cozahost.exe and other zoomify files

Can you run RK again as before, only hit the delete key once.... we need to kill off Vosteran..

 

Next,

 

Go here http://www.adobe.com/shockwave/welcome/ and have Adobe Flashplayer checked. Accept new version if required.

There may be an offer of Google Chrome etc.; untick those options if offered...

 

Let me know if there are any remaining issues or concerns...

 

Thanks,

 

Kevin

I didn't press delete or check anything on the list

RogueKiller V10.1.1.0 [Dec 23 2014] by Adlice Software

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version

Started in : Normal mode

User : Patrick [Administrator]

Mode : Scan -- Date : 01/05/2015  10:32:28

 

¤¤¤ Processes : 0 ¤¤¤

 

¤¤¤ Registry : 8 ¤¤¤

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 168.28.176.11 168.28.176.253 198.72.72.10 [UNITED STATES (US)][UNITED STATES (US)][UNITED STATES (US)]  -> Found

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 168.28.176.11 168.28.176.253 198.72.72.10 [UNITED STATES (US)][UNITED STATES (US)][UNITED STATES (US)]  -> Found

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0FCC9FF9-FBA9-4F58-BA21-0341370EF0DD} | DhcpNameServer : 168.28.176.11 168.28.176.253 198.72.72.10 [UNITED STATES (US)][UNITED STATES (US)][UNITED STATES (US)]  -> Found

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0FCC9FF9-FBA9-4F58-BA21-0341370EF0DD} | DhcpNameServer : 168.28.176.11 168.28.176.253 198.72.72.10 [UNITED STATES (US)][UNITED STATES (US)][UNITED STATES (US)]  -> Found

[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found

[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

 

¤¤¤ Tasks : 0 ¤¤¤

 

¤¤¤ Files : 0 ¤¤¤

 

¤¤¤ Hosts File : 0 ¤¤¤

 

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x20]) ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ MBR Check : ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MQ01ABD075 +++++

--- User ---

[MBR] a84dd93b5b19931ceaddbccc47850486

[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code

Partition table:

0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097151 MB

User = LL1 ... OK

User = LL2 ... OK

 

 

============================================

RKreport_DEL_01032015_191747.log - RKreport_DEL_01052015_101403.log - RKreport_DEL_01052015_101416.log - RKreport_SCN_01032015_175659.log

RKreport_SCN_01032015_190556.log - RKreport_SCN_01032015_192105.log - RKreport_SCN_01052015_081301.log - R


Log is clean this time. What is the current status of your system, any remaining issues or concerns?

 

Open Malwarebytes Anti-Malware, from the Dashboard please Check for Updates by clicking the Update Now... link

When the update completes select > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.

 

 

Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.

 

When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

 

 

In most cases, a restart will be required.

 

 

Wait for the prompt to restart the computer to appear, then click on Yes.

 

 

When the scan is completed, from the main GUI click on History > Application Logs. Find your scan log; the date when run will identify it. Checkmark the "select" box, then hit the "view" button. The history log window will open. At the bottom of that window are two options, "Copy to clipboard" and "Export".

Select "Copy to clipboard"; that copies the full log to the Windows clipboard, so in your reply you right-click into the text field and select "Paste", and the log is pasted (copied) into your reply.

 

Or select "Export": you are given the option to export as a text file (*.txt) or XML file (*.xml). Choose text file and save the exported file to a place of your choice. That file can be attached to your reply...

 

Kevin...


Malwarebytes Anti-Malware

www.malwarebytes.org

 

Scan Date: 1/5/2015

Scan Time: 11:13:02 AM

Logfile: 

Administrator: Yes

 

Version: 2.00.4.1028

Malware Database: v2015.01.05.06

Rootkit Database: v2014.12.30.01

License: Trial

Malware Protection: Enabled

Malicious Website Protection: Enabled

Self-protection: Disabled

 

OS: Windows 8.1

CPU: x64

File System: NTFS

User: Patrick

 

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 397049

Time Elapsed: 34 min, 33 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

 

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

 

Registry Keys: 9

PUP.Optional.Vosteran, HKLM\SOFTWARE\CLASSES\APPID\{4CB3598A-82E8-4D1F-983F-061238AE696E}, Quarantined, [a25f5c0da7d54fe7a0dec715857df10f], 

PUP.Optional.Vosteran, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{4CB3598A-82E8-4D1F-983F-061238AE696E}, Quarantined, [a25f5c0da7d54fe7a0dec715857df10f], 

PUP.Optional.Vosteran.A, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\oilkkkefbalmbfppgjmgjoefbclebkce, Quarantined, [cd346dfcf389e254c0f172f40ef59868], 

PUP.Optional.Vosteran.A, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\oilkkkefbalmbfppgjmgjoefbclebkce, Quarantined, [2cd56405d6a62c0ae0d1b0b6996a9868], 

PUP.Optional.InstallCore.A, HKLM\SOFTWARE\WOW6432NODE\INSTALLCORE\WSE_Vosteran, Quarantined, [6b966dfccbb19b9bd94b5e13946f649c], 

PUP.Optional.Vosteran.A, HKU\S-1-5-21-2150100393-3706727894-453651403-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\wse_vosteran, Quarantined, [30d177f2ea922b0b72c0a34458ac35cb], 

PUP.Optional.Vosteran.A, HKU\S-1-5-21-2150100393-3706727894-453651403-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\oilkkkefbalmbfppgjmgjoefbclebkce, Quarantined, [1ae76cfd90ec42f409a996d03ec525db], 

PUP.Optional.InstallCore.A, HKU\S-1-5-21-2150100393-3706727894-453651403-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE\1I1T1Q1S, Quarantined, [3fc276f3c2badf570e45d9cf778cd729], 

PUP.Optional.InstallCore.A, HKU\S-1-5-21-2150100393-3706727894-453651403-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE, Quarantined, [fb069ccd96e6c472c8a56a547f85aa56], 

 

Registry Values: 2

PUP.Optional.Vosteran, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY|AppPath, C:\Program Files (x86)\WSE_Vosteran\\, Quarantined, [b15005647efed066fb0435b357adb24e]

PUP.Optional.InstallCore.A, HKU\S-1-5-21-2150100393-3706727894-453651403-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE|tb, 0X1L1C1C1J2Z, Quarantined, [fb069ccd96e6c472c8a56a547f85aa56]

 

Registry Data: 4

Trojan.DNSChanger, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|DhcpNameServer, 168.28.176.11 168.28.176.253 198.72.72.10, Good: (), Bad: (168.28.176.11),Replaced,[12efed7cf884b08627441e6d6b9ab44c]

Trojan.DNSChanger, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|DhcpNameServer, 168.28.176.11 168.28.176.253 198.72.72.10, Good: (), Bad: (168.28.176.253),Replaced,[c938fa6fa9d395a17deefa916d9841bf]

Trojan.DNSChanger, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{0FCC9FF9-FBA9-4F58-BA21-0341370EF0DD}|DhcpNameServer, 168.28.176.11 168.28.176.253 198.72.72.10, Good: (), Bad: (168.28.176.11),Replaced,[5ea31f4ab3c99b9b036835564fb69868]

Trojan.DNSChanger, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{0FCC9FF9-FBA9-4F58-BA21-0341370EF0DD}|DhcpNameServer, 168.28.176.11 168.28.176.253 198.72.72.10, Good: (), Bad: (168.28.176.253),Replaced,[e31e155487f570c699d2503bac5901ff]

 

Folders: 4

PUP.Optional.Vosteran.A, C:\Users\Patrick\AppData\Roaming\WSE_Vosteran, Quarantined, [926fa5c4ceae092d24ac5408fd060bf5], 

PUP.Optional.Vosteran.A, C:\Users\Patrick\AppData\Roaming\WSE_Vosteran\UpdateProc, Quarantined, [926fa5c4ceae092d24ac5408fd060bf5], 

PUP.Optional.Vosteran.A, C:\Program Files (x86)\WSE_Vosteran, Quarantined, [907179f0daa248eed3ffef6d58abf709], 

PUP.Optional.Vosteran.A, C:\Program Files (x86)\WSE_Vosteran\bh, Quarantined, [907179f0daa248eed3ffef6d58abf709], 

 

Files: 6

PUP.Optional.Vosteran.A, C:\Users\Patrick\AppData\Roaming\WSE_Vosteran\UpdateProc\bkup.dat, Quarantined, [926fa5c4ceae092d24ac5408fd060bf5], 

PUP.Optional.Vosteran.A, C:\Users\Patrick\AppData\Roaming\WSE_Vosteran\UpdateProc\config.dat, Quarantined, [926fa5c4ceae092d24ac5408fd060bf5], 

PUP.Optional.Vosteran.A, C:\Program Files (x86)\WSE_Vosteran\astcnfg.dat, Quarantined, [907179f0daa248eed3ffef6d58abf709], 

PUP.Optional.Vosteran.A, C:\Program Files (x86)\WSE_Vosteran\FavIcon.ico, Quarantined, [907179f0daa248eed3ffef6d58abf709], 

PUP.Optional.Vosteran.A, C:\Program Files (x86)\WSE_Vosteran\Sqlite3.dll, Quarantined, [907179f0daa248eed3ffef6d58abf709], 

PUP.Optional.Vosteran.A, C:\Program Files (x86)\WSE_Vosteran\uninst.dat, Quarantined, [907179f0daa248eed3ffef6d58abf709], 

 

Physical Sectors: 0

(No malicious items detected)

 

 

(end)


How is your system responding? Are there any remaining issues or concerns.....

 

Run this please:

 

Download SystemLook from the following link below and save it to your Desktop. Use the correct version 32bit or 64bit.

http://jpshortstuff.247fixes.com/SystemLook_x64.exe     <<-   64 bit….

http://images.malwareremoval.com/jpshortstuff/SystemLook.exe  <<-  32 bit

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

        :filefind
        *vosteran*
        :folderfind
        *vosteran*
        :regfind
        *vosteran*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.


Note: The log can also be found on your Desktop entitled SystemLook.txt
 


SystemLook 30.07.11 by jpshortstuff

Log created at 15:21 on 05/01/2015 by Patrick

Administrator - Elevation successful

 

========== filefind ==========

 

Searching for "*vosteran*"

No files found.

 

========== folderfind ==========

 

Searching for "*vosteran*"

No folders found.

 

========== regfind ==========

 

Searching for "*vosteran*"

No data found.

 

-= EOF =-


Please read carefully and follow these steps.

 

Download TDSSKiller from here  http://support.kaspersky.com/downloads/utils/tdsskiller.exe and save it to your Desktop.

Double-click on tdsskiller.exe to run the application.

The "Ready to scan" window will open. Click on "Change parameters".

Place a checkmark next to Verify Driver Digital Signature and Detect TDLFS file system (leave "Service & Drivers" and "Boot Sectors" ticked). Click OK.

Select "Start Scan".

If an infected file is detected, the default action will be Cure; click on Continue.

If a suspicious file is detected, the default action will be Skip; click on Continue.

It may ask you to reboot the computer to complete the process. Click on Reboot Now.

If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


What do you mean it doesn't work? We are checking for a specific infection; if the log is clean, that is good news....

 

Please click on START and type in CMD.EXE and when it shows on the menu right click and choose "Run as administrator"

Copy the following command:

reg query "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces" >C:\NetWorkCards.txt

Right click at the command prompt and select paste. Hit the enter key.

NetWorkCards.txt will be saved to the root of C:\ as such: C:\NetWorkCards.txt

Copy that .txt file to your next reply.....

 

Next,

 

Run another threat scan with Malwarebytes, post that log.

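The reg query above lists the per-interface keys, and the DhcpNameServer values that RogueKiller and Malwarebytes flagged as a DNS changer later turned out to belong to the user's own campus network. As an added example (not code from this thread or from the tools it mentions), the PowerShell below reads NameServer and DhcpNameServer from the global Tcpip\Parameters key and from every interface subkey, then marks any server not in an expected list so it can be checked for ownership before being treated as a hijack. The $Expected addresses are placeholders and an assumption; fill in your network's real resolvers.

```powershell
# Added example, not from the thread. Expected resolvers are PLACEHOLDERS
# (RFC 5737 documentation range); replace with the resolvers your DHCP really hands out.
$Expected = @('192.0.2.53', '192.0.2.54')

$Base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-DnsServerSettings {
    # Global key plus every per-interface subkey, the same keys the thread's reg query lists.
    $keys = @(Get-Item -Path $Base) + @(Get-ChildItem -Path "$Base\Interfaces")
    foreach ($key in $keys) {
        # NameServer = statically configured; DhcpNameServer = what DHCP handed out.
        foreach ($name in 'NameServer', 'DhcpNameServer') {
            $value = (Get-ItemProperty -Path $key.PSPath -Name $name -ErrorAction SilentlyContinue).$name
            if ([string]::IsNullOrWhiteSpace($value)) { continue }
            # Values are space- or comma-separated lists, as in the logs above.
            foreach ($server in ($value -split '[ ,]+' | Where-Object { $_ })) {
                [pscustomobject]@{
                    Key       = $key.PSChildName
                    ValueName = $name
                    Server    = $server
                    Expected  = ($Expected -contains $server)
                }
            }
        }
    }
}

$results = Get-DnsServerSettings
$results | Format-Table -AutoSize

# Anything outside the expected set is a lead, not a verdict: a DHCP-assigned resolver
# that belongs to the local ISP or campus (as in this thread) is legitimate.
$unexpected = $results | Where-Object { -not $_.Expected }
if ($unexpected) {
    Write-Warning ("Unexpected DNS servers: " + (($unexpected.Server | Sort-Object -Unique) -join ', ') +
                   ". Check who owns them (whois) and whether DHCP on this network assigns them.")
}
```

Run it from an elevated prompt; reading Tcpip\Parameters does not require elevation, but it keeps the result comparable with the helper's "Run as administrator" reg query.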

HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{0f749c37-4689-11e3-824f-806e6f6e6963}

HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{0FCC9FF9-FBA9-4F58-BA21-0341370EF0DD}

HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{6DD690CB-897B-4DD9-A862-1ECD62DEABB9}

HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{78A02721-E11A-4285-8ED5-CE5887497FCF}

HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{8718928D-CBEB-45EA-A621-800A9249001D}

HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{9246AFA5-61DE-4A52-BE10-AD08F8FE3449}

HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{B4E41B12-4663-4DD2-9059-802F6C898C19}

HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{E1940936-F7A1-4617-BCE8-6E3DD811205A}

Malwarebytes has flagged the IP addresses previously; I've checked them myself and do not actually see anything wrong. The following is the registrant; does it mean anything to you?

 

University System of Georgia, Board of Regents
University System of Georgia, Board of Regents
2500 Daniells Bridge Road
Athens, GA 30606
UNITED STATES

 

and this one...

 

Registrant

Southern Polytechnic State University
1100 South Marietta Parkway
Marietta, GA 30060-2896
UNITED STATES
