Jump to content

Recommended Posts

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 
 
 
 
 
HijackThis is not the preferred initial scanning tool in this forum. With today's malware, a more comprehensive set of logs is required to determine the presence of malware.
 
 
 
 
Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)
 
  • Run FRST.
  • Don´t change one of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Poste the FRST.txt and (after the first scan only!) the Addition.txt.


 
 
 
 
 
Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.zip and extract to your desktop

  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt




Please attach this file to your next reply.

Link to post
Share on other sites

Diagnostic Report (1.9.0027.0):

-----------------------------------------

Windows Validation Data-->

 

Validation Code: 0

Cached Online Validation Code: N/A, hr = 0xc004f012

Windows Product Key: *****-*****-Q6MMK-KYK6X-VKM6G

Windows Product Key Hash: 289NoAWl2ZoVfuieux/315WkDIc=

Windows Product ID: 00426-OEM-8992662-00173

Windows Product ID Type: 2

Windows License Type: OEM SLP

Windows OS version: 6.1.7601.2.00010100.1.0.001

ID: {4CDC4F44-2368-4E0C-868F-C8D13D345180}(1)

Is Admin: Yes

TestCab: 0x0

LegitcheckControl ActiveX: N/A, hr = 0x80070002

Signed By: N/A, hr = 0x80070002

Product Name: Windows 7 Ultimate

Architecture: 0x00000009

Build lab: 7601.win7sp1_gdr.130801-1533

TTS Error: 

Validation Diagnostic: 

Resolution Status: N/A

 

Vista WgaER Data-->

ThreatID(s): N/A, hr = 0x80070002

Version: N/A, hr = 0x80070002

 

Windows XP Notifications Data-->

Cached Result: N/A, hr = 0x80070002

File Exists: No

Version: N/A, hr = 0x80070002

WgaTray.exe Signed By: N/A, hr = 0x80070002

WgaLogon.dll Signed By: N/A, hr = 0x80070002

 

OGA Notifications Data-->

Cached Result: N/A, hr = 0x80070002

Version: N/A, hr = 0x80070002

OGAExec.exe Signed By: N/A, hr = 0x80070002

OGAAddin.dll Signed By: N/A, hr = 0x80070002

 

OGA Data-->

Office Status: 109 N/A

OGA Version: N/A, 0x80070002

Signed By: N/A, hr = 0x80070002

Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

 

Browser Data-->

Proxy settings: N/A

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)

Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Download signed ActiveX controls: Prompt

Download unsigned ActiveX controls: Disabled

Run ActiveX controls and plug-ins: Allowed

Initialize and script ActiveX controls not marked as safe: Disabled

Allow scripting of Internet Explorer Webbrowser control: Disabled

Active scripting: Allowed

Script ActiveX controls marked as safe for scripting: Allowed

 

File Scan Data-->

 

Other data-->

Office Details: <GenuineResults><MachineData><UGUID>{4CDC4F44-2368-4E0C-868F-C8D13D345180}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-VKM6G</PKey><PID>00426-OEM-8992662-00173</PID><PIDType>2</PIDType><SID>S-1-5-21-2686238728-4054486362-3622791382</SID><SYSTEM><Manufacturer>MSI</Manufacturer><Model>MS-7640</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>V11.13</Version><SMBIOSVersion major="2" minor="7"/><Date>20121009000000.000000+000</Date></BIOS><HWID>014F3707018400F2</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Mountain Standard Time(GMT-07:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>MSI_NB</OEMID><OEMTableID>MEGABOOK</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

 

Spsys.log Content: 0x80070002

 

Licensing Data-->

Software licensing service version: 6.1.7601.17514

 

Name: Windows® 7, Ultimate edition

Description: Windows Operating System - Windows® 7, OEM_SLP channel

Activation ID: 7cfd4696-69a9-4af7-af36-ff3d12b6b6c8

Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f

Extended PID: 00426-00178-926-600173-02-1033-7601.0000-0732013

Installation ID: 011131844156342422510894602691533354662936551440144706





Partial Product Key: VKM6G

License Status: Licensed

Remaining Windows rearm count: 3

Trusted time: 4/4/2014 7:21:52 AM

 

Windows Activation Technologies-->

HrOffline: 0x00000000

HrOnline: N/A

HealthStatus: 0x0000000000000000

Event Time Stamp: N/A

ActiveX: Registered, Version: 7.1.7600.16395

Admin Service: Not Registered - 0x80070005

HealthStatus Bitmask Output:

 

 

HWID Data-->

HWID Hash Current: OgAAAAIABgABAAEAAAADAAAAAQABAAEAln1csAPbdxZ4Gbr5VPL8jTqHEDOoaDiSipueBMHjePdudQ==

 

OEM Activation 1.0 Data-->

N/A

 

OEM Activation 2.0 Data-->

BIOS valid for OA 2.0: yes

Windows marker version: 0x20001

OEMID and OEMTableID Consistent: yes

BIOS Information: 

  ACPI Table Name OEMID Value OEMTableID Value

  APIC ALASKA A M I

  FACP ALASKA A M I

  HPET ALASKA A M I

  MCFG ALASKA A M I

  SSDT AMD   POWERNOW

  BGRT ALASKA A M I

  SLIC MSI_NB MEGABOOK
Link to post
Share on other sites

Your logs show obvious signs of having cracked software on your system. This is the main reason your computer is infected. Visiting cracksites/warezsites - and other questionable/illegal sites is always a risk.

Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.

Additionally, cracked programs are illegal. Referring to the Forum Rules which you should have read at the time of Registering at this forum, this forum does not support illegal activity. As such, be advised that any request for assistance in removing malware may go unanswered, or may be discontinued, if the cracked (illegal) software is still present on the machine

Having said that we can help you clean your machine this time BUT this would be a ONCE ONLY offer on the understanding that all cracks are removed. This would apply not only here but at many other Malware Support forums if you were to appear again with cracks onboard, as many of us analysts work at multiple support sites. Please remove all cracked software and illegally obtained copyrighted material you have on the system so we may continue with the clean up.

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.