Infected computer need help

girly_blue · November 20, 2013

Hi!

I hope you don't mind me hijacking your thread, but I'm having the same problem, and have followed the steps outlined above. Here is the output I've generated:

via Rkill:

Rkill 2.6.2 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

More Information about Rkill can be found at this link:

http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/20/2013 12:17:07 PM in x64 mode.

Windows Version: Windows 8

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Backup Registry file created at:

C:\Users\Naima\Desktop\rkill\rkill-11-20-2013-12-17-15.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues found.

Program finished at: 11/20/2013 12:18:55 PM

Execution time: 0 hours(s), 1 minute(s), and 48 seconds(s)

and via Rogue Killer:

RogueKiller V8.7.8 _x64_ [Nov 14 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.adlice.com/forum/

Website : http://www.adlice.com/softwares/roguekiller/

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 8 (6.2.9200 ) 64 bits version

Started in : Normal mode

User : Naima [Admin rights]

Mode : Scan -- Date : 11/20/2013 12:32:50

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤

[PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyServer (hxxp=127.0.0.1:49280;hxxps=127.0.0.1:49280 [Country: (Private Address) (XX), City: (Private Address)]) -> FOUND

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD5000AAKX-22ERMA0 +++++

--- User ---

[MBR] f7a04f3e15587fab8bfae5d99b01237b

[bSP] eb91e1a3123f4f6989d4b0b321b3318a : Empty MBR Code

Partition table:

0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1 | Size: 2097152 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[0]_S_11202013_123250.txt >>

How should I proceed?

I notice that it says Windows Defender is deactivated in the registry, but I've tried multiple times to activate it, even before the bug, it seemed to say it was active in some places, and inactive in others.

Should I simply edit the registry value' "DisableAntiSpyware" = dword:00000001' to 00000000 ?

TIA!

kevinf80 · November 21, 2013

Hello and

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Next,

Download Security Check by screen317 from either of the following:
http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe
Save it to your Desktop. (If your security alerts either accept the alert, or turn the security off while Secuirity Check runs)
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Post those logs...

Kevin

girly_blue · November 23, 2013

from Farbar:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 23-11-2013

Ran by Naima (administrator) on NAIMAS on 23-11-2013 04:14:00

Running from C:\Users\Naima\Desktop

Windows 8 (X64) OS Language: English(US)

Internet Explorer Version 10

Boot Mode: Normal

==================== Processes (Whitelisted) =================

() C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\AdAwareService.exe

(AMD) C:\Windows\System32\atiesrxx.exe

(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

(Microsoft Corporation) C:\Windows\System32\dasHost.exe

(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe

(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe

(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.21.165\GoogleCrashHandler.exe

(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.21.165\GoogleCrashHandler64.exe

(Acer Incorporated) C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe

(WildTangent) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe

(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe

(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe

(AMD) C:\Windows\System32\atieclxx.exe

(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.0.1119.516_x64__8wekyb3d8bbwe\LiveComm.exe

(Acer Incorporated) C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

() C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\AdAwareTray.exe

(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

(Acer Incorporated) C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe

(Microsoft Corporation) C:\Windows\System32\backgroundTaskHost.exe

(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\NIS.exe

(AMD) C:\Windows\System32\atieclxx.exe

(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

(Acer Incorporated) C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe

(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\NIS.exe

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

() C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\AdAwareTray.exe

(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

(Acer Incorporated) C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe

(CyberLink) C:\Program Files (x86)\CyberLink\MediaEspresso\DeviceDetector\DeviceDetector.exe