mearon0 Posted July 19, 2013 ID:705030 Share Posted July 19, 2013 Hello, I updated Malwarebytes today and when after I scanned in quick mode, some Trojan.Fakealerts came up, so I removed them.However, I was doing the full scan for Malwarebytes, when I got the BSOD.Attach.txtDDS.txt Link to post Share on other sites More sharing options...
Maniac Posted July 19, 2013 ID:705069 Share Posted July 19, 2013 Hello mearon0 and ! My name is Borislav and I will be glad to help you solve your malware problem. Please note:If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.Make sure you read all of the instructions and fixes thoroughly before continuing with them.Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.Step 1 Please uninstall this application: Crossrider Web Apps Step 2 Please download Junkware Removal Tool to your desktop.Shut down your protection software now to avoid potential conflicts.Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.The tool will open and start scanning your system.Please be patient as this can take a while to complete depending on your system's specifications.On completion, a log (JRT.txt) is saved to your desktop and will automatically open.Post the contents of JRT.txt into your next message.Step 3 Please download AdwCleaner by Xplode onto your desktop.Close all open programs and internet browsers.Double click on AdwCleaner.exe to run the tool.Click on Delete.Confirm each time with Ok.Your computer will be rebooted automatically. A text file will open after the restart.Please post the content of that logfile with your next answer.You can find the logfile at C:\AdwCleaner[s1].txt as well.Step 4Download on the desktop RogueKillerQuit all programsStart RogueKiller.exeWait until Prescan has finished ...Click on Scan. Click on Report and copy/paste the content of the notepad in your next reply.In your next reply, post the following log files:Junkware Removal Tool logAdwCleaner logRogueKiller log Link to post Share on other sites More sharing options...
mearon0 Posted July 19, 2013 Author ID:705081 Share Posted July 19, 2013 The post was too long for the JRT so I will attach it to the next post instead. Here are the logs for the other two: AdwCleaner# AdwCleaner v2.306 - Logfile created 07/19/2013 at 19:34:12# Updated 19/07/2013 by Xplode# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)# Boot Mode : Normal# Running from : C:\Users\B\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7X6400BA\AdwCleaner.exe# Option [Delete]***** [services] ********** [Files / Folders] ********** [Registry] *****Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966***** [internet Browsers] *****-\\ Internet Explorer v10.0.9200.16635[OK] Registry is clean.*************************AdwCleaner[s1].txt - [1466 octets] - [19/07/2013 19:34:12]########## EOF - C:\AdwCleaner[s1].txt - [1526 octets] ########## RK report RogueKiller V8.6.3 [Jul 17 2013] by Tigzymail : tigzyRK<at>gmail<dot>comFeedback : http://www.adlice.com/forum/Website : http://www.adlice.com/softwares/roguekiller/Blog : http://tigzyrk.blogspot.com/Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits versionStarted in : Normal modeUser : B [Admin rights]Mode : Scan -- Date : 07/19/2013 19:45:04| ARK || FAK || MBR |¤¤¤ Bad processes : 0 ¤¤¤¤¤¤ Registry Entries : 8 ¤¤¤[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND[HJ SMENU] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND¤¤¤ Scheduled tasks : 0 ¤¤¤¤¤¤ Startup Entries : 0 ¤¤¤¤¤¤ Web browsers : 0 ¤¤¤¤¤¤ Particular Files / Folders: ¤¤¤¤¤¤ Driver : [LOADED] ¤¤¤[Address] SSDT[50] : NtClose @ 0x836629DE -> HOOKED (C:\Windows\System32\drivers\AhnRghNt.sys @ 0xBC297C00)[Address] SSDT[70] : NtCreateKey @ 0x83642780 -> HOOKED (C:\Windows\System32\drivers\AhnRghNt.sys @ 0xBC297A30)[Address] SSDT[103] : NtDeleteKey @ 0x835F617F -> HOOKED (C:\Windows\System32\drivers\AhnRghNt.sys @ 0xBC297E20)[Address] SSDT[106] : NtDeleteValueKey @ 0x835FBE2F -> HOOKED (C:\Windows\System32\drivers\AhnRghNt.sys @ 0xBC298000)[Address] SSDT[116] : NtEnumerateKey @ 0x8364381D -> HOOKED (C:\Windows\System32\drivers\AhnRghNt.sys @ 0xBC2983A0)[Address] SSDT[119] : NtEnumerateValueKey @ 0x83661D50 -> HOOKED (C:\Windows\System32\drivers\AhnRghNt.sys @ 0xBC2985F0)[Address] SSDT[126] : NtFlushKey @ 0x835FD86E -> HOOKED (C:\Windows\System32\drivers\AhnRghNt.sys @ 0xBC297D30)[Address] SSDT[156] : NtLoadKey @ 0x835A7F76 -> HOOKED (C:\Windows\System32\drivers\AhnRghNt.sys @ 0xBC2988C0)[Address] SSDT[182] : NtOpenKey @ 0x8366EF8B -> HOOKED (C:\Windows\System32\drivers\AhnRghNt.sys @ 0xBC2978E0)[Address] SSDT[244] : NtQueryKey @ 0x83647199 -> HOOKED (C:\Windows\System32\drivers\AhnRghNt.sys @ 0xBC2984D0)[Address] SSDT[266] : NtQueryValueKey @ 0x8367E13B -> HOOKED (C:\Windows\System32\drivers\AhnRghNt.sys @ 0xBC298720)[Address] SSDT[290] : NtRenameKey @ 0x836B1005 -> HOOKED (C:\Windows\System32\drivers\AhnRghNt.sys @ 0xBC297F10)[Address] SSDT[358] : NtSetValueKey @ 0x836809B5 -> HOOKED (C:\Windows\System32\drivers\AhnRghNt.sys @ 0xBC2981A0)[Address] SSDT[380] : NtUnloadKey @ 0x836999DE -> HOOKED (C:\Windows\System32\drivers\AhnRghNt.sys @ 0xBC2989A0)[inline] SSDT[155] : NtLoadDriver @ 0x835BF474 -> HOOKED (C:\Windows\System32\drivers\AhnRghNt.sys @ 0xBC292290)[inline] SSDT[350] : NtSetSystemInformation @ 0x83602664 -> HOOKED (C:\Windows\System32\drivers\AhnRghNt.sys @ 0xBC2922F0)¤¤¤ External Hives: ¤¤¤¤¤¤ Infection : ¤¤¤¤¤¤ HOSTS File: ¤¤¤--> %SystemRoot%\System32\drivers\etc\hosts¤¤¤ MBR Check: ¤¤¤+++++ PhysicalDrive0: WDC WD5000BEVT-22A0RT0 ATA Device +++++--- User ---[MBR] ff61da8fefaca5fdb8e60780be0e337f[bSP] 21d8b8bd290dea9d536b1751d1d52568 : Windows 7/8 MBR CodePartition table:0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 102300 Mo2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 209717248 | Size: 374538 MoUser = LL1 ... OK!User = LL2 ... OK!Finished : << RKreport[0]_S_07192013_194504.txt >> Link to post Share on other sites More sharing options...
mearon0 Posted July 20, 2013 Author ID:705082 Share Posted July 20, 2013 JRT.txt Link to post Share on other sites More sharing options...
Maniac Posted July 20, 2013 ID:705181 Share Posted July 20, 2013 Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingc...to-use-combofix * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Please post the C:\ComboFix.txt in your next reply for further review. Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted July 27, 2013 Root Admin ID:707616 Share Posted July 27, 2013 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts