AEITS Posted November 8, 2014 Author ID:904949 Share Posted November 8, 2014 Thanks again. Donation sent. Link to post Share on other sites More sharing options...
MrCharlie Posted November 8, 2014 ID:904952 Share Posted November 8, 2014 Thanks...MrC Link to post Share on other sites More sharing options...
AEITS Posted November 9, 2014 Author ID:905124 Share Posted November 9, 2014 I just logged in, and ran FRST as admin under the affected user's account. Apparently there are a few traces left. I was going to remove them manually with REGEDIT unless you think I should give FRST a shot at them again.FRST.txtAddition.txtFRST.txt Link to post Share on other sites More sharing options...
AEITS Posted November 9, 2014 Author ID:905125 Share Posted November 9, 2014 One of those files was supposed to be my attempt at a fixlist. Trying to minimize the time I tie you up in the forum. Link to post Share on other sites More sharing options...
AEITS Posted November 9, 2014 Author ID:905126 Share Posted November 9, 2014 HKU\S-1-5-21-3542812387-3794330035-1786331983-1003\...\Run: [ivijios] => rundll32 "C:\Users\Gary_2\AppData\Local\ivijios.dll",ivijios <===== ATTENTION HKU\S-1-5-21-3542812387-3794330035-1786331983-1003\...\Run: [Olfoegbaba] => C:\Users\Gary_2\AppData\Roaming\Paquyru\siami.exe HKU\S-1-5-21-3542812387-3794330035-1786331983-1003\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks! HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION HKU\S-1-5-21-3542812387-3794330035-1786331983-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION CustomCLSID: HKU\S-1-5-21-3542812387-3794330035-1786331983-1003_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks? Link to post Share on other sites More sharing options...
MrCharlie Posted November 9, 2014 ID:905240 Share Posted November 9, 2014 Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe. Run FRST.exe/FRST64.exe and click Fix only once and wait The tool will create a log (Fixlog.txt) in the folder, please post it to your reply. MrC Link to post Share on other sites More sharing options...
AEITS Posted November 9, 2014 Author ID:905295 Share Posted November 9, 2014 Didn't see an attached fixlist, so I ran mine. It still didn't find one of the keys. I found it with regedit. I did a search for "rundll32.exe javascript", and deleted any keys I found. I found the remaining one, and it's gone now. Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-11-2014 01 Ran by admin at 2014-11-09 01:06:20 Run:1 Running from C:\Users\Gary_2\Desktop Loaded Profiles: admin & Gary_2 (Available profiles: admin & Gary & Gary_2) Boot Mode: Normal ============================================== Content of fixlist: ***************** HKU\S-1-5-21-3542812387-3794330035-1786331983-1003\...\Run: [ivijios] => rundll32 "C:\Users\Gary_2\AppData\Local\ivijios.dll",ivijios <===== ATTENTION HKU\S-1-5-21-3542812387-3794330035-1786331983-1003\...\Run: [Olfoegbaba] => C:\Users\Gary_2\AppData\Roaming\Paquyru\siami.exe HKU\S-1-5-21-3542812387-3794330035-1786331983-1003\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks! HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION HKU\S-1-5-21-3542812387-3794330035-1786331983-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION CustomCLSID: HKU\S-1-5-21-3542812387-3794330035-1786331983-1003_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks? ***************** HKU\S-1-5-21-3542812387-3794330035-1786331983-1003\Software\Microsoft\Windows\CurrentVersion\Run\\ivijios => value deleted successfully. HKU\S-1-5-21-3542812387-3794330035-1786331983-1003\Software\Microsoft\Windows\CurrentVersion\Run\\Olfoegbaba => value deleted successfully. "HKU\S-1-5-21-3542812387-3794330035-1786331983-1003\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully. "HKU\S-1-5-21-3542812387-3794330035-1786331983-1003\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully. "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully. "HKU\S-1-5-21-3542812387-3794330035-1786331983-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully. "HKU\S-1-5-21-3542812387-3794330035-1786331983-1003_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found. ==== End of Fixlog ==== Link to post Share on other sites More sharing options...
MrCharlie Posted November 9, 2014 ID:905325 Share Posted November 9, 2014 I'm not sure what happened to it but here it is again...please use it: MrC Link to post Share on other sites More sharing options...
AEITS Posted November 9, 2014 Author ID:905331 Share Posted November 9, 2014 Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-11-2014 01 Ran by admin at 2014-11-09 11:12:38 Run:2 Running from C:\Users\Gary_2\Desktop Loaded Profiles: admin & Gary_2 (Available profiles: admin & Gary & Gary_2) Boot Mode: Normal ============================================== Content of fixlist: ***************** HKU\S-1-5-21-3542812387-3794330035-1786331983-1003\...\Run: [ivijios] => rundll32 "C:\Users\Gary_2\AppData\Local\ivijios.dll",ivijios <===== ATTENTION HKU\S-1-5-21-3542812387-3794330035-1786331983-1003\...\Run: [Olfoegbaba] => C:\Users\Gary_2\AppData\Roaming\Paquyru\siami.exe HKU\S-1-5-21-3542812387-3794330035-1786331983-1003\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks! HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION HKU\S-1-5-21-3542812387-3794330035-1786331983-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION 2014-10-30 17:30 - 2014-10-30 17:51 - 00000000 ____D () C:\20141024 CustomCLSID: HKU\S-1-5-21-3542812387-3794330035-1786331983-1003_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks? C:\Users\Gary_2\AppData\Local\ivijios.dll C:\Users\Gary_2\AppData\Roaming\Paquyru ***************** HKU\S-1-5-21-3542812387-3794330035-1786331983-1003\Software\Microsoft\Windows\CurrentVersion\Run\\ivijios => Value not found. HKU\S-1-5-21-3542812387-3794330035-1786331983-1003\Software\Microsoft\Windows\CurrentVersion\Run\\Olfoegbaba => Value not found. "HKU\S-1-5-21-3542812387-3794330035-1786331983-1003\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key not found. "HKU\S-1-5-21-3542812387-3794330035-1786331983-1003\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found. "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key not found. "HKU\S-1-5-21-3542812387-3794330035-1786331983-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key not found. C:\20141024 => Moved successfully. "HKU\S-1-5-21-3542812387-3794330035-1786331983-1003_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found. "C:\Users\Gary_2\AppData\Local\ivijios.dll" => File/Directory not found. "C:\Users\Gary_2\AppData\Roaming\Paquyru" => File/Directory not found. ==== End of Fixlog ==== Link to post Share on other sites More sharing options...
MrCharlie Posted November 9, 2014 ID:905340 Share Posted November 9, 2014 OK..How is it???? MrC Link to post Share on other sites More sharing options...
AEITS Posted November 9, 2014 Author ID:905341 Share Posted November 9, 2014 I think it was fine before. I've just been checking on it periodically to make sure. I saw the registry keys come up, so I removed them. Link to post Share on other sites More sharing options...
MrCharlie Posted November 9, 2014 ID:905343 Share Posted November 9, 2014 Would you do me a favor and run this scan:Please download SystemLook from the link below and save it to your Desktop.http://jpshortstuff.247fixes.com/SystemLook_x64.exeDouble-click SystemLook.exe to run it.Copy the content of the following codebox into the main textfield::regfindAB8902B4-09CA-4bb6-B78D-A8F59079A8D5Click the Look button to start the scan.When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.Note: The log can also be found on your Desktop entitled SystemLook.txtMrC Link to post Share on other sites More sharing options...
AEITS Posted November 9, 2014 Author ID:905365 Share Posted November 9, 2014 SystemLook 30.07.11 by jpshortstuff Log created at 12:28 on 09/11/2014 by admin Administrator - Elevation successful ========== regfind ========== Searching for "AB8902B4-09CA-4bb6-B78D-A8F59079A8D5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}] "AppID"="{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}] "AppID"="{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}] [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}] [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}] "AppID"="{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}] -= EOF =- Link to post Share on other sites More sharing options...
MrCharlie Posted November 9, 2014 ID:905368 Share Posted November 9, 2014 That looks OK...How is it????? MrC Link to post Share on other sites More sharing options...
AEITS Posted November 9, 2014 Author ID:905369 Share Posted November 9, 2014 Still fine. I'm just checking in on it when I can. I noticed that you quarantined my restore point 20141024 folder. I don't think I'll need it, but if I uninstall FRST, will I have to move it first? Link to post Share on other sites More sharing options...
AEITS Posted November 9, 2014 Author ID:905371 Share Posted November 9, 2014 Can that last tool be used to find text in the registry? I was thinking that a scan for "rundll32.exe javascript" would be a quick way to check all the PCs on the network. Can it get into the other hives if it's not run as the administrator? Link to post Share on other sites More sharing options...
MrCharlie Posted November 9, 2014 ID:905374 Share Posted November 9, 2014 Give it a try....the one I used should work. I have some other people who are infected running it to see. Just started doing this because then infection seems to infected different users. Mr Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 30, 2014 Root Admin ID:914167 Share Posted November 30, 2014 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts