
Can't get rid of malware, spyware animation [Solved]


  • This topic is locked

#31
ruggie_uk

ruggie_uk

    Trusted Helper

  • Malware Removal
  • 2,083 posts
Hello, OK, your Google Chrome is a development build, which means it is open to attack, so we need to fix that. Most of what ESET found is in the ComboFix quarantine, but we will deal with the others shortly.

Step 1

We need to uninstall some programs.

Open Programs and Features by clicking the Start button, clicking Control Panel, clicking Programs, and then clicking Programs and Features.

Select the following programs from the list below, one at a time and click Uninstall.
  • Google Chrome
Once uninstalled, redownload and install from http://www.google.co...index.html#eula
  • 0



#32
psychson

psychson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts

OK.

Chrome was uninstalled and installed again.

Now what's next?

Thanks.


  • 0

#33
ruggie_uk

ruggie_uk

    Trusted Helper

  • Malware Removal
  • 2,083 posts

Firstly I do apologise, I thought I had posted my reply and have been waiting for yours. My mistake.

 

As FRST still isn't working properly, let's try to see if this tool can get it moving.

Please download RogueKiller by Tigzy to your desktop.

  • Quit all programs
  • Right click roguekiller.exe and select Run as Administrator.
  • Wait until Prescan has finished ...
  • Click on Scan. Once finished, click on Report

If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.com.


Please post the contents of the RKreport.txt in your next Reply.


  • 0

#34
psychson

psychson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts

Hi again,

I was wondering if you had given up on me, luckily not yet  :)

I downloaded and ran RogueKiller and the report is below.

Thanks

-----------------

RogueKiller V10.0.8.0 [Nov 20 2014] by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Suzie [Administrator]
Mode : Scan -- Date : 12/01/2014  05:12:05
 
¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] Nike+ Connect daemon.exe -- C:\Users\Suzie\AppData\Local\Nike\Nike+ Connect\Nike+ Connect daemon.exe[-] -> Killed [TermProc]
 
¤¤¤ Registry : 16 ¤¤¤
[PUP] HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52} -> Found
[Suspicious.Path] HKEY_USERS\S-1-5-21-3823719251-145347726-1436220222-1000\Software\Microsoft\Windows\CurrentVersion\Run | Nike+ Connect : "C:\Users\Suzie\AppData\Local\Nike\Nike+ Connect\Nike+ Connect daemon.exe"  -> Found
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft...d=ie&ar=msnhome  -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-3823719251-145347726-1436220222-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.uol.com.br/  -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft...d=ie&ar=msnhome  -> Found
[PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft...=ie&ar=iesearch  -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-21-3823719251-145347726-1436220222-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft...=ie&ar=iesearch  -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft...=ie&ar=iesearch  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AC490675-FD03-45B5-B4CC-25DF0BFE305F} | DhcpNameServer : 172.20.10.1 [(Private Address) (XX)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{AC490675-FD03-45B5-B4CC-25DF0BFE305F} | DhcpNameServer : 172.20.10.1 [(Private Address) (XX)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{AC490675-FD03-45B5-B4CC-25DF0BFE305F} | DhcpNameServer : 172.20.10.1 [(Private Address) (XX)]  -> Found
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3823719251-145347726-1436220222-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRun : 0  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
 
¤¤¤ Tasks : 7 ¤¤¤
[Suspicious.Path] \\{01772589-0850-4154-BD84-C564A5A7C835} -- C:\Users\Suzie\Desktop\FRST.exe -> Found
[Suspicious.Path] \\{14F9E1CB-1DC7-40B0-B8B0-D11746BFB08C} -- C:\Users\Suzie\Desktop\FRST.exe -> Found
[Suspicious.Path] \\{1CDB3F2C-F7E9-441A-B042-97C933F2936E} -- C:\Users\Suzie\Desktop\FRST.exe -> Found
[Suspicious.Path] \\{442743F5-A015-430A-9892-FB870522CC99} -- C:\Users\Suzie\Desktop\FRST.exe -> Found
[Suspicious.Path] \\{7D2410DE-1925-4030-ACE9-0393D7EC915B} -- C:\Users\Suzie\Desktop\FRST.exe -> Found
[Suspicious.Path] \\{BBB2ABB8-F466-4A18-A7CE-79418FBBF480} -- C:\Users\Suzie\Desktop\FRST.exe -> Found
[Suspicious.Path] \\{E151CCBB-88AA-40DC-9A39-0F4B96C34712} -- C:\Users\Suzie\Desktop\FRST.exe -> Found
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
 
¤¤¤ Antirootkit : 40 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[43] : Unknown @ 0x8626c634
[SSDT:Addr(Hook.SSDT)] NtCreateKey[70] : Unknown @ 0x861f03ac
[SSDT:Addr(Hook.SSDT)] NtCreateMutant[74] : Unknown @ 0x862326c4
[SSDT:Addr(Hook.SSDT)] NtCreateProcess[79] : Unknown @ 0x8626162c
[SSDT:Addr(Hook.SSDT)] NtCreateProcessEx[80] : Unknown @ 0x8626062c
[SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[86] : Unknown @ 0x8623268c
[SSDT:Addr(Hook.SSDT)] NtCreateThread[87] : Unknown @ 0x862676bc
[SSDT:Addr(Hook.SSDT)] NtCreateThreadEx[88] : Unknown @ 0x86267684
[SSDT:Addr(Hook.SSDT)] NtCreateUserProcess[93] : Unknown @ 0x86246634
[SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[96] : Unknown @ 0x8626c6dc
[SSDT:Addr(Hook.SSDT)] NtDeleteKey[103] : Unknown @ 0x862646bc
[SSDT:Addr(Hook.SSDT)] NtDeleteValueKey[106] : Unknown @ 0x862656bc
[SSDT:Addr(Hook.SSDT)] NtDuplicateObject[111] : Unknown @ 0x86232654
[SSDT:Addr(Hook.SSDT)] NtGetContextThread[135] : Unknown @ 0x8623177c
[SSDT:Addr(Hook.SSDT)] NtLoadDriver[155] : Unknown @ 0x8626764c
[SSDT:Addr(Hook.SSDT)] NtMapViewOfSection[168] : Unknown @ 0x86266684
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[190] : Unknown @ 0x8622d634
[SSDT:Addr(Hook.SSDT)] NtOpenSection[194] : Unknown @ 0x862666bc
[SSDT:Addr(Hook.SSDT)] NtOpenThread[198] : Unknown @ 0x86263634
[SSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[215] : Unknown @ 0x8626c66c
[SSDT:Addr(Hook.SSDT)] NtRenameKey[290] : Unknown @ 0x86264684
[SSDT:Addr(Hook.SSDT)] NtRestoreKey[302] : Unknown @ 0x8626464c
[SSDT:Addr(Hook.SSDT)] NtResumeThread[304] : Unknown @ 0x8623170c
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[316] : Unknown @ 0x86231744
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[350] : Unknown @ 0x862317b4
[SSDT:Addr(Hook.SSDT)] NtSetValueKey[358] : Unknown @ 0x86224e2c
[SSDT:Addr(Hook.SSDT)] NtSystemDebugControl[368] : Unknown @ 0x8626c6a4
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[370] : Unknown @ 0x86268644
[SSDT:Addr(Hook.SSDT)] NtTerminateThread[371] : Unknown @ 0x8623075c
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[399] : Unknown @ 0x8626664c
[ShwSSDT:Addr(Hook.Shadow)] NtUserCreateWindowEx[361] : Unknown @ 0x8741cae4
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookAW[584] : Unknown @ 0x869a38d4
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[585] : Unknown @ 0x879970b4
[IAT:Inl] (explorer.exe) SHELL32.dll - SHFileOperationW : C:\Program Files\Unlocker\UnlockerHook.dll @ 0x10001102 (jmp 0xffffffff9a1779fa)
[IAT:Inl] (explorer.exe @ SkyDriveShell.dll) SHELL32.dll - SHFileOperationW : C:\Program Files\Unlocker\UnlockerHook.dll @ 0x10001102 (jmp 0xffffffff9a1779fa)
[IAT:Inl] (explorer.exe @ gameux.dll) SHELL32.dll - SHFileOperationW : C:\Program Files\Unlocker\UnlockerHook.dll @ 0x10001102 (jmp 0xffffffff9a1779fa)
[IAT:Inl] (explorer.exe @ wpdshserviceobj.dll) SHELL32.dll - SHFileOperationW : C:\Program Files\Unlocker\UnlockerHook.dll @ 0x10001102 (jmp 0xffffffff9a1779fa)
[IAT:Inl] (explorer.exe @ ieframe.dll) SHELL32.dll - SHFileOperationW : C:\Program Files\Unlocker\UnlockerHook.dll @ 0x10001102 (jmp 0xffffffff9a1779fa)
[IAT:Inl] (explorer.exe @ appwiz.cpl) SHELL32.dll - SHFileOperationW : C:\Program Files\Unlocker\UnlockerHook.dll @ 0x10001102 (jmp 0xffffffff9a1779fa)
[IAT:Inl] (explorer.exe @ zipfldr.dll) SHELL32.dll - SHFileOperationW : C:\Program Files\Unlocker\UnlockerHook.dll @ 0x10001102 (jmp 0xffffffff9a1779fa)
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3320418AS ATA Device +++++
--- User ---
[MBR] 2814c990aad985df5f8fbedc07148ac6
[BSP] cd792270ffb5467780e85e9d19688940 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 305243 MB
User = LL1 ... OK
User = LL2 ... OK

  • 0

#35
ruggie_uk

ruggie_uk

    Trusted Helper

  • Malware Removal
  • 2,083 posts

Hi :D

RogueKiller picked up on a couple of items; one warrants a question: do you use your phone as a modem? If so, this would explain one of the entries.

Upload file to Virustotal to analyse

  • Please go to the Virustotal website.
  • Click Choose File then on the File Upload window locate the file C:\Users\Suzie\AppData\Local\Nike\Nike+ Connect\Nike+ Connect daemon.exe and click Open
  • If you see a pop-up with "File already analyzed" click Reanalyse and wait for the scan to finish
  • Copy the link you have on the address bar of the browser window, it should be something like this: https://www.virustotal.com/en/file/... and paste into your next reply.

Items I need to see in your next post:


  • Virustotal result
  • Answer to my question

  • 0
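The kind of triage applied to the report above can be sketched in code. This is an added example, not part of the original thread and not RogueKiller's own logic: it parses registry findings in the format shown in the report and separates a private DNS gateway (such as the 172.20.10.1 entry) from a public resolver, and flags autorun entries that start from a user-writable AppData path. The label names and the fourth sample line are assumptions made for the illustration.

```python
import ipaddress
import re

# Lines 1-3 are copied from the RKreport.txt posted in this thread.
# Line 4 is constructed (placeholder GUID, documentation-range IP) to show the other DNS branch.
SAMPLE = r"""
[Suspicious.Path] HKEY_USERS\S-1-5-21-3823719251-145347726-1436220222-1000\Software\Microsoft\Windows\CurrentVersion\Run | Nike+ Connect : "C:\Users\Suzie\AppData\Local\Nike\Nike+ Connect\Nike+ Connect daemon.exe"  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AC490675-FD03-45B5-B4CC-25DF0BFE305F} | DhcpNameServer : 172.20.10.1 [(Private Address) (XX)]  -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000000} | NameServer : 203.0.113.53  -> Found
"""

# "[Category] key | value name : data -> Status"; the "| name : data" part is optional.
LINE = re.compile(
    r"^\[(?P<cat>[^\]]+)\]\s+(?P<key>.+?)"
    r"(?:\s+\|\s+(?P<name>.+?)\s+:\s+(?P<data>.*?))?"
    r"\s+->\s+(?P<status>\w+)\s*$"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def _ips(text):
    """Extract valid IPv4 addresses from a data field, ignoring malformed ones."""
    found = []
    for token in IPV4.findall(text or ""):
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:
            pass
    return found


def classify(cat, key, data):
    """Return a triage label (hypothetical names) for one parsed registry finding."""
    if cat == "PUM.Dns":
        addrs = _ips(data)
        if addrs and all(any(a in n for n in RFC1918) for a in addrs):
            return "dns-private"   # local gateway or router: ask the user what it is
        return "dns-public"        # resolver outside the LAN: confirm who set it
    if cat == "Suspicious.Path" and key.lower().endswith(r"\currentversion\run"):
        if "\\appdata\\" in (data or "").lower():
            return "autorun-user-writable"  # verify the binary, not just its name
    return "review"


def triage(report):
    """Parse RogueKiller-style registry lines; lines that do not match are skipped."""
    out = []
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if m:
            out.append((m["cat"], m["name"], classify(m["cat"], m["key"], m["data"])))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```
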

#36
psychson

psychson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts

Hi,

 

Answering your question: I do not use my phone as a modem. However, my internet provider is the same for my home phone and cable TV, all in one (phone + internet + TV).

And before I run the analysis you asked for, I can tell you that Nike+, NikeConnect belongs to my Nike running bracelet that syncs to the Nike website, and there shouldn't be any problem with it.

I don't see how to copy the results, only as an image, and the forum does not allow me. The analysis gave me all green check marks.


  • 0

#37
ruggie_uk

ruggie_uk

    Trusted Helper

  • Malware Removal
  • 2,083 posts
Hi, yes, I am aware of Nike being legitimate, but there are 2 files with the same name in different locations, so I just want to ensure that the second one isn't malware that has copied the filename. Just copy the web address link at the top in the address bar and paste that here, thanks :)
  • 0

#38
psychson

psychson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts

Ok, I didn't think the copied URL would work.

Here it is:

 

https://www.virustot...sis/1417461174/


  • 0

#39
ruggie_uk

ruggie_uk

    Trusted Helper

  • Malware Removal
  • 2,083 posts
Hi and thanks for that.

As Nike is clean, let's see if your DNS has been altered.

Avira DNS Repair
Please download the Avira DNS Repair Tool from here and save it to your Desktop.

Right click AviraDNSRepairEN.exe on your Desktop and choose Run As Administrator to run the program, then accept the agreement.
No log is created so please report what the program says.
  • 0

#40
psychson

psychson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts

Ok, it's done.

It says: The DNS settings of your system have not been manipulated by the DNSChanger.

 

Thanks.


  • 0



#41
ruggie_uk

ruggie_uk

    Trusted Helper

  • Malware Removal
  • 2,083 posts
Hello again, let's get the hammer out and see if we can remove this pain once and for all.

Fix with ComboFix

Please download Combofix from here and save the file to your Desktop. << Important!
  • Note: Please read through these instructions before running ComboFix.
  • Press the Windows key + R on your keyboard at the same time.
  • A Run window should appear in the lower left corner. Type in notepad.exe and press Enter.
  • In the shown window paste in the following script:
    Registry::
    [-HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}]
    [-HKEY_CLASSES_ROOT\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}]
    
  • Go to File menu and select Save as.
  • Make sure that the Save as type option is set to Text files (*.txt) and the place to save will be your desktop.
  • Name the file CFScript and select Save.
  • Your CFScript.txt file should appear on your desktop.

    Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
    • Now drag your CFScript file and drop it onto the ComboFix icon.
    • This will start ComboFix. Let it run uninterrupted!
    • A reboot may be needed during this run. Allow it.
    • When finished, it shall produce a log for you at C:\ComboFix.txt and display it.
    Please include that log in your next reply.

    If you encounter any issues with your internet connection after running ComboFix, please visit this link.
    If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.
    Do not forget to turn on your previously switched-off protection software!

    Items I need to see in your next post:
    • Combofix Log
    • How is your computer running now?

  • 0

#42
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#43
CompCav

CompCav

    Member 5k

  • Expert
  • 12,454 posts
User returned.
  • 0

#44
psychson

psychson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts

Thanks for reopening my post.

As instructed, I did the fix requested and ran ComboFix.

However, you may ask me to redo a couple of tools. Why?

After I ran ComboFix I updated my Windows from the boring Windows 7 Starter to Windows 7 Ultimate.

Anyway, below is the summary.

------------------

ComboFix 14-11-03.01 - Suzie 10/12/2014   6:05.3.2 - x86
Microsoft Windows 7 Starter   6.1.7601.1.1252.55.1046.18.1981.761 [GMT -2:00]
Executando de: c:\users\Suzie\Desktop\ComboFix.exe
Comandos utilizados :: c:\users\Suzie\Desktop\CFScript.txt
AV: Trend Micro Maximum Security *Disabled/Updated* {F2F88E6A-3C7A-545F-268A-5D0BDD38EE06}
SP: Trend Micro Maximum Security *Disabled/Updated* {49996F8E-1A40-5BD1-1C3A-6679A6BFA4BB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Criado um novo ponto de restauração
.
ADS - drivers: deleted 208 bytes in 1 streams.
.
((((((((((((((((   Arquivos/Ficheiros criados de 2014-11-10 to 2014-12-10  ))))))))))))))))))))))))))))
.
.
2014-12-10 08:14 . 2014-12-10 08:14 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-12-10 08:14 . 2014-12-10 08:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-12-10 08:14 . 2014-12-10 08:14 -------- d-----w- c:\users\Convidado\AppData\Local\temp
2014-12-10 08:14 . 2014-12-10 08:14 -------- d-----w- c:\users\Administrador\AppData\Local\temp
2014-12-09 04:36 . 2014-12-09 04:36 -------- d-----w- c:\program files\Common Files\Adobe
2014-12-01 06:59 . 2014-12-01 06:59 34808 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-12-01 06:59 . 2014-12-01 06:59 -------- d-----w- c:\programdata\RogueKiller
2014-11-24 19:45 . 2014-11-24 19:46 -------- d-----w- c:\program files\Google
2014-11-24 19:33 . 2014-11-24 19:33 -------- d-sh--w- c:\users\Suzie\AppData\Local\EmieBrowserModeList
2014-11-23 06:35 . 2014-11-23 06:35 -------- d-----w- c:\program files\ESET
2014-11-20 17:53 . 2014-11-22 02:54 -------- d-----w- C:\FRST
2014-11-19 01:21 . 2014-11-11 02:44 186880 ----a-w- c:\windows\system32\pku2u.dll
2014-11-19 01:21 . 2014-11-11 02:44 550912 ----a-w- c:\windows\system32\kerberos.dll
2014-11-18 19:47 . 2014-11-18 19:47 -------- d-----w- c:\windows\ERUNT
2014-11-18 07:11 . 2014-11-18 07:11 -------- d-----w- C:\_OTL
2014-11-12 03:54 . 2014-10-18 01:33 571904 ----a-w- c:\windows\system32\oleaut32.dll
2014-11-12 03:54 . 2014-08-12 01:36 701440 ----a-w- c:\windows\system32\IMJP10K.DLL
2014-11-11 08:10 . 2014-11-11 09:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2014-11-11 06:01 . 2014-11-11 06:01 -------- d-----w- c:\programdata\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((   Relatório Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-12-10 06:43 . 2013-04-13 22:53 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-10 06:43 . 2013-04-13 22:53 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-11-09 04:43 . 2014-11-09 04:24 214576 ----a-w- c:\windows\RegBootClean.exe
2014-11-09 04:10 . 2014-11-09 04:10 59 ----a-w- c:\windows\system32\SupportTool.exe.bat
2014-11-06 14:35 . 2014-07-08 03:49 19216 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\TeamViewer_PrintProcessor.dll
2014-11-03 06:39 . 2014-11-09 04:28 61728 ----a-w- c:\windows\system32\drivers\kbfilter.sys
2014-11-03 06:39 . 2014-11-09 04:28 61728 ----a-w- C:\kbfilter.sys
2014-11-03 06:39 . 2014-11-09 04:28 98 ----a-w- C:\install.bat
2014-11-03 06:39 . 2014-11-09 04:28 81 ----a-w- C:\uninstall.bat
2014-10-28 08:35 . 2013-04-13 22:24 229000 ------w- c:\windows\system32\MpSigStub.exe
2014-10-20 05:37 . 2014-11-08 01:55 8901368 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9A765CBE-817C-47DD-84A6-D572BDDE517D}\mpengine.dll
2014-10-18 16:45 . 2014-10-18 16:45 29160 ----a-w- c:\windows\system32\drivers\PROCEXP152.SYS
2014-10-16 02:51 . 2014-10-16 02:51 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-10-07 09:06 . 2013-10-15 00:31 590536 ----a-w- c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2014-10-02 16:23 . 2014-10-02 16:23 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2014-10-02 16:23 . 2014-10-02 16:23 69632 ----a-w- c:\windows\system32\QuickTime.qts
2014-09-25 01:40 . 2014-10-01 05:52 519680 ----a-w- c:\windows\system32\qdvd.dll
.
.
((((((((((((((((((((((((((   Pontos de Carregamento do Registro   )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por padrão não são apresentadas. 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]

  • 0

#45
ruggie_uk

ruggie_uk

    Trusted Helper

  • Malware Removal
  • 2,083 posts

Ok, how are things going right now?


  • 0





