
T.R Kazy Infected and can't remove



Long story short, I downloaded a few torrents that I shouldn't have and ended up picking up a T.R Kazy virus that has embedded itself into my computer. Avira picks it up about once a day and quarantines it. I do a full scan with Malwarebytes in safe mode and remove it, but it always comes back. Any ideas? It seems to always show up in my Temp folder as an exe file with a large scrambled filename. I would really hate to lose all of my TBs of video game software on this machine to a format. I'm out of ideas.

Thanks in advance,
 

Tim


Hello,


They call me TwinHeadedEagle around here, and I'll be working with you.




Before we start please read and note the following:

  • Limit your internet access to posting here; some infections just wait to steal typed-in passwords.
  • Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time.
  • Don't run any scripts or tools on your own; unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts; attachments make my work easier. There is an Attach Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Stay with me to the end; the absence of symptoms doesn't mean that your machine is fully operational.
  • Note that we may live in totally different time zones, which may cause some delays between answers.
  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is a good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

  • I can't foresee everything, so if anything unexpected happens, please stop and inform me!
  • There are no silly questions. Never be afraid to ask if in doubt!





P2P/Piracy Warning:

  • If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.
  • Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Scan with Malwarebytes' Anti-Malware


Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Install the program and select Update.
  • Once updated, click the Settings tab, in the left panel choose Detections & Protection and tick Scan for rootkits.
  • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.

fixlist.txt


Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.

    (XP users click Run after receipt of Windows Security Warning - Open File).

  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
  • Please attach it to your reply.

Download ADWCleaner by Xplode to your desktop.

  • Close all programs and right-click on the AdwCleaner icon and select Run as Administrator.

    (Users of Windows XP please just double-click).

  • You will be presented with the AdwCleaner console.
  • Click on Scan and follow the prompts.
  • Let it run unhindered.
  • When done, click on the Clean button, and follow the prompts.
  • Allow the system to reboot.

After that, you will be presented with the report. Copy & paste this report in your next reply.

The report will be saved in the C:\AdwCleaner folder, as AdwCleaner[s0].txt.

fixlist.txt


Fix log attached, and now every webpage I open puts a full-screen popup on screen. Looks like it's digging deeper.

 

# AdwCleaner v3.216 - Report created 25/07/2014 at 09:25:26

# Updated 17/07/2014 by Xplode

# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)

# Username : Kingdomkroz - KINGDOMKROZ-PC

# Running from : C:\Users\Kingdomkroz\Downloads\AdwCleaner.exe

# Option : Clean

 

***** [ Services ] *****

 

Service Deleted : IePluginServices

 

***** [ Files / Folders ] *****

 

Folder Deleted : C:\ProgramData\IePluginServices

Folder Deleted : C:\ProgramData\WindowsMangerProtect

Folder Deleted : C:\Program Files (x86)\Conduit

Folder Deleted : C:\Program Files (x86)\GetPrivate

Folder Deleted : C:\Program Files (x86)\predm

Folder Deleted : C:\Users\Kingdomkroz\AppData\Local\Conduit

Folder Deleted : C:\Users\Kingdomkroz\AppData\LocalLow\Conduit

Folder Deleted : C:\Users\Kingdomkroz\AppData\Roaming\GetPrivate

Folder Deleted : C:\Users\Kingdomkroz\AppData\Roaming\Mozilla\Firefox\Profiles\fbu3rlfq.default\Extensions\staged\{ad9a41d2-9a49-4fa6-a79e-71a0785364c8}

File Deleted : C:\Users\Kingdomkroz\AppData\Roaming\Mozilla\Firefox\Profiles\fbu3rlfq.default\user.js

File Deleted : C:\Users\Kingdomkroz\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage

File Deleted : C:\Users\Kingdomkroz\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage-journal

File Deleted : C:\Users\Kingdomkroz\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_inst.shoppingate.info_0.localstorage

File Deleted : C:\Users\Kingdomkroz\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_inst.shoppingate.info_0.localstorage-journal

 

***** [ Shortcuts ] *****

 

Shortcut Disinfected : C:\Users\Kingdomkroz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk

Shortcut Disinfected : C:\Users\Kingdomkroz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk

Shortcut Disinfected : C:\Users\Kingdomkroz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk

Shortcut Disinfected : C:\Users\Kingdomkroz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

Shortcut Disinfected : C:\Users\Kingdomkroz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk

Shortcut Disinfected : C:\Users\Kingdomkroz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Google Chrome.lnk

 

***** [ Registry ] *****

 

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MYSEAR~1_RASAPI32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MYSEAR~1_RASMANCS

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MySearchDial_RASAPI32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MySearchDial_RASMANCS

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SupTab_Setup302_RASAPI32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SupTab_Setup302_RASMANCS

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\UpdateTask_RASAPI32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\UpdateTask_RASMANCS

Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2790392

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}

Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}

Data Restored : HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command

Data Restored : HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command

Key Deleted : HKCU\Software\powerpack

Key Deleted : HKCU\Software\Tutorials

Key Deleted : HKCU\Software\TutoTag

Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar

Key Deleted : HKLM\Software\Conduit

Key Deleted : HKLM\Software\SupDp

Key Deleted : HKLM\Software\SupTab

Key Deleted : HKLM\Software\supWindowsMangerProtect

Key Deleted : HKLM\Software\supWPM

Key Deleted : HKLM\Software\Tutorials

Key Deleted : HKLM\Software\V9Software

Key Deleted : HKLM\Software\Wpm

 

***** [ Browsers ] *****

 

-\\ Internet Explorer v11.0.9600.17207

 

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [start Page]

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Default_Page_URL]

Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Page_URL]

Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [start Page]

Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Page_URL]

Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [start Page]

 

-\\ Mozilla Firefox v

 

[ File : C:\Users\Kingdomkroz\AppData\Roaming\Mozilla\Firefox\Profiles\fbu3rlfq.default\prefs.js ]

 

Line Deleted : user_pref("CT2790392.autoDisableScopes", -1);

 

-\\ Google Chrome v

 

[ File : C:\Users\Kingdomkroz\AppData\Local\Google\Chrome\User Data\Default\preferences ]

 

Deleted [startup_urls] : hxxp://www.istart123.com/?type=hp&ts=1406288803&from=irs&uid=WDCXWD1002FAEX-00Z3A0_WD-WCATR526793067930

Deleted [Homepage] : hxxp://www.istart123.com/?type=hp&ts=1406288803&from=irs&uid=WDCXWD1002FAEX-00Z3A0_WD-WCATR526793067930

Deleted [Extension] : booedmolknjekdopkepjjeckmjkdpfgl

Deleted [Extension] : flpcjncodpafbgdpnkljologafpionhb

 

*************************

 

AdwCleaner[R0].txt - [8119 octets] - [25/07/2014 09:24:35]

AdwCleaner[s0].txt - [6310 octets] - [25/07/2014 09:25:26]

 

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [6370 octets] ##########

 

Fixlog.txt


WARNING: I noticed you have more than one antivirus installed.
 
Never install more than one antivirus! Rather than giving you extra protection, it will seriously decrease the reliability of your protection! The reason for this is that if both products have their automatic (real-time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time. Also, because multiple installed antivirus products are not compatible with each other, they can cause system performance problems and a serious system slowdown.
 
Please uninstall either Avira or Microsoft.
 
 
 

First, go to Control Panel and uninstall the following (skip lines that cannot be uninstalled):
- Adobe Reader X
- Java 6 Update 29
- Java 7 Update 
 
The latest version of Adobe Reader is available here --> http://get.adobe.com/uk/reader/
Make sure to uncheck the optional offers.

 

 

 

We need one last FRST fix. Tell me how the situation is now.

 

 

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.

    (XP users click Run after receipt of Windows Security Warning - Open File).

  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it in your reply.

fixlist.txt


Things seem to be back to normal; I will do one last MBAM scan. Avira no longer detects T.R Kazy.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-07-2014

Ran by Kingdomkroz at 2014-07-26 17:14:19 Run:2

Running from C:\Users\Kingdomkroz\Downloads

Boot Mode: Normal

==============================================

 

Content of fixlist:

*****************

S2 WindowsMangerProtect; C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe -service [X]

C:\ProgramData\WindowsMangerProtect

C:\Users\Kingdomkroz\AppData\Local\Temp\avgnt.exe

C:\Users\Kingdomkroz\AppData\Local\Temp\GPUpd53D0F1F61.exe

C:\Users\Kingdomkroz\AppData\Local\Temp\GPUpd53D0F1F72.exe

C:\Users\Kingdomkroz\AppData\Local\Temp\GPUpd53D243782.exe

C:\Users\Kingdomkroz\AppData\Local\Temp\GPUpd53D243793.exe

C:\Users\Kingdomkroz\AppData\Local\Temp\jre-7u65-windows-i586-iftw.exe

C:\Users\Kingdomkroz\AppData\Local\Temp\Quarantine.exe

cmd: ipconfig /flushdns

*****************

 

WindowsMangerProtect => Service deleted successfully.

"C:\ProgramData\WindowsMangerProtect" => File/Directory not found.

C:\Users\Kingdomkroz\AppData\Local\Temp\avgnt.exe => Moved successfully.

C:\Users\Kingdomkroz\AppData\Local\Temp\GPUpd53D0F1F61.exe => Moved successfully.

C:\Users\Kingdomkroz\AppData\Local\Temp\GPUpd53D0F1F72.exe => Moved successfully.

C:\Users\Kingdomkroz\AppData\Local\Temp\GPUpd53D243782.exe => Moved successfully.

C:\Users\Kingdomkroz\AppData\Local\Temp\GPUpd53D243793.exe => Moved successfully.

C:\Users\Kingdomkroz\AppData\Local\Temp\jre-7u65-windows-i586-iftw.exe => Moved successfully.

C:\Users\Kingdomkroz\AppData\Local\Temp\Quarantine.exe => Moved successfully.

 

=========  ipconfig /flushdns =========

 

 

Windows IP Configuration

 

Successfully flushed the DNS Resolver Cache.

 

========= End of CMD: =========

 

 

==== End of Fixlog ====

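As an added example (not code from this thread, from FRST or from Farbar), the script below reconciles a Fixlog like the one posted above with the fixlist it was produced from: it pairs every fixlist entry with FRST's "=>" outcome line so a helper can tell at a glance what was moved, what was already gone (here the WindowsMangerProtect folder, which AdwCleaner had removed earlier in the thread) and what received no result at all. The sample log is constructed in the layout of the posted Fixlog; the Quarantine.exe entry is deliberately left without an outcome to show the third case.

```python
# Added example (not from this thread or from FRST): reconcile an FRST fixlist
# with the "=> outcome" lines in Fixlog.txt: removed, already gone, or no result.
import re
# Constructed in the layout of the Fixlog posted above, using its entries.
SAMPLE_FIXLOG = r"""
Content of fixlist:
*****************
S2 WindowsMangerProtect; C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe -service [X]
C:\ProgramData\WindowsMangerProtect
C:\Users\Kingdomkroz\AppData\Local\Temp\GPUpd53D0F1F61.exe
C:\Users\Kingdomkroz\AppData\Local\Temp\Quarantine.exe
cmd: ipconfig /flushdns
*****************
WindowsMangerProtect => Service deleted successfully.
"C:\ProgramData\WindowsMangerProtect" => File/Directory not found.
C:\Users\Kingdomkroz\AppData\Local\Temp\GPUpd53D0F1F61.exe => Moved successfully.
=========  ipconfig /flushdns =========
Successfully flushed the DNS Resolver Cache.
========= End of CMD: =========
==== End of Fixlog ====
"""

def reconcile(fixlog: str) -> dict:
    """Map each fixlist entry to 'done', 'not found', 'ran' or 'no result'."""
    lines = [ln.rstrip() for ln in fixlog.splitlines()]
    # The fixlist sits between two lines made only of asterisks.
    stars = [i for i, ln in enumerate(lines) if re.fullmatch(r"\*{5,}", ln)]
    entries = [ln for ln in lines[stars[0] + 1:stars[1]] if ln.strip()]
    # Result lines read '<target> => <outcome>'; FRST quotes some targets.
    results = {}
    for ln in lines[stars[1] + 1:]:
        if " => " in ln:
            target, outcome = ln.split(" => ", 1)
            results[target.strip().strip('"')] = outcome.strip().lower()
    report = {}
    for entry in entries:
        if entry.startswith("cmd: "):
            # Commands get their own '===== <cmd> =====' block, not a '=>' line.
            ran = any(ln.startswith("=====") and entry[5:].strip() in ln for ln in lines)
            report[entry] = "ran" if ran else "no result"
            continue
        # Service/driver entries ('S2 Name; path [X]') are reported by name only.
        m = re.match(r"^[SRU]\d\s+([^;]+);", entry)
        outcome = results.get(m.group(1).strip() if m else entry.strip(), "")
        if "not found" in outcome:
            report[entry] = "not found"
        elif "successfully" in outcome:
            report[entry] = "done"
        else:
            report[entry] = "no result" if not outcome else "other: " + outcome
    return report

def needs_review(report: dict) -> list:
    """Entries to look at again: anything that was neither removed nor run."""
    return [e for e, status in report.items() if status not in ("done", "ran")]
```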

Very good, then we're done here :)
 

 

 

Below you will find my thoughts about securing your machine. Go through it; you will benefit from some useful advice about safe computing.
 
 

Recommended reading:

MUST READ - general maintenance: What to do if your Computer is running slowly?
 
 
 

Recommended additional software:

  • TFC - to clean unneeded temporary files.
  • Malwarebytes' Anti-Malware - to scan your system from time to time in search of malware.
  • Malwarebytes' Anti-Exploit - to prevent exploitation of many commonly exploited vulnerabilities.
  • McShield - to prevent infections spread by removable media.
  • CryptoPrevent - to secure yourself from the very severe CryptoLocker infection.
  • Unchecky - to prevent the installation of additional foistware bundled with legitimate installers.
 
 
The following will implement some post-cleanup procedures:
 
=> Please download DelFix by Xplode to your Desktop.
 
Run the tool and check the following boxes:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
 
 
 
Stay safe,
TwinHeadedEagle :)

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

