
Malware, malicious program rootkit, dns redirect, host file mod. worm?


  • This topic is locked

#16 CompCav (Member 5k, Expert, 12,454 posts)

Mebromi a bios-flashing trojan

You needn't worry about this.

Let's focus on getting the fix right; your copy did not get the last series of commands correct since it left off pieces. So let's try this:
Attached File: fix.txt (824 bytes, 199 downloads)
Download the above file to your desktop, named fix.txt.


  • Please reopen OTL on your desktop.
  • Click Run Fix.
  • It will say "No fix is provided!". Click OK.
  • A dialog box will open and fix.txt should be in File name; click Open.
  • Check to make sure you see some lines in the Custom Scans/Fixes box.
  • Push Run Fix again.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and time of the tool run.



#17 SweetHeart161 (Topic Starter, Member, 89 posts)
All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked not found.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\))())())(()(()((\Desktop\cmd.bat deleted successfully.
C:\Users\))())())(()(()((\Desktop\cmd.txt deleted successfully.
========== REGISTRY ==========
========== COMMANDS ==========
C:\windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: ))(())(())(())(())((
->Temp folder emptied: 273586953 bytes
->Temporary Internet Files folder emptied: 39936 bytes

User: ))())())(()(()((
->Temp folder emptied: 7676620 bytes
->Temporary Internet Files folder emptied: 472874 bytes

User: Administrator

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 44926 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 269.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.40.0 log created on 08212009_231232
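The OTL log above shows the HOSTS file being reset and the DNS resolver cache flushed, which is the standard response to the "host file mod" and "dns redirect" symptoms named in the thread title. As an added illustration (not part of this thread and not OTL's own code), the following Python script parses a hosts file the way Windows reads it and flags the two patterns a tampered hosts file typically shows: any override of an update or security-vendor domain, and any mapping that sends a name somewhere other than the local machine. The sample hosts content and the domain watch list are constructed for the example and should be adapted to your own environment.

```python
import ipaddress

# Constructed sample hosts file (not taken from the thread): the stock
# localhost entry, a harmless ad sinkhole, and two malicious redirects.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#       127.0.0.1       localhost
127.0.0.1   localhost
0.0.0.0     ads.example-tracker.test        # sinkholed, harmless
198.51.100.7   www.malwarebytes.org         # update site redirected off-box
198.51.100.7   update.microsoft.com windowsupdate.microsoft.com
"""

# Assumed watch list: domains a defender never expects to see overridden
# in a hosts file, because malware uses exactly these to block updates.
WATCHLIST_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "malwarebytes.org",
    "symantec.com", "norton.com", "mcafee.com", "kaspersky.com",
)


def parse_hosts(text):
    """Return [(lineno, ip, [hostnames])] for every mapping line.

    Comment text after '#' is dropped and lines whose first token is not
    an IP address are skipped, which mirrors how the resolver treats them.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; ignored by Windows as well
        entries.append((lineno, ip, [h.lower() for h in parts[1:]]))
    return entries


def is_sinkhole(ip):
    """127.x, ::1 and 0.0.0.0 keep the name on the box: blocking, not hijacking."""
    return ip.is_loopback or ip.is_unspecified


def on_watchlist(host):
    return any(host == s or host.endswith("." + s) for s in WATCHLIST_SUFFIXES)


def find_suspicious(text):
    """Return findings as (lineno, reason, ip, host) tuples, in file order."""
    findings = []
    for lineno, ip, hosts in parse_hosts(text):
        for host in hosts:
            if on_watchlist(host):
                # Any mapping at all for these names is suspect, even to 127.0.0.1,
                # because that silently breaks antivirus and Windows updates.
                findings.append((lineno, "watchlist domain overridden", str(ip), host))
            elif not is_sinkhole(ip):
                # A name pointed at a remote address is a classic DNS redirect.
                findings.append((lineno, "redirect to non-local address", str(ip), host))
    return findings


if __name__ == "__main__":
    # On a real machine read C:\Windows\System32\drivers\etc\hosts instead.
    for lineno, reason, ip, host in find_suspicious(SAMPLE_HOSTS):
        print("line %d: %s: %s -> %s" % (lineno, reason, host, ip))
```

The check deliberately treats loopback and 0.0.0.0 as benign only for names that are not on the watch list; a security-vendor or update domain pinned to 127.0.0.1 is flagged because that is how malware disables updates without any visible redirect.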

#18 CompCav (Member 5k, Expert, 12,454 posts)
Great job! It completed. :thumbsup:

Now please post the MalwareBytes' log from Post #11 and Step 2. :)

#19 SweetHeart161 (Topic Starter, Member, 89 posts)
Yay! :hug: I couldn't find the scan from earlier, but it came up the same.



Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.04.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
))())())(()(()(( :: PC [limited]

Protection: Enabled

8/22/2009 4:49:06 AM
mbam-log-2009-08-22 (04-49-06).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 252088
Time elapsed: 24 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Edited by SweetHeart161, 04 May 2012 - 07:59 AM.


#20 CompCav (Member 5k, Expert, 12,454 posts)
Good job :thumbsup:

The log is clean.

What are the current issues with your computer?

#21 SweetHeart161 (Topic Starter, Member, 89 posts)
I still can't see the names of my usb drives.. they show up as local disk..? It wasn't like that when I first formatted.. Also.. Malwarebytes never finds anything on my pc...plus I haven't connected to the Internet to update yet.. and even then nothing.. So I would say I am still "infected" or I still have this malicious software on my pc because the symptoms are still there.. :unsure:

#22 CompCav (Member 5k, Expert, 12,454 posts)

I still can't see the names of my usb drives.. they show up as local disk

We can work on this later; it is not due to an infection, it is a setting.

What symptoms beyond the labels of usb drives are you experiencing?

#23 SweetHeart161 (Topic Starter, Member, 89 posts)
While opening programs while playing a movie the movie freezes for a few seconds.. the movies are on my usb drives. The open with tab in the top of explorer window is missing when I select a .exe file, nominal lag while scanning for infections.. I have had issues with infected explorer.exe, urlmon, terminal service starting on its own, seclogon, internet option moving to an unsafe setting on their own.. users switching sides on winlogon screen, netportsharing infected, unknown multi numbered drivers, thumbs.db infected in system32 folder.. any idea how I can make network authority user account more secure or change the password? Also should I block DNS, HTTP and HTTPS from incoming on my firewall? I haven't connected to the internet due to the risk of further infection, since the infection remains after a multi pass format..

Edited by SweetHeart161, 04 May 2012 - 09:14 AM.


#24 CompCav (Member 5k, Expert, 12,454 posts)

While opening programs while playing a movie the movie freezes for a few seconds.. the movies are on my usb drives.

So you are starting up a program while playing the movie? This is not unheard of and is not related to malware.

Did it not do this until recently?

If this is a change we may need to look at performance issues that need correcting but it is not a malware issue typically.


any idea how I can make network authority user account more secure or change the password?

What network are you running on to need this?

Also should I block DNS, HTTP and HTTPS from incoming on my firewall?
No is the simple answer. There may be a specific DNS or HTTP/HTTPS site you would want to block but stopping these would shut down any internet communication.


I am only asking these questions so that we can solve your computer issues since some may be malware and some not.


Regards,

CompCav

#25 CompCav (Member 5k, Expert, 12,454 posts)
Let's run a security check on your computer.

Security Check
Download Security Check by screen317 from here or here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.


#26 SweetHeart161 (Topic Starter, Member, 89 posts)
Results of screen317's Security Check version 0.99.32
Windows 7 x64 (UAC is enabled)
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Norton Internet Security
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 20
Java version out of date!
Adobe Flash Player 10.1.53.64 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
``````````End of Log````````````

I was curious about the NT Authority super user because I heard it is a backdoor..

Edited by SweetHeart161, 04 May 2012 - 10:00 AM.


#27 CompCav (Member 5k, Expert, 12,454 posts)

I was curious about the NT Authority super user because I heard it is a backdoor..

The scan does not show any issues of that nature.

Let's focus on what we need to update to ensure your security.



Step 1.

Clear the Java Cache by following the instructions here


Then you will need to reconnect to the internet. At this point update Norton virus definitions and update MalwareBytes' then go on to step 2.

Step 2.

Update Java

Please download JavaRa to your desktop and unzip it to its own folder

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.


Step 3.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

Uninstall all previous versions.
Download the latest version from: http://www.adobe.com.../readstep2.html

If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, uncheck the box which says Also Download Adobe Photoshop® Album Starter Edition.


Step 4.

Update Adobe Flash Player

We need to uninstall the existing Flash Player(s). Please go here
Follow steps 1. to 4.
Once Flash Player is uninstalled go on to the next paragraph.

You will need to download and install both the IE and non-IE versions of Adobe Flash Player. Make sure to uncheck the install of the McAfee tool before downloading. You will need to select your operating system (Windows 7 64-bit) and then each version to download and install separately.


Step 5.

Now we need to update Internet Explorer to 9.0.

Please go to Windows Update:

Windows Update (Win 7)


Click Start >> Control Panel >> System and Security >> Under Windows Update click Check for updates >> Check for updates

Select and install, a few at a time, any updates you have that are critical, important, and recommended, including IE 9.0.

You may have to reboot several times but this is an important step in maintaining your security.


Once this is complete make sure you set up automatic updates using instructions found here



Then come back and give me an update on your computer.

#28 SweetHeart161 (Topic Starter, Member, 89 posts)
I was also wondering about Trusted Installer having all permissions over all of my files? Also AppData and system information folders and some other folders not having permissions to be scanned by my security programs..?

#29 CompCav (Member 5k, Expert, 12,454 posts)

I was also wondering about Trusted Installer having all permissions over all of my files? Also AppData and system information folders and some other folders not having permissions to be scanned by my security programs..?

These are all normal settings of your operating system.

#30 SweetHeart161 (Topic Starter, Member, 89 posts)
Can we scan these folders? I also have issues with my admin user account always logging into a TEMP profile.. and odd consequences after making a new profile.. userinit configuring changes after logging back into my profile after it had already been established.. for several days.. Well, I have updated all the programs you have asked..