
Malware, malicious program rootkit, dns redirect, host file mod. worm?


This topic is locked

#1
SweetHeart161 (Member, 89 posts)
Greetings my friends! I come here to acquire some help with removal of an unknown infection. It all began with a BSOD cache manager and a non paged area BSOD, and now things are sluggish and it messes with my antivirus programs, which turn off on their own; internet options turn off on their own.. It appears to get angry when I install any security program.. I scan but it comes up with nothing.. I don't know how to detect an MBR virus? Maybe malicious software? Kernel rootkit maybe? I have had issues with installing software where it won't install properly, fake antiviruses..worms etc.. please help! It would be much appreciated.. Thank you..!


#2
CompCav (Expert, 12,448 posts)
Hi, SweetHeart161! My nickname is CompCav and I will be assisting you with your Malware/Security problems. Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any questions or you are unsure about anything, just ask and I will help you out. :)

If you have resolved the issues you were originally experiencing, or have received help elsewhere, please let me know so that this topic can be closed.


Please make sure you are saving and printing the instructions out prior to each fix, this way you will have them on hand just in case you are unable to access this site. One of the steps I will be asking you to do requires you to boot into Safe Mode and this process will be much easier for you to perform if the instructions are printed out for you to follow.

If you are ready to get started, please review and follow these guidelines so that we resolve your issues in a timely and effective manner:
  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post.
  • Please make sure to carefully read any instructions that I give you. Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. These instructions are not suitable for any other computer, even if the issues are fairly similar.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. However, the one thing that you should always do, is to make sure your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Just do a Copy/Paste of the entire contents of the log file inside your post and submit.
  • You must reply within four days; failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic. PM me only if I have not responded to your last post in 2 days.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to ultimately reformat your hard drive and reinstall the operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Please have the software and storage media for backing up your data available.


Step 1.

Download OTL to your Desktop
or
If you still have OTL on your desktop, go immediately to the following steps:

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select Scan All Users
  • Under File Scans File Age: Select 90 days from the drop down box.
  • Select Lop Check and Purity Check
  • Under Extra Registry: Select Use SafeList
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    consrv.dll
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    C:\Windows\assembly\tmp\U\*.* /s
    C:\Program Files\Common Files\ComObjects\*.* /s
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    >C:\commands.txt echo list vol /raw /hide /c
    /wait
    >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
    /wait
    type c:\diskreport.txt /c
    /wait
    erase c:\commands.txt /hide /c
    /wait
    erase c:\diskreport.txt /hide /c
    CREATERESTOREPOINT
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open OTL.Txt and Extras.txt.
  • Post both logs


Step 2.

Download aswMBR.exe (1.8 MB) to your desktop.
Double click aswMBR.exe to run it, then click the "Scan" button to start the scan.

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

If it does not run, rename aswMBR.exe to Iexplore.exe and try it again.

Step 3.

In Safe Mode with Networking, please do the following:

Blue Screen Errors

  • Click here to download BlueScreenView or here
  • Right click bluescreenview.zip and choose "Extract All" or "Extract Here" to extract the contents of the zip file
  • Once extracted, double click on BlueScreenView.exe to run the program
  • Click Edit, then Select All
  • Click File, then Save Selected Items
  • In the File name, type bluescreenlog.txt and then Save it to your Desktop
  • Open bluescreenlog.txt, then copy and paste all of the contents into your next reply


Step 4.

Please post:

OTL.txt
Extras.txt
aswMBR log
bluescreenlog.txt





Give me any updates on issues with your computer
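An added example, not part of the thread or of OTL: a report for the same five system binaries the /md5start ... /md5stop block above hashes. It lists every copy under %SystemRoot%, prints the MD5 that OTL would show plus SHA-256, and checks each file's Authenticode signature. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt; the function name is the example's own.

```powershell
# Added example, not part of the thread or of OTL. Hash and signature report for the
# five binaries the OTL custom scan above checks with /md5start ... /md5stop.
# Assumptions: Windows PowerShell 4.0+ (Get-FileHash) and an elevated prompt.
function Get-SystemBinaryReport {
    param(
        [string[]]$FileNames = @('consrv.dll', 'explorer.exe', 'winlogon.exe',
                                 'userinit.exe', 'svchost.exe'),
        [string]$Root = $env:SystemRoot
    )
    # Like OTL, look at every copy (System32, SysWOW64, winsxs, ...), not just one.
    Get-ChildItem -Path $Root -Recurse -Include $FileNames -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Size      = $_.Length
                MD5       = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash    # the digest OTL prints
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signature = $sig.Status    # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

$report = Get-SystemBinaryReport

# Per-name summary. Several distinct hashes for one name can be legitimate (hotfix
# versions side by side in winsxs), so compare against a copy you trust rather than
# assuming the majority is clean.
$report | Group-Object { Split-Path $_.Path -Leaf } | ForEach-Object {
    '{0}: {1} copies, {2} distinct MD5 values' -f $_.Name, $_.Count,
        @($_.Group.MD5 | Sort-Object -Unique).Count
}

# HashMismatch means the file was modified after it was signed. NotSigned on an OS
# binary can simply be a catalog-signed file this PowerShell version cannot verify,
# so treat it as a lead to hash-compare, not as proof of tampering.
$report | Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table Path, Signature, MD5 -AutoSize
```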

#3
SweetHeart161 (Topic Starter, Member, 89 posts)
Thank you for the prompt response :0) BlueScreenView didn't show anything so I didn't include it.. I broke the OTL log into 3 parts because it was too big..

Attached Files


Edited by SweetHeart161, 03 May 2012 - 08:18 AM.


#4
CompCav (Expert, 12,448 posts)
Thank you for the information.

I do have a few questions as I begin to prepare a fix:

Are these your real user names?
))())())(()(()((
or
))(())(())(())(())((

If these are not the real ones, I cannot prepare the fix or if I do you will have to correct it in the fix each time, this would be cumbersome and subject to errors that could cause other issues.


Did you get the whole OTL.txt?
OTL1 and OTL2 are nearly the same.
OTL3 is somewhat different but does not have the last portion of the file at all. I need the whole file. If it is too large to post, then go to mediafire, create an account, upload the whole file, and post a link to it in your next post for me.


Regards,

CompCav

#5
SweetHeart161 (Topic Starter, Member, 89 posts)
Yes those are my real user names :thumbsup: http://www.mediafire...6s6kq5fjcy8rba5
Are you saying I should change my names?

#6
SweetHeart161 (Topic Starter, Member, 89 posts)
After I ran my logs I plugged in my USB drive and a trojan dropper was found.. will this change things?

#7
CompCav (Expert, 12,448 posts)

Are you saying I should change my names?

No, not at all, just wanted to make sure they were real. :thumbsup:

#8
CompCav (Expert, 12,448 posts)

After I ran my logs I plugged in my usb drive and a trojan dropper was found.. will this change things?

Your extras log does not show a resident antivirus. Do you have one installed?

#9
SweetHeart161 (Topic Starter, Member, 89 posts)
I have one but any recommendations are welcome :) While trying to move a log to my USB drive I accidentally moved the log over tdssqlook.exe and it opened it and it opened a trojan.. so I don't know if I am infected with that as well or if it changed any settings or not, that is why I asked.. Norton said it is quarantined... :unsure: aswMBR.exe ended up being infected/suspicious as well... :unsure: Also the names of my USB drives don't show up..?

Edited by SweetHeart161, 03 May 2012 - 11:24 AM.


#10
CompCav (Expert, 12,448 posts)
Norton is your AV, correct?


aswMBR is not malware so it is a "false positive" by the AV.

CompCav


#11
CompCav (Expert, 12,448 posts)
Step 1.

  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.

    :OTL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4:64bit: - HKLM..\Run: [] File not found
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    
    
    
    
    :files
    ipconfig /flushdns /c
    
    
    :reg
    
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [createrestorepoint]
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and the time of the tool run.


Step 2.

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application. Do not accept the trial version at this time!

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Step 3.

Boot Into Safe Mode with Networking, please do the following:

  • Click here to download BlueScreenView or here
  • Right click bluescreenview.zip and choose "Extract All" or "Extract Here" to extract the contents of the zip file
  • Once extracted, double click on BlueScreenView.exe to run the program
  • Click Edit, then Select All
  • Click File, then Save Selected Items
  • In the File name, type bluescreenlog.txt and then Save it to your Desktop
  • Open bluescreenlog.txt, then copy and paste all of the contents into your next reply


Step 4.

Please post:

OTL fix log
bluescreenlog.txt


Give me an update on the computer
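An added example, not part of the thread or of OTL, for the "dns redirect, host file mod" symptoms in the topic title: a read-only check of the two places such a redirect usually lives, the hosts file (what the [resethosts] directive in the fix above would reset) and the DNS servers each adapter actually uses. It assumes Windows PowerShell 3.0 or later and uses Get-WmiObject so it also runs on Windows 7; both function names are the example's own.

```powershell
# Added example, not part of the thread or of OTL. Read-only check of the two places
# a DNS redirect usually lives: non-stock hosts-file entries (what OTL's [resethosts]
# would wipe) and the DNS servers each adapter actually uses. Assumes Windows
# PowerShell 3.0+; Get-WmiObject is used so it also runs on Windows 7.
function Get-HostsOverrides {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    $loopback = @('127.0.0.1', '::1')
    Get-Content -Path $Path -ErrorAction Stop | ForEach-Object {
        $line = ($_ -split '#', 2)[0].Trim()        # strip comments and whitespace
        if (-not $line) { return }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { return }          # malformed line, nothing to map
        $ip = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            # A stock hosts file maps only localhost to loopback (and since Vista even
            # that line is commented out), so anything else is an override to review.
            if (-not ($name -eq 'localhost' -and $ip -in $loopback)) {
                [pscustomobject]@{ Host = $name; Address = $ip }
            }
        }
    }
}

function Get-DnsServerReport {
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            [pscustomobject]@{
                Adapter    = $_.Description
                DnsServers = ($_.DNSServerSearchOrder -join ', ')
                DhcpOn     = $_.DHCPEnabled
            }
        }
}

# Typical redirect symptoms: security vendors or search engines pointed at a third-party
# address, or a static DNS server nobody configured. Review both tables by hand.
Get-HostsOverrides  | Format-Table -AutoSize
Get-DnsServerReport | Format-Table -AutoSize
```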

#12
SweetHeart161 (Topic Starter, Member, 89 posts)
BlueScreenView showed nothing.. The BSODs were in the past. It happens usually when I get a new hard drive... and after the BSOD performance degrades.. Windows Experience Index dropped 2 points since, as though something is installing permanently on my hard drives.. old BSODs were rdpbus, tcpip, cache manager and non pool paged area; the BSOD showed in Google searches stating something about remote software..? :confused: :wacko: As of right now Norton is installed..

Attached Files


Edited by SweetHeart161, 03 May 2012 - 02:55 PM.


#13
CompCav (Expert, 12,448 posts)
The fix did not work right. Please rerun it and when you copy it make sure the very first line in the Custom Scans/Fixes box is:

:OTL

There must be no spaces or blank lines before it, and please post, rather than attach, the files that are small enough to post. :thumbsup:

#14
SweetHeart161 (Topic Starter, Member, 89 posts)
All processes killed

========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.

64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.

64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.

Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.

File rity] not found.

File sethosts] not found.

File ptytemp] not found.

File eaterestorepoint] not found.



OTL by OldTimer - Version 3.2.40.0 log created on 08212009_173907

#15
SweetHeart161 (Topic Starter, Member, 89 posts)
I was reading about this Mebromi, a BIOS-flashing trojan?





