rich300

Members
Posts: 9
Reputation: 0 Neutral
  1. Thanks so much for your help Sir, really appreciated the easy to follow step-by-step instructions. Have a nice day, Richard.

  2. MrC, Attached is the mbam log. Everything looks good now, thank you so much for your help. Kind Regards, Richard mbam-log-2012-07-22 (23-12-43).txt
  3. MrC, RogueKiller reported back zero bad processes and zero registry entries as you can see by the log. Hopefully good news. So I gather that the Eqcungsu files in the Microsoft folder were planted by rootkit.zeroaccess? Regards, Richard RKreport3.txt
  4. Buabogh and Wuke are both empty folders. I'm 90% sure they were virus infected folders at one time, but one of my many previous virus/malware scans seems to have removed any contents in the folder. They were both created on 26 June 2012, but the problem I have had with Eqcungsu goes back further than June. So not sure if Eqcungsu is related to Buabogh and Wuke. Regards, Richard.
  5. MrCharlie, I do recognize the troublesome 'Eqcungsu', it's a folder that repeatedly plants itself into my Microsoft folder. Every time I reboot my laptop, Eqcungsu.exe runs automatically and opens up a new Microsoft Windows Explorer window every 20 seconds or so, but the URLs are always broken links. I'm sure it's some sort of pay-per-click advertising scam that's infested on my laptop. The requested URL: https://www.virustotal.com/file/8293b740a9dd860d977184506d3ccd831bea8367e87dd92e87c7ff851a5aa65e/confirmation/?ajax=false&detection-ratio=12/42&blob=AMIfv97Hm-NEap3ZBMmdCe-Iz2aXrmJ4Q_Ej1JQCqPVOiDuYZNKcjszqawvzvisujyxS_EIaZCxU4iu9NSrAS1G46gP7OqQQgXvm7_pJSyV5-7OGTi1m4fz6pPOyVe80zqQ6Zcbbd0hUwqKnfe6cSZpsThnCGsqTzPgHOQKSGneLb_Njh2V7j3s&last-analysis=1342933830&filename=eqcungsu.exe Kind Regards, Richard
  6. Thanks MrCharlie, Attached is the ComboFix report. Kind Regards, Richard ComboFix.txt
  7. How are you doing MrCharlie, Ok so uTorrent has been uninstalled. Secondly, I ran RogueKiller again but I got fewer registry results than the first time. After I delete the 3 bad processes, I'm only left with 1 registry entry (C:\Users\rich\AppData\Roaming\Microsoft\Eqcungsu\eqcungsu.exe) which has been deleted. I believe that in the log I attached in my previous post, I had 8 registry entries, so not sure what happened here. Nevertheless, I then created a restore point, simple enough. Next, TDSSKiller (run as administrator) found 8 threats. 5 were unassigned files which were skipped. 1 was a locked file, also skipped. The other two were rootkit.win32.tdss.tdl4 (high risk malware object) which was cured. And tdss filesystem (medium risk suspicious object) was skipped. I've attached the TDSS report. Kind Regards, Richard TDSSKiller.2.7.46.0_22.07.2012_15.59.37_log.txt
  8. Hi MrCharlie! As requested, here are the DDS and Attach logs, and the RogueKiller report. Kind Regards, Richard RKreport1.txt Attach.txt DDS.txt
  9. Hey guys, seems like a fair amount of other users are also infected with this nasty rootkit.zeroaccess virus. Malwarebytes detected it but doesn't seem to have removed it. I have also tried RogueKiller and ComboFix and whilst they seem to recognise there is a problem with my system, they haven't fully removed the problem. I would be eternally grateful if I can get a little help as to what I should do from here, and what logs you need me to post for assistance. Below is a HijackThis log I just recorded after re-booting my system. I believe one of my main problems is the 'eqcungsu' files, which keep planting themselves in my Microsoft folder. Thank you so much for any advice you can give me. Kind Regards, Richard.

     Logfile of Trend Micro HijackThis v2.0.4
     Scan saved at 23:11:32, on 21/07/2012
     Platform: Windows Vista SP1 (WinNT 6.00.1905)
     MSIE: Internet Explorer v7.00 (7.00.6001.18319)
     Boot mode: Normal

     Running processes:
     C:\Windows\system32\Dwm.exe
     C:\Windows\system32\taskeng.exe
     C:\Windows\Explorer.EXE
     C:\Windows\System32\hkcmd.exe
     C:\Windows\System32\igfxpers.exe
     C:\Program Files\Launch Manager\HotkeyApp.exe
     C:\Windows\PixArt\Pac207\Monitor.exe
     C:\Program Files\Synaptics\SynTP\SynTPStart.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
     C:\Users\rich\AppData\Roaming\Microsoft\Eqcungsu\eqcungsu.exe
     C:\Program Files\Windows Live\Messenger\msnmsgr.exe
     C:\Windows\system32\wbem\unsecapp.exe
     C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
     C:\Windows\system32\igfxsrvc.exe
     C:\Users\rich\Desktop\HijackThis.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
     O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
     O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
     O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
     O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
     O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MI7967~1\Office14\URLREDIR.DLL
     O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
     O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe
     O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
     O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
     O4 - HKLM\..\Run: [HotkeyApp] "C:\Program Files\Launch Manager\HotkeyApp.exe"
     O4 - HKLM\..\Run: [PAC207_Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
     O4 - HKLM\..\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
     O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
     O4 - HKCU\..\Run: [huqg] "C:\Users\rich\AppData\Roaming\Microsoft\Eqcungsu\eqcungsu.exe"
     O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
     O4 - HKCU\..\Run: [olnuezq] "C:\Users\rich\AppData\Roaming\Microsoft\Eqcungsu\eqcungsu.exe"
     O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
     O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
     O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
     O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
     O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI7967~1\Office14\EXCEL.EXE/3000
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
     O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
     O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
     O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
     O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-gb.cab
     O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
     O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
     O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
     O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
     O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
     O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
     O23 - Service: Google Update Service (gupdatem) (gupdatem) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
     O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
     O23 - Service: IviRegMgr - InterVideo - c:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
     O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
     O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
     O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
     O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
     O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
     O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\Program Files\Fujitsu Siemens Computers\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe
     O23 - Service: WisLMSvc - Wistron Corp. - C:\Program Files\Launch Manager\WisLMSvc.exe

     --
     End of file - 6525 bytes
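Added example (the editor's code, not something posted in this thread and not part of HijackThis or any of the tools named above): a small Python triage script that parses the O4 Run entries from a HijackThis log in the format shown in the post above and flags the persistence pattern visible in Richard's log, namely two HKCU Run values with generated-looking names ("huqg", "olnuezq") that both launch the same binary from a user-writable AppData path. The sample log below is constructed from entries copied out of the posted log; the three heuristics and their thresholds are my own assumptions, not detection rules from Malwarebytes, RogueKiller or TDSSKiller.

```python
import ntpath
import re
from collections import Counter

# Constructed sample: O4 entries in the shape of the HijackThis log posted above,
# including the two HKCU Run values that both launch eqcungsu.exe, plus benign
# HKLM/HKCU entries and one O23 line for contrast. Raw string, so backslashes are literal.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [huqg] "C:\Users\rich\AppData\Roaming\Microsoft\Eqcungsu\eqcungsu.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [olnuezq] "C:\Users\rich\AppData\Roaming\Microsoft\Eqcungsu\eqcungsu.exe"
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"; "O4 - Startup:" lines are .lnk files and are skipped.
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First .exe in the command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)
# Heuristic (assumption): short all-lowercase value names such as "huqg" are typical of generated names.
RANDOM_NAME_RE = re.compile(r"[a-z]{3,10}")
# Heuristic (assumption): locations a standard user can write to; vendor software rarely autostarts from here.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\programdata\\")


def parse_o4(log_text):
    """Return one dict per registry Run entry: hive, value name, command line and extracted exe path."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = EXE_RE.match(m.group("cmd"))
        entries.append({
            "hive": m.group("hive"),
            "name": m.group("name"),
            "cmd": m.group("cmd"),
            "exe": exe.group("path") if exe else "",
        })
    return entries


def flag_entries(entries):
    """Apply the three heuristics to parsed Run entries; return those that trip at least one, with reasons."""
    by_exe = Counter(e["exe"].lower() for e in entries if e["exe"])
    flagged = []
    for e in entries:
        path = e["exe"].lower()
        stem = ntpath.splitext(ntpath.basename(path))[0]   # ntpath handles Windows paths on any host
        reasons = []
        if any(marker in path for marker in USER_WRITABLE):
            reasons.append("binary lives in a user-writable profile directory")
        if RANDOM_NAME_RE.fullmatch(e["name"]) and e["name"].lower() != stem:
            reasons.append("value name looks generated and does not match the binary name")
        if by_exe[path] > 1:
            reasons.append("%d Run values launch the same binary" % by_exe[path])
        if reasons:
            flagged.append({"hive": e["hive"], "name": e["name"], "exe": e["exe"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in flag_entries(parse_o4(SAMPLE_LOG)):
        print("%s\\..\\Run [%s] -> %s" % (f["hive"], f["name"], f["exe"]))
        for r in f["reasons"]:
            print("    - " + r)
```

Run against the sample, only the two eqcungsu.exe values are reported, each with all three reasons; igfxTray, the Malwarebytes tray and msnmsgr pass because they run from protected program directories under names that match their binaries. The same script can be pointed at a full saved HijackThis log (read the file and pass its text to parse_o4) to get a shortlist before the log goes to a helper.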