Malware, malicious program, rootkit, DNS redirect, hosts file mod. Worm?
#1
Posted 01 May 2012 - 06:03 PM
#2
Posted 02 May 2012 - 08:06 AM
If you have resolved the issues you were originally experiencing, or have received help elsewhere, please let me know so that this topic can be closed.
Please make sure you are saving and printing the instructions out prior to each fix, this way you will have them on hand just in case you are unable to access this site. One of the steps I will be asking you to do requires you to boot into Safe Mode and this process will be much easier for you to perform if the instructions are printed out for you to follow.
If you are ready to get started, please review and follow these guidelines so that we resolve your issues in a timely and effective manner:
- Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post.
- Please make sure to carefully read any instructions that I give you. Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
- If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
- These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. These instructions are not suitable for any other computer, even if the issues are fairly similar.
- Do not do things I do not ask for, such as running a spyware scan on your computer. However, the one thing that you should always do, is to make sure your anti-virus definitions are up-to-date!
- Please do not use the Attachment feature for any log file. Just do a Copy/Paste of the entire contents of the log file inside your post and submit.
- You must reply within four days; failure to reply will result in the topic being closed!
- Please do not PM me directly for help. If you have any questions, post them in this topic. PM me only if I have not responded to your last post in 2 days.
- Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to ultimately reformat your hard drive and reinstall the operating system.
Don't worry, this only happens in severe cases, but it sadly does happen. Please have the software and storage media for backing up your data available.
Step 1.
Download OTL to your Desktop
or
If you still have OTL on your desktop, go immediately to the following steps:
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select Scan All Users
- Under File Scans, File Age: select 90 days from the drop-down box.
- Select Lop Check and Purity Check
- Under Extra Registry: Select Use SafeList
- Under the Custom Scan box, paste this in:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
C:\Windows\assembly\tmp\U\*.* /s
C:\Program Files\Common Files\ComObjects\*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
>C:\commands.txt echo list vol /raw /hide /c
/wait
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c
CREATERESTOREPOINT
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open OTL.Txt and Extras.txt .
- Post both logs
Step 2.
Download aswMBR.exe (1.8 MB) to your desktop.
- Double click aswMBR.exe to run it.
- Click the "Scan" button to start the scan.
- On completion of the scan, click "Save log", save it to your desktop, and post it in your next reply.
- If it does not run, rename aswMBR.exe to Iexplore.exe and try it again.
Step 3.
In Safe Mode with Networking, please do the following:
Blue Screen Errors
- Click here to download BlueScreenView or here
- Right click bluescreenview.zip and choose "Extract All" or "Extract Here" to extract the contents of the zip file
- Once extracted, double click on BlueScreenView.exe to run the program
- Click Edit, then Select All
- Click File, then Save Selected Items
- In the File name, type bluescreenlog.txt and then Save it to your Desktop
- Open bluescreenlog.txt, then copy and paste all of the contents into your next reply
Step 4.
Please post:
OTL.txt
Extras.txt
aswMBR log
bluescreenlog.txt
Give me any updates on issues with your computer
#3
Posted 03 May 2012 - 07:56 AM
Attached Files
Edited by SweetHeart161, 03 May 2012 - 08:18 AM.
#4
Posted 03 May 2012 - 08:37 AM
I do have a few questions as I begin to prepare a fix:
Are these your real user names?
))())())(()(()((
or
))(())(())(())(())((
If these are not the real ones, I cannot prepare the fix; or, if I do, you will have to correct it in the fix each time, which would be cumbersome and subject to errors that could cause other issues.
Did you get the whole OTL.txt?
OTL1 and OTL2 are nearly the same.
OTL3 is somewhat different but does not have the last portion of the file at all. I need the whole file. If it is too large to post, then go to mediafire, create an, upload the whole file, and post a link to it in your next post for me.
Regards,
CompCav
#5
Posted 03 May 2012 - 09:09 AM
Are you saying I should change my names?
#6
Posted 03 May 2012 - 09:27 AM
#7
Posted 03 May 2012 - 09:30 AM
> Are you saying I should change my names?

No, not at all, just wanted to make sure they were real.
#8
Posted 03 May 2012 - 09:31 AM
> Your extras log does not show a resident antivirus. Do you have one installed?

After I ran my logs I plugged in my USB drive and a trojan dropper was found. Will this change things?
#9
Posted 03 May 2012 - 09:54 AM
Edited by SweetHeart161, 03 May 2012 - 11:24 AM.
#10
Posted 03 May 2012 - 11:23 AM
aswMBR is not malware so it is a "false positive" by the AV.
CompCav
#11
Posted 03 May 2012 - 01:21 PM
- Please reopen OTL on your desktop.
- Copy and Paste the following code into the textbox.
:OTL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [] File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
:files
ipconfig /flushdns /c
:reg
:Commands
[purity]
[resethosts]
[emptytemp]
[createrestorepoint]
- Push the Run Fix button.
- OTL may ask to reboot the machine. Please do so if asked.
- Click the OK button.
- A report will open. Copy and Paste that report in your next reply.
- If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and the time of the tool run.
Step 2.
Please download Malwarebytes' Anti-Malware from Here.
Double Click mbam-setup.exe to install the application. Do not accept the trial version at this time!
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Step 3.
Boot into Safe Mode with Networking, then do the following:
- Click here to download BlueScreenView or here
- Right click bluescreenview.zip and choose "Extract All" or "Extract Here" to extract the contents of the zip file
- Once extracted, double click on BlueScreenView.exe to run the program
- Click Edit, then Select All
- Click File, then Save Selected Items
- In the File name, type bluescreenlog.txt and then Save it to your Desktop
- Open bluescreenlog.txt, then copy and paste all of the contents into your next reply
Step 4.
Please post:
OTL fix log
bluescreenlog.txt
Give me an update on the computer
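An added, stand-alone example, not code from this thread or from OTL: the two things the fix above is quietly dealing with are a hosts file that may have been rewritten (what [resethosts] throws away) and the Winlogon Userinit value behind the userinit.exe entry in the md5 list. The script below does those two checks by hand over a constructed hosts file and a constructed Userinit value, so it runs offline. The list of update/AV domains it watches and the stock Userinit value it expects are assumptions, not something the thread states.

```python
"""Offline triage for two artifacts in this thread's OTL fix: the hosts file that
[resethosts] replaces, and the Winlogon Userinit value that loads userinit.exe.
Added example, not part of the thread or of OTL. The watched-domain list and the
stock Userinit value are assumptions, not something the thread states."""
import ipaddress

# Assumed list of update/AV domains that hosts-file hijacks commonly blackhole
# or redirect; extend with whatever your environment depends on.
WATCHED_SUFFIXES = (
    "windowsupdate.com", "update.microsoft.com", "malwarebytes.org",
    "symantec.com", "mcafee.com", "avast.com", "kaspersky.com",
)

# Names that legitimately point at loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Assumed stock Winlogon Userinit value (the trailing comma is normal).
STOCK_USERINIT = {r"c:\windows\system32\userinit.exe",
                  r"%systemroot%\system32\userinit.exe"}


def parse_hosts(text):
    """Yield (line_no, ip, [names]) for each active hosts entry.
    Comments, blank lines and the blank-line padding some hijackers use to push
    their entries below the visible part of the file are skipped, not trusted."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        fields = body.split()
        if len(fields) < 2:          # blank, comment-only or malformed line
            continue
        yield line_no, fields[0], fields[1:]


def audit_hosts(text):
    """Return (line_no, reason, ip, name) for every entry worth a look."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, "unparseable address", ip, " ".join(names)))
            continue
        for name in names:
            lname = name.lower()
            if lname in LOCAL_NAMES:
                continue
            watched = any(lname == s or lname.endswith("." + s) for s in WATCHED_SUFFIXES)
            if addr.is_loopback or addr.is_unspecified:
                # Loopback/0.0.0.0 entries are how ad blockers work, so only
                # flag them when they blackhole an update or AV domain.
                if watched:
                    findings.append((line_no, "update/AV domain blackholed", ip, name))
            else:
                reason = ("watched domain redirected" if watched
                          else "domain redirected to remote host")
                findings.append((line_no, reason, ip, name))
    return findings


def audit_userinit(value):
    """Return the entries in HKLM\\...\\Winlogon\\Userinit that are not the stock
    userinit.exe. Anything extra is run at logon for every user."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"').lower()
        if entry and entry not in STOCK_USERINIT:
            extras.append(entry)
    return extras


# Constructed sample: a stock Windows 7 header, one benign ad-blocking entry,
# 40 lines of padding, then the kind of entries a DNS/hosts hijack leaves behind.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "# localhost name resolution is handled within DNS itself.\n"
    "#\t127.0.0.1       localhost\n"
    "#\t::1             localhost\n"
    "127.0.0.1   localhost\n"
    "::1         localhost\n"
    "127.0.0.1   ads.example.net        # ad-blocking entry, benign\n"
    + "\n" * 40 +
    "127.0.0.1   www.malwarebytes.org\n"
    "0.0.0.0     update.microsoft.com\n"
    "203.0.113.7 www.bankofexample.com  www.bankofexample.net\n"
)

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("hosts line %d: %s (%s -> %s)" % finding)
    # Constructed hijacked value: stock userinit.exe plus an extra loader.
    print("extra Userinit entries:",
          audit_userinit(r"C:\Windows\system32\userinit.exe,C:\Users\Bob\AppData\Roaming\svchost.exe,"))
```

On a real box you would feed it C:\Windows\System32\drivers\etc\hosts and the Userinit value read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; the point of the padding in the sample is that opening the file in Notepad and seeing only the stock header proves nothing.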
#12
Posted 03 May 2012 - 02:54 PM
Attached Files
Edited by SweetHeart161, 03 May 2012 - 02:55 PM.
#13
Posted 03 May 2012 - 03:02 PM
:OTL
There must be no spaces before it or blank lines before it, and please post, rather than attach, the files that are small enough to post.
#14
Posted 03 May 2012 - 03:41 PM
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
File rity] not found.
File sethosts] not found.
File ptytemp] not found.
File eaterestorepoint] not found.
OTL by OldTimer - Version 3.2.40.0 log created on 08212009_173907
#15
Posted 03 May 2012 - 03:49 PM