Daniel3618 Posted October 5, 2013 ID:737990

Attachments: dds.txt, attach.txt

I'm having a recurrence of:

C:\Users\Owner\AppData\Roaming\Microsoft\Credentials\Credentials.exe (Trojan.Agent)
C:\Users\Owner\AppData\Roaming\Microsoft\Credentials\firstrun.png (Stolen.Data)

Even after reinstalling Windows 7, including deleting partitions and a quick format of C:\ and System Reserved. I left D:\ intact. The folder uses some sort of stealth technology. It deletes itself when I try to mess with it.
kevinf80 Posted October 5, 2013 ID:738063

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Next, please download RogueKiller from here:
http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe <- 32 bit version
http://www.sur-la-toile.com/RogueKiller/RogueKillerX64.exe <- 64 bit version
Make sure to get the correct version for your system.

Quit all running programs.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
Wait until Prescan has finished...
The following EULA will appear, please select accept.
Ensure MBR scan, Check faked and AntiRootkit are checked.
Select Scan.
When the scan completes select Report, copy and paste that to your reply.
The log should be found in RKreport[?].txt on your Desktop.
Exit/Close RogueKiller.

Let's see those logs...

Kevin
Daniel3618 Posted October 5, 2013 Author ID:738240

Attachments: Addition.txt, FRST.txt, RKreport0_S_10052013_130624.txt

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 02-10-2013
Ran by Owner at 2013-10-05 12:57:58
Running from C:\Users\Owner\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AV: Microsoft Security Essentials (Enabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Microsoft Security Essentials (Enabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}

==================== Installed Programs ======================

7-Zip 9.20 (x64 edition) (Version: 9.20.00.0)
Adobe Flash Player 11 Plugin (x32 Version: 11.8.800.168)
AutoHotkey 1.1.13.00 (Version: 1.1.13.00)
CCleaner (Version: 4.05)
Defraggler (Version: 2.15)
eReg (x32 Version: 1.20.138.34)
GIMP 2.8.6 (Version: 2.8.6)
ImgBurn (x32 Version: 2.5.8.0)
Java 7 Update 40 (64-bit) (Version: 7.0.400)
Java 7 Update 40 (x32 Version: 7.0.400)
Java Auto Updater (x32 Version: 2.1.9.8)
Logitech SetPoint 6.61 (Version: 6.61.15)
Malwarebytes Anti-Malware version 1.75.0.1300 (x32 Version: 1.75.0.1300)
Microsoft Security Client (Version: 4.3.0216.0)
Microsoft Security Essentials (Version: 4.3.216.0)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Mozilla Firefox 24.0 (x86 en-US) (x32 Version: 24.0)
Mozilla Maintenance Service (x32 Version: 24.0)
Roadkil's Unstoppable Copier Version 5.2 (x32)
Spotify (HKCU Version: 0.9.4.178.g259772ba)
Unlocker 1.9.2 (Version: 1.9.2)
VLC media player 2.0.8 (x32 Version: 2.0.8)

==================== Restore Points =========================

26-09-2013 08:15:11 Tweaking.com - Windows Repair

==================== Hosts content: ==========================

2013-09-25 20:55 - 2013-09-25 20:54 - 00000855 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 google-analytics.com

==================== Scheduled Tasks (whitelisted) =============

Task: {2218B8F3-5143-4F5C-B662-A6EEC4D7A500} - System32\Tasks\Games\UpdateCheck_S-1-5-21-2846198479-2662733381-2614574030-1000
Task: {2D0F4152-49A6-4727-8FE3-F9518469CD9C} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2013-09-25] (Piriform Ltd)
Task: {66604569-A719-4C1D-9221-C3E42AA677C6} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-25] (Adobe Systems Incorporated)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) =============

2010-07-14 23:44 - 2010-07-14 23:44 - 00020032 _____ () C:\Program Files\Unlocker\UnlockerCOM.dll
2013-09-25 20:54 - 2013-09-25 20:54 - 03279768 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2013-09-25 20:54 - 2013-09-25 20:54 - 01019904 _____ () C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\2irzh7ly.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
2013-09-26 23:49 - 2013-10-02 14:36 - 34604032 _____ () C:\Users\Owner\AppData\Roaming\Spotify\Data\libcef.dll
2013-09-26 23:49 - 2013-10-02 14:36 - 00747008 _____ () C:\Users\Owner\AppData\Roaming\Spotify\Data\libglesv2.dll
2013-09-26 23:49 - 2013-10-02 14:36 - 00137216 _____ () C:\Users\Owner\AppData\Roaming\Spotify\Data\libegl.dll

==================== Safe Mode (whitelisted) ===================

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================

System errors:
=============
Error: (10/04/2013 07:27:32 PM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 New Signature Version:
 Previous Signature Version: 1.159.733.0
 Update Source: %NT AUTHORITY59
 Update Stage: 4.3.0216.00
 Source Path: 4.3.0216.01
 Signature Type: %NT AUTHORITY602
 Update Type: %NT AUTHORITY604
 User: NT AUTHORITY\SYSTEM
 Current Engine Version: %NT AUTHORITY605
 Previous Engine Version: %NT AUTHORITY606
 Error code: %NT AUTHORITY607
 Error description: %NT AUTHORITY608

Microsoft Office Sessions:
=========================

==================== Memory info ===========================

Percentage of memory in use: 48%
Total physical RAM: 4094.49 MB
Available physical RAM: 2110.04 MB
Total Pagefile: 8187.17 MB
Available Pagefile: 6140.07 MB
Total Virtual: 8192 MB
Available Virtual: 8191.81 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:151.27 GB) (Free:134.25 GB) NTFS
Drive d: () (Fixed) (Total:780.14 GB) (Free:140.79 GB) NTFS
Drive e: (BartPE) (CDROM) (Total:0.15 GB) (Free:0 GB) CDFS
Drive f: (WINDOWS 7) (Removable) (Total:3.93 GB) (Free:0.82 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: E2C3B021)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=151 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=780 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 4 GB) (Disk ID: 00000000)
Partition 1: (Active) - (Size=4 GB) - (Type=0B)

==================== End Of Log ============================

RogueKiller V8.7.1 _x64_ [Oct 3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Scan -- Date : 10/05/2013 13:06:24
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[SCREENSVR][SUSP PATH] HKCU\[...]\Desktop : SCRNSAVE.EXE (C:\Users\Owner\Desktop\dds.scr [x]) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 google-analytics.com

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - ST31000528AS ATA Device +++++
--- User ---
[MBR] dcc8f8d866d3caf4c54e9e340736b7c2
[BSP] 68cb4271eea695d6519b0e29581b5c9f : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 154900 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 317442048 | Size: 798867 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_10052013_130624.txt >>
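An added example, not code from the thread or from RogueKiller's author: a small Python triage helper that reads lines in the RogueKiller report format pasted above and rates what it flagged (the UAC policy values, the suspicious-path entry and the hosts mapping). The line shapes are assumed from the pasted report, and the sample input below is constructed from a few of its lines.

```python
import re

# Constructed sample in the RogueKiller report format seen in the thread
# (a handful of representative lines, not the full report).
SAMPLE_REPORT = """\
¤¤¤ Registry Entries : 7 ¤¤¤
[HJ POL][PUM] HKLM\\[...]\\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\\[...]\\System : EnableLUA (0) -> FOUND
[HJ DESK][PUM] HKLM\\[...]\\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[SCREENSVR][SUSP PATH] HKCU\\[...]\\Desktop : SCRNSAVE.EXE (C:\\Users\\Owner\\Desktop\\dds.scr [x]) -> FOUND
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\\System32\\drivers\\etc\\hosts
127.0.0.1 localhost
127.0.0.1 google-analytics.com
"""

# One "[CAT][FLAG] key : name (value) -> FOUND" registry line (assumed shape).
ENTRY_RE = re.compile(
    r"^\[(?P<cat>[^\]]+)\]\[(?P<flag>[^\]]+)\] (?P<key>.+?) : "
    r"(?P<name>\S+) \((?P<value>[^)]*)\) -> FOUND$")
# One "ip hostname" line from the hosts section.
HOSTS_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)$")
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def triage(report):
    """Return (severity, message) findings, in report order, for flagged lines."""
    findings = []
    for line in report.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            name, value, flag = m["name"], m["value"], m["flag"]
            if name == "EnableLUA" and value == "0":
                findings.append(("high", "UAC is disabled (EnableLUA=0); re-enable it before trusting elevation prompts"))
            elif name == "ConsentPromptBehaviorAdmin" and value == "0":
                findings.append(("high", "admins elevate silently (ConsentPromptBehaviorAdmin=0)"))
            elif flag == "SUSP PATH":
                findings.append(("review", f"{name} points into a user-writable path: {value}"))
            else:
                findings.append(("low", f"{m['cat']} {name}={value}: cosmetic/PUM, confirm the user set it"))
            continue
        h = HOSTS_RE.match(line)
        if h and h["host"] not in LOOPBACK_NAMES:
            findings.append(("review", f"hosts maps {h['host']} to {h['ip']}: blocks or redirects that site; confirm it was added deliberately"))
    return findings

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_REPORT):
        print(f"[{severity}] {message}")
```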
Daniel3618 Posted October 5, 2013 Author ID:738241
kevinf80 Posted October 5, 2013 ID:738257

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Next, Download AdwCleaner by Xplode from here: http://www.bleepingcomputer.com/download/adwcleaner/ and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
Click on the Scan button.
AdwCleaner will begin...be patient as the scan may take some time to complete.
When it's done you'll see: Pending: Uncheck any elements you don't want removed.
Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
Look over the log especially under Files/Folders for any program you want to save.
If there's a program you want to save, just uncheck it from AdwCleaner.
If you're not sure, post the log for review.
If you're ready to clean it all up.....click the Clean button.
After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
Copy and paste the contents of that logfile in your next reply.
A copy of that logfile will also be saved in the C:\AdwCleaner folder.
Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
To restore an item that has been deleted (if necessary): Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

Next, Download Dr Web Cureit from here http://www.freedrweb.com/cureit and save to your desktop. (Scroll to bottom of page.) The file will be randomly named.

Reboot to safe mode.
Run Dr Web.
Tick the I agree box and select continue.
Click select objects for scanning.
Tick all boxes as shown.
Click the wrench and select automatically apply actions to threats.
Press start scan. The scan will now commence.
Once the scan has finished click open report. A notepad will open.
Select File > Save as.. and save it to your desktop.
This log will be excessive, attach it to your next reply.

Attachment: fixlist.txt
AdvancedSetup (Root Admin) Posted October 7, 2013 ID:739211

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!