Tepax Posted August 1, 2013 ID:709646 Share Posted August 1, 2013 http://forums.malwarebytes.org/index.php?showtopic=128151 Its the same virus as in this thread so im gona follow Maniac's steps and post my logs here , i hope ill get some replies from you guys and guides tru this Here is my first log , from Junkware Removal Tool ~~~ Services ~~~ Registry Values Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayNameSuccessfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL ~~~ Registry Keys Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\softonicSuccessfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\windows\currentversion\ext\stats\{3ca2f312-6f6e-4b53-a66e-4e65e497c8c0}Successfully deleted: [Registry Key] "hkey_current_user\software\apn pip"Successfully deleted: [Registry Key] "hkey_local_machine\software\pip" ~~~ Files ~~~ Folders Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\boost_interprocess" End of JRT log~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Link to post Share on other sites More sharing options...
Tepax Posted August 1, 2013 Author ID:709650 Share Posted August 1, 2013 And here is my ADWcleaner log also fairly short # AdwCleaner v2.306 - Logfile created 08/01/2013 at 14:45:58# Updated 19/07/2013 by Xplode# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)# User : -------------# Boot Mode : Normal# Running from : C:\Documents and Settings\A\My Documents\Downloads\AdwCleaner.exe# Option [Delete] ***** [services] ***** ***** [Files / Folders] ***** ***** [Registry] ***** Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\IMKey Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IM ***** [internet Browsers] ***** -\\ Internet Explorer v8.0.6001.18702 [OK] Registry is clean. -\\ Google Chrome v28.0.1500.95 ************************* AdwCleaner[R1].txt - [866 octets] - [01/08/2013 14:45:18]AdwCleaner[s1].txt - [802 octets] - [01/08/2013 14:45:58] ########## EOF - C:\AdwCleaner[s1].txt - [861 octets] ########## Link to post Share on other sites More sharing options...
Tepax Posted August 1, 2013 Author ID:709706 Share Posted August 1, 2013 And here comes my Malwarebytes Anti-Malware log Malwarebytes Anti-Malware (Trial) 1.75.0.1300www.malwarebytes.org Database version: v2013.08.01.05 Windows XP Service Pack 3 x86 NTFSInternet Explorer 8.0.6001.18702A :: A-D3D92FB0F1304 [administrator] Protection: Enabled 1.8.2013 16:13:18mbam-log-2013-08-01 (16-13-18).txt Scan type: Full scan (C:\|)Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 352931Time elapsed: 1 hour(s), 29 minute(s), 8 second(s) Memory Processes Detected: 0(No malicious items detected) Memory Modules Detected: 0(No malicious items detected) Registry Keys Detected: 0(No malicious items detected) Registry Values Detected: 0(No malicious items detected) Registry Data Items Detected: 4HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully. Folders Detected: 0(No malicious items detected) Files Detected: 2C:\Program Files\InstallShield Installation Information\{1998BD34-1AAB-4169-ACFF-67342E2AF9B4}\_Backup\Gothic3.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.C:\Documents and Settings\A\Local Settings\Temp\noir.art (Malware.Trace) -> Quarantined and deleted successfully. (end) Link to post Share on other sites More sharing options...
Tepax Posted August 1, 2013 Author ID:709708 Share Posted August 1, 2013 ROGUE KILLER log RogueKiller V8.6.4 [Jul 29 2013] by Tigzymail : tigzyRK<at>gmail<dot>comFeedback : http://www.adlice.com/forum/Website : http://www.adlice.com/softwares/roguekiller/Blog : http://tigzyrk.blogspot.com/ Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits versionStarted in : Normal modeUser : A [Admin rights]Mode : Scan -- Date : 08/01/2013 18:13:31| ARK || FAK || MBR | ¤¤¤ Bad processes : 0 ¤¤¤ ¤¤¤ Registry Entries : 10 ¤¤¤[RUN][sUSP PATH] HKCU\[...]\Run : DrvUpdater (C:\Documents and Settings\A\Application Data\DRPSu\DrvUpdater.exe /hide [7]) -> FOUND[RUN][sUSP PATH] HKUS\S-1-5-21-1645522239-115176313-1177238915-1003\[...]\Run : DrvUpdater (C:\Documents and Settings\A\Application Data\DRPSu\DrvUpdater.exe /hide [7]) -> FOUND[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND ¤¤¤ Scheduled tasks : 0 ¤¤¤ ¤¤¤ Startup Entries : 0 ¤¤¤ ¤¤¤ Web browsers : 0 ¤¤¤ ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver : [LOADED] ¤¤¤ ¤¤¤ External Hives: ¤¤¤ ¤¤¤ Infection : ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤--> %SystemRoot%\System32\drivers\etc\hosts 127.0.0.1 localhost ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: WDC WD800JD-08MSA1 +++++--- User ---[MBR] 0a83436ad3e22a8d524e5b5ff359d508[bSP] a4faad5ee2f2eb880b75b6fb2b964865 : Windows XP MBR CodePartition table:0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76316 MoUser = LL1 ... OK!User = LL2 ... OK! +++++ PhysicalDrive1: WDC WD800JD-08MSA1 +++++--- User ---[MBR] 7c27583587733d1c3e91babefdcc1db7[bSP] dea88f32dad325b26e08b4cec2b57676 : Windows XP MBR CodePartition table:0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 MoUser = LL1 ... OK!User = LL2 ... OK! Finished : << RKreport[0]_S_08012013_181331.txt >> Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 2, 2013 Root Admin ID:709970 Share Posted August 2, 2013 Please stop running scans on your own. Using some tools at the wrong time can cause problems on your computer. Please visit this webpage and read the ComboFix User's Guide:Once you've read the article and are ready to use the program you can download it directly from the link below. Important! - Please make sure you save combofix to your desktop and do not run it from your browser Direct download link for: ComboFix.exe Please make sure you disable your security applications before running ComboFix. Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load. Please attach that log file to your next reply. If needed the file can be located here: C:\combofix.txt NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer. Tanks Link to post Share on other sites More sharing options...
Tepax Posted August 2, 2013 Author ID:710115 Share Posted August 2, 2013 Please stop running scans on your own. Using some tools at the wrong time can cause problems on your computer. Please visit this webpage and read the ComboFix User's Guide:Once you've read the article and are ready to use the program you can download it directly from the link below.Important! - Please make sure you save combofix to your desktop and do not run it from your browserDirect download link for: ComboFix.exePlease make sure you disable your security applications before running ComboFix.Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load.Please attach that log file to your next reply.If needed the file can be located here: C:\combofix.txtNOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer. Tanks After all this I used ESET online scaner, and then I got fed up and just deleted the folder where the virus is. None of these helped remove it or find the source. After reboot the virus is not poping up anymore.. which is good, but I wish to know what that virus exactly was, its purpouse its effect, etc ? Anyone help with this? Thanks for your reply AS Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 2, 2013 Root Admin ID:710362 Share Posted August 2, 2013 I'm sorry but if you're unable or unwilling to follow directions then we will not be able to assist you. Thank you Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 7, 2013 Root Admin ID:711882 Share Posted August 7, 2013 Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you. Link to post Share on other sites More sharing options...
Recommended Posts