Rumolottra/debrovorda

Yesterday, I began to notice that Avast continuously blocked the same two things over and over. I ran a full system scan with Avast in order to try to isolate the problem, but it didn’t yield any results. The names of the web pages it consistently blocked are hxxp://debrovorda.com/aa/ and hxxp://rumolottra.com/aa/. I have performed scans with the programs listed in the cleaning malware thread and attached the logs. Assistance would be greatly appreciated. Thanks!

Hello ryan_deason97,
You have run ComboFix and did not even bother to tell me. So… read this:

Warning from sUBs himself:
http://www.techsupportforum.com/1829551-post6.html

Official warning:
http://www.bleepingcomputer.com/forums/topic273628.html


1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box, right-click it and choose Copy. Paste this into the open Notepad window.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Start
File: C:\Windows\system32\rcnzhz.dll
File: C:\Windows\system32\uemaioa.dll
VerifySignature: C:\Windows\system32\rcnzhz.dll
VerifySignature: C:\Windows\system32\uemaioa.dll
Folder: C:\Windows\System32\Tasks\{CCAD29DF-F86C-A0DB-B5EC-EA822ADC7FFD}
CloseProcesses:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
HKLM-x32\...\Run: [] => [X]
SearchScopes: HKLM - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
SearchScopes: HKLM-x32 - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
SearchScopes: HKCU - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Winsock: Catalog5 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 %SystemRoot%\System32\mswsock.dll [327168] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
CMD: type C:\ComboFix.txt
CMD: type C:\Qoobox\ComboFix-quarantined-files.txt
EmptyTemp:
End

2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once, then wait.
If the tool needs a restart, please let the system restart normally and let the tool complete its run after the restart.

The tool will create a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you that its version is outdated, please download and run the updated version.
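Before a fixlist like the one above deletes anything, it is worth collecting the evidence it is acting on. The following is an added example, not code from this thread, from FRST or from ComboFix: a read-only PowerShell triage script that checks each item the fixlist targets (the two unsigned System32 DLLs, the GUID-named task entry, the Winsock NameSpace_Catalog5 entries, the search.ask.com SearchScopes, the SafeBoot keys and the orphaned toolbar CLSID) and prints what it finds. Every path, GUID and registry location is taken from the fixlist; the helper name Get-Sha256Hex is my own, and the script assumes an elevated prompt on a Windows 7/8 x64 host with PowerShell 2.0 or later. It modifies nothing.

```powershell
# Added triage example (not from the thread or from FRST). Read-only: reports, never deletes.
# Assumes an elevated PowerShell prompt on 64-bit Windows 7 or later.

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash needs PowerShell 4; the .NET API works on the PowerShell 2.0 that ships with Windows 7.
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))
    ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

# 1. The two DLLs behind the File:/VerifySignature: lines. Genuine System32 DLLs carry a valid
#    Microsoft Authenticode signature; an unsigned file with a random eight-letter name is the red flag.
foreach ($dll in "$env:SystemRoot\System32\rcnzhz.dll", "$env:SystemRoot\System32\uemaioa.dll") {
    if (Test-Path -LiteralPath $dll) {
        $sig  = Get-AuthenticodeSignature -FilePath $dll
        $item = Get-Item -LiteralPath $dll
        "{0}: signature={1} size={2} created={3} sha256={4}" -f `
            $dll, $sig.Status, $item.Length, $item.CreationTime, (Get-Sha256Hex $dll)
    } else {
        "$dll : not present"
    }
}

# 2. The GUID-named entry under the Task Scheduler store (the Folder: line).
$task = "$env:SystemRoot\System32\Tasks\{CCAD29DF-F86C-A0DB-B5EC-EA822ADC7FFD}"
if (Test-Path -LiteralPath $task) {
    $t = Get-Item -LiteralPath $task -Force
    "Task entry present: {0} (last write {1})" -f $t.FullName, $t.LastWriteTime
} else {
    "Task entry not present: $task"
}

# 3. Winsock namespace catalog entry 01, 32-bit and 64-bit views. FRST expects NLAapi.dll there;
#    mswsock.dll in that slot is what its ATTENTION lines are flagging.
$wsBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5'
foreach ($cat in 'Catalog_Entries', 'Catalog_Entries64') {
    $key = Join-Path $wsBase "$cat\000000000001"
    if (Test-Path $key) {
        $lib  = (Get-ItemProperty -Path $key).LibraryPath
        $flag = if ($lib -match 'NLAapi\.dll$') { 'ok' } else { 'MISMATCH' }
        "$cat 01: LibraryPath=$lib [$flag]"
    }
}

# 4. The Internet Explorer SearchScopes GUID in HKLM, the 32-bit HKLM view and HKCU.
$scope = '{2fa28606-de77-4029-af96-b231e3b8f827}'
foreach ($hive in 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
                  'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes') {
    $key = Join-Path $hive $scope
    if (Test-Path $key) {
        $url  = (Get-ItemProperty -Path $key).URL
        $flag = if ($url -match 'search\.ask\.com') { 'hijacked' } else { 'review' }
        "$key : URL=$url [$flag]"
    }
}

# 5. SafeBoot entries for mcpltsvc. FRST listed their default value as empty (""=""); report what is there.
foreach ($mode in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\mcpltsvc"
    if (Test-Path $key) {
        $default = (Get-ItemProperty -Path $key).'(default)'
        "SafeBoot\$mode\mcpltsvc present, default value='$default'"
    }
}

# 6. The toolbar CLSID FRST reports as "No File": is there a DLL registered behind it at all?
$clsid  = '{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}'
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
if (Test-Path $inproc) {
    "Toolbar $clsid InprocServer32 = " + (Get-ItemProperty -Path $inproc).'(default)'
} else {
    "Toolbar $clsid : no InprocServer32 registration (orphaned entry)"
}
```

Keep the hashes and the signature status from step 1 with the quarantine: they are what lets you look the samples up later, which is exactly why the helper asks for the FRST Quarantine folder further down the thread.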

Hi again, sorry I didn’t inform you about my usage of ComboFix. I had used it in the past, per request, in order to solve a problem with a rootkit, and saw (probably incorrectly) that the problem I was having could be solved by using it; my mistake. When I ran FRST64 with the fixlist as instructed, the program stopped working. I left it alone for several minutes to ensure that it wasn’t intended, but it was still nonresponsive, so I closed it. The Fixlog is attached. Again, sorry if my mistake hinders you in any way.

Hello,

When I ran FRST64 with the fixlist as instructed, the program stopped working. I left it alone for several minutes to ensure that it wasn't intended, but it was still nonresponsive, so I closed it.

You shouldn’t do that. Please re-create the above fixlist as you did before, run the script using the Fix button in FRST and wait for the tool.

The tool will ask you to reboot; pay no attention to the ‘Not Responding’ title.

Post the freshly created FixLog.txt back in this topic.

Hi, thanks again for the assistance. After about 14 hours of running the program (I fell asleep around hour 8), an Avast window prompted me to restart my computer and perform a scan. The Fixlog is attached.

14 hours? Ok, this is the record. ;D

1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box, right-click it and choose Copy. Paste this into the open Notepad window.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Start
Folder: C:\Users\Ryan\AppData\Local\Temp
C:\Windows\system32\rcnzhz.dll
C:\Windows\system32\uemaioa.dll
C:\Windows\System32\Tasks\{CCAD29DF-F86C-A0DB-B5EC-EA822ADC7FFD}
Reboot:
End

2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once, then wait.
If the tool needs a restart, please let the system restart normally and let the tool complete its run after the restart.

The tool will create a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you that its version is outdated, please download and run the updated version.

=======================

Re-run FRST …

- Press the Scan button.
- It will create a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The tool should also create another log (Addition.txt). Please attach it to your reply.

This fixlist and scan were much more prompt. Thanks!

Hi

You should follow my instructions to the letter!

Post the fresh FixLog.txt log report here.

I knew I missed something. I guess I’m just clumsy.

Hi,

Zip/RAR it and upload the C:\FRST\Quarantine folder to this site:
http://www.wikisend.com

Paste the download link (URL) here, as I would like to take a peek at the malware files.

Also, now post me the C:\ComboFix.txt and C:\Qoobox\ComboFix-quarantined-files.txt log reports, as I need to see what this tool did when you ran it.


1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box, right-click it and choose Copy. Paste this into the open Notepad window.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

File: C:\Windows\system32\HPZinw12.dll
File: C:\Windows\system32\HPZipm12.dll
C:\Users\Ryan\AppData\Roaming\Search Protection

2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once, then wait.
If the tool needs a restart, please let the system restart normally and let the tool complete its run after the restart.

The tool will create a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you that its version is outdated, please download and run the updated version.

http://wikisend.com/download/838730/FRST Quarantine.zip

Sorry to reply twice; since I noticed FRST usually closed all other applications running at the time, I wanted to make sure I uploaded the other parts first. Fixlog is attached.

Hi,

The latest fixlist was not created correctly on your side: you did not save the script, so you executed an empty one.

It’s okay, I will repeat it all, but this time we shall use a CFScript for ComboFix.

Open Notepad and copy/paste the text present inside the code box below:

File::
c:\windows\system32\uemaioa.dll
c:\windows\system32\rcnzhz.dll

Folder::
C:\Users\Ryan\AppData\Roaming\Search Protection

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply (typical location: C:\ComboFix.txt).

Hi, here is the requested file.

Ok, the posted log looks good. Still, re-run ComboFix one more time by double-clicking its icon, wait for all 50 stages to finish, and post me the freshly created ComboFix.txt log report.

And tell me, how is the computer behaving now?

Thank you for all of the assistance you’ve provided, the computer isn’t registering any problems from Avast scans anymore. The issues that I originally had have stopped completely, and computer behavior seems normal. Again, thanks for the help!

The following will implement some post-cleanup procedures:

It is necessary to uninstall ComboFix:

- Click Start, then Run.
  On Windows 7 or Vista you may use the Start Search field if Run is not available.

- In the text box, type (or copy) the following:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

- Then click OK (or press Enter).

Wait for the uninstall process to complete.

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:

- Remove disinfection tools
- Create registry backup
- Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
It deletes the old System Restore points and creates a fresh System Restore point after cleaning.