Good morning. I tried to follow your “logs to assist in cleaning malware” instructions, however I could not download MBAM on my desktop (Malwarebytes Anti-Malware runtime error (at 69:252): External exception E06D7363). Then I uninstalled MBAM.

(What happened: Yesterday, in the Czech Republic there was a massive email attack with fake “you owe money to the bank” and “eviction notices”. Before the warning was announced everywhere, I was stupid enough to download the zip attachment :frowning: It carried a trojan (Agent GZ) that apparently opens backdoors for more trojans…).

Thank you for your help.

Hi. Omit Asyn steps and perform this one:

https://sites.google.com/site/cannedfixes/home/hosted-images-tools/51a612a8b27e2-Zoek.png
Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

[*]Right-click on
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/51a612a8b27e2-Zoek.png
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
[*]Wait patiently until the main console appears, it may take a minute or two.
[*]In the main box please paste in the following script:

createsrpoint;
process;
services-list;
systemspecs;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;
filesrcm;
installedprogs;
%windir%\prefetch;vs

[*]Make sure that Scan All Users option is checked.
[*]Push Run Script and wait patiently. The scan may take a couple of minutes.
[*]When the scan completes, a zoek-results logfile should open in notepad.
[*]If a reboot is needed, the log will open after it. You may also find it on your main drive (usually the C:\ drive).

Please include its content in your next reply.
Don't forget to re-enable your previously switched-off protection software!
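The `%windir%\prefetch` line in the script above asks Zoek to list the prefetch folder, because every program that has run on an XP box leaves a `.pf` file there recording its name, run count, last run time and the files it touched; that is how a helper can see whether the zip's payload actually executed and from where. The following is an added example, not part of this thread or of Zoek: a small parser for the XP/2003 prefetch layout (format version 17, fields at the offsets given in the public SCCA format description), plus a heuristic that flags executables which referenced user-writable directories. The `.pf` bytes it parses are constructed inline (the name `FAKTURA.EXE`, the paths and the timestamp are all made up), and the list of "suspicious" directories is an assumption, not part of any tool.

```python
"""Triage Windows XP prefetch files (.pf, format version 17).

Added example, not part of the thread or of Zoek/OTL. It reads the fields the
public SCCA format description places at fixed offsets (executable name at
0x10, file-information block at 0x54 with the last-run FILETIME and run count)
and flags executables that referenced user-writable directories. The .pf
bytes parsed at the bottom are constructed, not a real capture."""
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x54                  # fixed header; version-17 file info follows
INFO_SIZE = 68                      # size of the version-17 file-information block
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Directories a mail-borne dropper typically executes from (heuristic, assumed).
SUSPICIOUS_DIRS = (
    "\\LOCAL SETTINGS\\TEMP\\",
    "\\LOCAL SETTINGS\\TEMPORARY INTERNET FILES\\",
    "\\APPLICATION DATA\\",
    "\\DATA APLIKACÍ\\",            # Czech-locale name of Application Data
)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, kept in integer arithmetic for exactness."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_xp_prefetch(data):
    """Return exe name, hash, run count, last run time and referenced files."""
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file")
    if version != 17:
        raise ValueError("only the XP/2003 layout (version 17) is handled")
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash, = struct.unpack_from("<I", data, 0x4C)
    (_metrics_off, _metrics_n, _chains_off, _chains_n,
     strings_off, strings_size, _vol_off, _vol_n, _vol_size,
     last_run) = struct.unpack_from("<9IQ", data, HEADER_SIZE)
    run_count, = struct.unpack_from("<I", data, HEADER_SIZE + 60)
    raw = data[strings_off:strings_off + strings_size].decode("utf-16-le")
    files = [s for s in raw.split("\x00") if s]
    return {"exe": exe_name, "hash": pf_hash, "run_count": run_count,
            "last_run": filetime_to_datetime(last_run), "files": files}


def suspicious_paths(record):
    """Referenced files that live in user-writable locations."""
    return [f for f in record["files"]
            if any(marker in f.upper() for marker in SUSPICIOUS_DIRS)]


def build_xp_prefetch(exe_name, files, run_count, last_run):
    """Assemble a minimal but offset-correct version-17 .pf (test data only)."""
    strings = "".join(f + "\x00" for f in files).encode("utf-16-le")
    strings_off = HEADER_SIZE + INFO_SIZE
    name_field = exe_name.encode("utf-16-le")[:58].ljust(60, b"\x00")
    header = struct.pack("<I4sII", 17, b"SCCA", 0x0F, strings_off + len(strings))
    header += name_field + struct.pack("<II", 0x1A2B3C4D, 0)  # arbitrary hash, pad
    info = struct.pack("<9IQ", 0, 0, 0, 0, strings_off, len(strings), 0, 0, 0,
                       datetime_to_filetime(last_run))
    info += b"\x00" * 16 + struct.pack("<II", run_count, 0)
    assert len(header) == HEADER_SIZE and len(info) == INFO_SIZE
    return header + info + strings


# Constructed sample: a dropper run three times from the user's Temp folder.
SAMPLE_EXE = "FAKTURA.EXE"
SAMPLE_FILES = [
    "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
    "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
    "\\DEVICE\\HARDDISKVOLUME1\\DOCUMENTS AND SETTINGS\\KUK\\LOCAL SETTINGS\\TEMP\\FAKTURA.EXE",
]
SAMPLE_LAST_RUN = datetime(2014, 7, 22, 8, 15, tzinfo=timezone.utc)


def triage_sample():
    """Build the constructed .pf, parse it back and attach the flagged paths."""
    pf = build_xp_prefetch(SAMPLE_EXE, SAMPLE_FILES, 3, SAMPLE_LAST_RUN)
    record = parse_xp_prefetch(pf)
    record["flagged"] = suspicious_paths(record)
    return record


if __name__ == "__main__":
    rec = triage_sample()
    print(f"{rec['exe']}  runs={rec['run_count']}  last={rec['last_run']:%Y-%m-%d %H:%M}")
    for path in rec["flagged"]:
        print("  suspicious:", path)
```

On a real machine you would feed `parse_xp_prefetch` the bytes of each `C:\WINDOWS\Prefetch\*.pf`; the last-run time lets you line an entry up with the moment the attachment was opened, and the run count tells you whether the payload kept coming back after a reboot. Later Windows versions use different format versions (and, from Windows 10, compressed `.pf` files), so the version check above is deliberate.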

Hi. Thank you. This may take some time, sorry. Not sure why but: it does not want to let me run the ZOEK as administrator.

I meant your Zoek log. :wink:

Edit: To be clear, don’t copy and paste any logs. Thanks.

Oh, I see. Sorry.

You’re running XP. That’s why you couldn’t run it as administrator :slight_smile:
I’ll post you my XP introduction and we will use a different tool. Bear in mind that wherever I ask you to run as admin, you should do it just by double-clicking.

https://sites.google.com/site/cannedfixes/windows-xp/windows_xp_logo.jpg
Windows XP notes

I’ve noticed that you’re a Windows XP user. I need to tell you that my canned speeches (texts I use to present instructions) are designed for newer systems in the first place. Therefore, whenever you see a request to Run as Administrator, please ignore it and instead run the tool just by double-clicking the aforementioned icon.

https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/warning.gif
Windows XP end of support warning!

As 8 April 2014 has passed, this operating system is no longer supported by Microsoft.
Patches, updates and security releases for this system have ceased.

[*]Windows XP end of support

This is just information for you, if you were not aware.
My recommendation would be to start thinking about replacing it with some newer edition, like Windows Vista, Windows 7 or Windows 8.

Let’s use this one scanner instead.

https://sites.google.com/site/cannedfixes/otl/51a5d669693dd-icon_OTL.png
Scan with OTL

Please download OTL by OldTimer and save the file to your desktop.

[*]Right-click on
https://sites.google.com/site/cannedfixes/otl/51a5d669693dd-icon_OTL.png
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
[*]Make sure that Scan All Users, LOP check and Purity check are ticked.
[*]For 64-bit systems only - make sure that Include 64-bit option is also ticked.
[*]Sections Processes, Modules, Services, Drivers, Standard Registry are set to Use Safelist.
[*]Section Extra Registry is also set to Use Safelist.
[*]Under the Custom Scans/Fixes bar in the box paste in the following:

BASESERVICES
/md5start
rpcss.dll
/md5stop
%windir%\prefetch\*

[*]Push Run Scan and wait patiently.
[*]Two notepad windows will be opened after this run: OTL.txt (maximized) and Extras.txt (minimized).

Please include the content of both logfiles in your next reply.
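The `/md5start rpcss.dll /md5stop` block in the custom scan above makes OTL print the MD5 of every copy of that system DLL it finds, because some malware patches a legitimate system file in place rather than dropping a new one, and a hash is the quickest way to spot that. On XP the live copy in `system32` can be compared against the backup copies Windows keeps in `system32\dllcache` and `ServicePackFiles\i386`. The following is an added example, not part of this thread or of OTL: it walks a Windows-style directory tree, hashes every file with the requested name and reports any copy whose hash disagrees with the majority. The directory tree and the "patched" bytes are constructed in a temporary folder; the real paths are only assumed from standard XP layout.

```python
"""Hash every copy of a named system file and report the odd one out.

Added example, not part of the thread or of OTL. It reproduces the idea
behind OTL's /md5start ... /md5stop section: hash rpcss.dll wherever it
lives under the Windows directory and compare. The directory tree below is
constructed in a temp dir; the file contents are stand-ins, not real DLLs."""
import hashlib
import os
import tempfile
from collections import defaultdict


def hash_file(path, algo="md5"):
    """Stream the file through hashlib; algo can also be 'sha256'."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, filename):
    """All files named `filename` (case-insensitive) anywhere below `root`."""
    wanted = filename.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == wanted:
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


def compare_copies(paths):
    """Group copies by hash. Returns (hash -> paths, paths outside the largest group).

    With only one group everything agrees. If two groups tie in size the
    first one seen wins, so treat the result as a lead to follow up, not proof."""
    groups = defaultdict(list)
    for p in paths:
        groups[hash_file(p)].append(p)
    if len(groups) <= 1:
        return dict(groups), []
    majority = max(groups.values(), key=len)
    outliers = [p for ps in groups.values() if ps is not majority for p in ps]
    return dict(groups), sorted(outliers)


def build_sample_tree(base):
    """Constructed XP-like layout: live copy patched, the two backups intact."""
    good = b"MZ" + b"\x90" * 200 + b"stand-in for rpcss.dll"
    # Simulate an in-place patch: five bytes overwritten with a near jmp opcode.
    patched = good[:100] + b"\xe9\x00\x10\x00\x00" + good[105:]
    layout = {
        "WINDOWS/system32/rpcss.dll": patched,
        "WINDOWS/system32/dllcache/rpcss.dll": good,
        "WINDOWS/ServicePackFiles/i386/rpcss.dll": good,
    }
    for rel, blob in layout.items():
        p = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(blob)


def check_sample():
    """Build the sample tree, compare copies, return (count, outliers as rel paths)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        copies = find_copies(tmp, "rpcss.dll")
        _groups, outliers = compare_copies(copies)
        rel = [os.path.relpath(p, tmp).replace(os.sep, "/") for p in outliers]
        return len(copies), rel


if __name__ == "__main__":
    n, odd = check_sample()
    print(f"{n} copies found; copies disagreeing with the majority: {odd}")
```

A mismatch is a lead, not a verdict: a DLL updated by a hotfix legitimately differs from the service-pack copy, so check the file version and digital signature of the odd copy before treating it as patched, and compare the hash of a suspect copy against a known-clean installation of the same service pack rather than against a hash you guessed.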

Thanks for explaining, Naat. Logs attached.

Your log looks like junk.

Please open each of them (OTL and Extras), go to File > Save as and save them once more, but make sure in the lower panel that Encoding is set to ANSI.

After that please attach them once more :slight_smile:

Well, one more try.

Greetings from Poland :slight_smile:

Can you tell me what issues you are experiencing? Anything unusual in your machine's behaviour?
Let’s run some more tools to dig a little deeper.

https://sites.google.com/site/cannedfixes/adwcleaner/adwcleaner_new.png
Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your desktop.

[*]Right-click on
https://sites.google.com/site/cannedfixes/adwcleaner/adwcleaner_new.png
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
[*]Follow the prompts and click Scan.
[*]When finished, please click Clean.
[*]Upon completion, click Report. A log (AdwCleaner[S*].txt) will open.

Please include the contents of that file in your reply.

https://sites.google.com/site/cannedfixes/junkware-removal-tool/JRTbythisisu.png
Fix with Junkware Removal Tool

Please download JRT by Thisisu and save the file to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

[*]Right-click on
https://sites.google.com/site/cannedfixes/junkware-removal-tool/JRTbythisisu.png
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
[*]Follow the prompts and let this process run uninterrupted.
[*]This scan can take a while, depending on your System specs.
[*]Upon completion, a log (JRT.txt) will open on your desktop.

Please include the contents of that file in your reply.
Do not forget to re-enable your previously switched off protection software!
Please also manually reboot your machine after this procedure.

https://sites.google.com/site/cannedfixes/gmer/gmericon.png
Scan with Gmer

This type of scan often produces false positives. Do not take any action on any suspicious entries you may see there. Instead post the log to be analyzed.

Please download GMER by Gmer and save the file to your desktop.
It will come as a randomly named file (like a6ge38b4.exe) - that’s absolutely normal.

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
If you are a user of CD emulation software (like Daemon Tools or Alcohol) also disable it for the cleaning process - instructions here.

[*]Right-click on randomly named
https://sites.google.com/site/cannedfixes/gmer/gmericon.png
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
[*]It is very important that you do not use your computer while Gmer is running!
[*]Gmer will open to the Rootkit/Malware tab and perform an automatic quick scan.
[*]If you receive a warning about rootkit activity and are asked to fully scan your system click NO!

When the pre-scan is completed, please do the following:

[*]Please check the Quick scan box.
[*]Please uncheck the IAT/EAT and Show All.
[*]Click Scan.
[*]If you see a rootkit warning window click OK.
[*]When the scan is finished, Save the results to your desktop as gmer.log.

Please include the content of this file in your next reply.
Don’t forget to re-enable previously switched-off protection software!

http://forum.programosy.pl/images/smilies/icon_idea.gif
If you encounter any problems, try running GMER in Safe Mode.

http://forum.programosy.pl/images/smilies/icon_idea.gif
If GMER crashes or keeps resulting in a Blue Screen of Death, uncheck Devices on the right side before scanning.

Ok, Naat, before I get into the steps you recommend:

  1. There are no visible issues with my pc now
  2. I just want to clean it up after I unfortunately downloaded this Trojan
  3. As I said, it was just 10 minutes before warnings appeared all over the media: do not even touch the mail - the attachment is pretty nasty
  4. I was surprised that avast! did not give me any warning
  5. I ran a scan with avast! afterwards and avast! moved the threat to the chest
  6. After restart there were 2 new issues, avast! moved them to the chest again

I am not exactly sure this means everything is fine and clean. That is why I came here for help…

This is all fine, my requests were made because I need to connect any symptoms you may have had with those lines in your logs :slight_smile:

I see some minor things to fix, but I wonder if there isn’t anything nastier lurking here. Please proceed with my instructions and post reports when ready :slight_smile:

regards,
Radek/Naat :slight_smile:

Good, Naat. Shall we go on? Here are the logs you requested.

OK, let’s get rid of some remnants and search for any vulnerabilities.

https://sites.google.com/site/cannedfixes/otl/51a5d669693dd-icon_OTL.png
Fix with OTL

Please re-run OTL with this removal script included.

https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
This fix was created for this user for use on that particular machine.
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif

https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
Running it on another one may cause damage and render the system unstable.
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif

[*]Right-click on
https://sites.google.com/site/cannedfixes/otl/51a5d669693dd-icon_OTL.png
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
[*]Under the Custom Scans/Fixes bar in the box paste in the following:


:Commands
[createrestorepoint]
:OTL
O4 - HKU\S-1-5-21-1708537768-1035525444-1606980848-1003..\Run: [AdobeChk] C:\Documents and Settings\kuk\Data aplikací\AdobeChk\chk.exe File not found
O4 - Startup: C:\Documents and Settings\kuk\Nabídka Start\Programy\Po spuštění\KooBits 4.lnk =  File not found
O15 - HKU\S-1-5-21-1708537768-1035525444-1606980848-1003\..Trusted Domains: hola.org ([]http in Důvěryhodné servery)
:Files
C:\Documents and Settings\kuk\Data aplikací\AdobeChk
:Commands
[emptytemp]

[*]Push Run Fix and wait patiently.
[*]If asked to reboot, please allow it to.
A notepad window with a logfile will open after this run. It will also be saved in the _OTL\MovedFiles directory on your main drive as b_(time).log.

Please include the content of this logfile in your next reply.

https://sites.google.com/site/cannedfixes/security-check/51c9d14017fa0-SecurityCheck.PNG
Scan with Security Check

Please download Security Check by Screen317 and save it to your desktop.

[*]Right-click on
https://sites.google.com/site/cannedfixes/security-check/51c9d14017fa0-SecurityCheck.PNG
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
[*]Follow the onscreen instructions inside the black box. This scan won’t take long.
[*]Soon a notepad document called checkup.txt will open automatically.

Please include the content of that document.

Ok, here we go…

Hi :slight_smile:

Looks like there’s the light at the end of the tunnel :slight_smile:

https://sites.google.com/site/cannedfixes/updating-software/updates.png
Update outdated software

Always staying updated is crucial, not only for your operating system, but also for any third-party installed software.
Your logs clearly indicate that some of your apps need updating:

https://sites.google.com/site/cannedfixes/updating-software/javacup.png
Updating Java manually

[*]Click the Start button
[*]Click Control Panel
[*]Double-click Java - it looks like a coffee cup. You may have to switch to Classic View to see it.
[*]Click the Update tab
[*]Click Update Now
[*]Allow any updates to be downloaded and installed.
[*]If prompted (during the installation) to also install the Ask toolbar, leave this unchecked - Ask does not have a good reputation.
[*]From Control panel also please remove any older versions of Java - do not leave them installed!.

Please remember to always keep it up to date.

https://sites.google.com/site/cannedfixes/updating-software/adobe-flash-player.jpeg.png
Updating Adobe Flash Player manually

[*]Visit Adobe website.
[*]You will see a download option there for the newest Adobe Flash Player version.
[*]In the center part you will be prompted to install Google Chrome as a recommended bundled installation. This is foistware. Remember to leave the box for Chrome UNCHECKED.
[*]Click on Install, save the file to a convenient location, double-click it and follow the prompts.

Please remember to always keep it up to date.

https://sites.google.com/site/cannedfixes/updating-software/firefox-256.jpg
Updating Mozilla Firefox manually

[*]Please open Firefox.
[*]Click the
https://sites.google.com/site/cannedfixes/updating-software/firefoxmenu.png
icon.
[*]Click Help and select About Firefox.
[*]Firefox will search for any updates and start downloading them automatically.
[*]When the updates are ready you will be prompted to restart Firefox. Please do it.

Please remember to always keep it up to date.

https://sites.google.com/site/cannedfixes/delfix/51a5ce45263de-delfix.png
Clean with DelFix

Please download DelFix by Xplode and save it to your desktop.

[*]Right-click on
https://sites.google.com/site/cannedfixes/delfix/51a5ce45263de-delfix.png
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
[*]Ensure that Remove disinfection tools, Purge system restore and Reset system settings are checked.
[*]Push Run.
[*]When finished, it will display a notepad report.

Include it for my review.

Hi, Naat, thanks for all your help!

I will clean-up my pc with DelFix tool and send the report to you.

I will be back in a while :slight_smile:

__ petr

OK, post DelFix and after that I will finish this topic, unless you’re facing any other annoying issues :slight_smile:

Ok, Naat, here it is. If that is all: thanks again and good luck in your future. __petr

You’re welcome :slight_smile:

Below you will find my thoughts about securing your machine. Go through it, you will benefit from some useful advice about safe computing.

Recommended reading:

http://forum.programosy.pl/images/smilies/icon_exclaim.gif
MUST READ - security tips: Computer Security - a short guide to staying safer online.

http://forum.programosy.pl/images/smilies/icon_exclaim.gif
MUST READ - general maintenance: What to do if your Computer is running slowly?

Recommended additional software:

http://forum.programosy.pl/images/smilies/icon_arrow.gif
TFC - to clean unneeded temporary files.

http://forum.programosy.pl/images/smilies/icon_arrow.gif
Malwarebytes’ Anti-Malware - to scan your system from time to time in search for malware.

http://forum.programosy.pl/images/smilies/icon_arrow.gif
Malwarebytes’ Anti-Exploit - to protect against many commonly exploited vulnerabilities.

http://forum.programosy.pl/images/smilies/icon_arrow.gif
McShield - to prevent infections spread by removable media.

http://forum.programosy.pl/images/smilies/icon_arrow.gif
CryptoPrevent - to protect yourself from the very severe CryptoLocker infection.

http://forum.programosy.pl/images/smilies/icon_arrow.gif
Unchecky - to prevent installing additional foistware bundled with legitimate installers.

Now if you have any other questions, feel free to ask me. Otherwise simply acknowledge my recommendations and this topic will be closed.

https://sites.google.com/site/cannedfixes/closing/Minion-Bye-smaller.jpg

Stay safe,
Naat :slight_smile: