Welcome to Geeks to Go - Register now for FREE
caMyciloP and Airtostrong [Closed]


#1
greasedcougar


Hi guys,

I was dumb yesterday and downloaded and loaded something I shouldn't have. I caught it right away and stopped the process, but not soon enough. I cleaned out all the installed programs, ran McAfee, and for the more resilient of the malware I had to go into services and stop and disable the processes and delete their residing folder in the "ProgramData" folder.

I'm left with one browser hijacker that installs 2 programs onto my computer at random intervals: caMyciloP and Airtostrong. They replace all browser shortcuts to point to http://search.sidecu...s.com/?st=sc&q= or file:///C:/ProgramData/caMyciloPs/ff.HP

I have manually gone and destroyed all registry lines pointing to these two programs, but something else is reinstalling them. Checked msconfig and I couldn't find anything on the startup that I think would be doing this.

This thing is buried deep and I'm out of ideas.

Update: after looking through the FRST data more closely I think I figured out where it buried itself.


Edited by greasedcougar, 15 February 2016 - 12:02 PM.



#2
Essexboy

Edit: Do you still require assistance?


Hi, there does appear to be a pile of junk there... So let's get at it.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open Notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
AppInit_DLLs-x32: C:\ProgramData\caMyciloP\Lightfan.dll => No File
HKU\S-1-5-21-1537208253-64187462-945491437-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNf02kLCqe19CEfHNs45WU3GnskdALPoTR4x0JhQMQTiwGhV99P4O8VQzr9T1q01OcbF_qnOUp9iPLrlPEe_ldm-jmDTRJzYyaw2OWVJd2rrfjAsBa3Aq9rzHfqAhSu99f6WRlejOSU3zzXfKNnc50qRsum0ELFMeCLVuZfXeq53M,&q={searchTerms}
HKU\S-1-5-21-1537208253-64187462-945491437-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNf02kLCqe19CEfHNs45WU3GnskdALPoTR4x0JhQMQTiwGhV99P4O8VQzr9T1q01OcbF_qnOUp9iPLrlPEe_ldm-jmDTRJzYyaw2OWVJd2rrfjAsBa3Aq9rzHfqAhSu99f6WRlejOSU3zzXfKNnc50qRsum0ELFMeCLVuZfXeq53M,&q={searchTerms}
HKU\S-1-5-21-1537208253-64187462-945491437-1001\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNf02kLCqe19CEfHNs45WU3GnskdALPoTR4x0JhQMQTiwGhV99P4O8VQzr9T1q01OcbF_qnOUp9iPLrlPEe_ldm-jmDTRJzYyaw2OWVJd2rrfjAsBa3Aq9rzHfqAhSu99f6WRlejOSU3zzXfKNnc50qRsum0ELFMeCLVuZfXeq53M,&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNf02kLCqe19CEfHNs45WU3GnskdALPoTR4x0JhQMQTiwGhV99P4O8VQzr9T1q01OcbF_qnOUp9iPLrlPEe_ldm-jmDTRJzYyaw2OWVJd2rrfjAsBa3Aq9rzHfqAhSu99f6WRlejOSU3zzXfKNnc50qRsum0ELFMeCLVuZfXeq53M,&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1537208253-64187462-945491437-1001 -> DefaultScope {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNf02kLCqe19CEfHNs45WU3GnskdALPoTR4x0JhQMQTiwGhV99P4O8VQzr9T1q01OcbF_qnOUp9iPLrlPEe_ldm-jmDTRJzYyaw2OWVJd2rrfjAsBa3Aq9rzHfqAhSu99f6WRlejOSU3zzXfKNnc50qRsum0ELFMeCLVuZfXeq53M,&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1537208253-64187462-945491437-1001 -> {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNf02kLCqe19CEfHNs45WU3GnskdALPoTR4x0JhQMQTiwGhV99P4O8VQzr9T1q01OcbF_qnOUp9iPLrlPEe_ldm-jmDTRJzYyaw2OWVJd2rrfjAsBa3Aq9rzHfqAhSu99f6WRlejOSU3zzXfKNnc50qRsum0ELFMeCLVuZfXeq53M,&q={searchTerms}
FF NewTab: C:\\ProgramData\\caMyciloPs\\ff.NT
FF DefaultSearchEngine.US: findit
FF Homepage: C:\\ProgramData\\caMyciloPs\\ff.HP
S4 downlpadprodqcn; C:\Users\Marpat The Shark\AppData\Local\mediadom.exe [28160 2016-02-14] () [File not signed]
S2 ApplicationHosting; C:\ProgramData\\ApplicationHosting\\ApplicationHosting.exe shuz -f "C:\ProgramData\\ApplicationHosting\\ApplicationHosting.dat" -l -a
S4 caMyciloP; C:\ProgramData\\caMyciloP\\caMyciloP.exe -f "C:\ProgramData\\caMyciloP\\caMyciloP.dat" -l -a
S2 Dataup; C:\Program Files (x86)\dataup\dataup.exe [X]
S3 iscFlash; \??\C:\Users\MARPAT~1\AppData\Local\Temp\7zS7BD3.tmp\iscflashx64.sys [X]
2016-02-15 09:50 - 2016-02-15 09:50 - 00000000 ____D C:\Users\Marpat The Shark\AppData\Local\mstrn32
2016-02-15 09:50 - 2016-02-15 09:50 - 00000000 ____D C:\Users\Marpat The Shark\AppData\Local\cpx
2016-02-15 09:49 - 2016-02-15 09:50 - 00000000 ____D C:\Program Files (x86)\cpx
2016-02-15 09:49 - 2016-02-15 09:49 - 00000000 ____D C:\Program Files (x86)\msrtn32
2016-02-15 00:52 - 2016-02-15 00:52 - 00000000 ____D C:\Program Files (x86)\taskvmx
2016-02-15 00:43 - 2016-02-15 01:41 - 00000000 ____D C:\ProgramData\RFA_Backups
2016-02-15 00:43 - 2016-02-15 00:43 - 00000000 ____D C:\ProgramData\Registry First Aid
2016-02-14 21:08 - 2016-02-14 21:08 - 00003240 _____ C:\Windows\System32\Tasks\netupodtep
2016-02-14 15:10 - 2016-02-14 15:10 - 03278982 _____ () C:\Program Files\Common Files\sxgxvckw.exe
2016-02-14 15:08 - 2016-02-14 15:08 - 00003388 _____ C:\Windows\System32\Tasks\1q0si4kp
2016-02-14 15:08 - 2016-02-14 15:08 - 00000000 ____D C:\Program Files\Common Files\114w3jd3
2016-02-14 13:10 - 2016-02-14 13:10 - 03283564 _____ C:\Program Files\Common Files\lb1xrwyi.exe
2016-02-14 13:08 - 2016-02-14 13:08 - 00003388 _____ C:\Windows\System32\Tasks\y4b4gkfm
2016-02-14 13:08 - 2016-02-14 13:08 - 00000000 ____D C:\Program Files\Common Files\yetrkwfk
2016-02-14 12:08 - 2016-02-14 12:08 - 00003388 _____ C:\Windows\System32\Tasks\t4sd4lmf
2016-02-14 12:08 - 2016-02-14 12:08 - 00000000 ____D C:\Program Files\Common Files\2snnjkyo
2016-02-14 11:13 - 2016-02-14 11:13 - 00003278 _____ C:\Windows\System32\Tasks\psv_Donkix
2016-02-14 11:13 - 2016-02-14 11:13 - 00003272 _____ C:\Windows\System32\Tasks\psv_Tan-Dom
2016-02-14 11:13 - 2016-02-14 11:13 - 00003270 _____ C:\Windows\System32\Tasks\psv_ZimNix
2016-02-14 11:11 - 2016-02-14 11:11 - 03249996 _____ () C:\Program Files\Common Files\4gsok3qz.exe
2016-02-14 11:08 - 2016-02-14 11:08 - 00003388 _____ C:\Windows\System32\Tasks\ev0vzz24
2016-02-14 11:08 - 2016-02-14 11:08 - 00000000 ____D C:\Program Files\Common Files\l3w5gx1g
2016-02-14 10:11 - 2016-02-14 10:11 - 03232998 _____ C:\Program Files\Common Files\noegwx32.exe
2016-02-14 10:08 - 2016-02-14 10:08 - 00003388 _____ C:\Windows\System32\Tasks\k2iil50u
2016-02-14 10:08 - 2016-02-14 10:08 - 00000000 ____D C:\Program Files\Common Files\gf42yvjq
2016-02-14 09:41 - 2016-02-14 09:41 - 00003238 _____ C:\Windows\System32\Tasks\{4BA25BA7-9E41-4CEB-A509-032C60E01CC7}
2016-02-14 09:08 - 2016-02-15 02:23 - 00002397 _____ C:\Windows\SysWOW64\findit.xml
2016-02-14 09:07 - 2016-02-14 09:07 - 01827657 _____ C:\Users\Marpat The Shark\AppData\Roaming\Tandamcore.tst
2016-02-14 09:07 - 2016-02-14 09:07 - 00666112 _____ C:\Users\Marpat The Shark\AppData\Roaming\Tandamcore.exe
2016-02-14 09:07 - 2016-02-14 09:07 - 00666112 _____ C:\Users\Marpat The Shark\AppData\Roaming\Matzap.exe
2016-02-14 09:07 - 2016-02-14 09:07 - 00189676 _____ C:\Users\Marpat The Shark\AppData\Roaming\Zath-Eco.bin
2016-02-14 09:07 - 2016-02-14 09:07 - 00126976 _____ C:\Users\Marpat The Shark\AppData\Roaming\Installer.dat
2016-02-14 09:07 - 2016-02-14 09:07 - 00126464 _____ C:\Users\Marpat The Shark\AppData\Roaming\noah.dat
2016-02-14 09:07 - 2016-02-14 09:07 - 00126464 _____ C:\Users\Marpat The Shark\AppData\Roaming\lobby.dat
2016-02-14 09:07 - 2016-02-14 09:07 - 00072791 _____ C:\Users\Marpat The Shark\AppData\Roaming\Matzap.tst
2016-02-14 09:07 - 2016-02-14 09:07 - 00062976 _____ C:\Users\Marpat The Shark\AppData\Roaming\Config.xml
2016-02-14 09:07 - 2016-02-14 09:07 - 00054272 _____ C:\Users\Marpat The Shark\AppData\Roaming\ApplicationHosting.dat
2016-02-14 09:07 - 2016-02-14 09:07 - 00041472 _____ C:\Users\Marpat The Shark\AppData\Local\mediadom.dat
2016-02-14 09:07 - 2016-02-14 09:07 - 00028160 _____ C:\Users\Marpat The Shark\AppData\Local\mediadom.exe
2016-02-14 09:07 - 2016-02-14 09:07 - 00018432 _____ C:\Users\Marpat The Shark\AppData\Roaming\Main.dat
2016-02-14 09:07 - 2016-02-14 09:07 - 00017040 _____ C:\Users\Marpat The Shark\AppData\Roaming\InstallationConfiguration.xml
2016-02-14 09:07 - 2016-02-14 09:07 - 00005568 _____ C:\Users\Marpat The Shark\AppData\Roaming\md.xml
2016-02-14 09:07 - 2016-02-14 09:07 - 00000187 _____ C:\Users\Marpat The Shark\AppData\Local\mediadom.exe.config
2016-02-14 09:06 - 2016-02-14 09:06 - 00000000 ____D C:\Users\Marpat The Shark\AppData\Roaming\c
2016-02-14 00:32 - 2016-02-14 00:37 - 38192542 _____ C:\Users\Marpat The Shark\Downloads\Hot_Webcam_video_2581.avi
2016-02-14 11:11 - 2016-02-14 11:11 - 3249996 _____ () C:\Program Files\Common Files\4gsok3qz.exe
2016-02-14 15:10 - 2016-02-14 15:10 - 3278982 _____ () C:\Program Files\Common Files\sxgxvckw.exe
CustomCLSID: HKU\S-1-5-21-1537208253-64187462-945491437-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1537208253-64187462-945491437-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1537208253-64187462-945491437-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1537208253-64187462-945491437-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1537208253-64187462-945491437-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1537208253-64187462-945491437-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1537208253-64187462-945491437-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1537208253-64187462-945491437-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1537208253-64187462-945491437-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1537208253-64187462-945491437-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1537208253-64187462-945491437-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> no filepath
Task: {00D2A18E-40B4-4BE3-ADDB-62B8589A51B3} - System32\Tasks\y4b4gkfm => C:\Program Files\Common Files\yetrkwfk\2d69505nnjqpz.exe [2016-02-14] () <==== ATTENTION
Task: {03512266-1887-4A8F-81FA-D552904CA2C0} - System32\Tasks\psv_ZimNix => /c regedit.exe /s "C:\ProgramData\Airtostrong\UniTom.reg" & del "C:\ProgramData\Airtostrong\UniTom.reg" & SCHTASKS /Delete /TN "psv_ZimNix" /F <==== ATTENTION
Task: {0B871732-8F48-4A09-BA54-B4FC43189672} - System32\Tasks\psv_Tan-Dom => /c regedit.exe /s "C:\ProgramData\Airtostrong\Iceair.reg" & del "C:\ProgramData\Airtostrong\Iceair.reg" & SCHTASKS /Delete /TN "psv_Tan-Dom" /F <==== ATTENTION
Task: {38CF518C-E841-433B-9E96-7EE588E384CD} - System32\Tasks\ProPCCleaner_Start => C:\Program Files (x86)\Pro PC Cleaner\ProPCCleaner.exe <==== ATTENTION
Task: {6348E4F6-BF11-4214-83F7-1C3A499B3A7D} - System32\Tasks\ev0vzz24 => C:\Program Files\Common Files\l3w5gx1g\437fai2mbpqu0.exe [2016-02-14] () <==== ATTENTION
Task: {6419F744-8170-4B64-BC96-973F376DDEF5} - System32\Tasks\{B44FDBB5-3179-4F29-8D59-07AEF81EA1A9} => pcalua.exe -a "C:\Users\Marpat The Shark\Downloads\TagesSetup.exe" -d "C:\Users\Marpat The Shark\Downloads"
Task: {7AB4D9B6-66B1-46DD-AD0E-2A85C449FD73} - System32\Tasks\k2iil50u => C:\Program Files\Common Files\gf42yvjq\8c71aretravbl.exe [2016-02-14] () <==== ATTENTION
Task: {7F300963-1D7A-4B5A-A57A-DA9C593B3500} - System32\Tasks\ProPCCleaner_Popup => C:\Program Files (x86)\Pro PC Cleaner\Splash.exe <==== ATTENTION
Task: {8AA8B705-DAEC-4CAE-883A-6D9C79074CB1} - System32\Tasks\netupodtep => C:\Windows\system32\config\systemprofile\AppData\Local\San-Phase <==== ATTENTION
Task: {CF76F3AC-F0FB-4847-AB07-6B6D8AF863B4} - System32\Tasks\t4sd4lmf => C:\Program Files\Common Files\2snnjkyo\49db6czvzq3yj.exe [2016-02-14] () <==== ATTENTION
Task: {FE289DAF-1F71-47D1-91A0-5F83EBB38A23} - System32\Tasks\psv_Donkix => /c regedit.exe /s "C:\ProgramData\Airtostrong\Zummatam.reg" & del "C:\ProgramData\Airtostrong\Zummatam.reg" & SCHTASKS /Delete /TN "psv_Donkix" /F <==== ATTENTION
AlternateDataStreams: C:\ProgramData:gs5sys
AlternateDataStreams: C:\Users\All Users:gs5sys
AlternateDataStreams: C:\Users\Marpat The Shark:gs5sys
AlternateDataStreams: C:\ProgramData\Application Data:gs5sys
AlternateDataStreams: C:\ProgramData\desktop.ini:gs5sys
AlternateDataStreams: C:\ProgramData\TEMP:D5FBE8F9
AlternateDataStreams: C:\Users\Marpat The Shark\Application Data:gs5sys
AlternateDataStreams: C:\Users\Marpat The Shark\Cookies:gs5sys
AlternateDataStreams: C:\Users\Marpat The Shark\Local Settings:gs5sys
AlternateDataStreams: C:\Users\Marpat The Shark\Templates:gs5sys
AlternateDataStreams: C:\Users\Marpat The Shark\Desktop\desktop.ini:gs5sys
AlternateDataStreams: C:\Users\Marpat The Shark\AppData\Local:gs5sys
AlternateDataStreams: C:\Users\Marpat The Shark\AppData\Roaming:gs5sys
AlternateDataStreams: C:\Users\Marpat The Shark\AppData\Local\Application Data:gs5sys
AlternateDataStreams: C:\Users\Marpat The Shark\AppData\Local\desktop.ini:gs5sys
AlternateDataStreams: C:\Users\Marpat The Shark\AppData\Local\History:gs5sys
AlternateDataStreams: C:\Users\Marpat The Shark\Documents\desktop.ini:gs5sys
AlternateDataStreams: C:\Users\Public\Documents\desktop.ini:gs5sys
C:\Program Files (x86)\msrtn32
C:\Program Files (x86)\cpx
C:\Users\Marpat The Shark\AppData\Local\mediadom.exe
C:\ProgramData\ApplicationHosting
C:\ProgramData\caMyciloP
C:\Program Files (x86)\dataup
C:\Program Files\Common Files\yetrkwfk
C:\ProgramData\Airtostrong
C:\Program Files (x86)\Pro PC Cleaner\
C:\Program Files\Common Files\l3w5gx1g
C:\Windows\system32\config\systemprofile\AppData\Local\San-Phase
C:\Program Files\Common Files\2snnjkyo
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers


Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.

Edited by Essexboy, 15 February 2016 - 12:51 PM.

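An added check on the fix above (example code written for this page, not from the thread, from Essexboy or from FRST): the fixlist removes services and scheduled tasks, but each of those launches a file on disk that also has to be covered by a deletion line, either a bare path or a dated file entry. This parser cross-references the two over an excerpt of the thread's own fixlist and reports any persistence target no deletion entry covers; the one it reports, iscFlash, carries FRST's `[X]` marker, which means the driver file was already absent, so removing the service entry alone is enough there.

```python
import re

# Excerpt of the FRST fixlist posted in this thread (not the whole list): service and
# Task entries name what runs; bare paths and dated file entries name what FRST deletes.
FIXLIST = r"""
S4 caMyciloP; C:\ProgramData\\caMyciloP\\caMyciloP.exe -f "C:\ProgramData\\caMyciloP\\caMyciloP.dat" -l -a
S2 Dataup; C:\Program Files (x86)\dataup\dataup.exe [X]
S3 iscFlash; \??\C:\Users\MARPAT~1\AppData\Local\Temp\7zS7BD3.tmp\iscflashx64.sys [X]
2016-02-14 10:08 - 2016-02-14 10:08 - 00000000 ____D C:\Program Files\Common Files\gf42yvjq
Task: {7AB4D9B6-66B1-46DD-AD0E-2A85C449FD73} - System32\Tasks\k2iil50u => C:\Program Files\Common Files\gf42yvjq\8c71aretravbl.exe [2016-02-14] () <==== ATTENTION
Task: {03512266-1887-4A8F-81FA-D552904CA2C0} - System32\Tasks\psv_ZimNix => /c regedit.exe /s "C:\ProgramData\Airtostrong\UniTom.reg" & del "C:\ProgramData\Airtostrong\UniTom.reg" & SCHTASKS /Delete /TN "psv_ZimNix" /F <==== ATTENTION
Task: {8AA8B705-DAEC-4CAE-883A-6D9C79074CB1} - System32\Tasks\netupodtep => C:\Windows\system32\config\systemprofile\AppData\Local\San-Phase <==== ATTENTION
C:\ProgramData\caMyciloP
C:\Program Files (x86)\dataup
C:\ProgramData\Airtostrong
C:\Windows\system32\config\systemprofile\AppData\Local\San-Phase
"""

# Persistence entries (services, scheduled tasks) and deletion entries (bare or dated paths).
PERSIST_RE = re.compile(r"^(?:S\d+ (?P<svc>[^;]+); |Task: \{[^}]+\} - System32\\Tasks\\(?P<task>\S+) => )(?P<cmd>.*)$")
DELETE_RE = re.compile(r"^(?:\d{4}-\d{2}-\d{2} .* (?:____D|_____) (?:\(\) )?)?(?P<path>[A-Za-z]:\\.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|reg)\b", re.I)


def norm(path):
    """Case-fold, collapse the doubled backslashes FRST prints, drop a trailing slash."""
    return path.lower().replace("\\\\", "\\").rstrip("\\")


def target_of(cmd):
    """First file the entry launches; a bare directory target (no extension) is kept whole."""
    m = PATH_RE.search(cmd)
    if m:
        return norm(m.group(0))
    cmd = cmd.split(" <====")[0].strip()
    return norm(cmd) if re.match(r"[A-Za-z]:\\", cmd) else None


def uncovered(fixlist):
    """Persistence targets that no deletion entry removes (the file itself or a parent dir)."""
    persist, deletions = [], []
    for line in fixlist.strip().splitlines():
        if (m := PERSIST_RE.match(line)):
            persist.append((m.group("svc") or m.group("task"), target_of(m.group("cmd"))))
        elif (d := DELETE_RE.match(line)):
            deletions.append(norm(d.group("path")))
    return [(name, t) for name, t in persist
            if t and not any(t == d or t.startswith(d + "\\") for d in deletions)]
```

Run `uncovered(FIXLIST)` against a full fixlist before running it to catch a task or service whose payload directory was left out of the deletion block.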

#3
Essexboy


Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

