Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

INFECTED! HELP! Win 7 Security 2012 and Google Redirect on my


  • Please log in to reply

#31
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,012 posts
  • MVP
The files look good. Could be a permission problem I suppose or it just might be a problem with the log files themselves. The log files are stored in
C:\Windows\System32\winevt\Logs

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after each line:

cd  \

dir  /a  *.evt.*  >  \evtjunk.txt

notepad  \evtjunk.txt


Copy and paste the text from notepad into a Reply.


Please download GrantPerms.zip
http://download.blee.../GrantPerms.zip
and save it to your desktop.
Rightclick on the file and Extract All then right click on GrantPerms64.exe and Run As Admin.
Copy and paste the following in the edit box:

C:\Windows\system32\eventvwr.msc
C:\Windows\SysWOW64\eventvwr.exe

Click Unlock. When it is done click "OK".
Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.
  • 0

Advertisements


#32
loganfield

loganfield

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
OK first line...copied, pasted enter: File not found

Second line, copied, pasted enter: File not found Do you want to create new file

Ran GrantPerms...here's the log:

GrantPerms by Farbar
Ran by Owner (administrator) at 2011-12-03 13:40:42

===============================================
\\?\C:\Windows\system32\eventvwr.msc

Owner: NT SERVICE\TrustedInstaller

DACL(P)(AI):
NT SERVICE\TrustedInstaller FULL ALLOW (NI)
BUILTIN\Administrators READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM READ/EXECUTE ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\C:\Windows\SysWOW64\eventvwr.exe

Owner: NT SERVICE\TrustedInstaller

DACL(P)(AI):
NT SERVICE\TrustedInstaller FULL ALLOW (NI)
BUILTIN\Administrators READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM READ/EXECUTE ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

Am I missing some programs or files? Seems like it.....
  • 0

#33
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,012 posts
  • MVP
No that was my fault. I left out a line then mistyped another. I have fixed the previous entry so try it again.

You don't need the grant permissions again.
  • 0

#34
loganfield

loganfield

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts

No that was my fault. I left out a line then mistyped another. I have fixed the previous entry so try it again.

You don't need the grant permissions again.


No worries...

OK first line took me to C prompt.

Second line: File not found

Third line: Volume in drive C is OS
Volume Serial Number is 2062-042F

Directory of C:\

Maybe I am missing a file? If I can get by with out whatever I'm missing, I can roll with that. I don't want to take up your time....I'm just stoked you got rid of whatever was floating around in there before!
  • 0

#35
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,012 posts
  • MVP
Sounds like you have had enough. I don't understand why your event viewer is not working but the last notepad command should have worked. Are you sure that you typed it correctly?

Whatever is wrong doesn't appear to be hurting anything so we can hang it up if you want. Just a little cleanup:

We need to cleanup System Restore:

Copy the following:

:Commands
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

Right click on OTL and Run As Administrator. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

That will get the last of the malware off the system.



You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, All Programs, Accessories then right click on Command Prompt and Run As Administrator.
then right click, Paste, then hit Enter.

OTL has a cleanup tab if you go there it will remove itself and its logs.

To hide hidden files again (OTL may do it for you):

Vista or Win7

# Open the Control Panel menu and click Folder Options.
# After the new window appears select the View tab.
# Remove the check in the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the radio button labeled Do not Show hidden files and folders.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and exit My Computer.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. Exception is MSN messenger which appears to be part of Windows.)
If you get a blocked program notice after installing updatechecker then change it to not run at start then manually run it once a week.

If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/
The free version only blocks 200 ads a day so another reason to use Firefox or Chrome.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.


If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron
  • 0

#36
loganfield

loganfield

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Yeah, pretty sure...copied and pasted directly from your last post...

I'm good...just thought you might have had enough! You've done more than enough for me. If you want me to make a donation to this site on your behalf, I'm all in...

OK..new OTL log:

All processes killed
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Owner
->Temp folder emptied: 4692047 bytes
->Temporary Internet Files folder emptied: 579560 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 127768187 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 2079 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 11888 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 450985 bytes

Total Files Cleaned = 127.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Owner
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.31.0 log created on 12032011_143947

Files\Folders moved on Reboot...
C:\Users\Owner\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...

Thanks again, sir. I wish I had the skills that you have in your pinky. I've got some PC knowledge, but looking through all of these logs you had me chugging out, it's almost like Hieroglyphics to me. Thanks again for all of your help. And I'm serious...I'll donate to the site. Quick question...I was using bit tornado to download torrents with...no programs...just mp3s of radio shows. You said I should uninstall it, so I did. Any recommendation as far as a safe bit torrent client?

Thanks again Ron!

John
  • 0

#37
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,012 posts
  • MVP
I think I need to take a nap. The commands should read:
cd  \

dir  /a  /s  *.evt.*  >  \evtjunk.txt

notepad  \evtjunk.txt


I'm pretty down on any P2P program tho I suppose if your radio shows are coming from a dedicated server that might not be too bad. The problem with P2P is that the files for the most part are stored on random PCs. Even if the file was legit to start with (and there are a lot of intentionally infected files out there) one of the PCs where it was stored might have had an infection which got to the file. You can use P2P but don't blindly run them. Instead submit them to http://www.virustotal.com and let them look at it first. I suppose BitTornado is as good as any as long as it doesn't insist on adding a toolbar to your browser. Avoid anything from Conduit. I don't trust them.

The site itself is self-supporting from ad revenues. Most of the helpers have a pay pal link in their signature but I've never gotten around to doing that. Instead I ask people who want to donate to donate to Kwiaht: http://www.kwiaht.org/donate.htm
Kwiáht is a Coast Salish (Native American) word that means a place that has been kept physically clean and spiritually healthy. It's a local environmental group that I volunteer with here in the San Juan Islands. We are trying to keep it the most beautiful place on the planet. When we walk the dog we see eagles, hawks, herons, otters and seals and we want it to stay that way.
  • 0

#38
loganfield

loganfield

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts

I think I need to take a nap. The commands should read:

cd  \

dir  /a  /s  *.evt.*  >  \evtjunk.txt

notepad  \evtjunk.txt


I'm pretty down on any P2P program tho I suppose if your radio shows are coming from a dedicated server that might not be too bad. The problem with P2P is that the files for the most part are stored on random PCs. Even if the file was legit to start with (and there are a lot of intentionally infected files out there) one of the PCs where it was stored might have had an infection which got to the file. You can use P2P but don't blindly run them. Instead submit them to http://www.virustotal.com and let them look at it first. I suppose BitTornado is as good as any as long as it doesn't insist on adding a toolbar to your browser. Avoid anything from Conduit. I don't trust them.

The site itself is self-supporting from ad revenues. Most of the helpers have a pay pal link in their signature but I've never gotten around to doing that. Instead I ask people who want to donate to donate to Kwiaht: http://www.kwiaht.org/donate.htm
Kwiáht is a Coast Salish (Native American) word that means a place that has been kept physically clean and spiritually healthy. It's a local environmental group that I volunteer with here in the San Juan Islands. We are trying to keep it the most beautiful place on the planet. When we walk the dog we see eagles, hawks, herons, otters and seals and we want it to stay that way.



You've been a really good guy to donate your time and help out guys like myself who almost, but not quite know what they're doing. Thanks again sir...The torrent site I d/l radio shows is pretty legit....haven't heard of any problems from any other users....I didn't know you could infect an MP3, actually.... If you ever want to hear some great radio, check out Ron Bennington Interviews @ http://ronbenningtoninterviews.com/ The password to listen is Ron Bennington. I never had a toolbar for Bit Tornado. I HATE toolbars! I never use them. They remind me of news channels with 50 billion things scrolling across the screen. I will definitely donate to Kwiaht on your behalf. Like I told you earlier, I was in Tacoma earlier this year...beautiful area...I can't even imagine what one of the islands look like.

You're a scholar and a gentleman Ron...thanks for the help. Safe travels, budday....

John (Loganfield on Facebook)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP