Trojan Horse has my dell by the throat [Solved]


#1 juleskragen (Member, 12 posts)
This morning my Dell Vostro picked up a nasty virus. I am using my Mac to post so I can get help.

First Symantec picked up two trojan horse viruses from Mozilla and quarantined them. Then things went nuts.
I have tried to go into safe mode to download the malwarebyte software but no luck.

I have run TFC; we got it in through a USB stick.

So I am stuck, no functions and no way to bring in software to fix.

Anyone able to get through this with advice to offer?

#2 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Can you burn to a CD? There are two flavours of this programme; OTLPENet.exe includes network drivers, so you should be able to get online from the infected system. Select whichever you prefer.


Please print these instructions out so that you know what you are doing.

File details OTLPEStd.exe
Bytes=97,702,766
MB=93.1
MD5=FC1A07D156DE710955032B1CF7891671

File details OTLPENet.exe
Bytes=126,850,486
MB=120.9
MD5=8A7C5BA1C92552ADDCC5E468D0AA069A




  • Download OTLPEStd.exe to your desktop
  • Download OTLPENet.exe to your desktop
  • Ensure that you have a blank CD in the drive
  • Double click OTLPEStd.exe and this will then open imgburn to burn the file to CD
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)

  • Your system should now display a Reatogo desktop.
    Note : as you are running from CD it is not exactly speedy
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Drag and drop this attached scan.txt into the Custom scans and fixes box
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system.
  • Right click the file and select send to : select the USB drive.
  • Confirm that it has copied to the USB drive by selecting it
  • You can backup any files that you wish from this OS
  • Please post the contents of the C:\OTL.txt file in your reply.


#3 juleskragen (Topic Starter, Member, 12 posts)
I am happy to try this but don't understand how to get the text from the Mac, where I am reading this, to the dead Dell.

I also have identified the offender, it is timer.xul

#4 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
If need be, run without the scan and I will pick up those bits later. Do you have any functionality on the Dell?

#5 juleskragen (Topic Starter, Member, 12 posts)
I can go into safe mode and be functional but can't reach the web there for some reason.
The virus grabs everything when in user mode and takes you to the false sites.
Is the idea (sorry for my lack of sophistication) to download the programs on the mac and then use the cd to reboot the dell?

Thanks

jules

#6 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
That is correct. If for some reason the Mac will not allow the burn, you could download and run the following programme from USB (in safe mode).

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


#7 juleskragen (Topic Starter, Member, 12 posts)
Mac pulls all of the OTS files into a text file which can't be cut or pasted or dragged onto a USB.
Any thoughts?

#8 juleskragen (Topic Starter, Member, 12 posts)
Mac pulls all of the OTS files into a text file which can't be cut or pasted or dragged onto a USB.
Any thoughts?

#9 juleskragen (Topic Starter, Member, 12 posts)
Does anyone have any ideas?

#10 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Unfortunately I have no experience with a Mac. Do you have the option to select the file extension on download? Can you download direct to the USB?
#11 juleskragen (Topic Starter, Member, 12 posts)
Good day.
I am back at a different windows desktop so am proceeding to take steps outlined.
Should have results later.

Jules

#12 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
I am here for another two hours or so.

#13 juleskragen (Topic Starter, Member, 12 posts)
Attached File: OTS.Txt (110.53KB, 102 downloads)

I hope that I have attached the findings correctly.

#14 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Here we go.

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1195492579-1499592111-4157199112-1006\] > -> 
YN -> HKEY_USERS\S-1-5-21-1195492579-1499592111-4157199112-1006\: "ProxyEnable" -> 1
YN -> HKEY_USERS\S-1-5-21-1195492579-1499592111-4157199112-1006\: "ProxyServer" -> http=127.0.0.1:5555
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "Locked" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "jqxrriap" -> C:\Documents and Settings\JUELS\Local Settings\Application Data\jrkdffdax\smqbqcvtssd.exe [C:\Documents and Settings\JUELS\Local Settings\Application Data\jrkdffdax\smqbqcvtssd.exe]
< Run [HKEY_USERS\S-1-5-21-1195492579-1499592111-4157199112-1006\] > -> HKEY_USERS\S-1-5-21-1195492579-1499592111-4157199112-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "jqxrriap" -> C:\Documents and Settings\JUELS\Local Settings\Application Data\jrkdffdax\smqbqcvtssd.exe [C:\Documents and Settings\JUELS\Local Settings\Application Data\jrkdffdax\smqbqcvtssd.exe]
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
YY -> \Run\\"RTHDBPL" -> C:\Documents and Settings\JUELS\Application Data\SystemProc\lsass.exe [C:\Documents and Settings\JUELS\Application Data\SystemProc\lsass.exe]
[Files/Folders - Created Within 30 Days]
NY ->  jrkdffdax -> C:\Documents and Settings\JUELS\Local Settings\Application Data\jrkdffdax
NY ->  SystemProc -> C:\Documents and Settings\JUELS\Application Data\SystemProc
[Files/Folders - Modified Within 30 Days]
NY ->  confin.sys -> C:\confin.sys
[Files - No Company Name]
NY ->  confin.sys -> C:\confin.sys
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.


THEN

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
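The fix in the post above undoes three things that are typical of this family of infection: a browser proxy forced onto 127.0.0.1, autorun entries launching a randomly named executable out of the user's Local Settings\Application Data, and a file called lsass.exe sitting under Application Data rather than System32. As an added example that is not part of this thread or of the OTS tool, the Python script below reads lines in the shape OTS prints and flags those three patterns. The sample lines are constructed from the entries quoted in the fix, plus one benign ctfmon.exe autorun added as a control; the parsing rules and the list of system binary names are assumptions of this example, not OTS behaviour.

```python
import re

# Constructed sample in the shape OTS prints: the entries quoted in the fix
# above, plus one benign ctfmon.exe autorun (constructed) as a control.
SAMPLE_LOG = r"""
[Registry - Safe List]
YN -> HKEY_USERS\S-1-5-21-1195492579-1499592111-4157199112-1006\: "ProxyEnable" -> 1
YN -> HKEY_USERS\S-1-5-21-1195492579-1499592111-4157199112-1006\: "ProxyServer" -> http=127.0.0.1:5555
YY -> "jqxrriap" -> C:\Documents and Settings\JUELS\Local Settings\Application Data\jrkdffdax\smqbqcvtssd.exe [C:\Documents and Settings\JUELS\Local Settings\Application Data\jrkdffdax\smqbqcvtssd.exe]
YY -> \Run\\"RTHDBPL" -> C:\Documents and Settings\JUELS\Application Data\SystemProc\lsass.exe [C:\Documents and Settings\JUELS\Application Data\SystemProc\lsass.exe]
YY -> "ctfmon.exe" -> C:\WINDOWS\system32\ctfmon.exe [C:\WINDOWS\system32\ctfmon.exe]
"""

# An OTS entry line starts with two Y/N flags, then "->", then the body.
LINE_RE = re.compile(r'^(?P<flags>[YN]{2}) ->\s*(?P<body>.+)$')

LOOPBACK = ('127.0.0.1', 'localhost', '[::1]')
# Folder fragments that legitimate autoruns rarely live in (assumption).
PROFILE_DIRS = ('\\application data\\', '\\local settings\\', '\\appdata\\')
# Names malware likes to borrow; real copies live in System32 (assumption).
SYSTEM_BINARIES = {'lsass.exe', 'csrss.exe', 'svchost.exe', 'winlogon.exe', 'services.exe'}


def parse_ots_line(line):
    """Return {'flags', 'name', 'data'} for an entry line, or None for headers/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group('body')
    # The value name is the last quoted token before the final "->"; data follows it.
    head, sep, data = body.rpartition(' -> ')
    if not sep:
        return None
    names = re.findall(r'"([^"]*)"', head)
    name = names[-1] if names else head.strip()
    # OTS repeats the resolved path in square brackets; keep only the first form.
    data = re.sub(r'\s*\[.*\]\s*$', '', data).strip()
    return {'flags': m.group('flags'), 'name': name, 'data': data}


def suspicious_reasons(entry):
    """List the detection rules an entry trips (empty list means nothing flagged)."""
    reasons = []
    name, data = entry['name'], entry['data']
    low = data.lower()
    if name.lower() == 'proxyserver' and any(h in low for h in LOOPBACK):
        reasons.append('proxy forced onto loopback: a local process is intercepting web traffic')
    if low.endswith('.exe'):
        if any(d in low for d in PROFILE_DIRS):
            reasons.append('autorun executable under a user profile data folder')
        base = low.rsplit('\\', 1)[-1]
        if base in SYSTEM_BINARIES and '\\system32\\' not in low:
            reasons.append(f'{base} outside System32: name borrowed from a system process')
    return reasons


def triage(log_text):
    """Return (name, data, reasons) for every flagged entry, in log order."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_ots_line(raw)
        if entry is None:
            continue  # section header such as [Registry - Safe List], or blank
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append((entry['name'], entry['data'], reasons))
    return findings


if __name__ == '__main__':
    for name, data, reasons in triage(SAMPLE_LOG):
        print(f'{name}: {data}')
        for r in reasons:
            print(f'    - {r}')
```

Running it on the sample prints the ProxyServer, jqxrriap and RTHDBPL entries with their reasons and stays silent on the ctfmon.exe control; the fake lsass.exe trips two rules at once, which is exactly the combination the fix above removes from the policies\Explorer\Run key.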

#15 juleskragen (Topic Starter, Member, 12 posts)
Attached File: 06032010_142028.txt (6.42KB, 67 downloads)
Attached File: 06032010_141716.txt (6.62KB, 67 downloads)

The file that was created during this operation is attached.
It did require me to reboot the computer, which I did.

I tried twice and each time the file came back as .log which I changed.

Finally it also downloaded a folder each time. One contains a file name I recognize as nasty, isaas.exe.

I have not uploaded those files.

Another question: When I download the malware it will run on this computer. Is that what you want me to do?

How do I get it to the other one?

Thank you

Jules