Win64/patched.A

Discussion in 'Malware Help (A Specialist Will Reply)' started by Garb96, Nov 2, 2012.

  1. Garb96

    Garb96 Private E-2

    Hey, I've got AVG popping up constantly. I'm looking at removing the problems, and from reading up it looks like you guys might be able to help. Thanks!
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Rescan with HitmanPro, when it finds services.exe - Virus, allow it to Replace by clicking the down arrow next to the detection and choosing Replace.

    Choose to Delete these files if they are detected:


    • C:\Program Files (x86)\PageRage\OptChrome.exe
      C:\Program Files (x86)\PageRage\YontooIEClient.dll
      C:\ProgramData\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setupx.dll
      C:\Windows\assembly\GAC_32\Desktop.ini
      C:\Windows\assembly\GAC_64\Desktop.ini
      C:\windows\praetorian.exe
      C:\windows\system32\services.exe
      C:\Program Files (x86)\Ask.com\ (AskBar)
      C:\Program Files (x86)\Ask.com\cobrand.ico (AskBar)
      C:\Program Files (x86)\Ask.com\config.xml (AskBar)
      C:\Program Files (x86)\Ask.com\favicon.ico (AskBar)
      C:\Program Files (x86)\Ask.com\mupcfg.xml (AskBar)
      C:\Program Files (x86)\Funmoods\ (Funmoods)
      C:\Users\stephanie\AppData\Local\AskToolbar\ (AskBar)
      C:\Users\stephanie\AppData\Local\AskToolbar\Downloaded Program Files\ (AskBar)
      C:\Users\stephanie\AppData\Local\AskToolbar\Downloaded Program Files\Nero.inf (AskBar)
      C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ (AskBar)
      C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\1033.MST (AskBar)
      C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ARPPRODUCTICON.exe (AskBar)
    Ignore all other detections.
    Afterwards, click the Next button.
    HitmanPro may want to reboot the PC in order for the changes to take effect, please do so.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button

    Now click the Registry tab and locate these detections:

    • [RUN][SUSP PATH] HKCU\[...]\Run : (C:\windows\praetorian.exe) -> FOUND
      [RUN][SUSP PATH] HKUS\S-1-5-21-3605448634-3786527120-3762133118-1000[...]\Run : (C:\windows\praetorian.exe) -> FOUND
      [RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : (C:\windows\praetorian.exe) -> FOUND
      [TASK][SUSP PATH] At1.job : C:\windows\twwunk_32.exe -> FOUND
      [TASK][ROGUE ST] 0 : c:\program files (x86)\internet explorer\iexplore.exe -> FOUND
      [TASK][ROGUE ST] 4809 : wscript.exe C:\Users\STEPHA~1\AppData\Local\Temp\launchie.vbs //B -> FOUND
      [TASK][SUSP PATH] At1 : C:\windows\twwunk_32.exe -> FOUND
    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.


    Now click the Files/folders tab and locate these detections:

    • [ZeroAccess][FILE] @ : C:\windows\Installer\{e2ad0c78-3eb3-3882-47c6-2106083b7b9a}\@ --> FOUND
      [ZeroAccess][FOLDER] U : C:\windows\Installer\{e2ad0c78-3eb3-3882-47c6-2106083b7b9a}\U --> FOUND
      [ZeroAccess][FOLDER] L : C:\windows\Installer\{e2ad0c78-3eb3-3882-47c6-2106083b7b9a}\L --> FOUND
      [ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_32\Desktop.ini --> FOUND
      [ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_64\Desktop.ini --> FOUND
      [Susp.ASLR][FILE] services.exe : C:\windows\system32\services.exe --> FOUND
    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)

    Now rescan with both RogueKiller and Hitman and attach those new logs as well.

    Now

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
     
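The post above has the user click through two scanners and trust their verdicts. An added example, not part of TimW's instructions and not code from HitmanPro or RogueKiller, that checks the same ZeroAccess indicators read-only from an elevated PowerShell prompt, both before cleanup (to see what the scanners saw) and after (to confirm every item is gone). The paths, Run keys, task names and the {e2ad0c78-...} Installer folder are the ones quoted in the logs above; the DYNAMICBASE check assumes, as the "Susp.ASLR" detection name suggests, that the patched services.exe is flagged because that PE flag was stripped, which is an assumption on my part.

```powershell
# Added example: read-only triage of the indicators listed in the thread. Removes nothing.
# Run from an elevated PowerShell prompt on the affected machine.

function Test-ServicesExe {
    # ZeroAccess patches the real services.exe in place; HitmanPro reports it as
    # "services.exe - Virus" and offers Replace, RogueKiller reports "Susp.ASLR".
    $path  = 'C:\Windows\System32\services.exe'
    $bytes = [System.IO.File]::ReadAllBytes($path)
    # PE walk: e_lfanew at 0x3C; optional header begins 0x18 past "PE\0\0";
    # DllCharacteristics sits at optional-header offset 0x46 for both PE32 and PE32+.
    $peOff    = [BitConverter]::ToInt32($bytes, 0x3C)
    $dllChars = [BitConverter]::ToUInt16($bytes, $peOff + 0x18 + 0x46)
    $aslr     = ($dllChars -band 0x40) -ne 0          # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (assumed check)
    # Get-AuthenticodeSignature only sees embedded signatures. On Windows 7 a clean
    # services.exe is catalog-signed and shows NotSigned, so sfc's verdict is the one to trust.
    $sig = Get-AuthenticodeSignature -FilePath $path
    $sfc = (& sfc.exe /verifyfile=$path 2>&1 | Out-String) -replace "`0", ''   # strip UTF-16 nulls
    [pscustomobject]@{
        File        = $path
        DynamicBase = $aslr
        Signature   = $sig.Status
        SfcResult   = ($sfc -split "`r?`n" | Where-Object { $_ -match 'integrity' } | Select-Object -First 1)
    }
}

function Get-SuspiciousRunEntries {
    # The persistence in the log lived in three Run keys, each launching an exe dropped
    # straight into C:\Windows. Legitimate autoruns essentially never live there,
    # so match on the location rather than on the name praetorian.exe alone.
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # PSPath, PSParentPath, ... provider noise
            if ($p.Value -match '(?i)^"?[a-z]:\\windows\\[^\\]+\.exe') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

function Find-ZeroAccessArtifacts {
    # File-system side: the GAC Desktop.ini payloads, the dropped exes, and the "@", "U"
    # and "L" items under the fake Windows\Installer\{GUID} folder, all copied from the logs.
    $paths = @(
        'C:\Windows\assembly\GAC_32\Desktop.ini',
        'C:\Windows\assembly\GAC_64\Desktop.ini',
        'C:\Windows\praetorian.exe',
        'C:\Windows\twwunk_32.exe',
        'C:\Windows\Installer\{e2ad0c78-3eb3-3882-47c6-2106083b7b9a}\@',
        'C:\Windows\Installer\{e2ad0c78-3eb3-3882-47c6-2106083b7b9a}\U',
        'C:\Windows\Installer\{e2ad0c78-3eb3-3882-47c6-2106083b7b9a}\L'
    )
    foreach ($p in $paths) {
        # -Force so hidden/system items are seen; -LiteralPath so "@" and braces are not globbed
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path    = $p
            Present = [bool]$item
            Attrs   = if ($item) { $item.Attributes.ToString() } else { '' }
        }
    }
    # Scheduled-task side: the At1 job and the rogue task that runs launchie.vbs via wscript
    & schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.'Task To Run' -match '(?i)twwunk_32|launchie\.vbs' } |
        Select-Object TaskName, 'Task To Run'
}

Test-ServicesExe          | Format-List
Get-SuspiciousRunEntries  | Format-Table -AutoSize
Find-ZeroAccessArtifacts  | Format-Table -AutoSize
```

After HitmanPro's Replace and the RogueKiller deletions, a clean run shows SfcResult reporting no integrity violations, no Run entries, and Present=False on every path; anything still True is the item to chase in the next log. The sfc call is the reliable part of the services.exe check on Windows 7; the Authenticode status is only meaningful on systems where catalog-signed files verify.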
  3. Garb96

    Garb96 Private E-2

    OK, I was so exhausted last night I'm not sure if I did everything right, but here are all the logs. I'm doing a second post also to add the extra RKreports that came up. Thanks again for all the help!
     


  4. Garb96

    Garb96 Private E-2

    All the RKreports
     


  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re-run Hitman and have it remove all this crap:
    Code:
    Potential Unwanted Programs _________________________________________________
       HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ (Funmoods)
       HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ (Funmoods)
       HKLM\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\ (Funmoods)
       HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}\ (Funmoods)
       HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ (Funmoods)
       HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9\ (AskBar)
       HKLM\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ (Funmoods)
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\261F213D1F55267499B1F87D0CC3BCF7\ (AskBar)
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8\ (AskBar)
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01\ (AskBar)
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED\ (AskBar)
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472\ (AskBar)
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296\ (AskBar)
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888\ (AskBar)
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF\ (AskBar)
       HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}\ (AskBar)
       HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ (AskBar)
       HKU\S-1-5-21-3605448634-3786527120-3762133118-1000\Software\AppDataLow\Software\blekkotb\ (Blekko)
       HKU\S-1-5-21-3605448634-3786527120-3762133118-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}\ (AskBar)
       HKU\S-1-5-21-3605448634-3786527120-3762133118-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\AskTB5.6 (AskBar)
    Then tell me how things are running.
     
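The listing above is what HitmanPro prints; verifying that every one of those keys and values is really gone afterwards means checking them one by one. An added example, not part of TimW's post and not HitmanPro's own code, that parses a pasted listing of this form into registry-provider paths, reports whether each entry still exists, and, only with -Remove, exports a .reg backup of the key and then deletes it. The three input lines are copied from the listing above and are a constructed sample of the input format; feed the whole list in practice. Run elevated.

```powershell
# Added example: parse a HitmanPro "Potential Unwanted Programs" listing and verify each entry.

$constructedListing = @'
   HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ (Funmoods)
   HKU\S-1-5-21-3605448634-3786527120-3762133118-1000\Software\AppDataLow\Software\blekkotb\ (Blekko)
   HKU\S-1-5-21-3605448634-3786527120-3762133118-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\AskTB5.6 (AskBar)
'@   # sample lines copied from the thread's listing

function ConvertFrom-HitmanListing {
    param([string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        # Format is "<path> (<Tag>)". A trailing backslash means the entry is a key;
        # otherwise the last component is a value name under its parent key
        # (the "...\Post Platform\AskTB5.6" line is the value case).
        if ($line -notmatch '^\s*(HK[A-Z]+\\.+?)\s+\((\w+)\)\s*$') { continue }
        $raw = $Matches[1]; $tag = $Matches[2]
        if ($raw.EndsWith('\')) {
            $keyPath = $raw.TrimEnd('\'); $valueName = $null
        } else {
            $i = $raw.LastIndexOf('\')
            $keyPath = $raw.Substring(0, $i); $valueName = $raw.Substring($i + 1)
        }
        # HKLM\ and HKCU\ map onto PowerShell drives; HKU\ needs the Registry:: provider prefix.
        # The HKU\S-1-5-21-... hive is only loaded while that user is logged on.
        $ps = $keyPath -replace '^HKLM\\', 'HKLM:\' -replace '^HKCU\\', 'HKCU:\' -replace '^HKU\\', 'Registry::HKEY_USERS\'
        [pscustomobject]@{ Tag = $tag; Key = $ps; Value = $valueName; Raw = $raw }
    }
}

function Test-HitmanEntry {
    param([Parameter(ValueFromPipeline)]$Entry, [switch]$Remove)
    process {
        $exists = if ($Entry.Value) {
            (Test-Path -LiteralPath $Entry.Key) -and
            ($null -ne (Get-ItemProperty -LiteralPath $Entry.Key -Name $Entry.Value -ErrorAction SilentlyContinue))
        } else {
            Test-Path -LiteralPath $Entry.Key
        }
        if ($exists -and $Remove) {
            # reg.exe wants the native HKLM\... / HKU\... form, so undo the provider mapping for the export
            $native = $Entry.Key -replace '^Registry::HKEY_USERS\\', 'HKU\' -replace '^(HK[A-Z]+):\\', '$1\'
            $backup = Join-Path $env:TEMP (($native -replace '[\\:{}\s]', '_') + '.reg')
            & reg.exe export $native $backup /y | Out-Null
            if ($Entry.Value) { Remove-ItemProperty -LiteralPath $Entry.Key -Name $Entry.Value }
            else              { Remove-Item -LiteralPath $Entry.Key -Recurse }
        }
        [pscustomobject]@{ Tag = $Entry.Tag; Path = $Entry.Raw; Present = $exists; Removed = ($exists -and $Remove) }
    }
}

# Report only; add -Remove to Test-HitmanEntry once the Present=True rows are confirmed to be the intended ones.
ConvertFrom-HitmanListing $constructedListing | Test-HitmanEntry | Format-Table -AutoSize
```

Paste the full listing in place of the sample and run it once before and once after HitmanPro's removal: the second run should show Present=False on every row, and the .reg exports in %TEMP% let you restore a key if a deletion turns out to break something.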
