Jump to content

Recommended Posts

Hi All:

  Could someone help me to remove potential virus on my windows 7? The computer suddenly slowed down. I bought Malwaregbytes premium, scanned several times, kill some virus. But computer still slow. CPU and memory are occupied by process such as wextract.exe*32, ctfmon.exe*32, wiaacmgr.exe*32, ctfmon.exe*32, dvdupgrd.exe*32, dllhost.exe*32...

some other hint: User/Appdata/local/Temp keeps filling up with folders like 1a3c 1a4c...

also frequently there is powershell error jumps out (powershell has stopped working)

attached is the malwarebytes anti Malware scan log txt file.

I also have Sophos installed

please help

rocky

malwarebytes scan.txt

Link to post
Share on other sites

Hi All:


  Could someone help me to remove potential virus on my windows 7? The computer suddenly slowed down. I bought Malwaregbytes premium, scanned several times, kill some virus. But computer still slow. CPU and memory are occupied by process such as wextract.exe*32, ctfmon.exe*32, wiaacmgr.exe*32, ctfmon.exe*32, dvdupgrd.exe*32, dllhost.exe*32...


some other hint: User/Appdata/local/Temp keeps filling up with folders like 1a3c 1a4c...


also frequently there is powershell error jumps out (powershell has stopped working)


attached is the malwarebytes anti Malware scan log txt file.


I also have Sophos installed


I posted 4 days ago without FRST scan, now I repost with complete logs attachment.


please help


rocky


malwarebytes scan.txt

FRST.txt

Addition.txt

Link to post
Share on other sites

  • Root Admin

Please read the following and post back the logs when ready and we'll see about getting you cleaned up.

General P2P/Piracy Warning:
 
 

 
If you're using
Peer 2 Peer
software such as
uTorrent, BitTorrent
or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have
illegal/cracked software, cracks, keygens etc
. on the system, please remove or uninstall them now and read the policy on
Piracy
.



 
Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.
  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
    • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

    [*]Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive [*]Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you. [*]The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone. [*]Perform everything in the correct order. Sometimes one step requires the previous one. [*]If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue. [*]You can check here if you're not sure if your computer is 32-bit or 64-bit [*]Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners. [*]When we are done, I'll give you instructions on how to cleanup all the tools and logs [*]Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that. [*]Your topic will be closed if you haven't replied within 3 days [*](If I have not responded within 24 hours, please send me a Private Message as a reminder)


 
STEP 0
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes
so that your normal security software can then run and clean your computer of infections.
When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies
that stop us from using certain tools. When finished it will display a log file that shows the processes that were
terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot
your computer as any malware processes that are configured to start automatically will just be started again.
Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.
 


Link 2

  • On Windows XP double-click on the Rkill desktop icon to run the tool.
  • On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.

STEP 01
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.
  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.

    [*]Make sure that at least the first two check boxes are selected. [*]Click on OK [*]Then click on YES to create the folder. [*]Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe


STEP 02
Please run a Threat Scan with MBAM.  If you're unable to run or complete the scan as shown below please see the following:  MBAM Clean Removal Process 2x
When reinstalling the program please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.
 
 
 

Link to post
Share on other sites

Ron: 

 Thanks again. Below is the scan log of Malwarebytes anti malware. I followed all the steps in your link.

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 2/7/2015
Scan Time: 7:32:04 AM
Logfile: 
Administrator: Yes
 
Version: 0.00.0.0000
Malware Database: v2015.02.07.05
Rootkit Database: v2015.02.03.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Fan
 
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 998004
Time Elapsed: 7 hr, 24 min, 31 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Deep Rootkit Scan: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 2
PUP.Optional.CrossRider.C, C:\Users\Fan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdnfnkhpgegpcingjbfihlkjeighnddk\2.7.6.2_0, Quarantined, [d73b7aa04149da5cf57c226030d34cb4], 
PUP.Optional.CrossRider.C, C:\Users\Fan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdnfnkhpgegpcingjbfihlkjeighnddk\2.7.6.2_0\_metadata, Quarantined, [d73b7aa04149da5cf57c226030d34cb4], 
 
Files: 2
PUP.Optional.CrossRider.C, C:\Users\Fan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdnfnkhpgegpcingjbfihlkjeighnddk\2.7.6.2_0\_metadata\computed_hashes.json, Quarantined, [d73b7aa04149da5cf57c226030d34cb4], 
PUP.Optional.CrossRider.C, C:\Users\Fan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdnfnkhpgegpcingjbfihlkjeighnddk\2.7.6.2_0\_metadata\verified_contents.json, Quarantined, [d73b7aa04149da5cf57c226030d34cb4], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
Link to post
Share on other sites

  • Root Admin

Please go ahead and run through the following steps and post back the logs when ready.
 
STEP 04
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus


STEP 05
Lets clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.


STEP 06
Please open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkits, Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button. Remove any threats found
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.


STEP 07
button_eos.gif

Please go here to run the online antivirus scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology


    [*]Click Scan [*]Wait for the scan to finish [*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic.


STEP 08
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Link to post
Share on other sites

  • Root Admin

Please restart your computer and then run the following.

 

 

Please download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!


 

Link to post
Share on other sites

Ron:

Thank you again for your help. Below is the checkup content. When I restart I feel the computer is slow again. I feel there is still something there.

wiaacmgr.exe*32, cmmon32.exe*32 eat up much memory, malwarebytes anti virus keeps showing malicious website blocked...

Results of screen317's Security Check version 0.99.96

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 11

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Sophos Anti-Virus

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Java version 32-bit out of Date!

Java 64-bit 8 Update 31

Adobe Flash Player 16.0.0.305

Adobe Reader 9

Adobe Reader XI

Mozilla Firefox 26.0 Firefox out of Date!

Google Chrome (40.0.2214.111)

Google Chrome (40.0.2214.94)

````````Process Check: objlist.exe by Laurent````````

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbam.exe

Sophos Sophos Anti-Virus SavService.exe

Sophos Sophos Anti-Virus SAVAdminService.exe

Sophos Sophos Anti-Virus Web Intelligence swi_service.exe

Malwarebytes Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 3%

````````````````````End of Log``````````````````````

Link to post
Share on other sites

  • Root Admin

Please download the following scanner from Kaspersky and save it to your computer: TDSSkiller

Then watch the following video on how to use the tool and make sure to temporarily disable your security applications before running TDSSkiller.



If any infection is found please make sure to choose SKIP and post back the log in case of a False Positive detection.

Once the tool has completed scanning make sure to re-enable your other security applications.
 

 

 

 

Next,

 

Please go into Control Panel, Add/Remove and uninstall ALL versions of Java and then run the following.
 
Please download JavaRa-1.16 and save it to your computer.

  • Double click to open the zip file and then select all and choose Copy.
  • Create a new folder on your Desktop named RemoveJava and paste the files into this new folder.
  • Quit all browsers and other running applications.
  • Right-click on JavaRa.exe in RemoveJava folder and choose Run as administrator to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it in your next reply.

Next:
 
Please Run TFC by OldTimer to clear temporary files:
  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.


 
 

Link to post
Share on other sites

Ron:

Thanks for the help. Below is the log from JavaRa.I still see Malwarebytes antimalware shows malicious websites blocked.

By the way why I have to remove all java? Can I reinstall Java from oracle?

I have to attach log of TSSkiller because it is too large.

thanks

RockyRocky

JavaRa:

JavaRa 1.16 Removal Log.Report follows after line.------------------------------------The JavaRa removal process was started on Mon Feb 09 23:55:44 2015

Found and removed: JavaPlugin.1000Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}Found and removed: SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}Found and removed: SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}Found and removed: SOFTWARE\Classes\Interface\{5852F5EC-8BF4-11D4-A245-0080C6F74284}Found and removed: SOFTWARE\Classes\MIME\Database\Content Type\application/java-deployment-toolkitFound and removed: SOFTWARE\Classes\TypeLib\{5852F5E0-8BF4-11D4-A245-0080C6F74284}Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalledFound and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper ObjectsFound and removed: SOFTWARE\JavaSoftFound and removed: SOFTWARE\JreMetricsFound and removed: SOFTWARE\Classes\JavaPlugin.10512------------------------------------Finished reporting.

TDSSKiller.3.0.0.44_09.02.2015_23.28.32_log.txt

Link to post
Share on other sites

  • Root Admin

I remove the Java because it is one of the most used methods to infect the computer due to old code that's been compromised. Once we're done you can reinstall if if you want but if at all possible it's best to try and run without it.

 

 

Please open MBAM and go to the History, Application Logs. Find the most recent Protection log and then save it as a .TXT file and attach it to your next reply.

 

 

Next, please run the following.

 

 

panda-av.jpg Scan with Panda Cloud Cleaner

This type of scan often produces false positives. In any case do not remove on your own any of its findings! Removal will be made after the careful analysis of the scan results.

Please download Panda Cloud Cleaner and save the file to your desktop.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

  • Install the scanner by right-click on panda-av.jpg icon and select RunAsAdmin.jpg Run as Administrator.
  • It should start itself automaticaly after the installation.
  • In the main console click Accept and Scan.
  • This scan won't take long, about several minutes (depending on your system specs). Let it run uninterrupted.
  • At the last stage you will see a couple of messages about veryfying & analyzing results. Wait patiently.
  • Upon completion you will see detections window. Enter one of them and click there View Report at the bottom right side.
  • A notepad window named PCloudCleaner.log will open. Save it to your desktop.

Please include the contents of that file in your next reply.
Don't forget to re-enable your switched-off protection software!
After that you may uninstall Panda Cloud Cleaner from your machine, if you wish to.
 

 

 

Link to post
Share on other sites

Hi Ron:

Thanks again for your help. here is protection log from malwarebytes anti malware and Pcloundcleaner:

Malwarebytes Anti-Malware

www.malwarebytes.org

Detection, 2/12/2015 7:13:09 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 195.2.241.167, 27296, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:13:10 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.52, 27297, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:13:12 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.52, 27298, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:13:12 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.52, 27309, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:13:12 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 195.2.241.167, 27317, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:13:12 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.52, 27318, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:13:12 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.37, 27319, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:13:12 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 195.2.241.167, 27299, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:13:12 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.52, 27300, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:13:12 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.37, 27301, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:13:12 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.52, 27302, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:13:12 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.37, 27303, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:13:12 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.52, 27304, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:13:12 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 195.2.241.167, 27305, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:13:12 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.52, 27306, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:13:12 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.52, 27307, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:13:12 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 195.2.241.167, 27308, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:10 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 195.2.241.167, 27496, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:10 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.37, 27495, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:10 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.37, 27497, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:10 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.37, 27498, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:10 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 195.2.241.167, 27499, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:10 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 195.2.241.167, 27500, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:10 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 195.2.241.167, 27501, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:10 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.52, 27502, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:10 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.192.92, e9967a.com, 27503, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:10 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.192.92, e9967a.com, 27504, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:10 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.116, ff1493.com, 27505, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:10 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.116, ff1493.com, 27506, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:10 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.116, ff1493.com, 27507, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:10 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.116, ff1493.com, 27508, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:10 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.116, ff1493.com, 27509, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:10 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.116, ff1493.com, 27510, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:10 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.116, ff1493.com, 27511, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:11 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.6, c71585.com, 27512, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:11 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.6, c71585.com, 27513, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:11 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.6, c71585.com, 27514, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:11 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.6, c71585.com, 27515, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:11 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.6, c71585.com, 27516, Outbound, C:\Windows\SysWOW64\dllhost.exe,

Detection, 2/12/2015 7:14:11 PM, SYSTEM, FAN-THINK, Protection, Malicious Website Protection, IP, 31.184.194.37, 27518, Outbound, C:\Windows\SysWOW64\dllhost.exe,

(end)

And Pcloudcleaner log:

Malware. FILE: C:\USERS\FAN\APPDATA\LOCAL\TEMP\52C8\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES

\CONTENT.IE5\79PCDE0G\FMGKGA5O4X.JS to be deleted.Malware. FILE: C:\USERS\FAN\APPDATA\LOCAL\TEMP\52C8\APPDATA\LOCAL

\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\79PCDE0G\FM[7].JS to be deleted.Malware. FILE: C:\USERS\FAN

\APPDATA\LOCAL\TEMP\52C8\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\G5P03TQN.TXT to be deleted.Suspicious Policy. POLICY:

HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[sHOWSUPERHIDDEN] to be changed to: 0Suspicious Policy.

POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[sHOWSUPERHIDDEN] to be changed to: 0Suspicious

Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[sUPERHIDDEN] to be changed to:

0Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[sUPERHIDDEN] to be changed

to: 0Malware. REGKEY: HKCR\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\LOCALSERVER32. Key to be deleted.Malware. REGKEY:

HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM[DISABLEREGISTRYTOOLS]. Value: DISABLEREGISTRYTOOLS To be

deleted.Malware. REGKEY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM[DISABLETASKMGR]. Value:

DISABLETASKMGR To be deleted.

Link to post
Share on other sites

  • Root Admin

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


 

Link to post
Share on other sites

  • Root Admin

It's a very powerful program that can potentially do damage like any tool if it has a false positive but it works very well to find and fix things that other programs sometimes miss.

 

Here is what it found that we need to fix.

 

c:\windows\SysWow64\drivers\ntfs.sys . . . is infected!!

 

 

Please save the attached file CFScript.txt to the same location as Combofix.exe and then close your browser. Then using your mouse Drag-and-Drop CFScript.txt onto Combofix to run it. When done it should reboot and create a new log file. Please upload that new log file on your next reply.

 

 

CFScript.txt

Link to post
Share on other sites

Ron:

  Thanks. Here is the log: I did not turn off anti virus software while scan with combofix, is this an issue? Since it keeps showing access denied and NircmdB.exe not found (please see attached screenshot). Is this an issue? Should I rerun this? The log says the windows/..../ntfs.sys file is missing.

thanks

  RockyRocky

ComboFix 15-02-13.02 - Fan 02/14/2015  12:16:57.2.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3983.2047 [GMT -5:00]
Running from: C:\Users\Fan\Downloads\ComboFix.exe
Command switches used :: C:\Users\Fan\Downloads\CFScript.txt
AV: Sophos Anti-Virus *Enabled/Outdated* {65FBD860-96D8-75EF-C7ED-7BE27E6C498A}
SP: Sophos Anti-Virus *Enabled/Outdated* {DE9A3984-B0E2-7A61-FD5D-409005EB0337}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Resident AV is active
 
 
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
 
 
c:\windows\SysWow64\drivers\ntfs.sys . . . is missing!!
 
 
(((((((((((((((((((((((((   Files Created from 2015-01-14 to 2015-02-14  )))))))))))))))))))))))))))))))
 
 
2015-02-14 17:31:06 . 2015-02-14 17:31:06 -------- d-----w- C:\Users\Default\AppData\Local\temp
2015-02-14 05:30:23 . 2015-02-14 05:30:23 75888 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8221A651-F5D6-4950-83A1-ED21802015A6}\offreg.dll
2015-02-14 00:19:06 . 2014-12-02 10:26:57 11870360 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8221A651-F5D6-4950-83A1-ED21802015A6}\mpengine.dll
2015-02-13 00:20:01 . 2013-04-29 14:17:34 47632 ----a-w- C:\Windows\system32\drivers\PSKMAD.sys
2015-02-13 00:19:59 . 2015-02-13 00:19:59 -------- d-----w- C:\Windows\SysWow64\DASBOOT
2015-02-13 00:19:46 . 2015-02-13 00:19:46 -------- d-----w- C:\Program Files (x86)\Panda Security
2015-02-11 03:38:41 . 2015-01-13 03:10:22 1424384 ----a-w- C:\Windows\system32\WindowsCodecs.dll
2015-02-11 03:37:39 . 2014-12-08 03:09:05 406528 ----a-w- C:\Windows\system32\scesrv.dll
2015-02-11 03:37:39 . 2014-12-08 02:46:05 308224 ----a-w- C:\Windows\SysWow64\scesrv.dll
2015-02-11 03:37:32 . 2015-01-14 06:09:27 5554112 ----a-w- C:\Windows\system32\ntoskrnl.exe
2015-02-11 03:37:29 . 2015-01-14 05:44:59 3972544 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2015-02-11 03:37:27 . 2015-01-14 05:44:58 3917760 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2015-02-11 03:37:24 . 2015-01-14 06:05:30 503808 ----a-w- C:\Windows\system32\srcore.dll
2015-02-11 03:37:24 . 2015-01-14 06:05:30 50176 ----a-w- C:\Windows\system32\srclient.dll
2015-02-11 03:37:24 . 2015-01-14 06:04:56 296960 ----a-w- C:\Windows\system32\rstrui.exe
2015-02-11 03:37:24 . 2015-01-14 05:41:09 43008 ----a-w- C:\Windows\SysWow64\srclient.dll
2015-02-11 03:36:56 . 2015-01-09 02:03:01 3201536 ----a-w- C:\Windows\system32\win32k.sys
2015-02-09 01:01:02 . 2015-02-09 01:01:02 -------- d-----w- C:\Program Files (x86)\ESET
2015-02-08 21:01:20 . 2015-02-08 21:01:20 -------- d-----w- C:\Users\Fan\AppData\Roaming\PCDr
2015-02-08 21:00:09 . 2015-02-08 21:01:18 -------- d-----w- C:\ProgramData\PCDr
2015-02-08 13:43:23 . 2015-02-08 17:12:19 -------- d-----w- C:\AdwCleaner
2015-02-07 03:20:52 . 2015-02-07 03:21:02 -------- d-----w- C:\Program Files (x86)\ERUNT
2015-02-05 00:24:45 . 2015-02-05 00:24:45 5070512 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2015-02-01 18:15:08 . 2015-02-09 13:19:39 -------- d-----w- C:\FRST
2015-01-24 18:44:37 . 2015-01-25 04:37:59 -------- d-----w- C:\Users\Fan\AppData\Roaming\FrameworkUpdate
2015-01-23 05:00:17 . 2015-01-23 05:00:17 -------- d-----w- C:\found.000
2015-01-17 02:38:31 . 2014-12-19 03:06:55 210432 ----a-w- C:\Windows\system32\profsvc.dll
2015-01-16 05:40:56 . 2014-12-11 17:47:12 52736 ----a-w- C:\Windows\system32\TSWbPrxy.exe
2015-01-16 05:40:55 . 2014-12-06 04:17:27 303616 ----a-w- C:\Windows\system32\nlasvc.dll
2015-01-16 05:40:55 . 2014-12-06 03:50:19 52224 ----a-w- C:\Windows\SysWow64\nlaapi.dll
2015-01-16 05:40:55 . 2014-12-06 03:50:18 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll
2015-01-16 05:40:54 . 2014-12-19 01:46:45 141312 ----a-w- C:\Windows\system32\drivers\mrxdav.sys
.
 
 
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
 
2015-02-13 22:46:53 . 2015-01-02 18:34:55 129752 ----a-w- C:\Windows\system32\drivers\MBAMSwissArmy.sys
2015-02-13 00:19:45 . 2011-09-06 07:58:50 116773704 ----a-w- C:\Windows\system32\MRT.exe
2015-02-05 00:25:49 . 2012-05-19 22:48:33 701616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2015-02-05 00:25:48 . 2011-09-04 17:24:20 71344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2015-01-27 20:14:45 . 2014-12-13 22:09:35 736952 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2015-01-23 12:13:03 . 2014-12-13 22:09:17 2876528 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2015-01-23 12:12:53 . 2014-12-13 22:09:07 42168 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2015-01-06 06:54:24 . 2014-12-15 01:38:04 736952 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2015-01-01 15:19:46 . 2015-01-01 15:42:02 191400 ----a-w- C:\Windows\system32\javaw.exe
2015-01-01 15:19:46 . 2015-01-01 15:42:01 190888 ----a-w- C:\Windows\system32\java.exe
2015-01-01 15:19:46 . 2014-06-15 13:54:01 320936 ----a-w- C:\Windows\system32\javaws.exe
2014-12-23 05:41:02 . 2010-11-21 03:27:21 298120 ------w- C:\Windows\system32\MpSigStub.exe
2014-12-15 00:37:26 . 2014-12-15 00:37:26 2876528 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2014-12-15 00:37:15 . 2014-12-15 00:37:15 42168 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2014-12-13 22:30:55 . 2014-12-13 22:01:35 952 --sha-w- C:\ProgramData\KGyGaAvL.sys
2014-12-13 22:09:04 . 2014-12-13 22:09:04 539984 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2014-11-21 11:14:22 . 2015-01-02 18:31:43 63704 ----a-w- C:\Windows\system32\drivers\mwac.sys
2014-11-21 11:14:12 . 2015-01-02 18:31:43 93400 ----a-w- C:\Windows\system32\drivers\mbamchameleon.sys
2014-11-21 11:14:08 . 2015-01-02 18:31:42 25816 ----a-w- C:\Windows\system32\drivers\mbam.sys
2014-11-19 09:26:34 . 2014-11-19 09:26:34 1614504 ----a-w- C:\Windows\system32\FM20.DLL
 
 

post-182733-0-92048900-1423936422_thumb.

Link to post
Share on other sites

  • Root Admin

Yes you have to disable your antivirus but in this case I don't think there is a valid good copy for Combofix to use so you're going to have to do the following and replace missing core OS files.

 

Please visit the following links on how to use the SFC tool to check and repair invalid Windows system files.

Using System File Checker (SFC) To Fix Issues
http://blogs.technet.com/askcore/archive/2007/12/18/using-system-file-checker-sfc-to-fix-issues.aspx

How to Repair Windows 7 System Files with System File Checker
 

Link to post
Share on other sites

Hi Ron:

  I am a little nervous to hear that my system file is compromised. So in the earlier scan, combofix showed that this ntfs.sys is infected.

  Then I run the script you sent CFscript.txt, could you let me know exactly what this script does? delete the ntfs.sys and supposely replace with a healthy one?

  Right now what is the situation for the ntfs.sys in my computer (windows 7), it is deleted? replaced? deleted but not replaced?

  The two links you send me, the first is for vista and older version, the second one is for windows 7. Should I just follow the second one?

  Please help me walk through these details. Also should I rerun your CFscript.txt again with antivirus software turned off?

  Thanks

  RockyRocky

Link to post
Share on other sites

  • Root Admin

The file is there it was not removed or the computer would not run. It appears to not be a legitimate OS file but Combofix was unable to locate another valid copy and why you need to get one from an SFS scan. If you have another computer running the same exact OS that is not infected then you could probably copy that file over and replace but you'll need a tool like CF to replace it as it's in use.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.