Hello and help please! :unsure: Malwarebytes found two instances of "Trojan.Agent.STIED" on my PC. They were quarantined, but I think whatever virus this is has moved around.

 

A few hours ago, while I was trying to copy/backup data to an internal drive (which I subsequently removed for safekeeping), I literally saw two folders created: one with multiple alphanumeric characters and a single file inside named "mrtstub.exe". I didn't have the proper rights to delete the folder, despite the fact that I am supposed to be the only Admin on this PC. This folder still exists.

 

Another folder named something like "___A500___" appeared and then disappeared. 

 

I'm able to boot into Safe Mode (Windows 8.1) and can run MWB Anti-Malware and MWB Anti-Rootkit (MBAR found no issues). But like many others have noticed, I'm not able to run either DDS program: "incompatible operating system".

 

I will paste the log from Anti-Malware, as well as a log from RogueKiller, if it helps. I'm so lost as to any next steps and would be most appreciative of any possible help! Thank you very, very much!

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.01.14.01
 
Windows 8 x86 NTFS
Internet Explorer 11.0.9600.16476
Steve :: HOME-PC [administrator]
 
1/14/2014 2:11:36 AM
mbam-log-2014-01-14 (02-11-36).txt
 
Scan type: Full scan (C:\|D:\|F:\|M:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: 
Objects scanned: 767742
Time elapsed: 1 hour(s), 12 minute(s), 39 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 2
C:\Users\Steve\AppData\Local\Temp\sync_upgrader.exe (Trojan.Agent.STIED) -> Quarantined and deleted successfully.
C:\Users\Steve\AppData\Local\Temp\Box Sync - 4.0.4167 (Trojan.Agent.STIED) -> Quarantined and deleted successfully.
 
(end)
 
 
*******ROGUEKILLER Report*****
 
RogueKiller V8.8.0 [Dec 27 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 8.1 (6.3.9200 ) 32 bits version
Started in : Normal mode
User : Steve [Admin rights]
Mode : Scan -- Date : 01/13/2014 05:08:38
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH][DLL] explorer.exe -- C:\Users\Steve\AppData\Roaming\Copy\overlay\CopyShExt.dll [x] -> UNLOADED
[SUSP PATH][DLL] explorer.exe -- C:\Users\Steve\AppData\Roaming\Copy\overlay\Brt.dll [x] -> UNLOADED
[SUSP PATH] CopyAgent.exe -- C:\Users\Steve\AppData\Roaming\Copy\CopyAgent.exe [7] -> KILLED [TermProc]
 
¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Copy ("C:\Users\Steve\AppData\Roaming\Copy\CopyAgent.exe" [7]) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : MFARestart ("C:\ProgramData\MFAData\pack\avgrunasx.exe" /usereg [x]) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[EXT RUN][SUSP PATH] HKLM\fbwuser_ON_F:\[...]\Run : googletalk (C:\Users\fbwuser\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart [x][x]) -> FOUND
 
¤¤¤ Scheduled tasks : 4 ¤¤¤
[V1][SUSP PATH] DSite.job : C:\Users\Steve\AppData\Roaming\DSite\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND
[V1][SUSP PATH] ROC_REG_JAN_DELETE.job : C:\ProgramData\AVG January 2013 Campaign\ROC.exe - /DELETE_FROM_SYSTEM=1 [7] -> FOUND
[V2][SUSP PATH] DSite : C:\Users\Steve\AppData\Roaming\DSite\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND
[V2][SUSP PATH] ROC_REG_JAN_DELETE : C:\ProgramData\AVG January 2013 Campaign\ROC.exe - /DELETE_FROM_SYSTEM=1 [7] -> FOUND
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Browser Addons : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED 0xc0000033] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
-> F:\Documents and Settings\Default\NTUSER.DAT | DRVINFO [Drv - F:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]
-> F:\Documents and Settings\Default User\NTUSER.DAT | DRVINFO [Drv - F:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]
-> F:\Documents and Settings\fbwuser\NTUSER.DAT | DRVINFO [Drv - F:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - FOUND]
-> F:\Documents and Settings\Public\NTUSER.DAT | DRVINFO [Drv - F:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]
-> F:\Documents and Settings\Steve\NTUSER.DAT | DRVINFO [Drv - F:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
[...]
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) M4-CT128M4SSD2 +++++
--- User ---
[MBR] 53ed68d336b5dbceba78a36f68d54df4
[BSP] b2f694e6de703df4c546ab9b286830a8 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 113810 Mo
2 - [XXXXXX] OS/2-HIBER (0x84) [HIDDEN!] Offset (sectors): 233289728 | Size: 8192 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) ST3000DM001-9YN166 +++++
--- User ---
[MBR] b8f66e00a2daa373f5cc218ea1716d39
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1 | Size: 2097151 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ IDE) ST2000DL003-9VT166 +++++
--- User ---
[MBR] aa8ea4a5ca52c1d1ffb66c37a36020e0
[BSP] 46364c0343a9641c4485752a03dce1fa : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 1907726 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive3: (\\.\PHYSICALDRIVE3 @ USB) pny USB 2.0 FD USB Device +++++
--- User ---
[MBR] 988746e6ada614f289ae592cdf623b65
[BSP] ec038f3ca5091360f60d743d6f1c7fdb : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 51304 | Size: 30646 Mo
Error reading LL1 MBR! ([0x5aa] Insufficient system resources exist to complete the requested service. )
Error reading LL2 MBR! ([0x32] The request is not supported. )
 
Finished : << RKreport[0]_S_01132014_050838.txt >>
 
 
 
 
 
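The MBR Check section of the RogueKiller report above prints a hash of each drive's boot sector, walks its partition table and flags the type-0x84 entry on the SSD as HIDDEN!. The following is an added example, not code from the original post or from RogueKiller, showing what such a check does: it parses the 512-byte sector, decodes the four partition entries, compares the boot code against a baseline hash taken when the machine was known clean, and flags hidden partition types, invalid status bytes, overlapping entries and entries that run past the end of the disk. The partition layout is constructed to mirror PhysicalDrive0 in the report (RogueKiller's "Mo" sizes converted to 512-byte sectors); the disk size, the placeholder boot code and the partition-type tables are assumptions.

```python
"""Parse and audit a classic (non-GPT) MBR. Added example with constructed data."""
import hashlib
import struct

SECTOR = 512
# Partition types that hide data from the OS. Legitimate uses exist (vendor
# recovery volumes; Intel Rapid Start's hibernation partition is type 0x84),
# so a hit means "explain this entry", not "infected". Table is an assumption.
HIDDEN_TYPES = {0x84: "OS/2 hidden / hibernation", 0x16: "hidden FAT16",
                0x17: "hidden NTFS", 0x1b: "hidden FAT32", 0x1c: "hidden FAT32-LBA"}
KNOWN_TYPES = {0x07: "NTFS", 0x0b: "FAT32", 0x0c: "FAT32-LBA", 0x05: "extended",
               0x0f: "extended-LBA", 0x27: "Windows RE", 0xee: "GPT protective"}


def parse_mbr(mbr):
    """Decode the four 16-byte entries at offset 446; raise on a malformed sector."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 and count == 0:
            continue  # empty slot
        parts.append({"index": i, "status": status, "active": status == 0x80,
                      "type": ptype, "lba": lba, "sectors": count,
                      "size_mib": count * SECTOR // (1024 * 1024)})
    return parts


def bootcode_hash(mbr):
    """MD5 of the 440 bytes of boot code (before the disk signature), for
    comparison with a known-clean baseline: a bootkit has to change these bytes."""
    return hashlib.md5(mbr[:440]).hexdigest()


def audit_mbr(mbr, disk_sectors, baseline_hash=None):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    parts = parse_mbr(mbr)
    if baseline_hash and bootcode_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline (bootkit or foreign MBR?)")
    if sum(p["active"] for p in parts) > 1:
        findings.append("more than one active partition")
    for p in parts:
        i, t = p["index"], p["type"]
        if p["status"] not in (0x00, 0x80):
            findings.append("entry %d: invalid status byte 0x%02x" % (i, p["status"]))
        if t in HIDDEN_TYPES:
            findings.append("entry %d: %s (0x%02x) is hidden; confirm it is expected"
                            % (i, HIDDEN_TYPES[t], t))
        elif t not in KNOWN_TYPES:
            findings.append("entry %d: unusual partition type 0x%02x" % (i, t))
        if p["lba"] + p["sectors"] > disk_sectors:
            findings.append("entry %d: extends past the end of the disk" % i)
    ordered = sorted(parts, key=lambda p: p["lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba"] + a["sectors"] > b["lba"]:
            findings.append("entries %d and %d overlap" % (a["index"], b["index"]))
    return findings


def build_mbr(entries, bootcode=b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"):
    """Assemble a test MBR from (status, type, lba, sectors) tuples. The boot
    code is a placeholder stub, not real Windows boot code."""
    mbr = bytearray(SECTOR)
    mbr[:len(bootcode)] = bootcode
    for i, (status, ptype, lba, count) in enumerate(entries):
        mbr[446 + 16 * i:446 + 16 * (i + 1)] = struct.pack(
            "<B3xB3xII", status, ptype, lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Layout modelled on PhysicalDrive0 in the report above; total disk size assumed.
SAMPLE_MBR = build_mbr([
    (0x80, 0x07, 2048, 204800),         # 100 MiB system partition, active
    (0x00, 0x07, 206848, 233082880),    # 113810 MiB Windows volume
    (0x00, 0x84, 233289728, 16777216),  # 8192 MiB type 0x84, "HIDDEN!" in the log
])
SAMPLE_DISK_SECTORS = 250069680  # a typical 128 GB SSD

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(p)
    for f in audit_mbr(SAMPLE_MBR, SAMPLE_DISK_SECTORS, bootcode_hash(SAMPLE_MBR)):
        print("!", f)
```

Run stand-alone it lists the three entries and a single finding for the 0x84 partition. The partition arithmetic is itself a useful check: entry 0 ends exactly where entry 1 starts, and entry 1 ends exactly at the 0x84 entry's offset, so nothing is hiding in a gap. On this machine that 0x84 entry is most plausibly the SSD's hibernation partition; what would actually indicate a bootkit is a boot-code hash that no longer matches the baseline, which is why RogueKiller's "Windows 7/8 MBR Code" identification and its LL1/LL2 "OK!" lines (reading the sector by two lower-level paths and comparing) are the lines to read, not the HIDDEN! flag.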

Hello.

 

P2P/Piracy Warning:

 

   

If you're using peer-to-peer software such as uTorrent, BitTorrent or similar, you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

Kevin....


Can you either stop or fully uninstall uTorrent to comply with forum protocol.

 

Next,

 

Disable teatimer and leave off for now.

 

1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol ) and choose Exit Spybot S&D Resident

2. Run Spybot S&D

3. Go to the Mode menu, and make sure Advanced Mode is selected.

4. On the left hand side, choose Tools > Resident > uncheck Resident TeaTimer and OK any prompt and Restart your computer.

 

Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

 

Next,

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.


The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next,

 

Boot into normal mode and re-run RogueKiller, then post the log. Full instructions follow:

 

Please download RogueKiller from here:

http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe  <- 32 bit version

http://www.sur-la-toile.com/RogueKiller/RogueKillerX64.exe  <- 64 bit version

                                     

  • Make sure to get the correct version for your system.
  • Quit all running programs.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista/Seven, right click -> run as administrator; for XP simply run RogueKiller.exe.
  • Wait until Prescan has finished...
  • The EULA will appear; please select Accept.
  • Ensure MBR scan, Check faked and AntiRootkit are checked.
  • Select Scan.
  • When the scan completes select Report, copy and paste that to your reply.
  • The log should be found in RKreport[?].txt on your Desktop.
  • Exit/Close RogueKiller.


     
Post logs from FRST and RogueKiller.

Thanks,

Kevin

Here is the fixlog.txt reply:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 15-01-2014
Ran by Steve at 2014-01-15 11:25:35 Run:1
Running from D:\Downloads
Boot Mode: Safe Mode (with Networking)
 
==============================================
 
Content of fixlist:
*****************
Start
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
U3 idsvc; 
U3 TrueSight; \??\ [x]
C:\Users\Steve\AppData\Roaming\CamLayout.ini
C:\Users\Steve\AppData\Roaming\CamShapes.ini
C:\ProgramData\ewRi5v0f.exe
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
AlternateDataStreams: C:\ProgramData\TEMP:E7833B2E
AlternateDataStreams: C:\Users\Steve\SkyDrive:ms-properties
End
*****************
 
HKLM\SOFTWARE\Policies\Google => Key deleted successfully.
idsvc => Service deleted successfully.
TrueSight => Service deleted successfully.
C:\Users\Steve\AppData\Roaming\CamLayout.ini => Moved successfully.
C:\Users\Steve\AppData\Roaming\CamShapes.ini => Moved successfully.
C:\ProgramData\ewRi5v0f.exe => Moved successfully.
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully.
C:\ProgramData\TEMP => ":E7833B2E" ADS removed successfully.
"C:\Users\Steve\SkyDrive" => ":ms-properties" ADS not found.
 
==== End of Fixlog ====

And here is the RogueKiller log:

 

RogueKiller V8.8.1 [Jan 14 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 8.1 (6.3.9200 ) 32 bits version
Started in : Normal mode
User : Steve [Admin rights]
Mode : Scan -- Date : 01/15/2014 11:42:17
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH][DLL] explorer.exe -- C:\Users\Steve\AppData\Roaming\Copy\overlay\CopyShExt.dll [x] -> UNLOADED
[SUSP PATH][DLL] explorer.exe -- C:\Users\Steve\AppData\Roaming\Copy\overlay\Brt.dll [x] -> UNLOADED
 
¤¤¤ Registry Entries : 6 ¤¤¤
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[SCREENSVR][SUSP PATH] HKCU\[...]\Desktop : SCRNSAVE.EXE (C:\Users\Steve\Desktop\DDS(1)~1.SCR [-]) -> FOUND
 
¤¤¤ Scheduled tasks : 4 ¤¤¤
[V1][SUSP PATH] DSite.job : C:\Users\Steve\AppData\Roaming\DSite\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND
[V1][SUSP PATH] ROC_REG_JAN_DELETE.job : C:\ProgramData\AVG January 2013 Campaign\ROC.exe - /DELETE_FROM_SYSTEM=1 [7] -> FOUND
[V2][SUSP PATH] DSite : C:\Users\Steve\AppData\Roaming\DSite\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND
[V2][SUSP PATH] ROC_REG_JAN_DELETE : C:\ProgramData\AVG January 2013 Campaign\ROC.exe - /DELETE_FROM_SYSTEM=1 [7] -> FOUND
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Browser Addons : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED 0xc0000033] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com
127.0.0.1 0scan.com
127.0.0.1 www.0scan.com
127.0.0.1 1-2005-search.com
127.0.0.1 www.1-2005-search.com
127.0.0.1 1-domains-registrations.com
127.0.0.1 www.1-domains-registrations.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
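Both RogueKiller reports in this thread mix three kinds of material: persistence entries tagged SUSP PATH (Run keys, scheduled tasks, and in the second report the screensaver handler), a long 127.0.0.1 block list in the hosts file, and a handful of PUM desktop and start-menu tweaks. The following is an added example, not code from the original posts or from RogueKiller, that reads a report in this format and separates what needs a human from what does not. It splits the text on the ¤¤¤ section headers, pulls the target path out of each persistence line and scores it (user-writable location, 8.3 short name such as UPDATE~1.EXE, a .SCR screensaver pointing into a user profile), and checks hosts entries only for non-loopback redirects or for loopback entries that would silence update and AV domains, treating the remaining 127.0.0.1 lines as block-list noise. The sample report is constructed from lines in this thread plus two invented ones for contrast (a Program Files Run entry and a hosts redirect); the protected-domain list and the heuristics are assumptions.

```python
"""Triage of a RogueKiller-style text report. Added example with constructed data."""
import re
from collections import defaultdict

# Locations a standard user can write to. A Run key, task or screensaver that
# executes from here is worth a look; Program Files / System32 usually is not.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\programdata\\",
                 "\\users\\public\\", "\\desktop\\", "\\temp\\")
# Hosts entries pointing these at loopback would break AV/OS updates (assumed list).
PROTECTED_HOSTS = ("malwarebytes.org", "microsoft.com", "windowsupdate.com",
                   "avg.com", "eset.com")
LOOPBACK = ("127.0.0.1", "0.0.0.0", "::1")

SECTION_RE = re.compile(r"^¤¤¤\s*([^:¤]+):?.*¤¤¤\s*$")
# A drive-letter path up to the first executable-looking extension; quotes and
# the [x]/[7] status brackets RogueKiller appends are excluded from the path.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[\]]+?\.(?:exe|dll|scr|com|bat|cmd|vbs|js))',
                     re.IGNORECASE)


def split_sections(report):
    """Map lower-cased section name -> its non-empty body lines."""
    sections = defaultdict(list)
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
        elif current and line:
            sections[current].append(line)
    return sections


def path_findings(line):
    """Reasons a persistence entry deserves attention, judged from its target path."""
    reasons = []
    for path in PATH_RE.findall(line):
        low = path.lower()
        if any(d in low for d in USER_WRITABLE):
            reasons.append("runs from a user-writable location: " + path)
        if re.search(r"~\d", low):
            reasons.append("8.3 short name hides the real file name: " + path)
        if low.endswith(".scr") and "\\users\\" in low:
            reasons.append("screensaver handler points into a user profile: " + path)
    return reasons


def hosts_findings(lines):
    """Separate a benign loopback block list from actual hosts-file tampering."""
    findings = []
    for line in lines:
        if line.startswith(("-->", "#")):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, host = parts[0], parts[1].lower()
        if ip not in LOOPBACK:
            findings.append("redirects %s to %s" % (host, ip))
        elif any(host == p or host.endswith("." + p) for p in PROTECTED_HOSTS):
            findings.append("blocks a security/update domain: " + host)
        # Every other loopback entry is immunization noise, not infection.
    return findings


def triage(report):
    """Return (section, reason) pairs for everything worth a human's attention."""
    sections = split_sections(report)
    out = []
    for name in ("bad processes", "registry entries", "scheduled tasks"):
        for line in sections.get(name, []):
            out.extend((name, r) for r in path_findings(line))
    out.extend(("hosts file", r) for r in hosts_findings(sections.get("hosts file", [])))
    return out


# Constructed report modelled on the RogueKiller output in this thread; the
# Program Files entry and the 198.51.100.7 redirect are invented for contrast.
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 3 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Copy ("C:\Users\Steve\AppData\Roaming\Copy\CopyAgent.exe" [7]) -> FOUND
[RUN] HKLM\[...]\Run : Vendor ("C:\Program Files\Vendor\agent.exe" [7]) -> FOUND
[SCREENSVR][SUSP PATH] HKCU\[...]\Desktop : SCRNSAVE.EXE (C:\Users\Steve\Desktop\DDS(1)~1.SCR [-]) -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][SUSP PATH] DSite : C:\Users\Steve\AppData\Roaming\DSite\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 malwarebytes.org
198.51.100.7 www.windowsupdate.com
"""

if __name__ == "__main__":
    for section, reason in triage(SAMPLE_REPORT):
        print("[%s] %s" % (section, reason))
```

The Program Files entry and the 007guard lines produce nothing, which is the point: the hundreds of 127.0.0.1 lines in these reports are a block list of the kind hosts-file immunization tools such as Spybot S&D (which the poster runs) write, and only a redirect to a real address or a loopback entry for an update/AV domain would mean the hosts file had been turned against the machine. A "user-writable location" hit is a lead, not a verdict: the Copy sync client flagged here installs under AppData\Roaming by design, whereas the DSite task combines that location with an 8.3 short name and an InstallCore-style name, and the .SCR entry turns a tool the poster downloaded to the Desktop into the screensaver handler, which is exactly how a renamed dropper would be registered.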

One initial question is whether there are any suspect applications residing on my PC that you may think I should get rid of. My son has used my PC in the past for video capture and editing of his sports videos. So there are numerous video apps that I'm not really familiar with.

 

Also, the PC has run fairly smoothly for quite some time until a series of unfortunate circumstances in the last few weeks. While trying to format a USB stick to enable it to boot up another spare computer, I accidentally deleted hard drive partitions for my D: and M: drives, which reside on a single drive. Frantic, I researched this and ended up downloading a few helper apps to restore these partitions: iCare Recovery, MiniTool Partition Wizard and TestDisk. I ended up using TestDisk, which was able to recreate those partitions, though there still is unallocated space (129 MB) on the drive. I was thinking of moving all that data onto another drive, reformatting and then moving it back. Not sure if that's the best solution, so any input would be appreciated.

 

Then several days ago, the power in my house went out while working on the computer. When rebooting, my C: drive (an SSD) was not initially seen. I was able to eventually make it work, but I'm not sure if it's set up properly.

 

Lastly, when I realized that I had a virus a few days ago, I got really nervous about losing all my data, especially after reading about CryptoLocker recently. I tried to attach an external USB drive for backup, but my computer wouldn't recognize any external storage. (Seemed like I was being taken over.) So I saved as much data as I could onto a third internal drive (my backup F: drive), then disconnected the SATA cable. As soon as the data from my D: and M: drives was backed up to this drive, and immediately before I disconnected it, I tried to check the data to see if everything was intact. But I received an error that said I didn't have the permission to view that drive.

 

Fearing the loss of my data (years of family photos and videos), I simply disconnected. My PC seemed to be slowly-but-surely locking me out. So I figured that I might be able to salvage data off of this drive in case the rest of the PC became unusable. So if I am - we are ;) - able to clean up the rest of the PC, I'd like to reconnect that drive and scan it, if possible.

 

Any advice or help is so much appreciated!


I use Aomei Partition Manager to set up partitions etc.; the free version is available at the following link:

 

http://www.disk-partition.com/free-partition-manager.html

 

Aomei is really simple to use, all required instructions are available at the website link.

 

Regarding software, I do not see any software that will cause issues. Run the following dross cleaners and see what the logs show us:

 

Download AdwCleaner by Xplode from here: http://www.bleepingcomputer.com/download/adwcleaner/ and save to your Desktop.

 

  • Double click on AdwCleaner.exe to run the tool.
  • Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Uncheck any elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review.
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted (if necessary):
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

 

Next,

 

Please download Junkware Removal Tool to your desktop.


Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

 

Next,

 

We still need to run an online AV scan to ensure there are no remnants of any infection left on your system that we may have missed. This scan is very thorough and well worth running; it can take several hours, so please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan. On Vista and Win 7, right click on the IE shortcut and run as admin.

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add-on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
  • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

 

When the scan is complete

 

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

 

If threats were found

 

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

 

close program

 

copy and paste the report in next reply

 

Post those logs, also give another update..


Hi Kevin. I'm a little stumped over what to remove via AdwCleaner. Here is the report (my questions are after the report):

 

 

# AdwCleaner v3.017 - Report created 15/01/2014 at 16:15:49
# Updated 12/01/2014 by Xplode
# Operating System : Windows 8.1 Pro with Media Center  (32 bits)
# Username : Steve - HOME-PC
# Running from : C:\Users\Steve\Desktop\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
File Found : C:\WINDOWS\system32\Uninstall.exe
Folder Found C:\ProgramData\DeviceVM
Folder Found C:\Users\Steve\AppData\Roaming\DeviceVM
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\APN PIP
Key Found : HKCU\Software\dsiteproducts
Key Found : HKCU\Software\hotspotshield
Key Found : HKCU\Software\InstallCore
Key Found : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\DSite
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B1FAB20E-957B-453B-BBB4-67CF4B629028}
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4
Key Found : HKLM\Software\PIP
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.16384
 
 
-\\ Mozilla Firefox v26.0 (en-US)
 
[ File : C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\2e0ctlsr.default\prefs.js ]
 
-\\ Google Chrome v
 
[ File : C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
*************************
 
AdwCleaner[R0].txt - [1993 octets] - [15/01/2014 16:15:49]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2053 octets] ##########
 
 
MY QUESTIONS:
-"Uninstall" appears harmless, but I don't know what it's for. Should I go ahead and delete? I'm guessing yes.
 
- Not sure what DeviceVM is either. I Googled it and it appears to be a sort of remote control application...scary, if so!
 
-Don't understand any of the Registry entries.  All the entries I was able to Google seemed bad so I'm happy to delete. The only exception is "Hotspotshield", a VPN application from AnchorFree. I actually don't even use this app- I only downloaded it because my son had it on his laptop and I wanted to see what it did/how it worked. It generally has good reviews. Do you think this program was hijacked or should I just not worry about it and just delete it?
 
-Lastly, user preferences from Firefox and Chrome are listed. Should I delete those? I can always recreate. Thanks!

I went ahead and cleaned up everything that AdwCleaner found. Since it's all quarantined anyway, I can always add it back, if needed. Sorry for all my questions in last post! 

 

Here is the logfile:

 

# AdwCleaner v3.017 - Report created 15/01/2014 at 16:48:16
# Updated 12/01/2014 by Xplode
# Operating System : Windows 8.1 Pro with Media Center  (32 bits)
# Username : Steve - HOME-PC
# Running from : C:\Users\Steve\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\DeviceVM
Folder Deleted : C:\Users\Steve\AppData\Roaming\DeviceVM
File Deleted : C:\WINDOWS\system32\Uninstall.exe
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B1FAB20E-957B-453B-BBB4-67CF4B629028}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B1FAB20E-957B-453B-BBB4-67CF4B629028}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\dsiteproducts
Key Deleted : HKCU\Software\hotspotshield
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKLM\Software\PIP
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.16384
 
 
-\\ Mozilla Firefox v26.0 (en-US)
 
[ File : C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\2e0ctlsr.default\prefs.js ]
 
 
-\\ Google Chrome v
 
[ File : C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [2133 octets] - [15/01/2014 16:15:49]
AdwCleaner[S0].txt - [2135 octets] - [15/01/2014 16:48:16]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2195 octets] ##########

Just finished the JRT scan. Here is that log:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.0 (01.07.2014:1)
OS: Windows 8.1 Pro with Media Center x86
Ran by Steve on Wed 01/15/2014 at 16:59:28.98
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\caphyon
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Users\Steve\AppData\Roaming\red kawa"
Failed to delete: [Folder] "C:\Program Files\red kawa"
 
 
 
~~~ FireFox
 
Emptied folder: C:\Users\Steve\AppData\Roaming\mozilla\firefox\profiles\2e0ctlsr.default\minidumps [27 files]
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 01/15/2014 at 17:01:18.29
Computer was rebooted
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

Hey Kevin- question while the ESET scanner is running:

 

My PC protection software I've been running/using for years now consists of: AVG Antivirus, Spybot, Malwarebytes, SuperAntiSpyware and SpywareBlaster. Would you recommend I get rid of any of these? Overkill perhaps :unsure:? And would you suggest others to run on a daily basis? Thanks for your opinion!


OK ESET finished. Here are those results:

 

C:\ProgramData\Win7codecs\{33AA44E6-08F1-42B2-A511-B5C957214049}\Win7codecs.msi a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\All Users\Win7codecs\{33AA44E6-08F1-42B2-A511-B5C957214049}\Win7codecs.msi a variant of Win32/Bundled.Toolbar.Ask application
D:\zBackups\Maxtor Backup\Max Bkup 8_7_2011\GZIP compression file\1501-1800\FILE1511.GZ a variant of Android/Walien.F application
D:\zBackups\Maxtor Backup\Max Bkup 8_7_2011\GZIP compression file\1501-1800\FILE1592.GZ a variant of Android/Walien.F application

Wow, it's clean?!? Great! From the logs is it possible to tell what the major culprit was or what program it may have tagged along with to get into my system? If not, no big deal; I just don't want to see a repeat performance!

 

As far as reconnecting my other internal hard drive (the one I backed everything up to then disconnected)...What's the best way to go about reconnecting that? I'd hate to reintroduce any malware.

 

Most everything else is secure on my other drives, except for a little bit of data. I could possibly just reformat and wipe it clean. If I did  reconnect, should I do so under Safemode, along with some sort of drive scan?


Use Panda USB Vaccine to protect the system when external USB flash drives or HDDs are connected; it disables the autorun feature to protect your PC. You can then scan such drives with your AV and/or Malwarebytes to make sure they are safe....

 

Get here: http://www.pcworld.com/article/232030/panda_usb_vaccine.html Instructions also at that site....

 

Regarding infection, I did not see any major infection or remnants of same, only adware (still malicious and unwanted) but easily removed. Maybe you already caught the bad guys before you posted?

 

We can now clean up the tools:

 

We need to remove FRST; first it is very important to deal with its own Quarantine folder by using FRST itself..

 

OK, we continue:

 

Delete any fixlist.txt file previously used, continue:

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

 

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). That will confirm the removal action; delete it if successful.

 

Next,

 

Delete FRST.exe from your Desktop or the folder it was saved to, navigate to and delete its folder C:\FRST

 

Next,

 

Download "Delfix by Xplode" and save it to your desktop.

 

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

 

Make Sure the following items are checked:

 


  • Activate UAC
  • Remove disinfection tools
  • Purge System Restore
  • Reset system settings

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Next,

 

When Delfix completes, also navigate to and delete (if present) the C:\zoek_backup folder

 

You can also delete tools such as DDS, RogueKiller + folder RK_Quarantine....

 

Let me know if those steps complete, also if any remaining issues or concerns....

 

Regarding security.  I run Windows 8.1 Pro, for security I use the native Firewall, Windows Defender (has an AV component) and Malwarebytes Pro. I also use WinPatrol as an extra layer.

Understanding/using Windows 8 Firewall http://www.online-tech-tips.com/windows-8/adjust-windows-8-firewall-settings/

Windows Defender and Windows 8 http://experts.windows.com/w/experts_wiki/163.aspx

Understanding WinPatrol - http://www.winpatrol.com/features.html

For my browser I use Firefox with these add-ons: Web of Trust, Adblock Plus, Flash Block, NoScript, Ghostery. When Firefox is open select these keys together: Ctrl - Shift - A. That will access the Add-ons manager, which gives access to find add-ons, use, start, stop or disable those features etc....
Before using NoScript read from this link http://noscript.net/ which makes it easy to understand....

 

Read the following link to fully understand PC security and best practices, you may find it useful....

 

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

Kevin.... ;)

 

 

