Hi,
I got infected yesterday by File Recovery.
I did follow the steps in the "Logs to assist in cleaning malware" topic.
I don't have internet access on the PC.
I did download RogueKiller and run it as described in the 3 steps.
Here are the 3 log files:
RogueKiller V8.0.3 [13/09/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Armelle [Admin rights]
Mode : Scan – Date : 17/09/2012 12:41:09
¤¤¤ Bad processes : 1 ¤¤¤
[SVCHOST] svchost.exe – C:\Windows\SysWOW64\svchost.exe → KILLED [TermProc]
¤¤¤ Registry Entries : 9 ¤¤¤
[RUN][SUSP PATH] HKCU[…]\Run : noikOKLwrXrkl.exe (C:\ProgramData\noikOKLwrXrkl.exe) → FOUND
[RUN][SUSP PATH] HKCU[…]\Run : enapcvuh (“C:\Users\Armelle\AppData\Local\osppuhxr.exe”) → FOUND
[RUN][SUSP PATH] HKCU[…]\Run : pK7JbaG9geJhO5 (C:\ProgramData\pK7JbaG9geJhO5.exe) → FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1539493207-1264017170-1549233232-1002[…]\Run : noikOKLwrXrkl.exe (C:\ProgramData\noikOKLwrXrkl.exe) → FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1539493207-1264017170-1549233232-1002[…]\Run : enapcvuh (“C:\Users\Armelle\AppData\Local\osppuhxr.exe”) → FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1539493207-1264017170-1549233232-1002[…]\Run : pK7JbaG9geJhO5 (C:\ProgramData\pK7JbaG9geJhO5.exe) → FOUND
[HJPOL] HKCU[…]\System : DisableTaskMgr (0) → FOUND
[HJ DESK] HKLM[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → FOUND
[HJ DESK] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
→ C:\Windows\system32\drivers\etc\hosts
127.0.0.1 activate.adobe.com
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST750LX003-1AC154 +++++
— User —
[MBR] 00f8a596e6ebedecb892419cc8d5372b
[BSP] ddfbabad535980246a7a5b1cda6bc1de : MaxSS MBR Code!
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 692706 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1419071488 | Size: 22395 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 1464936448 | Size: 102 Mo
User = LL1 … OK!
User = LL2 … OK!
+++++ PhysicalDrive1: SDHC Card +++++
— User —
[MBR] 8a4a3f84a9eda68451f8bdccda84c484
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 8192 | Size: 7576 Mo
User = LL1 … OK!
Error reading LL2 MBR!
Finished : << RKreport[1].txt >>
RKreport[1].txt
report 2
RogueKiller V8.0.3 [13/09/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Armelle [Admin rights]
Mode : Remove – Date : 17/09/2012 12:42:17
¤¤¤ Bad processes : 1 ¤¤¤
[SVCHOST] svchost.exe – C:\Windows\SysWOW64\svchost.exe → KILLED [TermProc]
¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][SUSP PATH] HKCU[…]\Run : noikOKLwrXrkl.exe (C:\ProgramData\noikOKLwrXrkl.exe) → DELETED
[RUN][SUSP PATH] HKCU[…]\Run : enapcvuh (“C:\Users\Armelle\AppData\Local\osppuhxr.exe”) → DELETED
[RUN][SUSP PATH] HKCU[…]\Run : pK7JbaG9geJhO5 (C:\ProgramData\pK7JbaG9geJhO5.exe) → DELETED
[HJPOL] HKCU[…]\System : DisableTaskMgr (0) → DELETED
[HJ DESK] HKLM[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → REPLACED (0)
[HJ DESK] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → REPLACED (0)
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
→ C:\Windows\system32\drivers\etc\hosts
127.0.0.1 activate.adobe.com
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST750LX003-1AC154 +++++
— User —
[MBR] 00f8a596e6ebedecb892419cc8d5372b
[BSP] ddfbabad535980246a7a5b1cda6bc1de : MaxSS MBR Code!
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 692706 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1419071488 | Size: 22395 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 1464936448 | Size: 102 Mo
User = LL1 … OK!
User = LL2 … OK!
+++++ PhysicalDrive1: SDHC Card +++++
— User —
[MBR] 8a4a3f84a9eda68451f8bdccda84c484
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 8192 | Size: 7576 Mo
User = LL1 … OK!
Error reading LL2 MBR!
Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt
report 3
RogueKiller V8.0.3 [13/09/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Armelle [Admin rights]
Mode : Shortcuts HJfix – Date : 17/09/2012 12:44:08
¤¤¤ Bad processes : 1 ¤¤¤
[SVCHOST] svchost.exe – C:\Windows\SysWOW64\svchost.exe → KILLED [TermProc]
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 59318 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 122 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 10576 / Fail 0
Backup: [FOUND] Success 0 / Fail 0 / Exists 0
Drives:
[C:] \Device\HarddiskVolume2 – 0x3 → Restored
[D:] \Device\HarddiskVolume3 – 0x3 → Restored
[E:] \Device\CdRom0 – 0x5 → Skipped
[F:] \Device\HarddiskVolume5 – 0x2 → Restored
¤¤¤ Infection : ¤¤¤
Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
After that, my icons are back on the desktop and I do have access to the programs. But I still don't have access to the Internet. I tried the program FSS.exe but I get the following error: AutoIt error line 3034 (file c:\users…FSS.exe) Error: The requested action with this object has failed.
What should I do now?
Thanks
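As an added illustration, not part of the post and not RogueKiller's own code, here is a small Python parser for the report layout quoted above: it pulls out the flagged autorun entries and compares the Scan pass with the Remove pass. The sample report text is constructed from lines in the post, and treating the trailing "!" on a [BSP] line as the tool's marker for MBR code it flags is an assumption.

```python
import re
# Constructed samples in the layout of the RogueKiller V8 reports quoted in the post
# (same value names and paths as the post, trimmed to a handful of lines each).
SCAN_REPORT = r"""
[RUN][SUSP PATH] HKCU[…]\Run : noikOKLwrXrkl.exe (C:\ProgramData\noikOKLwrXrkl.exe) → FOUND
[RUN][SUSP PATH] HKCU[…]\Run : enapcvuh (“C:\Users\Armelle\AppData\Local\osppuhxr.exe”) → FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1539493207-1264017170-1549233232-1002[…]\Run : noikOKLwrXrkl.exe (C:\ProgramData\noikOKLwrXrkl.exe) → FOUND
[HJPOL] HKCU[…]\System : DisableTaskMgr (0) → FOUND
[HJ DESK] HKLM[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → FOUND
[BSP] ddfbabad535980246a7a5b1cda6bc1de : MaxSS MBR Code!
"""
REMOVE_REPORT = r"""
[RUN][SUSP PATH] HKCU[…]\Run : noikOKLwrXrkl.exe (C:\ProgramData\noikOKLwrXrkl.exe) → DELETED
[RUN][SUSP PATH] HKCU[…]\Run : enapcvuh (“C:\Users\Armelle\AppData\Local\osppuhxr.exe”) → DELETED
[HJPOL] HKCU[…]\System : DisableTaskMgr (0) → DELETED
[HJ DESK] HKLM[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → REPLACED (0)
[BSP] ddfbabad535980246a7a5b1cda6bc1de : MaxSS MBR Code!
"""
# "[TAG][TAG] key : name (value) → STATUS" lines (registry Run values, policy and desktop hijacks).
ENTRY = re.compile(r"^(?P<tags>(?:\[[^\]]+\])+)\s+(?P<key>.+?)\s+:\s+(?P<name>\S+)\s+"
                   r"\((?P<value>[^)]*)\)\s*(?:->|→)\s*(?P<status>\w+)")
# "[BSP] <md5 of boot sector> : <description>" lines from the MBR check.
BSP = re.compile(r"^\[BSP\]\s+(?P<hash>[0-9a-f]{32})\s+:\s+(?P<desc>.+)$")
def parse_report(text):
    """Turn report lines into dicts with kind, key, name, target and status."""
    findings = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            tags = re.findall(r"\[([^\]]+)\]", m["tags"])
            findings.append({"kind": tags[0], "suspicious_path": "SUSP PATH" in tags,
                             "key": m["key"], "name": m["name"],
                             "target": m["value"].strip('"“”'), "status": m["status"]})
            continue
        b = BSP.match(line)
        if b:  # assumption: the trailing "!" is the tool's marker for MBR code it flags
            findings.append({"kind": "MBR", "suspicious_path": False, "key": "boot sector",
                             "name": b["hash"], "target": b["desc"],
                             "status": "FLAGGED" if b["desc"].endswith("!") else "INFO"})
    return findings
def persistence_paths(findings):
    """Binaries registered to auto-start via a Run value the tool flagged."""
    return sorted({f["target"] for f in findings if f["kind"] == "RUN" and f["suspicious_path"]})
def unresolved(scan, remove):
    """Scan findings with no DELETED/REPLACED counterpart in the remove report; matched by
    (kind, name, target) rather than hive, so the HKCU and per-SID HKUS views count once."""
    fixed = {(f["kind"], f["name"], f["target"]) for f in remove if f["status"] in ("DELETED", "REPLACED")}
    return [f for f in scan if f["status"] in ("FOUND", "FLAGGED")
            and (f["kind"], f["name"], f["target"]) not in fixed]
```

Against the two constructed reports, `unresolved` returns only the [BSP] finding: the Run values, the DisableTaskMgr policy and the NewStartPanel entries were all cleared, while the MBR check reads identically before and after the Remove pass.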