
These Trojan Horse Twins called 80000032.@ and 80000064.@ are destroying my life


frankocean89:
Thanks mchain, I will look into that when my system is cleaned :)
magna86, I have attached the log :)

frankocean89:
Done

magna86:
This fix you shall deploy from normal mode as some malicious services are still loaded.

1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


--- Code: ---START
() C:\Users\SAMSUNG\AppData\Local\GetBooks\GetBooks.exe
HKCU\...\Run: [GetBooks] - C:\Users\SAMSUNG\AppData\Local\GetBooks\GetBooks.exe [509440 2013-05-15] ()
C:\Users\SAMSUNG\AppData\Local\GetBooks
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://feed.snap.do/?publisher=Download&dpid=Download&co=GB&userid=00c0ab9a-df4a-455b-aec2-db82b7a2f123&searchtype=ds&q={searchTerms}
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://feed.snap.do/?publisher=Download&dpid=Download&co=GB&userid=00c0ab9a-df4a-455b-aec2-db82b7a2f123&searchtype=ds&q={searchTerms}
SearchScopes: HKLM - {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snap.do/?publisher=Download&dpid=Download&co=GB&userid=00c0ab9a-df4a-455b-aec2-db82b7a2f123&searchtype=ds&q={searchTerms}
SearchScopes: HKCU - {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL =
Toolbar: HKLM -  No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 06 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
CHR Extension: (Ask Toolbar) - C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaajpbjobobnmcnepdoldijfgmgogbe\21.54118_0
C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaajpbjobobnmcnepdoldijfgmgogbe
CHR Extension: (Missing e) - C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcjbagclppcgdbpobcpoojdjdmcjhpid\2.14.3_0
C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcjbagclppcgdbpobcpoojdjdmcjhpid
CHR Extension: (UnfollowHater) - C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjobkfnjnakiggjoafelkncclbonjhm\1.0.13_0
C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjobkfnjnakiggjoafelkncclbonjhm
CHR Extension: (Chrome In-App Payments service) - C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0
C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
CHR HKLM\...\Chrome\Extension: [aaaajpbjobobnmcnepdoldijfgmgogbe] - C:\ProgramData\AskPartnerNetwork\Toolbar\MYC3-V7\CRX\ToolbarCR.crx
C:\ProgramData\AskPartnerNetwork
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{a9dc3b77-a104-26f7-d8cc-b3ee5a1d846e}\   \...\???\{a9dc3b77-a104-26f7-d8cc-b3ee5a1d846e}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
CMD: netsh winsock reset
CMD: ipconfig /flushdns
END

--- End code ---
2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

------ next -------

Reboot (restart) the machine once more.

------ next -------

Re-run FRST, just press the Scan button and post me the freshly created FRST log.
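
As an added, read-only check (not part of this thread and not a Farbar tool; the function names are mine, the registry paths are the standard Windows ones), this PowerShell audit re-lists the two kinds of damage the fixlist above corrected: autostart Run entries whose target is missing or lives in a user-writable folder, and Winsock NameSpace_Catalog5 entries whose LibraryPath no longer points to an existing DLL. It changes nothing, so the output can simply be compared with the fresh FRST log.

```powershell
# Added example, not the thread's or Farbar's code. Read-only: reports, never modifies.
# Run from an elevated PowerShell prompt so the HKLM keys are readable.

function Get-SuspiciousRunEntries {
    # Autostart values under Run, like the GetBooks and hijacked "Google Update*" entries above
    $keys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = ([string]$item.GetValue($name)).Trim()
            # Separate the executable from its arguments; quoted paths may contain spaces
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if ([string]::IsNullOrWhiteSpace($exe)) { continue }
            # FRST marks a missing target as [x]; ZeroAccess used such a dangling value
            $missing = -not (Test-Path -LiteralPath $exe -PathType Leaf)
            # A target under the user profile or ProgramData is writable without admin rights
            $userWritable = $exe.StartsWith($env:USERPROFILE, 'OrdinalIgnoreCase') -or
                            $exe.StartsWith($env:ProgramData, 'OrdinalIgnoreCase')
            if ($missing -or $userWritable) {
                [pscustomobject]@{ Key = $key; Name = $name; Target = $exe
                                   Missing = $missing; UserWritable = $userWritable }
            }
        }
    }
}

function Get-BrokenWinsockNamespaceEntries {
    # The NameSpace_Catalog5 entries FRST reported as "File Not found": each has a LibraryPath
    # value that must resolve to an existing DLL (FRST expected NLAapi.dll and mswsock.dll).
    # On 64-bit Windows the sibling key Catalog_Entries64 holds the 64-bit copies.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries'
    foreach ($entry in Get-ChildItem -LiteralPath $base) {
        $lib = [string]$entry.GetValue('LibraryPath')
        $resolved = [Environment]::ExpandEnvironmentVariables($lib)
        if ([string]::IsNullOrWhiteSpace($resolved) -or
            -not (Test-Path -LiteralPath $resolved -PathType Leaf)) {
            [pscustomobject]@{ Entry = $entry.PSChildName; LibraryPath = $lib }
        }
    }
}

Get-SuspiciousRunEntries | Format-Table -AutoSize
Get-BrokenWinsockNamespaceEntries | Format-Table -AutoSize
```

An empty second table after "netsh winsock reset" is the expected outcome; anything listed in the first table is worth naming in the next reply rather than deleting by hand.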

frankocean89:
Thanks soooooo much. I checked the location of the trojan horses and they have been deleted :*

magna86:

--- Quote ---Thanks soooooo much. I checked the location of the trojan horses and they have been deleted :*
--- End quote ---
8)

We have not finished yet. I shall quote myself again:

--- Quote from: magna86 on October 08, 2013, 03:28:01 PM ---
- I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
- The fixes are specific to your problem and should only be used for this issue on this machine.
- If you don't know or understand something, please don't hesitate to ask.
- Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...)
- Please DO NOT run any other tools or scans whilst I am helping you.
- It is important that you reply to this thread. Do not start a new topic.
- Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
- Absence of symptoms does not mean that everything is clear.
--- End quote ---
---------------------------------------------------------------------------------------------

=> Run Chrome > Settings
Under the "On startup" section of the options, check the box for "Open a specific page or set of pages" and click "Set pages".
Under "Add new page" type: "www.google.com" and press Ok.

-----------------------------

Rootkit is killed. ZA is no more. But we need to check/repair all the damage caused by the ZA rootkit.

We shall re-check with Combofix, and therefore I wanna you to run another Farbar tool named FSS.
With FSS we shall check whether there is any damage caused by the rootkit.

Scan with Combofix:
- Please download ComboFix and save it to your Desktop.
  You may read how Combofix works here.
- Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
  If you are unsure how to do this please read this or this Instruction.
- Run ComboFix. Click on I Agree! & follow the prompts.
  Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.
- When finished, it will produce a report for you. Please attach log reports (ComboFix.txt) back to topic.
  (typical log location: C:\ComboFix.txt )

----- next -----

Please download Farbar Service Scanner and run it on the computer with the issue.
- Make sure the following options are checked:
  - Internet Services
  - Windows Firewall
  - System Restore
  - Security Center/Action Center
  - Windows Update
  - Windows Defender
- Press "Scan".
- It will create a log (FSS.txt) in the same directory the tool is run from.
- Please copy and paste the log to your reply.