Jump to content

Recommended Posts

I'm actually helping my friend out. The process tries to duplicate itself after trying to shut it down (sits in NTKernel). I think it's also responsible for preventing malwarebytes and all chameleons from running. We actually have an issue with being charged money from her paypal account.

 

I'm going to attach the logs below. 

 

Addition.txt

FRST.txt

Link to post
Share on other sites

Hello and welome,

 

P2P/Piracy Warning:

 

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

 

Next,

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

 

Next,

 

Open Malwarebytes Anti-Malware, from the Dashboard please Check for Updates by clicking the Update Now... link

When the update completes select > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.

 

 

Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.

 

When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

 

 

In most cases, a restart will be required.

 

 

Wait for the prompt to restart the computer to appear, then click on Yes.

 

 

When the scan is completed from the main GUI click on History > Application Logs. Find your scan log, the date when run will identify it. Checkmark "select" box > then hit the "view" button. The history log window will open. At the bottom of that window are two options, "Copy to clipboard" and "Export"

Select > "Copy to clipboard" that copies the full log to the windows clipboard, so at your reply you right click into the text field and select "Paste" the log is pasted (copied) to  your reply.

 

Or select "Export" you are given the option to export as a Text file (*.txt) or XML file (*.xml) Choose text file, save the exported file to a place of your choice. That file can be attached to your reply...

 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.


Double click on Adwcleaner.exe to run the tool.
Click on Scan
Once the scan is done, click on the Clean button.
You will get a prompt asking to close all programs. Click OK.
Click OK again to reboot your computer.
A text file will open after the restart. Please post the content of that logfile in your reply.
You can also find the logfile at C:\AdwCleaner[sn].txt. Where n in the scan reference number

 

Next,

 

thisisujrt.gif Please download Junkware Removal Tool to your desktop.


Shut down your protection software now to avoid potential conflicts. (re-enable when done)
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

 

Next,

 

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:

https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:

https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en'>https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

 

Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window

In the "Scan Type" window, select Quick Scan

Perform a scan and  Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

 

1) Select the Windows key and R key together to open the "Run" function

2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

 

notepad c:\windows\debug\mrt.log

 

Let me see those logs, also give an update on any remaining issues or concerns....

 

Kevin...

 

 

 

 

 

Fixlist.txt

Link to post
Share on other sites

Yes, that's correct, my mistake, I think my friend was uninstalling something at the moment and I thought it would be better if it didnt index that. My bad. 

Nothing happens when I try to run it. It does start slight activity on disc from two malwares i found, at least I think those are the two responsible. 

Link to post
Share on other sites

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

 

Next,

 

Try Malwarebytes again, post log if successful

 

Next,

 

Run the following regardless whether MB runs or not..

 

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

 


Quit all running programs.
For Windows XP, double-click to start.
For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
Read and accept the EULA (End User Licene Agreement)
Click Scan to scan the system.
When the scan completes select "Report", log will open. Close the program > Don't Fix anything!
Post back the report which should also be located here:

 

C:\Programdata\RogueKiller\Logs <-------- W7/8

C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <------XP

 

Kevin...

 

 

 

Fixlist.txt

Link to post
Share on other sites

Double-click RogueKiller.exe to run again. (Vista/7/8 right-click and select Run as Administrator)

When "initializing/pre-scan" completes  press the Scan button, this may take a few minutes to complete.

When the scan completes open the Registry tab and locate the following detections:

[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{26B19FA4-E8A1-4A1B-A163-1A1E46F830DD} -> Found
[suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | Add Plugin.jar : C:\Users\nikola\Add Plugin.jar  -> Found
[suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | sstunnel.exe : C:\Users\nikola\AppData\Roaming\sslunnel\kNL6GTEgiI6F.exe  -> Found
[suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | sstunnel.exemY : C:\Users\nikola\AppData\Roaming\sslunnel\mYgtba8MWAxx.exe  -> Found
[suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | sstunnel.exeRN : C:\Users\nikola\AppData\Roaming\sslunnel\RNjdNw8aULaf.exe  -> Found
[suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | sstunnel.exehT : C:\Users\nikola\AppData\Roaming\sslunnel\mzq8zDhPUVUA.exe  -> Found
[suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | ssl.exe : C:\Users\nikola\AppData\Roaming\tunnel\mzq8zDhPUVUA.exe  -> Found
[suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | NAT Subsystem : C:\Users\nikola\AppData\Roaming\BE147C12-CEB9-4186-8B00-215FD963C03C\NAT Subsystem\natss.exe  -> Found
[suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | ssl.exeQI : C:\Users\nikola\AppData\Roaming\tunnel\QIJL3iHvwkTF.exe  -> Found
[suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | ssl.exe5k : C:\Users\nikola\AppData\Roaming\tunnel\5kk0fblJZe7m.exe  -> Found
[suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | ssl.exelz : C:\Users\nikola\AppData\Roaming\tunnel\lzD5PVbCrhdu.exe  -> Found
[suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | ssl.exewZ : C:\Users\nikola\AppData\Roaming\tunnel\wZIBhk32BBqV.exe  -> Found
[suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | ssl.exeMH : C:\Users\nikola\AppData\Roaming\tunnel\MH5ZUPCW06hl.exe  -> Found
[suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | ssl.exe6b : C:\Users\nikola\AppData\Roaming\tunnel\ltvUgHMTGwns.exe  -> Found
[suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | ssl.exefJ : C:\Users\nikola\AppData\Roaming\tunnel\fJnhJTRgnJon.exe  -> Found
[suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | Add Plugin.jar : C:\Users\nikola\Add Plugin.jar  -> Found
[suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | sstunnel.exe : C:\Users\nikola\AppData\Roaming\sslunnel\kNL6GTEgiI6F.exe  -> Found
[suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | sstunnel.exemY : C:\Users\nikola\AppData\Roaming\sslunnel\mYgtba8MWAxx.exe  -> Found
[suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | sstunnel.exeRN : C:\Users\nikola\AppData\Roaming\sslunnel\RNjdNw8aULaf.exe  -> Found
[suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | sstunnel.exehT : C:\Users\nikola\AppData\Roaming\sslunnel\mzq8zDhPUVUA.exe  -> Found
[suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | ssl.exe : C:\Users\nikola\AppData\Roaming\tunnel\mzq8zDhPUVUA.exe  -> Found
[suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | NAT Subsystem : C:\Users\nikola\AppData\Roaming\BE147C12-CEB9-4186-8B00-215FD963C03C\NAT Subsystem\natss.exe  -> Found
[suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | ssl.exeQI : C:\Users\nikola\AppData\Roaming\tunnel\QIJL3iHvwkTF.exe  -> Found
[suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | ssl.exe5k : C:\Users\nikola\AppData\Roaming\tunnel\5kk0fblJZe7m.exe  -> Found
[suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | ssl.exelz : C:\Users\nikola\AppData\Roaming\tunnel\lzD5PVbCrhdu.exe  -> Found
[suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | ssl.exewZ : C:\Users\nikola\AppData\Roaming\tunnel\wZIBhk32BBqV.exe  -> Found
[suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | ssl.exeMH : C:\Users\nikola\AppData\Roaming\tunnel\MH5ZUPCW06hl.exe  -> Found
[suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | ssl.exe6b : C:\Users\nikola\AppData\Roaming\tunnel\ltvUgHMTGwns.exe  -> Found
[suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows\CurrentVersion\Run | ssl.exefJ : C:\Users\nikola\AppData\Roaming\tunnel\fJnhJTRgnJon.exe  -> Found
[suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | shell : explorer.exe,"C:\ProgramData\NT Kernel\NTKernel.exe"  -> Found
[suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1893051573-1822416700-2810159976-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | shell : explorer.exe,"C:\ProgramData\NT Kernel\NTKernel.exe"  -> Found


Make sure those entries are Checkmarked (ticked) also ensure that all other entries are not Checkmarked.

Hit the Delete button, when complete select "Report" post that log...

 

Next,

 

Run FRST once again, no need to checkmark "Addition.txt" but do checkmark all boxes under "Whitelist" only one log will be produced....

 

If the infection returns we have to maybe run a scanner from outside of windows...

 

Kevin...

Link to post
Share on other sites

Roguekiller gives error because some entries are repeated, no big deal... not all entries return this time.....

 

Continue:

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

 

Next,

 

1.Download Malwarebytes Anti-Rootkit from this link:

 

 http://www.malwarebytes.org/products/mbar/

 

2. Unzip the File to a convenient location. (Recommend the Desktop)

3. Open the folder where the contents were unzipped to run mbar.exe

 

Image1.png

 

4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

 

mbarwm.png

 

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

 

6. The following image opens, select Next.

 

Image2.png

 

7. The following image opens, select Update

 

Image3.png

 

8. When the update completes select Next.

 

Image4.png

 

9. In the following window ensure "Targets" are ticked. Then select "Scan"

 

Image5.png

 

10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

 

MBAntiRKcleanA.png

 

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.

12. If no threats were found you will see the following image, Select Exit:

 

Image6.png

 

13. Verify that your system is now running normally, making sure that the following items are functional:

 


      Internet access
      Windows Update
      Windows Firewall

 

14.  If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within Malwarebytes Anti-Rootkit folder.

 

15. Select "Y" from your Keyboard, tap Enter.

 

16. The fix will be applied, select any key to Exit.

 

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

 

System - log

Mbar - log   Date and time of scan will also be shown

 

Thanks,

 

Kevin...

Fixlist.txt

Link to post
Share on other sites

Run FRST one more time, no need to checkmark "Addition.txt" but do checkmark all boxes under "Whitelist" select scan, post that log....

 

Next,

 

Open Malwarebytes Anti-Malware, from the Dashboard please Check for Updates by clicking the Update Now... link

When the update completes select > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.

 

 

Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.

 

When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

 

 

In most cases, a restart will be required.

 

 

Wait for the prompt to restart the computer to appear, then click on Yes.

 

 

When the scan is completed from the main GUI click on History > Application Logs. Find your scan log, the date when run will identify it. Checkmark "select" box > then hit the "view" button. The history log window will open. At the bottom of that window are two options, "Copy to clipboard" and "Export"

Select > "Copy to clipboard" that copies the full log to the windows clipboard, so at your reply you right click into the text field and select "Paste" the log is pasted (copied) to  your reply.

 

Or select "Export" you are given the option to export as a Text file (*.txt) or XML file (*.xml) Choose text file, save the exported file to a place of your choice. That file can be attached to your reply...

 

Next,

 

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:

https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:

https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en'>https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

 

Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window

In the "Scan Type" window, select Quick Scan

Perform a scan and  Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

 

1) Select the Windows key and R key together to open the "Run" function

2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

 

notepad c:\windows\debug\mrt.log

 

Post those logs, also giv an update on any remaining issues or concerns.....

 

If these new logs are clean it will be a good idea to chang all passwords normally used on this system, especially any that are for online banking, credit card transactions, paypal, ebay etc etc....

 

Thanks,

 

Kevin....

Link to post
Share on other sites

Ok if logs are clean we can remove tools etc... continue as follows:

 

Download "Delfix by Xplode" and save it to your desktop.

 

Or use the following if first link is down:

 

"Delfix link mirror"

 

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

 

Make Sure the following items are checked:

 

 


    Remove disinfection tools
    Create registry backup
    Purge System Restore
    Reset system settings

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Part of the routine will be to create a registry back up with ERUNT,  the back up will be created here:

 

C:\Windows\ERUNT

 

When all is known to be well with your system you can delete that back up folder if you consider it as not needed...

 

Any remnant files/logs from tools we have used can be deleted…

 

Next,

 

Read the following link to fully understand PC security and best practices, you may find it useful....

 

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

Let me know if we are ok to close out...

 

Thank you,

 

Kevin...

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.