Hi there, just a few minutes ago I got caught with this virus. I browsed the forum a bit and followed essex's guide.
I have run MBAM and TFC to clean the PC up a bit.
OTS logs are included in this post.
Please help.
Welcome to the forum.
Please also add the Malwarebytes scanning log.
Did Malwarebytes detect anything?
Someone will look at that log and give you advice on it. I'm not that good at them.
Essexboy is notified.
You usually find him here at 8:00pm - 11:59pm UK time.
Pondus,
We are now at htxp://62.122.73.203/549/getcfg.php
The malware is a variant of Trojan Karagany.A
see: http://www.malware-control.com/statics-pages/21dcd2445525bd73498743eb026dedaf.php
polonus
Hi there, thanks for the welcome.
After the cleansing process of MBAM and TFC, the popup spam has stopped,
but I just wanted to make sure everything's fine now, and I'm curious to hear what essex has to say about this (possibly new?) virus.
Hi there - you have been using an infected USB drive - I would recommend that you format them and start afresh, then use Panda Vaccinate to keep them safe http://www.pandasecurity.com/homeusers/downloads/usbvaccine/
It looks like MBAM took the majority out - what problems are you experiencing now?
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< FireFox Extensions [Program Folders] > ->
YY -> No name found -> C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {000123B4-9B42-4900-B3F7-F4B073EFC214} [HKLM] -> [Octh Class]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{170af057-b888-11de-95eb-0026183c9aab} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{170af057-b888-11de-95eb-0026183c9aab}\SHell\AUtOpLay\cOmMand ->
YN -> \{170af057-b888-11de-95eb-0026183c9aab}\SHell\AUtOpLay\cOmMand\\"" -> [G:\ulvqf.cmd]
YN -> \{170af057-b888-11de-95eb-0026183c9aab} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{170af057-b888-11de-95eb-0026183c9aab}\SHell\AutoRun\command ->
YN -> \{170af057-b888-11de-95eb-0026183c9aab}\SHell\AutoRun\command\\"" -> [G:\ulvqf.cmd]
YN -> \{170af057-b888-11de-95eb-0026183c9aab} ->
YN -> \{170af057-b888-11de-95eb-0026183c9aab}\SHell\eXplore\comMANd\\"" -> [G:\ulvqf.cmd]
YN -> \{170af057-b888-11de-95eb-0026183c9aab} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{170af057-b888-11de-95eb-0026183c9aab}\SHell\OpEN\COmMand ->
YN -> \{170af057-b888-11de-95eb-0026183c9aab}\SHell\OpEN\COmMand\\"" -> [G:\ulvqf.cmd]
YN -> \{525257cb-5c01-11df-a60b-0026183c9aab} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{525257cb-5c01-11df-a60b-0026183c9aab}\shell\AutoRun\command ->
YN -> \{525257cb-5c01-11df-a60b-0026183c9aab}\shell\AutoRun\command\\"" -> [H:\esewus.exe]
YN -> \{525257cb-5c01-11df-a60b-0026183c9aab} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{525257cb-5c01-11df-a60b-0026183c9aab}\shell\open\Command ->
YN -> \{525257cb-5c01-11df-a60b-0026183c9aab}\shell\open\Command\\"" -> [H:\esewus.exe]
YN -> \{8ce0a2d2-945a-11de-b5ee-0026183c9aab} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8ce0a2d2-945a-11de-b5ee-0026183c9aab}\shell\AutoRun\command ->
YN -> \{8ce0a2d2-945a-11de-b5ee-0026183c9aab}\shell\AutoRun\command\\"" -> [p.exe]
YN -> \{8ce0a2d2-945a-11de-b5ee-0026183c9aab} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8ce0a2d2-945a-11de-b5ee-0026183c9aab}\shell\open\Command ->
YN -> \{8ce0a2d2-945a-11de-b5ee-0026183c9aab}\shell\open\Command\\"" -> [p.exe]
YN -> \{8ce0a2d7-945a-11de-b5ee-0026183c9aab} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8ce0a2d7-945a-11de-b5ee-0026183c9aab}\shell ->
YN -> \{8ce0a2d7-945a-11de-b5ee-0026183c9aab}\shell\\"" -> [AutoRun]
YN -> \{a18e0e9f-fa8a-11de-b5db-0026183c9aab} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a18e0e9f-fa8a-11de-b5db-0026183c9aab}\SHell\AutoRun\command ->
YN -> \{a18e0e9f-fa8a-11de-b5db-0026183c9aab}\SHell\AutoRun\command\\"" -> [temp\winsetup.exe]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a18e0e9f-fa8a-11de-b5db-0026183c9aab}\SHell\OPen\COmMand ->
YN -> \{a18e0e9f-fa8a-11de-b5db-0026183c9aab}\SHell\OPen\COmMand\\"" -> [temp\winsetup.exe]
YN -> \{aa994ab3-ed32-11df-9eb7-0026183c9aab} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa994ab3-ed32-11df-9eb7-0026183c9aab}\shell\AutoRun\command ->
YN -> \{aa994ab3-ed32-11df-9eb7-0026183c9aab}\shell\AutoRun\command\\"" -> [G:\NG-HR-JTJAYAN\NG-HR-JTJAYAN\NG-HR-JTJAYANx1.exe]
YN -> \{aa994ab3-ed32-11df-9eb7-0026183c9aab} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa994ab3-ed32-11df-9eb7-0026183c9aab}\shell\open\command ->
YN -> \{aa994ab3-ed32-11df-9eb7-0026183c9aab}\shell\open\command\\"" -> [G:\NG-HR-JTJAYAN\NG-HR-JTJAYAN\NG-HR-JTJAYANx1.exe]
[Files - No Company Name]
NY -> 17012263.exe -> C:\Windows\System32\17012263.exe
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
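The MountPoints2 entries in the fix above are per-volume Shell verbs that Windows runs when a drive is opened; the infected flash drives pointed them at files such as G:\ulvqf.cmd or a bare p.exe on the stick. As an added example (not part of this thread, and not OTS code), here is a report-only PowerShell audit that lists every such command under the current user's MountPoints2 so you can spot the same pattern before running a fix; the function name and output fields are my own.

```powershell
# Added example: audit HKCU MountPoints2 for Shell\<verb>\command values.
# Report-only: nothing is changed or deleted.
$MountPoints2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Get-MountPointAutorunCommands {
    param([string]$Path = $MountPoints2)   # hypothetical helper, not a built-in cmdlet
    if (-not (Test-Path $Path)) { return @() }
    $results = @()
    foreach ($vol in Get-ChildItem -Path $Path -ErrorAction SilentlyContinue) {
        $shellKey = Join-Path $vol.PSPath 'Shell'
        if (-not (Test-Path $shellKey)) { continue }
        # The Shell key's default value names the verb Explorer runs on double-click
        # (the fix above removed one set to "AutoRun").
        $defaultVerb = (Get-ItemProperty -Path $shellKey -ErrorAction SilentlyContinue).'(default)'
        foreach ($verb in Get-ChildItem -Path $shellKey -ErrorAction SilentlyContinue) {
            $cmdKey = Join-Path $verb.PSPath 'command'
            if (-not (Test-Path $cmdKey)) { continue }
            $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
            $results += [pscustomobject]@{
                Volume      = $vol.PSChildName        # e.g. {170af057-b888-11de-95eb-0026183c9aab}
                Verb        = $verb.PSChildName       # AutoRun, open, explore, AutoPlay ...
                DefaultVerb = $defaultVerb
                Command     = $cmd
                # A path with no drive letter ("p.exe", "temp\winsetup.exe") resolves
                # against whatever volume is inserted: a classic USB autorun worm sign.
                Relative    = -not ($cmd -match '^[A-Za-z]:\\')
            }
        }
    }
    return $results
}

$hits = @(Get-MountPointAutorunCommands)
if ($hits.Count -eq 0) { 'No Shell\*\command entries found under MountPoints2.' }
else { $hits | Format-Table -AutoSize }
```

A clean machine normally shows no rows at all; any row, and especially one with Relative set to True, deserves the same treatment the fix above gives it.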
Ran the fix, so far looking good.
Usually Avast detects an autorun.exe malware in the USB flash drive and I just click delete every time; is it not good doing it that way?
I will give the Panda a shot.
Thanks for the help, really appreciate it.
Here's the log.
Better prevention than cure I feel - so vaccinate the flash drives.
Run it for a while now and if all is clear I will remove my junk.
Hi essexboy,
Your “crap” has saved loads of computers from becoming totally “bunkers”,
pol
PC and USB flash drive have been vaccinated.
Hopefully there are no more problems now.