
Rootkit.SmartService (A) & Trojan.Trafmous (A)


Elise M.

Elise,

Do the following:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
SearchScopes: HKU\S-1-5-21-2023144153-1527112895-3287757125-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2023144153-1527112895-3287757125-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
2017-11-07 21:37 - 2017-11-07 21:37 - 000000000 ____D C:\Users\Elise\AppData\Local\Tempzxpsigne493dde1103f2286
2017-11-07 21:25 - 2017-11-07 21:25 - 000000000 ____D C:\Users\Elise\AppData\Local\Tempzxpsign9beb9f021ec124cc
2017-11-07 21:23 - 2017-11-07 21:23 - 000000000 ____D C:\Users\Elise\AppData\Local\Tempzxpsignf1d4b1814bf2db6c
2017-11-07 21:23 - 2017-11-07 21:23 - 000000000 ____D C:\Users\Elise\AppData\Local\Tempzxpsigndac3a28e59eae08e
2017-11-07 21:23 - 2017-11-07 21:23 - 000000000 ____D C:\Users\Elise\AppData\Local\Tempzxpsign888e1599712d5432
2017-11-07 21:23 - 2017-11-07 21:23 - 000000000 ____D C:\Users\Elise\AppData\Local\Tempzxpsign364b2ea5ceeb11d8
2017-11-07 21:21 - 2017-11-07 21:21 - 000000000 ____D C:\Users\Elise\AppData\Local\Tempzxpsigne08da7cb957cb818
2017-11-07 21:21 - 2017-11-07 21:21 - 000000000 ____D C:\Users\Elise\AppData\Local\Tempzxpsignd4627d01c4e1e0ae
2017-11-07 21:21 - 2017-11-07 21:21 - 000000000 ____D C:\Users\Elise\AppData\Local\Tempzxpsigncbbd5decacd5ce51
2017-11-03 06:37 - 2017-11-03 06:37 - 000000000 ____D C:\Users\Elise\AppData\Local\Tempzxpsignf69834f37f26482a
2017-11-03 06:37 - 2017-11-03 06:37 - 000000000 ____D C:\Users\Elise\AppData\Local\Tempzxpsign71793f00bac86e6d
2017-11-03 06:35 - 2017-11-03 06:35 - 000000000 ____D C:\Users\Elise\AppData\Local\Tempzxpsignbcb91e2f5c2bd44d
2017-11-03 06:35 - 2017-11-03 06:35 - 000000000 ____D C:\Users\Elise\AppData\Local\Tempzxpsign7b59b97376a3bb4a
2017-11-03 06:35 - 2017-11-03 06:35 - 000000000 ____D C:\Users\Elise\AppData\Local\Tempzxpsign5d92c9294bb4ec67
2017-10-26 21:06 - 2017-10-26 21:06 - 000000000 ____D C:\Users\Elise\AppData\Local\Tempzxpsignfc3ba2acdcfbd68a
2017-10-26 20:55 - 2017-10-26 20:55 - 000000000 ____D C:\Users\Elise\AppData\Local\Tempzxpsigne3dc00dfe5f6ea27
2017-10-26 20:51 - 2017-10-26 20:51 - 000000000 ____D C:\Users\Elise\AppData\Local\Tempzxpsign344c27e059205beb
2017-10-26 20:49 - 2017-10-26 20:49 - 000000000 ____D C:\Users\Elise\AppData\Local\Tempzxpsign4f41c3e2cf330f81
2017-10-26 20:49 - 2017-10-26 20:49 - 000000000 ____D C:\Users\Elise\AppData\Local\Tempzxpsign2bca1394608d9302
2017-10-26 20:49 - 2017-10-26 20:49 - 000000000 ____D C:\Users\Elise\AppData\Local\Tempzxpsign184fca7a8c942273
2017-11-10 16:37 - 2017-08-12 18:47 - 000000000 ____D C:\Users\Elise\AppData\Local\ntuserlitelist
C:\WINDOWS\system32\drivers\dumwidou.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION
C:\WINDOWS\system32\drivers\msidntfs.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION
CustomCLSID: HKU\S-1-5-21-2023144153-1527112895-3287757125-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-A985A56D48DD}\InprocServer32 -> %%systemroot%%\system32\shell32.dll => No File
ContextMenuHandlers1: [7-Zip] -> [CC]{23170F69-40C1-278A-1000-000100020000} =>  -> No File
ContextMenuHandlers1: [AccExt] -> [CC]{2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} =>  -> No File
ContextMenuHandlers1: [GDContextMenu] -> [CC]{BB02B294-8425-42E5-983F-41A1FA970CD6} =>  -> No File
ContextMenuHandlers2-x32: [mozy] -> [CC]{b32a6748-f273-4546-b60a-3c5adc239de5} =>  -> No File
ContextMenuHandlers3-x32: [mozy] -> [CC]{b32a6748-f273-4546-b60a-3c5adc239de5} =>  -> No File
ContextMenuHandlers4: [7-Zip] -> [CC]{23170F69-40C1-278A-1000-000100020000} =>  -> No File
ContextMenuHandlers4: [GDContextMenu] -> [CC]{BB02B294-8425-42E5-983F-41A1FA970CD6} =>  -> No File
ContextMenuHandlers4: [mozy] -> [CC]{b32a6748-f273-4546-b60a-3c5adc239de5} =>  -> No File
ContextMenuHandlers6: [7-Zip] -> [CC]{23170F69-40C1-278A-1000-000100020000} =>  -> No File
ContextMenuHandlers6: [AccExt] -> [CC]{2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} =>  -> No File
ContextMenuHandlers6-x32: [mozy] -> [CC]{b32a6748-f273-4546-b60a-3c5adc239de5} =>  -> No File
Task: {08279E34-BF37-4876-935C-88EEBFB42C3E} - System32\Tasks\Updater_Online_Application => C:\Program Files (x86)\Microleaves\Online Application\Online Application Updater.exe <==== ATTENTION
Task: {0BFF85E3-0DF4-4589-AB0C-B662C3BC3267} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {0C4EB0BD-4226-45A3-8239-55914632580C} - System32\Tasks\78cf8b186753d79aca3bce2cdf750687 => powershell.exe -NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File "C:\WINDOWS\78cf8b186753d79aca3bce2cdf750687.ps1" <==== ATTENTION
Task: {166C892E-3E9F-48B7-A27E-E460A7833CC8} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {232A1FA3-BE5F-44F0-B86E-77AA83AF6D0B} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {3754F62F-18DA-4293-AA1C-5C5936947CF5} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {40012ECC-A97C-4598-82C2-72A280045D1B} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {47AE73B7-13FF-4F5F-9206-72ABBEB83942} - System32\Tasks\Online Application V2G3 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: {53E7FA16-D5E8-4CE5-86CA-360800A58163} - System32\Tasks\Online Application V2G2 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: {6B139593-1E7C-44F0-BD92-3216D66E7D19} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {6F658C18-C1AC-446F-A2C9-9A4A5BF3A0DB} - System32\Tasks\c3bc020287e7a0a0189d436b7e54b519 => sc start c3bc020287e7a0a0189d436b7e54b519 <==== ATTENTION
Task: {7AC4E6F8-90C5-48BE-A195-6BF758AC60B2} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {8DDB235F-CE99-4403-8463-58B5F8279F33} - \GenericSettingsHandler\Windows-Credentials\RetrySyncTask_for_S-1-5-21-2023144153-1527112895-3287757125-1001 -> No File <==== ATTENTION
Task: {9A9175E3-0945-4D06-82E5-42DEEEF6CAA7} - System32\Tasks\Online Application V2G1 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: {A8892583-C8EE-4107-8F84-0CCFA8867DE1} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {C36D561D-3B42-4A5A-9597-41A8D8ED4795} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {CB26D4EB-CA2F-4FD1-892E-7BD949EB081A} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {CEFA8322-94F3-481D-AE59-990D31E7EC72} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {F4108AA1-5F9D-41A9-BC4B-43E3FB978126} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G1.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G2.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G3.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Updater_Online_Application.job => C:\Program Files (x86)\Microleaves\Online Application\Online Application Updater.exe <==== ATTENTION
C:\WINDOWS\System32\Drivers\dumwidou.sys
C:\WINDOWS\system32\drivers\msidntfs.sys
C:\Users\Elise\AppData\Local\ntuserlitelist\vgajhxf\ctfjagd.exe
C:\Users\Elise\AppData\Local\ntuserlitelist\vgajhxf\imerpec.exe
C:\Users\Elise\AppData\Local\ntuserlitelist\vgajhxf\nisckej.exe
C:\Users\Elise\AppData\Local\ntuserlitelist\vgajhxf\niscqzk.exe
C:\Users\Elise\AppData\Local\ntuserlitelist\vgajhxf\nisgehq.exe
C:\Users\Elise\AppData\Local\ntuserlitelist\vgajhxf\vgagfbc.exe
C:\Users\Elise\AppData\Local\ntuserlitelist\vgajhxf\nisgxfs.exe
C:\Users\Elise\AppData\Local\ntuserlitelist\vgajhxf\vgaiqzc.exe
C:\Users\Elise\AppData\Local\ntuserlitelist\vgajhxf\vgajhxf.exe
C:\Users\Elise\AppData\Local\ntuserlitelist\vgajhxf\vgarwgh.exe
C:\Users\Elise\AppData\Local\ntuserlitelist\vgajhxf\nishtpr.exe
C:\Users\Elise\AppData\Local\ntuserlitelist\vgajhxf\vmtwela.exe
C:\Users\Elise\AppData\Local\ntuserlitelist\vgajhxf\vmadayh.exe
C:\Users\Elise\AppData\Local\ntuserlitelist\vgajhxf\winyign.exe
C:\Users\Elise\AppData\Local\ntuserlitelist\vgajhxf\unifgvn.exe
C:\Users\Elise\AppData\Local\ntuserlitelist\vgajhxf\winvyrx.exe
C:\Users\Elise\AppData\Local\ntuserlitelist\vgajhxf\wudtbdr.exe
C:\Users\Elise\AppData\Local\ntuserlitelist\vgajhxf\imehtyq.exe
C:\Users\Elise\AppData\Local\ntuserlitelist\vgajhxf
C:\Users\Elise\AppData\Local\ntuserlitelist

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.
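Added example (not part of the helper's reply and not an FRST feature): a PowerShell script that re-checks, after the fix has run, the indicators the fixlist above removes. The file paths, the Microleaves task names and the Microleaves program folder are taken from the fixlist itself. Three things are this script's own assumptions: that the 32-hex-character task and service names are randomly generated and can be matched with a regex, that FRST's "Group Policy restriction on software" line corresponds to a Software Restriction Policy "Disallowed" path rule under the Safer\CodeIdentifiers\0\Paths key, and that any remaining driver file whose MD5 equals the hash of zero-length input (what FRST prints as "0-byte MD5") is still worth reporting. Run it from an elevated PowerShell prompt.

```powershell
# Post-fix verification script. Added example, not FRST's or the original poster's code.
# Re-checks the fixlist's indicators: leftover files/directories, suspicious scheduled
# tasks (.job files included), random-named services and an SRP rule blocking mrt.exe.

# MD5 of zero-length input. FRST labels a file with this hash "0-byte MD5".
$EmptyMd5 = 'D41D8CD98F00B204E9800998ECF8427E'

# Files and folders named in the fixlist.
$Paths = @(
    "$env:SystemRoot\System32\drivers\dumwidou.sys",
    "$env:SystemRoot\System32\drivers\msidntfs.sys",
    "$env:LOCALAPPDATA\ntuserlitelist",
    "${env:ProgramFiles(x86)}\Microleaves"
)

# Task names from the fixlist, plus a regex for 32-hex-character names
# (assumption: those names are generated per infection, so match the shape, not a value).
$TaskNames = @('Updater_Online_Application', 'Online Application V2G1',
               'Online Application V2G2',   'Online Application V2G3')
$HexName   = '^[0-9a-f]{32}$'

function Test-LeftoverPaths {
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $item = Get-Item -LiteralPath $p -Force
        $note = ''
        if (-not $item.PSIsContainer) {
            # Get-FileHash on an empty or unreadable-as-empty file yields $EmptyMd5.
            $md5 = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash
            if ($md5 -eq $EmptyMd5) { $note = ' (MD5 of empty input: file is 0 bytes)' }
        }
        "STILL PRESENT: $p$note"
    }
}

function Get-SuspiciousTasks {
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        $reasons = @()
        if ($TaskNames -contains $task.TaskName) { $reasons += 'name listed in fixlist' }
        if ($task.TaskName -match $HexName)      { $reasons += 'random 32-hex name' }
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match '(?i)powershell.*-ExecutionPolicy\s+Bypass') { $reasons += 'powershell -ExecutionPolicy Bypass' }
            if ($cmd -match '(?i)^sc(\.exe)?\s+start\s+[0-9a-f]{32}')    { $reasons += 'sc start of random-named service' }
            if ($cmd -match '(?i)Microleaves')                            { $reasons += 'Microleaves path' }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; Reasons = ($reasons -join '; ') }
        }
    }
    # Legacy Task Scheduler 1.0 .job files, as listed at the end of the fixlist's Task: entries.
    Get-ChildItem -LiteralPath "$env:SystemRoot\Tasks" -Filter *.job -ErrorAction SilentlyContinue |
        Where-Object { $TaskNames -contains $_.BaseName } |
        ForEach-Object { [pscustomobject]@{ Task = $_.FullName; Reasons = 'legacy .job listed in fixlist' } }
}

function Get-RandomNamedServices {
    # The fixlist's "sc start <32 hex>" task implies a service of that name; report any that remain.
    Get-Service -ErrorAction SilentlyContinue | Where-Object { $_.Name -match $HexName } |
        ForEach-Object { "SERVICE: $($_.Name) ($($_.Status))" }
}

function Get-SrpDisallowRules {
    # Assumption: SRP path rules at security level 0 (Disallowed) live under this key,
    # one subkey per rule with the blocked path in ItemData.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
    if (-not (Test-Path -LiteralPath $key)) { return }
    Get-ChildItem -LiteralPath $key | ForEach-Object {
        $data = (Get-ItemProperty -LiteralPath $_.PSPath).ItemData
        if ($data) { "SRP DISALLOW RULE: $data" }
    }
}

$findings = @(Test-LeftoverPaths) + @(Get-SuspiciousTasks) + @(Get-RandomNamedServices) + @(Get-SrpDisallowRules)
if ($findings.Count -eq 0) {
    'No fixlist indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A clean result is "No fixlist indicators found." Anything still reported, especially a driver file that is again 0 bytes or a scheduled task recreated with a fresh 32-hex name, means something on the machine is re-establishing persistence and the Fixlog.txt plus a new FRST scan should be posted rather than re-running the same fixlist.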
