Laptop shutting down automatically and restarting [Solved/Closed]

Latest reply: Ambucias, Jun 22, 2013 at 05:04 AM

Rajesh (original poster) wrote:
Hi,

My laptop is shutting down automatically after 5 to 10 minutes without any reason... and restarting.

Recently I downloaded a movie using uTorrent.

Please help me with this.

20 replies

Best answer

Ambucias (Moderator, Security Contributor) wrote:

Please delete the previous ZHPDiag logs just as I previously explained, produce a new one and upload it to Speedyshare.

Ambucias (Moderator, Security Contributor) wrote:

Greetings,

Thank you for the log. I'm impressed at how well you have succeeded in infecting your computer.

You don't have any antivirus software or programme! You are lucky to have survived this long without one.

Your computer is indeed very infected, by:

1. adware,
2. a rogue Trojan horse,
3. a rootkit,
4. a USB infection,
5. a worm.

All of the above infections originate from the downloads you have made with peer-to-peer applications: uTorrent and Go for files.

All of the above infections can be removed, but to ensure that your system stays stable we must proceed step by step. From what I gather you are in Singapore; we are not in the same time zone, hence it may take two, perhaps three days before we solve the issue.

Are you willing to stick with me through the procedures? Let me know and we shall begin.

The certificate error you got from Gmail is due to the rootkit, which has changed the time and date of your computer. Try to adjust it, but it may get changed again.

When you answer me, I must know whether your Windows XP is genuine or a copy.

Waiting for your reply,

Best regards
Rajesh wrote:

Hi, please find below the link to the log.

Please help me to clean my machine.

http://speedy.sh/tweJD/ZHPDiag.txt

Thanks,
Ambucias (Moderator, Security Contributor) wrote:

Hello,

Thank you for the log.

When you performed the scan:

1. Were any items found?
2. Did you click "continue" or "skip"?
3. Why do you have Oracle on your system?

Please delete the previous ZHPDiag logs just as I previously explained, produce a new one and upload it to Speedyshare.

Thank you again for your patience. As you must be aware by now, your computer was badly infected by severe viruses, and it takes time to clean it without having to reformat and lose all of your data and applications.

Regards
Rajesh wrote:

Hi,

Thank you for your reply.

I clicked on continue and did not change anything.

I am learning Oracle tools. It was installed a year before.

Please help me to clean my laptop.

Thanks,
Ambucias (Moderator, Security Contributor) wrote:

To help you and prescribe a remedy, I must make a diagnosis, and to do so I require a log.

1. Boot in safe mode with networking.

2. Open this link and download ZHPDiag2:

http://telechargement.zebulon.fr/telecharger-zhpdiag.html

(Don't be alarmed if the site is in French, it sometimes happens; the tool will take your system language and allow the download if you get a warning message.)

3. Save the file on your Desktop.

4. Double click on ZHPDiag.exe and follow the installation instructions.

The tool creates three icons: ZHPDiag, MRB, and ZHPFix (if necessary, we will use ZHPFix at the next step).

5. Double click on the ZHPDiag shortcut on your Desktop.

6. Click on the eyedropper icon and make sure all of the items are selected.

7. Click on the magnifying glass with the + sign and run the analysis.

Wait for the tool to finish (it may take a long time).

8. Close ZHPDiag.

9. To transmit the report, click on this link:

http://www.speedyshare.com/

10. Browse to the report (usually on your desktop or in C:\Program Files\ZHPDiag).

11. Select the file ZHPDiag.txt.

12. Click on "Upload".

13. Copy the URL and post it here.

Best regards

Ambucias
Moderator, Security Contributor
Rajesh wrote:

Hi,

I have run the steps as you gave them, and below is the link. Because of this issue the internet is not opening on my laptop. If I try to open Gmail it displays the message 'The server's security certificate is revoked!'

http://speedy.sh/9HmB7/ZHPDiag.txt

Thanks,
Rajesh
Rajesh wrote:

Hi,
Thanks for the reply.

I am ready to coordinate with you. I don't know whether Windows XP is genuine or not. I bought the laptop 4 years ago.

Thanks,
Ambucias (Moderator, Security Contributor) wrote:

Hello,

Very well, but I must tell you now that your Windows is counterfeit, which may create problems in the future if you try to update it. Since it seems that it was not your doing, I will help you.

First, let's attack the rootkit, which is the cause of the main headache:

GMER is a powerful rootkit detector and can remove many rootkits.

Download here:
http://www.gmer.net/index.php

Once the download has completed, right-click on the setup Gmer.exe and select Run. This will launch the program and an autoscan of your computer system.

Second, let's take care of the rogue.

Please follow the following procedure carefully and to the letter.

You have a rogue Trojan horse virus which is self-protective, thus it will prevent any antivirus from functioning.

You must kill the evil processes which the virus is presently running and which prevent you from running any antivirus. If you don't, it will keep reproducing the files for ever.

To kill the processes:

1. Download to your desktop and run RKill:

http://download.bleepingcomputer.com/grinler/rkill.com

2. You should now see a window that shows all of your desktop icons, including the rkill.com program.

3. Double-click on rkill.com in order to automatically attempt to stop any processes associated with the rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.

If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the Trojan horse when it terminates programs that may potentially remove it. If you run into these infection warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself, so that RKill can terminate the processes. So, please try running RKill until malware is no longer running.

As a matter of fact, if you get messages, it is a sign that the virus is agonizing in excruciating pain, so you can just grin while it is suffering! :)))

Please, DO NOT REBOOT your computer or the processes will come back to haunt you!

Download Malwarebytes to your desktop:

http://ccm.net/download/download-105-malwarebytes-anti-malware

Once it is on your desktop, we must still outwit the virus.

Right click on the MBAM icon and click on Rename. Rename it kioskea.exe.

Install Malwarebytes and launch it. From the second tab, update it.

Please request a FULL system scan, which should take more than an hour. Once the scan is finished, delete all of the items that were found.

Third, some viruses will still be there.

Delete your previous ZHPDiag log, produce a new one and upload it to Speedyshare for my analysis.

Good luck
Rajesh wrote:

Hi,

Thanks for your update and help.

Please find below the link as requested.

http://speedy.sh/Jp86C/ZHPDiag.txt

Thanks,
Rajesh wrote:

It is still shutting down after 5 min.
Ambucias (Moderator, Security Contributor) wrote:

Hi

It is still shutting down because the rootkit, the rogue and the worm are still present. If you followed my directions to the letter to kill the rootkit and the rogue, it is not supposed to shut down.

Here is what we will do, but after you are done, again, delete the previous ZHPDiag log and produce a new one to upload to Speedyshare.

To keep your system safe, you must follow the instructions hereunder to the letter:

1. Download ComboFix to your desktop.

http://www.bleepingcomputer.com/download/combofix/

(click on the "download @ bleeping computer" button)

2. Close all open windows, including this one.

Close or disable all running antivirus, antispyware and firewall programs, as they may interfere with the proper running of ComboFix.

3. Double click on the ComboFix icon.

Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe, and you can click on the Run button to continue.

4. Accept the disclaimer and the Recovery Console.

5. You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer.

ComboFix will disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings.

If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt.

During the process, please do not click the mouse nor tap on the keyboard. Let the tool run.

Good luck
Rajesh wrote:

Thanks a lot for your help.
Now it is not restarting automatically.

Please find the ZHP log at the link below and let me know if there is anything I need to do.

http://speedy.sh/ZrmYc/ZHPDiag.txt

Thanks,
Ambucias (Moderator, Security Contributor) wrote:

Hi

Either you sent me the same log or your computer is still infected.

Please paste here the following file:

C:\ComboFix.txt

Regards
Rajesh wrote:

Hi,

Please find below ComboFix.txt:
ComboFix 13-06-17.01 - Administrator 06/18/2013 10:14:30.1.2 - x86
Running from: e:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
D:\Autorun.inf
e:\windows\$NtUninstallKB45099$
e:\windows\$NtUninstallKB45099$\2554745541
e:\windows\$NtUninstallKB45099$\4100342861\@
e:\windows\$NtUninstallKB45099$\4100342861\Desktop.ini
e:\windows\$NtUninstallKB45099$\4100342861\L\00000004.@
e:\windows\$NtUninstallKB45099$\4100342861\L\201d3dde
e:\windows\$NtUninstallKB45099$\4100342861\L\76603ac3
e:\windows\$NtUninstallKB45099$\4100342861\L\aodripvi
e:\windows\$NtUninstallKB45099$\4100342861\U\00000004.@
e:\windows\$NtUninstallKB45099$\4100342861\U\00000008.@
e:\windows\$NtUninstallKB45099$\4100342861\U\000000cb.@
e:\windows\$NtUninstallKB45099$\4100342861\U\80000000.@
e:\windows\$NtUninstallKB45099$\4100342861\U\80000032.@
e:\windows\AutoRun.ini
e:\windows\system32\c__10082.nls
e:\windows\system32\cttype.nls
e:\windows\system32\regobj.dll
.
Infected copy of e:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2013-05-18 to 2013-06-18 )))))))))))))))))))))))))))))))
.
.
2013-06-18 02:06 . 2004-08-03 17:44 162816 -c--a-w- e:\windows\system32\dllcache\netbt.sys
2013-06-18 02:06 . 2004-08-03 17:44 162816 ----a-w- e:\windows\system32\drivers\netbt.sys
2013-06-16 08:16 . 2013-06-16 08:16 -------- d-----w- e:\documents and settings\Administrator\Application Data\Malwarebytes
2013-06-16 08:16 . 2013-06-16 08:16 -------- d-----w- e:\documents and settings\All Users\Application Data\Malwarebytes
2013-06-16 08:16 . 2013-04-04 06:50 22856 ----a-w- e:\windows\system32\drivers\mbam.sys
2013-06-16 08:16 . 2013-06-16 09:21 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2013-06-12 15:45 . 2013-06-16 14:10 -------- d-----w- E:\ZHP
2013-06-12 15:45 . 2013-06-16 14:10 -------- d-----w- e:\program files\ZHPDiag
2013-06-12 14:59 . 2013-06-12 14:59 175616 ----a-w- e:\documents and settings\All Users\Application Data\Microsoft\Media Tools\temp\tmpF.exe
2013-06-11 18:31 . 2013-06-11 18:31 -------- d-----w- e:\documents and settings\All Users\Application Data\Systweak
2013-06-11 18:31 . 2012-07-25 04:03 17136 ----a-w- e:\windows\system32\sasnative32.exe
2013-06-11 18:31 . 2013-06-11 18:31 -------- d-----w- e:\program files\Amazon
2013-06-11 18:31 . 2013-06-12 15:04 -------- d-----w- e:\program files\MyPC Backup
2013-06-11 18:30 . 2013-06-11 18:32 -------- d-----w- e:\documents and settings\Administrator\Application Data\Systweak
2013-06-11 18:03 . 2013-06-11 18:22 -------- d-----w- e:\documents and settings\All Users\Application Data\MFAData
2013-06-11 18:03 . 2013-06-11 18:03 -------- d-----w- e:\documents and settings\All Users\Application Data\Common Files
2013-06-11 18:03 . 2013-06-11 18:03 -------- d-----w- e:\documents and settings\Administrator\Local Settings\Application Data\MFAData
2013-06-11 18:03 . 2013-06-11 18:03 -------- d-----w- e:\documents and settings\Administrator\Local Settings\Application Data\Avg2013
2013-06-11 17:28 . 2013-06-11 17:49 -------- d-----w- e:\windows\system32\MpEngineStore
2013-06-11 01:20 . 2013-06-11 14:55 -------- d-----w- e:\program files\Mega Codec Pack
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 16:16 . 2013-03-02 10:31 692104 ----a-w- e:\windows\system32\FlashPlayerApp.exe
2013-06-12 16:16 . 2011-05-19 17:50 71048 ----a-w- e:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-09 08:58 . 2013-04-21 06:12 229648 ----a-w- e:\windows\system32\aswBoot.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-10-12 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . e:\windows\system32\sfcfiles.dll
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . e:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0MediaIconsOerlay]
@="{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
[HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
2013-06-11 01:21 224256 ----a-w- e:\documents and settings\All Users\Application Data\Microsoft\Media Tools\MediaIconsOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="e:\program files\uTorrent\uTorrent.exe" [2011-05-01 399736]
"Messenger (Yahoo!)"="e:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2012-05-24 6595928]
"Skype"="e:\program files\Skype\Phone\Skype.exe" [2013-01-08 18705664]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="sm56hlpr.exe" [2004-12-29 544768]
"RTHDCPL"="RTHDCPL.EXE" [2009-12-25 18789408]
"IgfxTray"="e:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="e:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="e:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"GrooveMonitor"="e:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2010-09-03 136600]
"oc4j"="e:\oraclebi\oc4j_bi\bin\oc4j.cmd" [2010-09-03 4991]
.
e:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - e:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2006-10-27 98632]
.
e:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - e:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2012-12-27 113664]
AutoCAD Startup Accelerator.lnk - e:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-6 11000]
McAfee Security Scan Plus.lnk - e:\program files\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R?2 OracleCSService;OracleCSService;e:\oracle\product\10.1.0\db_1\bin\ocssd.exe service --> e:\oracle\product\10.1.0\db_1\bin\ocssd.exe service [?]
R2 BMFMySQL;BMFMySQL;e:\program files\Quest Software\Benchmark Factory for Databases\Repository\MySQL\bin\mysqld-max-nt.exe [10/23/2005 2:05 AM 4431872]
R2 HWDeviceService.exe;HWDeviceService.exe;e:\documents and settings\All Users\Application Data\DatacardService\HWDeviceService.exe [3/14/2011 11:27 PM 271712]
R2 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;e:\oracle\product\10.1.0\db_1\BIN\TNSLSNR --> e:\oracle\product\10.1.0\db_1\BIN\TNSLSNR [?]
R2 OracleServiceORCL;OracleServiceORCL;e:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE ORCL --> e:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE ORCL [?]
R2 sawjavahostsvc;Oracle BI Java Host;e:\oraclebi\web\bin\sawjavahostsvc.exe [9/3/2010 3:47 PM 94208]
R2 sawsvc;Oracle BI Presentation Server;e:\oraclebi\web\bin\sawserver.exe [9/3/2010 3:47 PM 86016]
R2 Skype C2C Service;Skype C2C Service;e:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [5/14/2013 3:56 PM 3289208]
R2 SkypeUpdate;Skype Updater;e:\program files\Skype\Updater\Updater.exe [1/8/2013 3:25 PM 161536]
R2 vpnagent;Cisco AnyConnect VPN Agent;e:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [12/18/2009 6:32 AM 497856]
R3 huawei_enumerator;huawei_enumerator;e:\windows\system32\drivers\ew_jubusenum.sys [9/6/2012 2:42 AM 73216]
S2 Oracle BI Server;Oracle BI Server;e:\oraclebi\server\Bin\NQSServer.exe [9/3/2010 3:40 PM 49152]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;e:\windows\system32\drivers\ew_hwusbdev.sys [9/6/2012 2:42 AM 102784]
S3 hwusbdev;Huawei DataCard USB PNP Device;e:\windows\system32\DRIVERS\ewusbdev.sys --> e:\windows\system32\DRIVERS\ewusbdev.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;e:\program files\McAfee Security Scan\3.0.318\McCHSvc.exe [2/5/2013 11:48 PM 235216]
S3 Oracle BI Cluster Controller;Oracle BI Cluster Controller;e:\oraclebi\server\Bin\NQSClusterController.exe [9/3/2010 4:24 PM 33792]
S3 Oracle BI Scheduler;Oracle BI Scheduler;e:\oraclebi\server\Bin\NQScheduler.exe [9/3/2010 4:26 PM 122880]
S3 OracleOraDb10g_home1SNMPPeerEncapsulator;OracleOraDb10g_home1SNMPPeerEncapsulator;e:\oracle\product\10.1.0\db_1\BIN\encsvc.exe [9/3/2010 4:43 PM 187392]
S3 OracleOraDb10g_home1SNMPPeerMasterAgent;OracleOraDb10g_home1SNMPPeerMasterAgent;e:\oracle\product\10.1.0\db_1\BIN\agntsvc.exe [9/3/2010 4:43 PM 254464]
S3 ztemtusbser;ZTEMT Legacy Serial Communication;e:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [9/1/2012 11:57 AM 105472]
S4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;e:\oracle\product\10.1.0\db_1\Bin\extjob.exe ORCL --> e:\oracle\product\10.1.0\db_1\Bin\extjob.exe ORCL [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-06 15:37 1165776 ----a-w- e:\program files\Google\Chrome\Application\27.0.1453.110\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-16 e:\windows\Tasks\Adobe Flash Player Updater.job
- e:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-03-02 16:16]
.
2013-06-18 e:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- e:\program files\Google\Update\GoogleUpdate.exe [2013-01-21 17:14]
.
2013-06-16 e:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- e:\program files\Google\Update\GoogleUpdate.exe [2013-01-21 17:14]
.
2013-06-10 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1547161642-839522115-500Core.job
- e:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-26 20:08]
.
2013-06-16 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1547161642-839522115-500UA.job
- e:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-26 20:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://http://in.yahoo.com/?fr=mkg029.yahoo.com
mStart Page = hxxp://http://in.yahoo.com/?fr=mkg029.yahoo.com
uSearchURL,(Default) = hxxp://in.rd.yahoo.com/customize/ycomp/defaults/su/*http://in.yahoo.com
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - e:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - e:\windows\web\related.htm
TCP: DhcpNameServer = 192.168.0.1
DPF: {2AB1C516-6654-4D3A-B3D6-2185BBCEB409} - hxxps://webvpn.in.capgemini.com/+CSCOL+/csvrloader32.cab
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Advanced System Protector_startup - e:\program files\Advanced System Protector\AdvancedSystemProtector.exe
e:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk - (no file)
AddRemove-00212D92-C5D8-4ff4-AE50-B20F0F85C40A_Systweak_Ad~B9F029BF_is1 - e:\program files\Advanced System Protector\unins000.exe
AddRemove-{488b57a8-0004-4dc7-a7fb-711868ce44eb} - e:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-18 10:29
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\OracleOraDb10g_home1TNSListener]
"ImagePath"="e:\oracle\product\10.1.0\db_1\BIN\TNSLSNR "
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@e:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="e:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2408)
e:\documents and settings\All Users\Application Data\Microsoft\Media Tools\MediaIconsOverlays.dll
e:\windows\system32\hnetcfg.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Cisco Systems\VPN Client\cvpnd.exe
e:\program files\Java\jre6\bin\jqs.exe
e:\windows\sm56hlpr.exe
e:\windows\RTHDCPL.EXE
e:\windows\system32\igfxsrvc.exe
e:\program files\Microsoft Office\Office12\ONENOTEM.EXE
e:\oracle\product\10.1.0\db_1\bin\ocssd.exe
e:\oracle\product\10.1.0\db_1\bin\isqlplussvc.exe
e:\oracle\product\10.1.0\db_1\BIN\TNSLSNR.exe
e:\oracle\product\10.1.0\db_1\jdk\bin\java.exe
e:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE
.
**************************************************************************
.
Completion time: 2013-06-18 10:30:13 - machine was rebooted
ComboFix-quarantined-files.txt 2013-06-18 02:29
.
Pre-Run: 6,727,073,792 bytes free
Post-Run: 7,179,554,816 bytes free
.
- - End Of File - - EDA011D2694594245A7911350F6434C4
8F558EB6672622401DA993E1E865C861
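The ComboFix report pasted above has a fixed plain-text layout: parenthesis-bracketed section banners, `[key]` lines followed by `"value"="command" [meta]` pairs for autostart entries, and `state name;display;path` lines for services. That makes a log like this practical to triage with a script instead of by eye. What follows is an added example, not part of the thread and not code from ComboFix's authors: a small Python parser whose sample input is an excerpt of the log above (constructed here for the example), and whose flags are the example's own heuristics: autorun files among the deletions, `@`-named files inside a `$NtUninstall...$` folder, Run values that carry a bare image name with no path, services whose image ComboFix marks `[?]`, and a start page with a doubled URL scheme.

```python
"""Triage a ComboFix-style text report.

Added example (not the thread's or ComboFix's own code): splits the report into
its banner-delimited sections, pulls out autostart values and services, and
flags a few artefact types. The flags are this example's own heuristics.
"""
import re
from collections import OrderedDict

# Constructed sample: an excerpt of the ComboFix.txt pasted in the thread.
SAMPLE_REPORT = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\Autorun.inf
e:\windows\$NtUninstallKB45099$
e:\windows\$NtUninstallKB45099$\4100342861\@
e:\windows\$NtUninstallKB45099$\4100342861\L\00000004.@
e:\windows\$NtUninstallKB45099$\4100342861\U\80000032.@
e:\windows\AutoRun.ini
.
Infected copy of e:\windows\system32\drivers\netbt.sys was found and disinfected
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="e:\program files\uTorrent\uTorrent.exe" [2011-05-01 399736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="sm56hlpr.exe" [2004-12-29 544768]
"IgfxTray"="e:\windows\system32\igfxtray.exe" [2008-02-28 141848]
.
R?2 OracleCSService;OracleCSService;e:\oracle\product\10.1.0\db_1\bin\ocssd.exe service --> e:\oracle\product\10.1.0\db_1\bin\ocssd.exe service [?]
R2 SkypeUpdate;Skype Updater;e:\program files\Skype\Updater\Updater.exe [1/8/2013 3:25 PM 161536]
S3 hwusbdev;Huawei DataCard USB PNP Device;e:\windows\system32\DRIVERS\ewusbdev.sys --> e:\windows\system32\DRIVERS\ewusbdev.sys [?]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://http://in.yahoo.com/?fr=mkg029.yahoo.com
"""

PAREN_BANNER = re.compile(r"^\({3,}\s*(?P<name>[^()]+?)\s*\){3,}$")
DASH_BANNER = re.compile(r"^-{3,}\s*(?P<name>[^-].*?)\s*-{3,}$")
KEY_LINE = re.compile(r"^\[(?P<key>HK[A-Z_]+\\.+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
SERVICE_LINE = re.compile(r"^(?P<state>[RS]\??\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+)$")
DISINFECTED = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
HOTFIX_DIR = re.compile(r"^(?P<dir>.*?\\\$NtUninstall[^\\]+\$)(?P<rest>.*)$", re.I)
START_PAGE = re.compile(r"^[um]Start Page = (?P<url>.+)$")
FINDING_KINDS = ("autorun_artifacts", "fake_hotfix_dirs", "disinfected_files", "run_entries",
                 "bare_name_run_entries", "unverified_services", "malformed_start_pages")


def split_sections(report):
    """Map each banner title to the lines beneath it; blank and '.' spacer lines are dropped."""
    sections = OrderedDict([("Header", [])])
    current = "Header"
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = PAREN_BANNER.match(line) or DASH_BANNER.match(line)
        if banner:
            current = banner.group("name")
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def triage(report):
    """Return {finding kind: [items]} for one report."""
    sections = split_sections(report)
    found = {kind: [] for kind in FINDING_KINDS}

    for line in sections.get("Other Deletions", []):
        m = DISINFECTED.match(line)
        if m:
            found["disinfected_files"].append(m.group("path"))
            continue
        if line.rsplit("\\", 1)[-1].lower() in ("autorun.inf", "autorun.ini"):
            found["autorun_artifacts"].append(line)
        m = HOTFIX_DIR.match(line)
        # A real $NtUninstallKB...$ folder holds backed-up system files, not '@' or '*.@' files.
        if m and m.group("rest").endswith("@") and m.group("dir") not in found["fake_hotfix_dirs"]:
            found["fake_hotfix_dirs"].append(m.group("dir"))

    current_key = ""
    for line in sections.get("Reg Loading Points", []):
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_LINE.match(line)
        if m and current_key.lower().endswith("\\run"):
            entry = {"key": current_key, "name": m.group("name"), "cmd": m.group("cmd")}
            found["run_entries"].append(entry)
            if "\\" not in entry["cmd"]:  # bare image name, resolved through the search path: worth a look
                found["bare_name_run_entries"].append(entry["name"])
            continue
        m = SERVICE_LINE.match(line)
        if m and m.group("path").endswith("[?]"):  # ComboFix could not verify the service image
            found["unverified_services"].append(m.group("name"))

    for line in sections.get("Supplementary Scan", []):
        m = START_PAGE.match(line)
        if m and m.group("url").count("://") > 1:  # doubled scheme such as hxxp://http://
            found["malformed_start_pages"].append(m.group("url"))
    return found


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_REPORT).items():
        print(f"{kind}: {items}")
```

Run it directly to print the findings for the sample, or pass the text of any ComboFix.txt to `triage()`. The flagged items are review points, not verdicts: a bare image name in a Run value (sm56hlpr.exe here) is often a legitimate OEM helper, and `[?]` on an Oracle service only means ComboFix could not verify the file. The `$NtUninstall...$` check, by contrast, is a strong signal, because a genuine hotfix-uninstall folder never contains `@`-named files.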
Ambucias (Moderator, Security Contributor) wrote:

Hello,

Okay, the rootkit has been removed, but it seems that your system is still vulnerable.

Delete the ZHPDiag.txt log on your desktop as well as the folder C:/ZHP.

Produce a new ZHPDiag log and upload it to Speedyshare.

Best regards
Ambucias (Moderator, Security Contributor) wrote:

Hello

ZHPDiag created on your desktop an icon called ZHPFix (it looks like a syringe).

1. Open ZHPFix.
2. Copy the lines below.
3. In ZHPFix click on the clipboard button, which will paste the lines in the window.
4. Click on the GO button below, which will delete the lines.

Here are the lines to copy:

[HKCU\Software\SweetIM] =>PUP.SweetIM
[HKLM\Software\SweetIM] =>PUP.SweetIM
O81 - IFC: Internet Feature Controls [HKUS\.DEFAULT] [FEATURE_BROWSER_EMULATION] -- svchost.exe => Infection Rootkit (Rootkit.TDSS)
O81 - IFC: Internet Feature Controls [HKUS\S-1-5-18] [FEATURE_BROWSER_EMULATION] -- svchost.exe => Infection Rootkit (Rootkit.TDSS)
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Smart Fortress 2012] =>Rogue.Multiple
[HKCU\Software\HackFacebookProfiles] =>Hacker.FaceBook
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\00E944CB89111313EAF35A0553F547F9] =>PUP.Dealio
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\53F55AF3F4049ED3FA6EA6F88E414E24] =>PUP.Dealio
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\68E4BF4B11615E03C97732FD581AB607] =>PUP.Dealio
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8CE3DDAB2D152683FBCEB4866BCD2B0F] =>PUP.Dealio
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AF6CE16AFEA5C9A39B766468A8B35C21] =>PUP.Dealio
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB1E44269B58F433A8C8E671E37CFDCF] =>PUP.Dealio
E:\Program Files\Mozilla Firefox\Extensions\wtxpcom@mybrowserbar.com =>PUP.Dealio
E:\Documents and Settings\Administrator\Application Data\Software =>Adware.Boxore
O90 - PUC: "8AF9A797EFE4EF14DA807A1569655976" . (.pdfforge Toolbar v7.1.) -- E:\WINDOWS\Installer\{797A9FA8-4EFE-41FE-AD08-A75196569567}\ARPPRODUCTICON.exe

5. Paste the ZHPFix log here (it will be on your desktop).

6. Again, delete all ZHPDiag logs.

7. Produce a new one, upload it to Speedyshare and post the URL here.

Regards
Rajesh wrote:

Really, thanks for your help.

Please find the fix log below.

ZHPFix 2013.6.12.3 report by Nicolas Coolman, update of 12/06/2013
Registry export file:
Run by Administrator at 6/21/2013 12:09:52 PM
High Elevated Privileges : OK
Windows XP Professional Service Pack 2 (Build 2600)

Recycle Files Deleted

========== Registry Key ==========
DELETED Key: HKCU\Software\SweetIM
DELETED Key: HKLM\Software\SweetIM
DELETED Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Smart Fortress 2012
DELETED Key: HKCU\Software\HackFacebookProfiles
DELETED Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\00E944CB89111313EAF35A0553F547F9
DELETED Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\53F55AF3F4049ED3FA6EA6F88E414E24
DELETED Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\68E4BF4B11615E03C97732FD581AB607
DELETED Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8CE3DDAB2D152683FBCEB4866BCD2B0F
DELETED Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AF6CE16AFEA5C9A39B766468A8B35C21
DELETED Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB1E44269B58F433A8C8E671E37CFDCF
DELETED Key: \Software\Classes\Installer\Products\\8AF9A797EFE4EF14DA807A1569655976
DELETED Key: \Software\Classes\Installer\Features\8AF9A797EFE4EF14DA807A1569655976

========== Registry Value ==========
NOT FOUND IFC: [FEATURE_BROWSER_EMULATION] svchost.exe

========== Directory ==========
DELETED Folder: e:\program files\mozilla firefox\extensions\wtxpcom@mybrowserbar.com
DELETED Folder: e:\documents and settings\administrator\application data\software


========== Summary ==========
12 : Registry Key
1 : Registry Value
2 : Directory


End of clean in 01mn AMs

========== Report File ==========
E:\ZHP\ZHPFix[R1].txt - 6/21/2013 12:09:52 PM [1961]



And link for diag log.
http://speedy.sh/TqVqR/ZHPDiag.txt
Ambucias (Moderator, Security Contributor) wrote:

Hello

Thanks for the logs.

Rootkits are difficult to kill, and it is still there.

1. Please download Kaspersky's TDSSKiller here:

http://support.kaspersky.com/downloads/utils/tdsskiller.zip

2. Open TDSSKiller and click on Start scan.

3. If items are found, click on Continue and then on Reboot.

4. A log will appear when the computer restarts; copy it and paste it here.

Have a nice day and thank you for your patience.
Rajesh wrote:

Hi,

You are helping me a lot.

Please find the log at the link below.

http://speedy.sh/bsw9M/tdss.txt

Thanks,