
Trojans, trackers, etc.


Hello Bobbie2836, welcome to Malwarebytes' Malware Removal forum!
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that.
General P2P/Piracy Notice: 

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Please ensure you read through my instructions thoroughly, and carry out each step in the order specified.
  • If you are unable to copy/paste your logs directly into your post, please attach the file. 
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.
  • Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
  • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
  • Ensure you are following this topic. Click the follow button at the top of the page. 


Can Joe's computer be saved?

Is Joe a friend? You can tell him his computer can be saved. 

Using a clean device or machine, he should change details and passwords for accounts recently used.
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    HKLM-x32\...\Run: [] => [X]
    HKU\S-1-5-21-149522449-3685137170-1245344636-1000\...\Run: [Iwfyap] => "C:\Users\OWNER\AppData\Roaming\Uqalalfu\hynena.exe"
    HKU\S-1-5-21-149522449-3685137170-1245344636-1000\...\Run: [ucilluo] => rundll32 "C:\Users\OWNER\AppData\Local\ucilluo.dll",ucilluo <===== ATTENTION
    C:\Users\OWNER\AppData\Local\ucilluo.dll
    C:\Users\OWNER\AppData\Roaming\Uqalalfu
    HKU\S-1-5-21-149522449-3685137170-1245344636-1000\...\MountPoints2: D - D:\Run.exe
    URLSearchHook: HKCU - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    BHO-x32: &Yahoo! Toolbar Helper -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    Toolbar: HKLM-x32 - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} -  No File
    S1 UsbCharger; C:\Windows\System32\DRIVERS\UsbCharger.sys [22240 2013-10-24] ()
    S1 gaphdyme; \??\C:\Windows\system32\drivers\gaphdyme.sys [X]
    S3 gdrv; \??\C:\Windows\gdrv.sys [X]
    S1 lzcnkwyq; \??\C:\Windows\system32\drivers\lzcnkwyq.sys [X]
    2014-11-14 21:09 - 2014-11-14 21:10 - 00000000 ____D () C:\Program Files (x86)\GUM4CD.tmp
    2014-11-14 21:09 - 2014-11-14 21:09 - 06000640 _____ () C:\Program Files (x86)\GUT50D.tmp
    2014-11-14 16:41 - 2014-11-14 16:41 - 00004190 _____ () C:\Users\OWNER\DECRYPT_INSTRUCTION.TXT
    2014-11-14 16:41 - 2014-11-14 16:41 - 00000264 _____ () C:\Users\OWNER\DECRYPT_INSTRUCTION.URL
    2014-11-14 16:16 - 2014-11-14 16:16 - 00004190 _____ () C:\Users\OWNER\Downloads\DECRYPT_INSTRUCTION.TXT
    2014-11-14 16:16 - 2014-11-14 16:16 - 00004190 _____ () C:\Users\OWNER\Documents\DECRYPT_INSTRUCTION.TXT
    2014-11-14 16:16 - 2014-11-14 16:16 - 00000264 _____ () C:\Users\OWNER\Downloads\DECRYPT_INSTRUCTION.URL
    2014-11-14 16:16 - 2014-11-14 16:16 - 00000264 _____ () C:\Users\OWNER\Documents\DECRYPT_INSTRUCTION.URL
    2014-11-14 16:12 - 2014-11-14 16:12 - 00004190 _____ () C:\Users\OWNER\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
    2014-11-14 16:12 - 2014-11-14 16:12 - 00004190 _____ () C:\Users\OWNER\AppData\DECRYPT_INSTRUCTION.TXT
    2014-11-14 16:12 - 2014-11-14 16:12 - 00000264 _____ () C:\Users\OWNER\AppData\Roaming\DECRYPT_INSTRUCTION.URL
    2014-11-14 16:12 - 2014-11-14 16:12 - 00000264 _____ () C:\Users\OWNER\AppData\DECRYPT_INSTRUCTION.URL
    2014-11-14 16:09 - 2014-11-14 16:09 - 00004190 _____ () C:\Users\OWNER\AppData\Local\DECRYPT_INSTRUCTION.TXT
    2014-11-14 16:09 - 2014-11-14 16:09 - 00000264 _____ () C:\Users\OWNER\AppData\Local\DECRYPT_INSTRUCTION.URL
    2014-11-14 16:08 - 2014-11-15 17:30 - 00000000 ____D () C:\Users\OWNER\AppData\Roaming\FrameworkUpdate7
    2014-11-14 16:08 - 2014-11-14 20:54 - 00000520 _____ () C:\ProgramData\@system.temp
    2014-11-14 16:08 - 2014-11-14 20:54 - 00000256 ____H () C:\ProgramData\@system3.att
    2014-11-14 16:08 - 2014-11-14 16:08 - 00004190 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
    2014-11-14 16:08 - 2014-11-14 16:08 - 00000480 ____H () C:\Users\OWNER\AppData\Roaming\麽鎒駓覜
    2014-11-14 16:08 - 2014-11-14 16:08 - 00000264 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.URL
    2014-11-09 21:57 - 2014-11-14 16:08 - 00000000 ____D () C:\ProgramData\TissuRzolu
    2014-11-09 21:57 - 2014-11-14 16:08 - 00000000 ____D () C:\ProgramData\EaviFubye
    2014-11-09 12:18 - 2014-11-14 16:04 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
    2014-11-14 15:37 - 2014-03-15 21:38 - 00003006 _____ () C:\Windows\System32\Tasks\{B1D728F1-C0FF-446F-A05D-C0D66DB1F986}
    CustomCLSID: HKU\S-1-5-21-149522449-3685137170-1245344636-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
    Task: {0612A032-B73D-4FD1-B206-5BE878CE858D} - \Security Center Update - 587045245 No Task File <==== ATTENTION
    Task: {A24DD012-4E48-4E68-97F7-EB32D9663003} - \Security Center Update - 2423390018 No Task File <==== ATTENTION
    Task: {BECB864B-EEB6-4391-A1B4-8050340A7210} - \Security Center Update - 4184184043 No Task File <==== ATTENTION
    Task: {D8F0CA5F-757F-4459-889C-7801C031D010} - \Security Center Update - 452539669 No Task File <==== ATTENTION
    Folder: C:\Users\OWNER\AppData
    Folder: C:\ProgramData
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset all
    EmptyTemp:
    end
  • Click File > Save As and type fixlist.txt as the File Name.
  • Important: In the Encoding: drop-down box, select Unicode.
  • Important: The file must be saved in the same location as FRST64.exe.

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-Click FRST64.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. This log will be very large. Ensure you attach the file in your next reply.

Malwarebytes Anti-Malware (MBAM)

  • Open Malwarebytes Anti-Malware and click Update Now.
  • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply. 

ComboFix

  • Note: Please read through these instructions before running ComboFix. 
  • Please download ComboFix and save the file to your Desktop. << Important!
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-Click ComboFix.exe and select Run as administrator to run the programme.
  • Follow the prompts. 
  • Allow ComboFix to complete its removal routine (please refer to Important Notes below).
  • Upon completion, a log (ComboFix.txt) will be created in the root directory (C:\). Copy the contents of the log and paste in your next reply.
  • Re-enable your anti-virus software.

Important Notes:

  • Do NOT mouse click ComboFix's window whilst it is running. This may cause the programme to stall.
  • Do NOT use your computer whilst ComboFix is running.
  • Your Desktop/taskbar may disappear whilst ComboFix is running; this is normal.
  • If you get the message Illegal operation attempted on registry key that has been marked for deletion please reboot your computer.
  • ComboFix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If you are unable to access the Internet after running ComboFix, please reboot your computer. 

TDSSKiller Scan

  • Please download TDSSKiller and save the file to your Desktop.
  • Right-Click TDSSKiller.exe and select Run as administrator to run the programme.
  • Click Change parameters. Place a checkmark next to:
    • Loaded Modules
    • Detect TDLFS file system
    • Verify file digital signatures
  • Note: If you receive the following message: Extended Monitoring Driver is required, click Reboot now, and continue from here following the reboot.
  • Click Start Scan. Do not use the computer during the scan.
  • If objects are found, change the action to skip.
  • Click Continue and close the window.
  • A log will be created and saved to the root directory (usually C:\). Attach the log in your next reply.

Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Fixlog.txt (attached!)
  • MBAM log
  • ComboFix.txt
  • TDSSKiller log (attached!)
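The fixlist in the post above bundles several distinct persistence mechanisms: Run-key values pointing into the user profile, a rundll32-loaded DLL, a MountPoints2 autorun, orphaned driver services, scheduled tasks with no task file, a CustomCLSID localserver32 entry that launches rundll32.exe with a javascript: URL (the entry the fixlist itself tentatively labels "Poweliks?"), and the DECRYPT_INSTRUCTION ransom notes. The Python script below is an added example, not part of the original post and not Farbar or FRST code. It takes a constructed sample of seven lines copied from that fixlist, classifies each line by mechanism, and decodes the visible prefix of the eval() argument in the CustomCLSID entry. That decoding rests on an assumption drawn from the string itself: every character is one code point above the intended script text, so shifting each down by one recovers it. All function and variable names are the example's own.

```python
"""Classify FRST fixlist findings and decode the obfuscated CustomCLSID payload.

Added example; not from the original forum post and not Farbar/FRST code.
The sample lines below are a constructed subset of the fixlist in the thread.
The shift-by-one decoding is an assumption drawn from the visible string
(each character is one code point above the intended script text).
"""
import re

# Constructed sample input: seven lines copied from the fixlist above.
FRST_LINES = r"""
HKU\S-1-5-21-149522449-3685137170-1245344636-1000\...\Run: [Iwfyap] => "C:\Users\OWNER\AppData\Roaming\Uqalalfu\hynena.exe"
HKU\S-1-5-21-149522449-3685137170-1245344636-1000\...\Run: [ucilluo] => rundll32 "C:\Users\OWNER\AppData\Local\ucilluo.dll",ucilluo <===== ATTENTION
HKU\S-1-5-21-149522449-3685137170-1245344636-1000\...\MountPoints2: D - D:\Run.exe
S1 gaphdyme; \??\C:\Windows\system32\drivers\gaphdyme.sys [X]
CustomCLSID: HKU\S-1-5-21-149522449-3685137170-1245344636-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds <==== Poweliks?
Task: {0612A032-B73D-4FD1-B206-5BE878CE858D} - \Security Center Update - 587045245 No Task File <==== ATTENTION
2014-11-14 16:41 - 2014-11-14 16:41 - 00004190 _____ () C:\Users\OWNER\DECRYPT_INSTRUCTION.TXT
"""

# FRST's trailing annotations are not part of the entry itself.
ANNOTATION = re.compile(r"\s*<=+ (?:ATTENTION|Poweliks\?)$")
RUN_KEY = re.compile(r"\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<cmd>.*)$")
DRIVER = re.compile(r"^S[0-4] (?P<svc>\w+); (?P<path>.*\.sys) \[X\]$")
TASK = re.compile(r"^Task: \{(?P<guid>[0-9A-Fa-f-]+)\} - (?P<name>.*?) No Task File$")
EVAL_ARG = re.compile(r'eval\("([^"]*)')


def decode_shift1(text):
    """Reverse a +1 code-point shift applied to every character (assumed scheme)."""
    return "".join(chr(ord(c) - 1) for c in text)


def classify(raw):
    """Map one FRST line to a {kind, detail} finding; None for blank lines."""
    line = ANNOTATION.sub("", raw.strip())
    if not line:
        return None
    if line.startswith("CustomCLSID:") and "localserver32" in line.lower() and "javascript:" in line:
        # Registry-resident launcher: rundll32 hands a javascript: URL to
        # mshtml's RunHTMLApplication, so the payload is not a file on disk.
        m = EVAL_ARG.search(line)
        return {"kind": "fileless-clsid", "detail": decode_shift1(m.group(1)) if m else line}
    m = RUN_KEY.search(line)
    if m:
        cmd = m.group("cmd")
        kind = "run-key-rundll32" if cmd.lower().startswith("rundll32") else "run-key"
        return {"kind": kind, "detail": f"{m.group('name')} -> {cmd}"}
    if "MountPoints2:" in line:
        return {"kind": "mountpoint-autorun", "detail": line.split("MountPoints2: ", 1)[1]}
    m = DRIVER.match(line)
    if m:
        return {"kind": "orphaned-driver", "detail": m.group("svc")}
    m = TASK.match(line)
    if m:
        return {"kind": "orphaned-task", "detail": m.group("name")}
    if "DECRYPT_INSTRUCTION" in line:
        return {"kind": "ransom-note", "detail": line.split("() ", 1)[1]}
    return {"kind": "other", "detail": line}


def triage(text):
    """Classify every non-blank line, preserving order."""
    return [f for f in (classify(l) for l in text.splitlines()) if f]


def summarize(findings):
    """Count findings per kind."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(FRST_LINES):
        print(f"{f['kind']:<20} {f['detail']}")
    print(summarize(triage(FRST_LINES)))
```

Run as a script it prints one classified finding per line; the decoded CustomCLSID prefix reads as the start of a document.write() call that injects a script tag, which is why the launcher can survive the deletion of every file the other entries point at. The decoder only makes the registry-resident launcher readable for triage; removing it is still the job of the FRST fix.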

Yes, Joe is a friend - and he's going to be so glad to get his computer working again.


I ran the Fix, but the Fixlog.txt is 41,929 kb, so I doubt if I can send it.


I've zipped it, and it's now just over 2 MB. I'll send this one along with the MBAM log, then get the other stuff done and send all of those reports at the same time - tomorrow.




Malwarebytes Anti-Malware

Scan Date: 11/16/2014
Scan Time: 8:37:40 PM
Administrator: Yes

Malware Database: v2014.11.17.01
Rootkit Database: v2014.11.12.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 318818
Time Elapsed: 8 min, 47 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)



This topic is now closed to further replies.