Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible Virus


  • This topic is locked This topic is locked
10 replies to this topic

#1 H£nchman

H£nchman

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Location:London
  • Local time:06:27 PM

Posted 19 April 2010 - 08:38 AM

Hey my fellow Bleepers lol, I'm new to this so I thought I'd give a shoutout...

Well recently I had to do a clean install of my xp pro which really set me back, I'm really starting to hate my laptop, but I guess its not his fault eh lol. I have a Dell inspiron 6000 and xp professional sp3 with all updates.

Well I've been trying to gather general software for my pc and a friend of mine has been sending me a couple of setup files... he sent me a bundle of .rar files one of them containing something called crack.45155.exe... This is the only file which didn't respond when i opened it. After many attempts to run the program i noticed that my internet was acting funny.. it showed me connected to the internet but the wireless zero icon was greyed out and i could not go to any website. So i restarted my computer and everything seemed fine, i went on to google and searched the file only to find out it is a virus.. With this newly gained knowledge i looked around on my computer for anything wierd but to be honest, to me.. all the files look wierd :thumbsup:.

I went to processes to see if it was running on my system but i didnt see it... i have mcafee total protection and ive scanned like crazy these last couple of days ive also tried using a couple of other softwares i.e. Advanced system optimizer 3 and Malwarebytes anti-malware no such luck in finding anything. i then hadan idea and used the windows search tool (that little dog) and typed in crack45155 surely enough it popped up and i went to its directory and deleted it with a big grin on my face. So now that i deleted that i was hoping all is well but my computer is slow and my internet connection cuts out frequently and says not connected in the [view my connections page] even though its got 100% signal. Also my when on the internet via firefox i keep getting randomly redirected to fake sites and fake search sites, also Google links are a no go for me as when i click a link it takes me to either an attact site (i have some kind of blocker with a man holding a stop sign saying this is an attack site... with the options - Get me out of here or Ignore warning), a fake anti-virus site, a site which shows two big java signs loading or a fake search site which redirects me to a site with millions of codes.

I'm hoping this is familiar and you can help me.... Thanks.
"It's ironic that God gave Man both a pen*s and a brain, but unfortunately not enough blood supply to run both at the same time."

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,768 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:27 PM

Posted 19 April 2010 - 09:36 AM

Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is hidden piece of malware (i.e. rootkit) which has not been detected by your security tools that protects malicious files and registry keys so they cannot be permanently deleted. Other types of malware can even terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Further, even if you find and remove the primary offending file, it still may have had enough time to download and install other malicious files which you have not been able to find.

Please download CKScanner and save it to your Desktop. <-Important!!!
  • Double-click on CKScanner.exe and click Search For Files.
  • If using Vista, right-click on it and Run As Administrator.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A text file will be created on your desktop named ckfiles.txt.
  • Click OK at the file saved message box.
  • Double-click the ckfiles.txt icon on your desktop to open the log and copy/paste the contents in your next reply.
Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
    For instructions with screenshots, please refer to the How to use SUPERAntiSpyware to scan and remove malware from your computer Guide.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
-- If you cannot boot into safe mode or complete a scan, then perform your scan in normal mode.

-- If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

Please post the results of your last MBAM scan for review (even if nothing was found).

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 H£nchman

H£nchman
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Location:London
  • Local time:06:27 PM

Posted 19 April 2010 - 05:33 PM

Hey, thanks for getting back to me so promtly... erm there has been a problem. The log isn't here for the SUPERAntiSpyware... I'm not sure why and I'm dreading the thought of having to do another 3 hour scan :thumbsup: (please tell me that I don't have to...) I can tell you that it found four adware tracking cookies though.
Erm is there a specific directory where the logs are stored other than through the app?

Anyway, here are the other logs you requested....


CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----


(Is CKScanner scan supposed to be this short???)




For MBAM.... this is my first scan




Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3999

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

17/04/2010 08:25:05
mbam-log-2010-04-17 (08-25-05).txt

Scan type: Quick scan
Objects scanned: 110211
Time elapsed: 2 hour(s), 5 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yvibbbha8c (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.190,93.188.161.156 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8be973c1-fd0f-402e-a7cb-86a039d5d8ac}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.190,93.188.161.156 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90dd7a30-7a8f-4313-9a41-2895053d12ba}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.190,93.188.161.156 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\spool\prtprocs\w32x86\00004fb1.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.




In comparison to my last and latest scan...



Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3999

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

18/04/2010 03:40:04
mbam-log-2010-04-18 (03-40-04).txt

Scan type: Quick scan
Objects scanned: 16447
Time elapsed: 2 hour(s), 27 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


By the way the TFC app got rid of 360 files. And also when I was in safe mode, when I started the SAS app I got some of the prompts which I recieved during installation (is this natural?) I just followed with the default options the same as when I installed, but after that it asked if i wanted to update (saying that I havent updated for 14 days), and obviously in safe mode theres no way to update without any networking so i clicked yes and waited for a while and it just skipped that phase.... I assumed that this wouldn't be much of a problem because I already installed the latest updates straight after the installation.
"It's ironic that God gave Man both a pen*s and a brain, but unfortunately not enough blood supply to run both at the same time."

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,768 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:27 PM

Posted 20 April 2010 - 08:02 AM

To retrieve the SAS scan log information, launch SAS.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
There is no need to post if it only found tracking cookies.

Now rescan again with Malwarebytes Anti-Malware, but this time perform a Full Scan in normal mode and check all items found for removal. Don't forgot to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

The database in your previous log shows 3999. Last I checked it was 4012.

Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista users need to right-click the IE or FF Start Menu or Quick Launch Bar icons and Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the Posted Image... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the Posted Image... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the Posted Image... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 H£nchman

H£nchman
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Location:London
  • Local time:06:27 PM

Posted 20 April 2010 - 05:51 PM

Phew... this took a while, sorry.

And nope the sas scan results tab is empty, I have no logs there. But like I said before it found 4 tracking cookies, so it shouldn't much of a big deal, right?

MBAM LOG

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4012

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

20/04/2010 17:05:53
mbam-log-2010-04-20 (17-05-53).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 168327
Time elapsed: 2 hour(s), 26 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\batfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\comfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\piffile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Chris\My Documents\Downloads\Nero9\MAKE NERO 9.4.26.0 RETAIL WITH FULL PLUGINS (PICTURES + INSTRUCTIONS)\keymaker.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{437309CC-E63C-4F1F-89ED-91023B670865}\RP183\A0023805.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{437309CC-E63C-4F1F-89ED-91023B670865}\RP183\A0023806.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{437309CC-E63C-4F1F-89ED-91023B670865}\RP183\A0023807.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.


KAVScan LOG

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, April 20, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, April 20, 2010 13:55:08
Records in database: 3949374
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 50084
Threats found: 1
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 03:29:32


File name / Threat / Threats count
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NC0MR8LD\s002106201317r0809R01a6bd57X801d49b2Ycbd00fb7Z0100f080[1].pdf Infected: Exploit.JS.Pdfka.cbr 1
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\ZYPFM4KH\s002106201317r0809Rbf6fdd63X801d4f9bYcbd00fb7Z0100f080[1].pdf Infected: Exploit.JS.Pdfka.cbr 1

Selected area has been scanned.
"It's ironic that God gave Man both a pen*s and a brain, but unfortunately not enough blood supply to run both at the same time."

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,768 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:27 PM

Posted 20 April 2010 - 07:57 PM

Please download OTM by OldTimer and save to your Desktop.
  • Double-click on OTM.exe to launch the program. (If using Windows Vista, be sure to Run As Administrator)
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the code box and press CTRL+C or right-click and choose Copy.
:Processes
explorer.exe

:Services

:Reg

:Files
:Files
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NC0MR8LD\s002106201317r0809R01a6bd57X801d49b2Ycbd00fb7Z0100f080[1].pdf
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\ZYPFM4KH\s002106201317r0809Rbf6fdd63X801d4f9bYcbd00fb7Z0100f080[1].pdf 

:Commands
[emptytemp]
[start explorer]
[reboot]
  • Return to OTM, right-click in the open text box labeled "Paste Instructions for Items to be Moved" (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTM\MovedFiles \mmddyyyy_hhmmss.log <- the date/time the tool was run.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. After the reboot, open Notepad, click File > Open, in the File Name box type *.log and press the Enter key. Navigate to the C:\_OTM\MovedFiles folder, open the newest .log file and copy/paste the contents in your next reply. If not asked, reboot anyway.

Caution: Be careful of what you copy and paste with this tool. OTM is a powerful program, designed to move highly persistent files and folders and is intended by the developer to be used under the guidance and supervision of a trained malware removal expert.


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 H£nchman

H£nchman
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Location:London
  • Local time:06:27 PM

Posted 21 April 2010 - 08:03 AM

OTM LOG

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== FILES ==========
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NC0MR8LD\s002106201317r0809R01a6bd57X801d49b2Ycbd00fb7Z0100f080[1].pdf moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\ZYPFM4KH\s002106201317r0809Rbf6fdd63X801d4f9bYcbd00fb7Z0100f080[1].pdf moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 184978 bytes

User: All Users

User: Chris
->Temp folder emptied: 111029076 bytes
->Temporary Internet Files folder emptied: 1328766 bytes
->Java cache emptied: 128094 bytes
->FireFox cache emptied: 54883610 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 6331 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 21896611 bytes
->Flash cache emptied: 2008 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 65536 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 374684 bytes

Total Files Cleaned = 181.00 mb


OTM by OldTimer - Version 3.1.10.2 log created on 04212010_134439

Files moved on Reboot...
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\ZYPFM4KH\event_news[1].txt not found!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0OJ2QMEC\s002106201317r0809Rb9eec031X801e9ff7Ycbd00fb7Z0100f080[1].pdf moved successfully.

Registry entries deleted on Reboot...
"It's ironic that God gave Man both a pen*s and a brain, but unfortunately not enough blood supply to run both at the same time."

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,768 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:27 PM

Posted 21 April 2010 - 08:08 AM

Looking good. How is your computer running now? Are there any more reports/alerts, signs of infection or issues with your browser?
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 H£nchman

H£nchman
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Location:London
  • Local time:06:27 PM

Posted 21 April 2010 - 08:51 AM

The computer seems to be running much smoother now but there is still the problems with the google links which keep redirecting me to other search engines, attack sites etc. By the way when the links rediredct i get a browser pop up saying a 3d parsing error has occurred.

Edited by H£nchman, 21 April 2010 - 08:55 AM.

"It's ironic that God gave Man both a pen*s and a brain, but unfortunately not enough blood supply to run both at the same time."

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,768 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:27 PM

Posted 21 April 2010 - 09:05 AM

Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is hidden piece of malware (i.e. rootkit) which has not been detected by your security tools that protects malicious files and registry keys so they cannot be permanently deleted. Other types of malware can even terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need you to create and post a DDS log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the Malware Response Team.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#11 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:27 PM

Posted 21 April 2010 - 07:26 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/311637/extremely-messy-looking-gmer-log/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users