The Trojan twins 80000032.@ and 80000064.@

Ok, second run completed :slight_smile:

Here is the logfile, my internet heroes: http://pastebin.com/eFcF58GX

All my love and respect, Herrwuetent

Looks good. The latest ComboFix log is clean and the malware has been neutralized and removed.
Now I just want to confirm that and check whether there is any leftover damage to the system caused by ZA.

  1. Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

------------ next ------------

  1. Please download Farbar Service Scanner and run it on the computer with the issue.
    [*]Make sure the following options are checked:

[*]Internet Services
[*]Windows Firewall
[*]System Restore
[*]Security Center/Action Center
[*]Windows Update
[*]Windows Defender

[*]Press “Scan”.
[*]It will create a log (FSS.txt) in the same directory the tool is run.
[*]Please attach the log to your reply.

Step 1 completed, although waterfox still crashes when I hit the browse button…

Logfiles are here http://pastebin.com/7gBQ94ze for FRST.txt and

here http://pastebin.com/zQcaJbLX for Addition.txt

Now up to step 2 :slight_smile:

Edit: It crashes when I hit the browse button to attach the logfiles…

And here the FSS logfile http://pastebin.com/ySitdHTe

fingerscrossed

None of this is ZA-related; however, these are adware leftovers.

  1. Open notepad and copy/paste the text present inside the code box below.
    To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

START  
SearchScopes: HKCU - {F7C7A225-4F75-4291-9DA0-09ACC5116F97} URL = http://www.mysearchresults.com/search?c=4005&t=14&q={searchTerms}
Toolbar: HKCU - No Name - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} -  No File
Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 %SystemRoot%\System32\mswsock.dll [326144] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
FF Extension: fhdp - C:\Users\Koester\AppData\Roaming\Mozilla\Firefox\Profiles\0uwboc2e.default\Extensions\fhdp@fhdp.tv.xpi
C:\Users\Koester\AppData\Roaming\Mozilla\Firefox\Profiles\0uwboc2e.default\Extensions\fhdp@fhdp.tv.xpi
C:\Users\Koester\AppData\Roaming\Mozilla\Firefox\Profiles\0uwboc2e.default\Extensions\{09408840-3f84-11dd-ae16-0800200c9a66}.xpi
Error reading preferences. Please check "preferences" file for possible corruption. <======= ATTENTION
CHR Extension: (DealPly  Shopping) - C:\Users\Koester\AppData\Local\Google\Chrome\User Data\Default\Extensions\mphpbdjcljebbcnfopfngmfdackbbdgf\3.5.0.0_0
C:\Users\Koester\AppData\Local\Google\Chrome\User Data\Default\Extensions\mphpbdjcljebbcnfopfngmfdackbbdgf
CHR HKLM-x32\...\Chrome\Extension: [bkomkajifikmkfnjgphkjcfeepbnojok] - C:\Program Files (x86)\PriceGong\2.6.11\pricegong.crx
C:\Program Files (x86)\PriceGong
CHR HKLM-x32\...\Chrome\Extension: [dednnpigldgdbpgcdpfppmlcnnbjciel] - C:\Users\Koester\AppData\Roaming\Media Finder\Extensions\gencrawler_gc.crx
C:\Users\Koester\AppData\Roaming\Media Finder
CHR HKLM-x32\...\Chrome\Extension: [kkfggacklibaabdomphfdpcodjgihgon] - C:\Program Files (x86)\FirstRowSportApp.com\stv10.crx
C:\Program Files (x86)\FirstRowSportApp.com
CHR HKLM-x32\...\Chrome\Extension: [lpmkgpnbiojfaoklbkpfneikocaobfai] - C:\Users\Koester\AppData\Roaming\Media Finder\Extensions\mf_plugin_gc.crx
C:\Users\Koester\AppData\Roaming\Media Finder
C:\Users\Koester\AppData\Roaming\MediaMonkey
Task: {02B311CD-4C2E-4C3B-A920-FF147A710403} - \BrowserProtect No Task File
Task: {46B9C53F-994C-476A-BAD0-6A2BEF6A4F22} - System32\Tasks\{FDB341E9-C20C-4102-AF06-CBE5CDF9F86D} => C:\Users\Koester\Desktop\Syndicate\main.exe No File
Task: {66EC5A26-6076-41BF-9A99-77328AA20FF8} - \Dealply No Task File
CMD: netsh winsock reset
CMD: ipconfig /flushdns
Hosts:
END
  1. Save notepad as fixlist.txt
    NOTE. It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  2. Run FRST/FRST64 and press the Fix button just once and wait.
    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
    The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warned you about the outdated version please download and run the updated version.
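Before pressing Fix, it helps to know what a fixlist will actually touch. The following script is an added example, not part of this thread and not FRST's own code: it parses a fixlist in the format shown above (the sample is a constructed subset of the entries from this post) and reports which categories of entries the fix would act on, which entries are already orphaned (FRST marks those "No File" / "No Task File"), and which filesystem paths would be deleted. The categories and regular expressions are my own assumptions about the line formats seen here, not FRST's documented grammar.

```python
import re
from collections import Counter

# Constructed sample: a subset of the fixlist from the post above.
FIXLIST = r"""
START
SearchScopes: HKCU - {F7C7A225-4F75-4291-9DA0-09ACC5116F97} URL = http://www.mysearchresults.com/search?c=4005&t=14&q={searchTerms}
Toolbar: HKCU - No Name - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} -  No File
Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
FF Extension: fhdp - C:\Users\Koester\AppData\Roaming\Mozilla\Firefox\Profiles\0uwboc2e.default\Extensions\fhdp@fhdp.tv.xpi
C:\Users\Koester\AppData\Roaming\Mozilla\Firefox\Profiles\0uwboc2e.default\Extensions\fhdp@fhdp.tv.xpi
CHR Extension: (DealPly  Shopping) - C:\Users\Koester\AppData\Local\Google\Chrome\User Data\Default\Extensions\mphpbdjcljebbcnfopfngmfdackbbdgf\3.5.0.0_0
CHR HKLM-x32\...\Chrome\Extension: [bkomkajifikmkfnjgphkjcfeepbnojok] - C:\Program Files (x86)\PriceGong\2.6.11\pricegong.crx
C:\Program Files (x86)\PriceGong
Task: {02B311CD-4C2E-4C3B-A920-FF147A710403} - \BrowserProtect No Task File
Task: {46B9C53F-994C-476A-BAD0-6A2BEF6A4F22} - System32\Tasks\{FDB341E9-C20C-4102-AF06-CBE5CDF9F86D} => C:\Users\Koester\Desktop\Syndicate\main.exe No File
CMD: netsh winsock reset
CMD: ipconfig /flushdns
Hosts:
END
"""

# (category, pattern) pairs, tried in order; the first match wins.
# These categories are an assumption about the line shapes seen in this thread.
RULES = [
    ("command",   re.compile(r"^CMD:\s*(?P<value>.+)$")),
    ("hosts",     re.compile(r"^Hosts:\s*$")),
    ("task",      re.compile(r"^Task:\s*(?P<value>.+)$")),
    ("winsock",   re.compile(r"^Winsock:\s*(?P<value>.+)$")),
    ("extension", re.compile(r"^(?:FF|CHR)\b.*?Extension:\s*(?P<value>.+)$")),
    ("registry",  re.compile(r"^(?:SearchScopes|Toolbar):\s*(?P<value>.+)$")),
    ("path",      re.compile(r"^(?P<value>[A-Za-z]:\\.+)$")),
]


def parse_fixlist(text):
    """Return (category, value) for every non-empty line between START and END."""
    entries = []
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "START":
            inside = True
            continue
        if line == "END":
            break
        if not inside or not line:
            continue
        for category, pattern in RULES:
            m = pattern.match(line)
            if m:
                entries.append((category, m.groupdict().get("value", line)))
                break
        else:
            entries.append(("other", line))
    return entries


def summarize(text):
    """Count how many entries of each category the fix would act on."""
    return dict(Counter(category for category, _ in parse_fixlist(text)))


def orphaned_entries(text):
    """Entries whose target is already gone; FRST flags them 'No File' / 'No Task File'."""
    return [v for _, v in parse_fixlist(text) if "No File" in v or "No Task File" in v]


def paths_affected(text):
    """Unique filesystem paths the fix would delete: bare path lines plus the path
    named after the last ' - ' in each extension entry (order preserved)."""
    paths = []
    for category, v in parse_fixlist(text):
        if category == "path":
            paths.append(v)
        elif category == "extension":
            paths.append(v.rsplit(" - ", 1)[-1])
    return list(dict.fromkeys(paths))


if __name__ == "__main__":
    print("entries by category:", summarize(FIXLIST))
    print("orphaned entries:", len(orphaned_entries(FIXLIST)))
    for p in paths_affected(FIXLIST):
        print("would delete:", p)
```

Reviewing the output of `paths_affected` before running a fix is the useful part: the pure registry, task and Winsock entries are reversible from the registry backup FRST keeps, while deleted folders are not.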

Phew, that sounds good, thank you so much!!

Logfile: http://pastebin.com/EcN98QBw

Edit: no restart needed, but avira alert “access to host file denied”

fix log looks good. One more thing to check:

Start > Run , copy paste txt below

notepad C:\Windows\System32\Drivers\etc\hosts

Notepad will open with some txt. Paste that txt into your reply.

How’s your computer running now? 8)
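The hosts check above, turned into a small audit routine. This is an added example, not from the thread: it parses hosts-file text, ignores comments and blank lines, and flags every mapping other than the plain loopback localhost entries, distinguishing names pinned to a loopback or unspecified address (which silently block a site, for example an update server) from names pointed at a remote address. The sample hosts contents are constructed and use the reserved .example and .invalid domains.

```python
import ipaddress

# Constructed samples: a clean Windows-style hosts file and a tampered one.
HOSTS_CLEAN = """\
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
"""

HOSTS_TAMPERED = """\
127.0.0.1       localhost
127.0.0.1       update.av-vendor.example     # update server pinned to loopback: blocked
0.0.0.0         www.antivirus.invalid
203.0.113.7     www.bank.example             # site pointed at a remote address
"""

# Names that legitimately map to a loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) for every active mapping, dropping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def audit_hosts(text):
    """Return (kind, ip, hostname) findings for every mapping that is not a plain localhost entry.

    kind is 'blocked' (loopback/unspecified target), 'redirected' (remote target)
    or 'malformed' (address does not parse).
    """
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("malformed", ip, name))
            continue
        local_target = addr.is_loopback or addr.is_unspecified
        if name in LOCAL_NAMES and local_target:
            continue
        findings.append(("blocked" if local_target else "redirected", ip, name))
    return findings


if __name__ == "__main__":
    for label, content in (("clean", HOSTS_CLEAN), ("tampered", HOSTS_TAMPERED)):
        print(label, audit_hosts(content))
```

A "127.0.0.1 localhost" file, as in this thread, produces no findings; anything else should be explained before it is accepted.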

Wow, awesome! I didn't think it possible, but the wizards strike yet again!!!

This is the text from the notepad: 127.0.0.1 localhost

Ah, what did you think? ;D :smiley:

Since all looks good , it’s time for post cleaning:

It is necessary to uninstall ComboFix :

[*] Click Start (or the Start orb: http://amf.mycity.rs/pg/images/VistaStartButton.png ) then Run.

On Windows 7 or Vista you may use the Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait for the uninstall process to complete.

------- next --------

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore

Now click on the “Run” button. Wait for the program to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored on C:\DelFix.txt

I don’t need DelFix log report.

------- next --------

Visiting Secunia Online Software Inspector …
Make sure all your applications and browsers are up-to-date by visiting Secunia Online Software Inspector here:

Free Online Computer Scan - Online Software Inspector (OSI) - Secunia
http://secunia.com/vulnerability_scanning/online/

[*] Click ‘Start Scanner’
[*] Wait for Status/Currently Processing: at the lower left to say ‘Java Applet loaded successfully. (allow java to run) Press “Start” to begin.’
[*] Click ‘Start’.
[*] The scan should take less than a minute or so.
[*] When done, download and install all the recommended updates.

------- next --------

I recommend that you keep Malwarebytes and use MCShield if you wish.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

This is how it works:

  • Double click MCShield-Setup to install the application.
  • Wait a few seconds for MCShield to finish its initial scan.
    -Connect your USB storage devices to the computer one at a time and watch for another miracle as it happens. ;D
    Scanning will be done automatically.

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, it will immediately clean the flash drive, memory card or external HDD.

Be safe. :wink:

Wow, thank you so much for your help!!!

Last issue: the online scan doesn't work, because the Java applet doesn't load… Downloaded MCShield and installed it.

I regret that I can't give you more than my appreciation and respect for your efforts, I mean that! Thank you, thank you, thank you!!!

All the best, Herrwuetent

Last issue: the online scan doesn't work, because the Java applet doesn't load
what do you mean by online scan?

I meant the Secunia online Software Inspector as recommended, sorry if I was unclear on that…

Edit: This is what happens:
I click on the provided link and then on the “start scanner” button. Then the online inspector site opens and waterfox tells me I need additional plugins to view all content. I have Java installed, yet in the bottom left corner it says "loading java applet try “X” of 50, when the counter reaches 50 there is a popup that informs me there might be a problem with java…

But other than that the system is stable, no alerts and the autorun entries, folders etc are all gone, so I am very, very happy and grateful :slight_smile:

[quote author=magna86 link=topic=132819.msg978683#msg978683 date=1377025495]
Visiting Secunia Online Software Inspector …
Make sure all your applications and browsers are up-to-date by visiting Secunia Online Software Inspector here: [...]
[/quote]

I would recommend that you remove Waterfox and use native Firefox, or just re-install it. You may perform the Secunia scan via some other browser like IE or Chrome.

You’re welcome. Glad I could help … :smiley:

Deinstalled waterfox, installed firefox, the scan now loads and everything is up and running and works like a charm!

So for one last time, thank you all so much for your help, I think it is really amazing that you put so much time and effort into helping others. You guys rock! Good fight, good night!

Herrwuetent

:wink: