Bunch of Trojans: Downloader, FakeAlert, DNSchanger, BHO, Agent, PUM.h
Posted 03 August 2011 - 02:27 PM
Safe mode did not work. It restarted and asked how to start, tried safe mode with networking, didn't start. So I started windows normally.
Posted 03 August 2011 - 02:31 PM
To ensure that I get all the information this log will need to be attached (instructions at the end) if it is too large to attach then upload to Mediafire and post the sharing link.
Download OTS to your Desktop
- Close ALL OTHER PROGRAMS.
- Double-click on OTS.exe to start the program.
- Check the box that says Scan All Users
- Under Additional Scans check the following:
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
- Under the Custom Scan box paste this in
%systemroot%\*. /mp /s
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Posted 03 August 2011 - 03:02 PM
Posted 03 August 2011 - 03:09 PM
Please print these instruction out so that you know what you are doing
Latest version: v220.127.116.11
Size: 127,222,215b / 121.3MB
- Download the attached scan.txt to a USB drive
- Download OTLPENet.exe to your desktop
- Ensure that you have a blank CD in the drive
- Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
- Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here
- As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
- Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy
- Double-click on the OTLPE icon.
- Select the Windows folder of the infected drive if it asks for a location
- When asked "Do you wish to load the remote registry", select Yes
- When asked "Do you wish to load remote user profile(s) for scanning", select Yes
- Ensure the box "Automatically Load All Remaining Users" is checked and press OK
- OTL should now start.
- Double click the Custom scans and fixes box
- In the dialogue locate the scan.txt you have on the USB
- Press Run Scan to start the scan.
- When finished, the file will be saved in drive C:\OTL.txt
- Copy this file to your USB drive if you do not have internet connection on this system.
- Right click the file and select send to : select the USB drive.
- Confirm that it has copied to the USB drive by selecting it
- You can backup any files that you wish from this OS
- Please post the contents of the C:\OTL.txt file in your reply.
Posted 04 August 2011 - 11:21 PM
Posted 05 August 2011 - 11:34 AM
Run OTLPE and when the log has generated post that here please
Posted 05 August 2011 - 04:21 PM
Posted 06 August 2011 - 08:44 AM
Could you re-run AVP but just do the second part (the analysis run)
Then attach the zip file
Posted 06 August 2011 - 02:36 PM
- Re-run AVPTool
- Select the Manual Disinfection tab and press Script execution
- Where it states Insert text script in the following box copy the below script and press Run script
Copy from Begin until End
begin SetAVZPMStatus(True); SetAVZGuardStatus(True); SearchRootkit(true, true); DeleteFile('C:\Documents and Settings\Administrator\Local Settings\Temp\_uninst_93306840.bat'); BC_DeleteFile('C:\Documents and Settings\Administrator\Local Settings\Temp\_uninst_93306840.bat'); BC_ImportDeletedList; BC_ImportAll; ExecuteSysClean; BC_Activate; RebootWindows(true); end.
- Your system will reboot on completion, if it does not please do so yourself
- On completion please run another analysis scan and attach the zip file
Posted 06 August 2011 - 03:29 PM
Its only been freezing up since the virus and running the scans.
It froze on startup. So I turned it off, back on and now it says it found new hardware and wants to install software for "unknown". I just left it open.
Also I started the Automatic scan on accident, and it didn't stop it this time. I stopped it myself since I wasn't instructed to do that scan. I think it's possible now though. I did another manual disinfection scan and opened the report sending folder. There was only one zip file, seems like there should be two, but this one is 1kb smaller so I guess they're different.
Posted 07 August 2011 - 06:05 AM
Does it give an indication of what hardware has been found ?
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users