[juleskragen]

This morning m y Dell Vostro picked up a nasty virus. I am using my mac to post so I can bet help.

First Symantec picked up two trojan horse viruses from Mozilla and quarantined them. Then things went nuts.
I have tried to go into safe mode to download the malwarebyte software but no luck.

I have run TFC, we go it in through a USB stick.

So I am stuck, no functions and no way to bring in software to fix.

Anyone able to get through this with advice to offer?

[Advertisements]

Can you burn to a CD ? There are two flavours to this programme OTLPENet.exe includes network drivers so you should be able to get online from the infected system, select whichever you prefer


Please print these instruction out so that you know what you are doing

File details OTLPEStd.exe
Bytes=97,702,766
MB=93.1
MD5=FC1A07D156DE710955032B1CF7891671

File details OTLPENet.exe
Bytes=126,850,486
MB=120.9
MD5=8A7C5BA1C92552ADDCC5E468D0AA069A

• Download OTLPEStd.exe to your desktop
• Download OTLPENet.exe to your desktop
• Ensure that you have a blank CD in the drive
• Double click OTLPEStd.exe and this will then open imgburn to burn the file to CD
• Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  
• Reboot your system using the boot CD you just created.
  Note : If you do not know how to set your computer to boot from CD follow the steps here
• As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
  
  
• Your system should now display a Reatogo desktop.
  Note : as you are running from CD it is not exactly speedy
• Double-click on the OTLPE icon.
• Select the Windows folder of the infected drive if it asks for a location
• When asked "Do you wish to load the remote registry", select Yes
• When asked "Do you wish to load remote user profile(s) for scanning", select Yes
• Ensure the box "Automatically Load All Remaining Users" is checked and press OK
• OTL should now start.
• Drag and drop this attached scan.txt into the Custom scans and fixes box
  
• Press Run Scan to start the scan.
• When finished, the file will be saved in drive C:\OTL.txt
• Copy this file to your USB drive if you do not have internet connection on this system.
• Right click the file and select send to : select the USB drive.
• Confirm that it has copied to the USB drive by selecting it
• You can backup any files that you wish from this OS
• Please post the contents of the C:\OTL.txt file in your reply.

[Essexboy]

Can you burn to a CD ? There are two flavours to this programme OTLPENet.exe includes network drivers so you should be able to get online from the infected system, select whichever you prefer


Please print these instruction out so that you know what you are doing

File details OTLPEStd.exe
Bytes=97,702,766
MB=93.1
MD5=FC1A07D156DE710955032B1CF7891671

File details OTLPENet.exe
Bytes=126,850,486
MB=120.9
MD5=8A7C5BA1C92552ADDCC5E468D0AA069A

• Download OTLPEStd.exe to your desktop
• Download OTLPENet.exe to your desktop
• Ensure that you have a blank CD in the drive
• Double click OTLPEStd.exe and this will then open imgburn to burn the file to CD
• Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  
• Reboot your system using the boot CD you just created.
  Note : If you do not know how to set your computer to boot from CD follow the steps here
• As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
  
  
• Your system should now display a Reatogo desktop.
  Note : as you are running from CD it is not exactly speedy
• Double-click on the OTLPE icon.
• Select the Windows folder of the infected drive if it asks for a location
• When asked "Do you wish to load the remote registry", select Yes
• When asked "Do you wish to load remote user profile(s) for scanning", select Yes
• Ensure the box "Automatically Load All Remaining Users" is checked and press OK
• OTL should now start.
• Drag and drop this attached scan.txt into the Custom scans and fixes box
  
• Press Run Scan to start the scan.
• When finished, the file will be saved in drive C:\OTL.txt
• Copy this file to your USB drive if you do not have internet connection on this system.
• Right click the file and select send to : select the USB drive.
• Confirm that it has copied to the USB drive by selecting it
• You can backup any files that you wish from this OS
• Please post the contents of the C:\OTL.txt file in your reply.

[juleskragen]

I am happy to try this but don't understand how to get the text from the Mac, where I am reading this, to the Dead dell.

I also have identified the offender, it is timer.xul

[Essexboy]

If need be run without the scan and I will pick up those bits later, do you have any functionality on the Dell

[juleskragen]

I can go into safe mode and be functional but can't reach the web there for some reason.
The virus grabs everything when in user mode and takes you the false sites.
Is the idea (sorry for my lack of sophistication) to download the programs on the mac and then use the cd to reboot the dell?

Thanks

jules

[Essexboy]

That is correct, If for some reason the mac will not allow the burn you could download and run from USB the following programme (in safe mode )

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop

• Close ALL OTHER PROGRAMS.
• Double-click on OTS.exe to start the program.
• Check the box that says Scan All Users
• Under Additional Scans check the following:
  • Reg - Shell Spawning
  • File - Lop Check
  • File - Purity Scan
  • Evnt - EvtViewer (last 10)
• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

[juleskragen]

Mac pulls all of the OTS files into a text file which can't be cut or pasted or dragged onto a USB.
Any thoughts?

[juleskragen]

Mac pulls all of the OTS files into a text file which can't be cut or pasted or dragged onto a USB.
Any thoughts?

[juleskragen]

Does anyone have any ideas.

[Essexboy]

Unfortunately I have no experience with a Mac - Do you have the option to select the file extension on download ? Can you download direct to the USB ?

[juleskragen]

Good day.
I am back at a different windows desktop so am proceeding to take steps outlined.
Should have results later.

Jules

[Essexboy]

I am here for another two hours or so

[juleskragen]

 OTS.Txt   110.53KB   131 downloads

I hope that I have attached the findings correctly.

[Essexboy]

Here we go

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1195492579-1499592111-4157199112-1006\] > -> 
YN -> HKEY_USERS\S-1-5-21-1195492579-1499592111-4157199112-1006\: "ProxyEnable" -> 1
YN -> HKEY_USERS\S-1-5-21-1195492579-1499592111-4157199112-1006\: "ProxyServer" -> http=127.0.0.1:5555
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "Locked" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "jqxrriap" -> C:\Documents and Settings\JUELS\Local Settings\Application Data\jrkdffdax\smqbqcvtssd.exe [C:\Documents and Settings\JUELS\Local Settings\Application Data\jrkdffdax\smqbqcvtssd.exe]
< Run [HKEY_USERS\S-1-5-21-1195492579-1499592111-4157199112-1006\] > -> HKEY_USERS\S-1-5-21-1195492579-1499592111-4157199112-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "jqxrriap" -> C:\Documents and Settings\JUELS\Local Settings\Application Data\jrkdffdax\smqbqcvtssd.exe [C:\Documents and Settings\JUELS\Local Settings\Application Data\jrkdffdax\smqbqcvtssd.exe]
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
YY -> \Run\\"RTHDBPL" -> C:\Documents and Settings\JUELS\Application Data\SystemProc\lsass.exe [C:\Documents and Settings\JUELS\Application Data\SystemProc\lsass.exe]
[Files/Folders - Created Within 30 Days]
NY ->  jrkdffdax -> C:\Documents and Settings\JUELS\Local Settings\Application Data\jrkdffdax
NY ->  SystemProc -> C:\Documents and Settings\JUELS\Application Data\SystemProc
[Files/Folders - Modified Within 30 Days]
NY ->  confin.sys -> C:\confin.sys
[Files - No Company Name]
NY ->  confin.sys -> C:\confin.sys
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.


THEN

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

[juleskragen]

 06032010_142028.txt   6.42KB   92 downloads  06032010_141716.txt   6.62KB   97 downloads

The file that was created during this operation is attached.
It did require me to reboot the computer which I did

I tried twice and each time the file came back as .log which I changed.

Finally it also downloaded a folder each time. One contains a file name I recognize as nasty, isaas.exe.

I have not uploaded those files.

Another question: When I download the malware it will run on this computer. Is that what you want me to do?

How do I get it to the other one?

Thank you

Jules