie trisakti.doc

And I checked, and it isn't restored.


Oh, I found the folder. It's in C:\Qoobox\Quarantine\C/x

Those files are in it. But when I tried to open one of the files using Adobe Reader (it asked for a program to open it with and I chose Adobe Reader, as I used to open the file with it), it cannot open. It said Adobe can't open it because the file is either damaged or not supported. Then in Properties I saw that those files have the file type VIR File (.vir), which (when I googled it) is said to mean Virus Infected File.

Gosh, did I just do something stupid again? *kicks myself*


No worries, this is a security thing. All files which have been quarantined get a different file extension, to prevent you from executing infected files.

Open notepad and copy/paste the text in the Code-box below into it:


DeQuarantine::
C:\Qoobox\Quarantine\C\x
Quit::

  • Save this as CFScript.txt, in the same location as ComboFix.exe.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Make sure the folder is back after a reboot and let me know.


Hi. The folder is back =) but there isn't a C:\ComboFix.txt log. There is a ComboFix folder now in drive C, and it contains a folder named N -> C:\ComboFix\N_ which contains a 1 KB file (file name 29372).

Qoobox now also has new additional folders: LastRun (has a 1 KB file named Gateway), Test and Test C (both are empty folders).

It seems it also added files in my Windows folder (WindowsUpdate, setupact and PFRO, which are log files; and also bootstat).

And oh, I just realised something. I have Orbit Downloader installed, which I use to download videos from VK or Videoweed. Just now I realised that even though the program is still there, I can't use it to download any videos, and the last time I was able to use it was March 24th. I don't know, but it seems I need to uninstall and reinstall it again? Do you think this has a connection with the process we did?

Thank you.


Hi there.

Do not worry about folders created by our tools ;) I do know what they are for.

but it seems i need to uninstalled n reinstalled it again?

Please read through the install wizard and uncheck any kind of optional extras, like toolbars and so on.


Yes, I will. After I finish with this process and decide to reinstall it, I'll check it. Luckily I haven't come across VK videos I need to download, and I can use KeepVid to download from Videoweed.

Is there anything else that I need to do? Have Trojan.Ransom and PUM.UserWLoad been completely removed from my system? I haven't run Malwarebytes since the last time you told me to. I'm afraid I'll ruin the process if I do it...

Thank you.


Unless you have any open issues, you are good to go. Please follow these last few steps.

Please press the Windows key + R, copy/paste the following single-line command into the Run box and click OK:

combofix /uninstall

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

Please download delfix to your Desktop.

  • Close all running programs.
  • Double-click on delfix.exe.
  • Make sure that all options are checked.
  • Click Start.

This tool will delete most of the tools we have used for the cleanup procedure. If something remains, simply delete it.

Now that you appear to be free from malware, let's help you stay that way!

It is vital that you keep your system up to date.

  • Please enable Automatic Updates to keep your system up to date.
  • Windows Updates
    • Win XP: Start --> Control Panel and double-click on Automatic Updates.
    • Vista / 7: Start --> Control Panel --> System and Security --> Windows Updates
  • Software Updates
    Your installed software can also have vulnerabilities that malware can use to infect your system.
    To keep your installed software up to date I recommend File Hippo.

Anti Virus Software

  • Make sure to have one antivirus programme installed and update it on a regular basis. It is useless with out-of-date definitions.

Additional Protection
  • Malwarebytes Anti Malware
    The freeware version is an on-demand scanner which will check your system for malware. Update it once a week and run a Quick Scan. You can also buy a licence which offers more features.
  • WinPatrol
    WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Safer Browsing

Use an alternate browser

Other browsers tend to be more secure than IE as they do not make use of ActiveX objects. ActiveX objects can be used by spyware as an infection point on your computer.

Note: If you use Firefox you may want to have a look at these add-ons.

Computer Maintenance

Clean out your temp files on a regular basis - I recommend TFC (Temp File Cleaner).

Thinking while surfing

There is no software which will protect your system from yourself.

I have included some security related articles that I advise you read through in your own time. These articles will give you tips and advice on preventing infection, and how to stay safe whilst browsing the internet.

If you have any questions kindly ask.

Please respond to this thread one more time so we can mark this thread as resolved.

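The "snapshot and alert on change" idea behind the WinPatrol recommendation above, applied to the exact user-level autostart value this thread's PUM.UserWLoad detection lived in (HKCU\...\Windows NT\CurrentVersion\Windows\Load), as an added example that is not from the thread or from any tool named in it. The baseline file location, the set of keys watched and the Temp-path heuristic are my assumptions; it needs PowerShell 3.0 or later for the JSON cmdlets.

```powershell
# Added example, not part of the original thread: baseline the per-user autostart
# registry values and report anything new, changed or removed on later runs.
$Locations = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Names = @('Load', 'Run') },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';         Names = $null },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce';     Names = $null }
)
$BaselineFile = Join-Path $env:USERPROFILE 'autostart-baseline.json'   # assumed location

function Get-AutostartSnapshot {
    # Returns a hashtable of "<key>|<value name>" -> value data for every watched location.
    $snap = @{}
    foreach ($loc in $Locations) {
        if (-not (Test-Path -LiteralPath $loc.Path)) { continue }
        $item  = Get-Item -LiteralPath $loc.Path
        $names = if ($loc.Names) { $loc.Names } else { $item.GetValueNames() }
        foreach ($n in $names) {
            $v = $item.GetValue($n, $null)
            if ($null -ne $v) { $snap["$($loc.Path)|$n"] = [string]$v }
        }
    }
    return $snap
}

function Compare-AutostartSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $findings = @()
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k))     { $findings += "NEW     $k = $($Current[$k])" }
        elseif ($Baseline[$k] -ne $Current[$k]) { $findings += "CHANGED $k = $($Current[$k])" }
        # Heuristic (assumption): an autostart value pointing into a Temp folder, as the
        # Load value in this thread did, is worth flagging even if it was already present.
        if ($Current[$k] -match '(?i)\\Temp\\|LOCALS~1') { $findings += "SUSPECT $k = $($Current[$k])" }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) { $findings += "REMOVED $k" }
    }
    return $findings
}

$current = Get-AutostartSnapshot
if (Test-Path -LiteralPath $BaselineFile) {
    $baseline = @{}
    (Get-Content -Raw -LiteralPath $BaselineFile | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
    $result = Compare-AutostartSnapshot -Baseline $baseline -Current $current
    if ($result) { $result | ForEach-Object { Write-Output $_ } } else { Write-Output 'No autostart changes.' }
} else {
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselineFile
    Write-Output "Baseline written to $BaselineFile"
}
```

Run it once on a system you believe is clean to write the baseline, then again after any reboot or scan; a Load value that keeps reappearing will show up as NEW or SUSPECT each time, which is the behaviour described at the start of this thread.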
