
Hello,

 

I am having issues with my computer ever since I ran Malwarebytes Anti-Malware on my x64 machine running Windows 8. The program removed several infections; however, now when I turn on my computer I get error messages for every program that tries to run:

 

C:\progra~so0cb7~1.boo is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support. Error status 0xc000012f.

 

I have not noticed any programs that have had problems running. It's just really annoying. I'm assuming it's the same issue as:

https://forums.malwarebytes.org/index.php?/topic/145506-bad-image-errors-after-running-malwarebytes-to-clean-up-infections/

 

Any help is much appreciated! I have already downloaded the Farbar Recovery Scan Tool and run it. I have attached the two files if that helps.

 

Thanks,

Troy

Attachments: FRST.txt, Addition.txt


Hi there,
my name is Marius and I will assist you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 
 
 
Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.
  • Double-click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Thank you very much for assisting me Marius. Here is the log file:

 

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-08-08 10:09:36
Windows 6.2.9200  x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T1L0-6 Samsung_SSD_840_EVO_250GB rev.EXT0BB6Q 232.89GB
Running: 26y4wfdg.exe; Driver: C:\Users\Troy\AppData\Local\Temp\kwdiiuog.sys
 
 
---- Threads - GMER 2.1 ----
 
Thread   C:\WINDOWS\system32\csrss.exe [6816:204]                                                                                                                                                                                         fffff960009cbb90
---- Processes - GMER 2.1 ----
 
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\python27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904] (Python Core/Python Software Foundation)(2014-08-08 13:24:43)                      000000001e000000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\win32api.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                               000000001e8c0000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\pywintypes27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:43)                                                           000000001e7a0000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\pythoncom27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                            0000000000630000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\_socket.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                                00000000003d0000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\_ssl.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:43)                                                                   0000000010000000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\win32com.shell.shell.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                   000000001e800000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\_hashlib.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:43)                                                               0000000002b60000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\wx._core_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                              0000000002f00000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\wxbase294u_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904] (wxWidgets for MSW/wxWidgets development team)(2014-08-08 13:24:43)         0000000003030000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\wxbase294u_net_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904] (wxWidgets for MSW/wxWidgets development team)(2014-08-08 13:24:43)     00000000006a0000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\wxmsw294u_core_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904] (wxWidgets for MSW/wxWidgets development team)(2014-08-08 13:24:43)     0000000003220000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\wxmsw294u_adv_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904] (wxWidgets for MSW/wxWidgets development team)(2014-08-08 13:24:43)      00000000036c0000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\wx._gdi_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:43)                                                               0000000003800000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\wx._windows_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:43)                                                           00000000040d0000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\wxmsw294u_html_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904] (wxWidgets for MSW/wxWidgets development team)(2014-08-08 13:24:43)     00000000041a0000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\wx._controls_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                          00000000043d0000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\wx._misc_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                              00000000044e0000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\_elementtree.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                           000000001d100000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\pyexpat.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                                0000000000740000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\pysqlite2._sqlite.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                      0000000001e50000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\hashobjs_ext.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:43)                                                           0000000000770000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\_ctypes.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                                000000001d1a0000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\win32file.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                              000000001ea10000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\win32security.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                          000000001ec80000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\win32event.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                             000000001e9b0000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\win32inet.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                              000000001eaa0000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\wx._html2.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:43)                                                              0000000000790000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\wxmsw294u_webview_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904] (wxWidgets for MSW/wxWidgets development team)(2014-08-08 13:24:43)  0000000002700000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\win32gui.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                               000000001ea40000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\win32crypt.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                             000000001e980000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\_multiprocessing.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:43)                                                       0000000002730000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\wx._wizard.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                             0000000005570000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\select.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                                 00000000055a0000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\win32pipe.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:43)                                                              000000001eb90000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\unicodedata.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                            00000000055b0000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\win32pdh.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:43)                                                               000000001eb60000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\win32process.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                           000000001ebf0000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\win32profile.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                           000000001ec20000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\win32ts.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                                000000001ed40000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\wx._animate.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:42)                                                            0000000005670000
 
---- Services - GMER 2.1 ----
 
Service  C:\Program Files (x86)\Google\Chrome Remote Desktop\36.0.1985.102\remoting_host.exe (*** hidden *** )                                                                                                                            [AUTO] chromoting                                                                                                                                                           <-- ROOTKIT !!!
 
---- Registry - GMER 2.1 ----
 
Reg      HKLM\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings@StringCacheGeneration                                                                                                                                              381
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed                                                                                                                                                153060022
Reg      HKLM\SYSTEM\CurrentControlSet\Services\chromoting@ImagePath                                                                                                                                                                      "C:\Program Files (x86)\Google\Chrome Remote Desktop\36.0.1985.102\remoting_host.exe" --type=daemon --host-config="C:\ProgramData\Google\Chrome Remote Desktop\host.json"
Reg      HKLM\SYSTEM\CurrentControlSet\Services\chromoting@DisplayName                                                                                                                                                                    @C:\Program Files (x86)\Google\Chrome Remote Desktop\36.0.1985.102\remoting_core.dll,-101
Reg      HKLM\SYSTEM\CurrentControlSet\Services\chromoting@Description                                                                                                                                                                    @C:\Program Files (x86)\Google\Chrome Remote Desktop\36.0.1985.102\remoting_core.dll,-102
Reg      HKLM\SYSTEM\CurrentControlSet\Services\chromoting                                                                                                                                                                                
Reg      HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\chromoting@EventMessageFile                                                                                                                                          C:\Program Files (x86)\Google\Chrome Remote Desktop\36.0.1985.102\remoting_core.dll
Reg      HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\chromoting@CategoryMessageFile                                                                                                                                       C:\Program Files (x86)\Google\Chrome Remote Desktop\36.0.1985.102\remoting_core.dll
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch                                                                                                                                                                  2509
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{C7823457-C3C8-458E-8D1F-C5B28A1E7712}                                                                                               v2.22|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files (x86)\Google\Chrome Remote Desktop\36.0.1985.102\remoting_host.exe|Name=Chrome Remote Desktop Host|Edge=TRUE|
Reg      HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw                                                                                                                                                                               0x64 0x62 0x03 0x00 ...
Reg      HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask                                                                                                                                                                           0x64 0x62 0x03 0x00 ...
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014072820140729                                                                                                             
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014072820140729@CachePrefix                                                                                                 :2014072820140729: 
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014072820140729@CachePath                                                                                                   %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012014072820140729
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014072820140729@CacheOptions                                                                                                11
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014072820140729@CacheRepair                                                                                                 0
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014072820140729@CacheLimit                                                                                                  1
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080320140804                                                                                                             
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080320140804@CachePrefix                                                                                                 :2014080320140804: 
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080320140804@CachePath                                                                                                   %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012014080320140804
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080320140804@CacheOptions                                                                                                11
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080320140804@CacheRepair                                                                                                 0
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080320140804@CacheLimit                                                                                                  1
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime                                                                                                                         0x89 0x26 0x51 0x58 ...
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime                                                                                                                    0x89 0x26 0x51 0x58 ...
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime                                                                                                                           0x89 0x26 0x51 0x58 ...
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime                                                                                                                          0x89 0x26 0x51 0x58 ...
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest                                                                                                                           0x93 0x5B 0x1A 0x7D ...
 
---- EOF - GMER 2.1 ----
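The GMER instructions above explain how to produce ark.txt and warn that its "suspicious" and "ROOTKIT" entries are often false positives. As an added example that is not part of this thread, the following Python script sorts the entries of such a log into review buckets for a human to look at; it acts on nothing. The sample log is constructed in the shape of the one posted, the unknown.dll line in it is invented, and the rule that a module under Temp\_MEI<digits>\ loaded by a Program Files executable is a PyInstaller bundle is an assumption.

```python
"""Triage a GMER 2.1 rootkit-scan log (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample in the shape of the ark.txt posted above (trailing columns
# shortened; the unknown.dll / explorer.exe line is invented to exercise the
# review bucket and does not come from the posted log).
SAMPLE_LOG = r"""
GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-08-08 10:09:36
---- Processes - GMER 2.1 ----
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\python27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904] (Python Core/Python Software Foundation)(2014-08-08 13:24:43)   000000001e000000
Library  C:\Users\Troy\AppData\Local\Temp\_MEI43722\_ssl.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3904](2014-08-08 13:24:43)   0000000010000000
Library  C:\Users\Troy\AppData\Local\Temp\tmp1\unknown.dll (*** suspicious ***) @ C:\Windows\explorer.exe [1234](2014-08-08 13:24:43)   0000000012340000
---- Services - GMER 2.1 ----
Service  C:\Program Files (x86)\Google\Chrome Remote Desktop\36.0.1985.102\remoting_host.exe (*** hidden *** )   [AUTO] chromoting   <-- ROOTKIT !!!
---- EOF - GMER 2.1 ----
"""

# "Library <module> (*** suspicious ***) @ <host exe> [<pid>] ..."
LIBRARY_RE = re.compile(
    r"^Library\s+(?P<module>.+?) \(\*\*\* suspicious \*\*\*\) @ (?P<host>.+?) \[(?P<pid>\d+)\]"
)
# "Service <image> (*** hidden *** )   [<start type>] <service name> ..."
SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>.+?) \(\*\*\* hidden \*\*\* ?\)\s+\[(?P<start>\w+)\] (?P<name>\S+)"
)
# Assumption: %TEMP%\_MEI<digits>\ is the run-time extraction directory of a
# PyInstaller one-file bundle, which is why a packaged Python app shows dozens
# of "suspicious" .pyd/.dll modules loaded from Temp.
PYINSTALLER_DIR_RE = re.compile(r"\\Temp\\_MEI\d+\\", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


def classify_library(module: str, host: str) -> str:
    """Bucket one 'suspicious' module by where it lives and who loaded it."""
    if PYINSTALLER_DIR_RE.search(module) and host.lower().startswith("c:\\program files"):
        return "pyinstaller_bundle"   # usual for packaged Python apps; likely benign
    if TEMP_DIR_RE.search(module):
        return "module_from_temp"     # needs a look: which product put it there?
    return "other_suspicious"


def triage(log_text: str) -> dict:
    """Parse a GMER log and return {bucket: [entries]}; no action is taken."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        m = LIBRARY_RE.match(line)
        if m:
            kind = classify_library(m["module"], m["host"])
            buckets[kind].append((m["module"], m["host"], int(m["pid"])))
            continue
        m = SERVICE_RE.match(line)
        if m:
            # A hidden service is a finding to verify, not a verdict: GMER only
            # says the documented service API did not show it (see the caution).
            flagged = "<-- ROOTKIT" in line
            buckets["hidden_service"].append((m["name"], m["image"], m["start"], flagged))
    return dict(buckets)


def summarize(buckets: dict) -> dict:
    """Count entries per bucket for a quick overview in a reply."""
    return {kind: len(entries) for kind, entries in buckets.items()}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(summarize(result))
    for name, image, start, flagged in result.get("hidden_service", []):
        print(f"verify service {name} ({start}): {image}, rootkit flag={flagged}")
```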

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe



When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.


My mistake.

 

While processing your log files, I've found evidence of cracked software:

 

 

Your logs show obvious signs of having cracked software on your system. This is the main reason your computer is infected. Visiting cracksites/warezsites - and other questionable/illegal sites is always a risk.

Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.

Additionally, cracked programs are illegal. Referring to the Forum Rules which you should have read at the time of registering at this forum, this forum does not support illegal activity. As such, be advised that any request for assistance in removing malware may go unanswered, or may be discontinued, if the cracked (illegal) software is still present on the machine.

Having said that, we can help you clean your machine this time BUT this would be a ONCE ONLY offer on the understanding that all cracks are removed. This would apply not only here but at many other Malware Support forums if you were to appear again with cracks onboard, as many of us analysts work at multiple support sites. Please remove all cracked software and illegally obtained copyrighted material you have on the system so we may continue with the clean up.


Root Admin (2 weeks later):

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
