Malware Discussions

turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
Stone Noble melody406
Stone Noble
melody406
Posts: 32
Registered: ‎02-14-2012
Accepted Solution

Need help, I believe my computer is infected with malware or a virus

Options

‎02-14-2012 12:29 PM

I upgraded the Free version of AVG 2012 on my computer on 1/9 and since have had a lot of trouble with my computer. Computer started crashing, doing redirects, telling me I was using more memory than I was, blue screens and then rebooting on its own.  I have not had a problem on this computer since 2007 when one of the tech people at CA helped me get a nasty virus off when someone who was visiting me went on a porn site. This new problem started 1/12 when I signed on to the computer and a box said "this computer has just recovered from a serious crash" or something to that effect. After that, the computer has never been the same. The AVG upgrade was done 1/9.

Also, once when I attempted to turn my computer on, it took a long time to go out of the Windows XP screen and then I got a black screen with white writing that said I should choose "settings that last worked" and that's how I was able to get the computer on.

 


In C/Documents & Settings/Delores Lewis there is a folder My Recent Documents and all the files have "shortcut" arrows in the left hand corner. When I look at Properties, it says Type of file: Shortcut.

In C/Windows there's a folder $AVG that opens to $Vault that opens to vvfolder.idx. When I open that, there's just gibberish with little boxes. There's already an AVG folder in the Programs folder, so what is $AVG.

 

Once I lost my desktop...the computer restarted itself, after failing to go into a website and then my desktop came up with a white screen that says active desktop recovery. When I do a search for a file, the file or application is coming up more than 20 times with the same kb and same date. It's as if the files are duplicating. On the desktop there was a script error with a URL that said "C:/Documents%20and%20Settings/Delores%20Lewis/Application%20Data/Microsoft/Internet%20Explorer/Desktop. When I click "return my active desktop" I kept getting this error script.

 

Another thing I'd like you to know, when I go into my AVG program, and look at Event history, 98% of the history for each day says: ""2/12/2012, 11:51:50 AM";"NT AUTHORITY\SYSTEM";"General";"AVG is starting."
The other 2% says "System" or my name. What is this and has someone taken over my computer??

 


 I spoke with a friend who said that when you see "Recycler" files on your C: drive, and you don't have access to files that you once had, then a very bad type of virus or trojan is on your computer and it can't be fixed, you have to buy another computer. Is this true??? I do have more "Recycler" files on my computer and I do have files that tell me "access denied" when I try to get in them. I am the Administrator of my computer, why would files be closed to me?   I had some forum help to no avail, so now I would like your expert opinion.  Here is HJT Log and RootKit Buster Log:

 

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:12:15 PM, on 2/13/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Universal Installer] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" /fromrun /starthidden
O4 - HKCU\..\Run: [Desktop Software] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe"  /ini "uinstaller.ini" /fromrun /starthidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll (file missing)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - Unknown owner - C:\Program Files\AVG\AVG9\avgemc.exe (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - Unknown owner - C:\Program Files\AVG\AVG9\avgwdsvc.exe (file missing)
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Blue Coat K9 Web Protection (bckwfs) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PEVSystemStart - Unknown owner - C:\Combo-Fix\pev.3XE
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\system32\PhnxCDSvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6067 bytes

 

When I did the RKB scan, it found 7 hidden registry entries and 4 operating system threats.  I clicked fix and 2 operating systems items said "can't be fixed."  Then last night when I ran the scan again, ALL of the threats were found again, even though it appeared that RKB fixed them.


2012/02/14 15:24:24 GMT-05:00 2760:3176 00 F [LogWritter_setEnable()]:  -+-+-+  RootkitBuster-5.00.01050,2012/02/14 15:24:24 Turn ON logging -+-+-+  [  (0)]
2012/02/14 15:24:24 GMT-05:00 2760:3176 00 F [LogWritter_setEnable()]:  -+-+-+  RootkitBuster-5.00.01050,2012/02/14 15:24:24 Turn ON logging -+-+-+  [  (0)]
2012/02/14 15:24:24 GMT-05:00 2760:3176 00 E [getModuleFolder]: Module path: C:\Documents and Settings\Delores Lewis\Desktop
 [  (0)]
2012/02/14 15:24:24 GMT-05:00 2760:3176 00 E [Setting::init]: Working Path: C:\Documents and Settings\Delores Lewis\Local Settings\Temp\RootkitBuster\
 [  (0)]
2012/02/14 15:24:24 GMT-05:00 2760:3176 00 E [Setting::init]: Module Path: C:\Documents and Settings\Delores Lewis\Desktop
 [  (0)]
2012/02/14 15:24:24 GMT-05:00 2760:3176 00 E [Setting::init]: DB Path: C:\Documents and Settings\Delores Lewis\Local Settings\Temp\RootkitBuster\DB
 [  (0)]
2012/02/14 15:24:24 GMT-05:00 2760:3176 00 E [Setting::init]: Sqlite Path: C:\Documents and Settings\Delores Lewis\Local Settings\Temp\RootkitBuster\sqlite3.dll
 [  (0)]
2012/02/14 15:24:24 GMT-05:00 2760:3176 00 E [Setting::init]: Schema Path: C:\Documents and Settings\Delores Lewis\Local Settings\Temp\RootkitBuster\scan_db.sql
 [  (0)]
2012/02/14 15:24:24 GMT-05:00 2760:3176 00 E [Setting::init]: Component Info Path: C:\Documents and Settings\Delores Lewis\Local Settings\Temp\RootkitBuster\component_info.cfg
 [  (0)]
2012/02/14 15:24:24 GMT-05:00 2760:3176 00 E [Setting::init]: iAU SDK Path: C:\Documents and Settings\Delores Lewis\Local Settings\Temp\RootkitBuster\IAU_SDK.exe
 [  (0)]
2012/02/14 15:24:24 GMT-05:00 2760:3176 00 E [Setting::init]: Backup DB Path: C:\Documents and Settings\Delores Lewis\Local Settings\Temp\RootkitBuster\DB
 [  (0)]
2012/02/14 15:24:24 GMT-05:00 2760:3176 00 E [Setting::init]: Backup Virus Path: C:\Documents and Settings\Delores Lewis\Local Settings\Temp\RootkitBuster\Virus
 [  (0)]
2012/02/14 15:24:30 GMT-05:00 2760:3176 00 E [TMRKB_InitializeRKB]: g_hRkbDevice:-1 [  (0)]
2012/02/14 15:24:30 GMT-05:00 2760:3176 00 E [TMRKB_InitializeRKB]: g_hRkbDevice = 196 [  (0)]
2012/02/14 15:24:30 GMT-05:00 2760:3176 00 E [TMRKB_PreScan]: g_hRkbDevice:196 [  (0)]
2012/02/14 15:24:30 GMT-05:00 2760:3176 00 E [TMRKB_InitMiniportAPI]: g_hRkbDevice:196 [  (0)]
2012/02/14 15:24:41 GMT-05:00 2760:3176 00 E [CTMRKScanWinApp::InitDriverAndLibraries]: Initialization of TMRKSCAN_Initialize() success. [  (0)]
2012/02/14 15:24:41 GMT-05:00 2760:3176 00 E [GetVersionFromInstalledModule()]: Version in Reg=5.0.0.1050 [  (0)]
2012/02/14 15:25:12 GMT-05:00 2760:3176 00 E [CConsoleDialog::updateLogHistoryList()]: Latest: 1329191314
 [  (0)]
2012/02/14 15:25:12 GMT-05:00 2760:3176 00 E [CConsoleDialog::updateLogHistoryList()]: # of items: 3
 [  (0)]
2012/02/14 15:25:12 GMT-05:00 2760:3176 00 E [CConsoleDialog::updateLogHistoryList()]: requestLogHistoryList: {"LOG_HISTORY_LIST": [{"ID": 1, "SCAN_DATE": 1329179485}, {"ID": 2, "SCAN_DATE": 1329180253}, {"ID": 3, "SCAN_DATE": 1329191314}, {"ID": 4, "SCAN_DATE": 1329251091}]}
 [  (0)]
2012/02/14 15:25:12 GMT-05:00 2760:3176 00 E [CConsoleDialog::requestLogHistory]: 1329251091
 [  (0)]
2012/02/14 15:25:12 GMT-05:00 2760:3176 00 E [CConsoleDialog::requestLogHistory]: # of items: 0x0
 [  (0)]
2012/02/14 15:25:15 GMT-05:00 2760:3176 00 E [CSICReportLogger::_CloseLogFile]: CloseLogFile [  (0)]
2012/02/14 15:25:15 GMT-05:00 2760:3176 00 E [TMRKB_DeInitMiniportAPI]: g_hRkbDevice:196 [  (0)]
2012/02/14 15:25:15 GMT-05:00 2760:3176 00 E [TMRKB_DeInitializeRKB]: g_hRkbDevice:196 [  (0)]
2012/02/14 15:25:15 GMT-05:00 2760:3176 00 E [TMRKB_PostScan]: g_hRkbDevice:196 [  (0)]
2012/02/14 15:25:15 GMT-05:00 2760:3176 00 E [WinAppDestructor()]: (After waiting)bStopped=1 [  (0)]
2012/02/14 15:25:15 GMT-05:00 2760:3176 00 E [WinAppDestructor()]: After uninstall driver=1 [  (0)]
2012/02/14 15:25:15 GMT-05:00 2760:3176 00 F [LogWritter_setEnable()]:  -+-+-+  RootkitBuster-5.00.01050,2012/02/14 15:25:15 Turn OFF logging -+-+-+  [  (0)]

Any help you can give me I'd truly appreciate it. Thanks so much!

 

Report Inappropriate Content
Message 1 of 59 (2,320 Views)
Reply
0 Kudos
Champion Noble malwarekiller
Champion Noble
malwarekiller
Posts: 3,557
Registered: ‎08-08-2011

Re: Need help, I believe my computer is infected with malware or a virus

[ Edited ]
Options

‎02-14-2012 09:31 PM - edited ‎02-14-2012 10:27 PM

Welcome aboard! Posted Image

 I would need some logs to analyze first....


Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

 

NEXT


  • Download RogueKiller and save it on your desktop.  
  •     Quit all programs 
  •     Start RogueKiller.exe.  
  •     Wait until Prescan has finished ... 
  •     Click on Scan

  
   

  • Wait for the end of the scan.   
  •     The report has been created on the desktop.   
  •     Click on the Delete button.

  
   

  • The report has been created on the desktop.
  • Next click on the ShortcutsFix  
      
      
  • The report has been created on the desktop.

Please post:  
  
All RKreport logs located on your desktop.

 

NEXT

 

 

Download OTL  to your Desktop.

http://www.geekstogo.com/forum/files/file/398-otl-oldtimers-list-it/

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe

netbt.sys

atapi.sys

volsnap.sys

redbook.sys

lsi_sas.sys

lsi_scsi.sys

cdrom*

tcpip.sys
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
C:\Windows\assembly\tmp\U\*.* /s

C:\Program Files\Common Files\ComObjects\*.* /s
CREATERESTOREPOINT


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • attach both logs

 NEXT

 

Download aswmbr.exe ( 1.8mb ) to your desktop. 

http://public.avast.com/~gmerek/aswMBR.htm
 Double click the aswMBR.exe to run it  Click the "Scan" button to start scan.

  • Click the [Scan] button to start scan

  • On completion of the scan click [Save log], save it to your desktop and post in your next reply.

     



Report Inappropriate Content
Message 2 of 59 (2,300 Views)
Reply
0 Kudos
Stone Noble melody406
Stone Noble
melody406
Posts: 32
Registered: ‎02-14-2012

Re: Need help, I believe my computer is infected with malware or a virus

Options

‎02-20-2012 12:42 PM

Thanks so much for your response...I have been down with the flu for 3 days and today is my first day back on the computer.  I have attached the Malwarebytes Log, the 3 RogueKiller Logs, the OTL. txt Log (didn't get Extras.txt) and the ansMBR Log:

 

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.20.03

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Delores Lewis :: DEENA [administrator]

2/20/2012 1:00:32 PM
mbam-log-2012-02-20 (13-00-32).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 198497
Time elapsed: 5 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

RogueKiller V7.0.4 [02/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Delores Lewis [Admin rights]
Mode: Scan -- Date : 02/20/2012 14:42:36

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 3 ¤¤¤
[] HKLM\[...]\Windows :  () -> ACCESS DENIED
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[] HKLM\[...]\Windows :  () -> ACCESS DENIED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD800BB-22JHC0 +++++
--- User ---
[MBR] 16ac99e440feab6d3eae4101840f8131
[BSP] 4e7d49a8311e69543df9e08541155bcb : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 70998 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: HP Photosmart 7800 USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt

 

 

RogueKiller V7.0.4 [02/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Delores Lewis [Admin rights]
Mode: Remove -- Date : 02/20/2012 14:43:56

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 3 ¤¤¤
[] HKLM\[...]\Windows :  () -> ACCESS DENIED
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[] HKLM\[...]\Windows :  () -> ACCESS DENIED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD800BB-22JHC0 +++++
--- User ---
[MBR] 16ac99e440feab6d3eae4101840f8131
[BSP] 4e7d49a8311e69543df9e08541155bcb : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 70998 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: HP Photosmart 7800 USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

 

 

RogueKiller V7.0.4 [02/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Delores Lewis [Admin rights]
Mode: Shortcuts HJfix -- Date : 02/20/2012 14:46:19

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 6 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 158 / Fail 0
My documents: Success 938 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 2025 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\Harddisk1\DP(1)0-0+3 -- 0x2 --> Restored

¤¤¤ Infection :  ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

 

 Will attach other logs, cannot fit on copy and paste.

Attachment OTL.Txt 2202012.txt ‏90 KB
Attachment ansMBR Log 2202012.txt ‏2 KB
Report Inappropriate Content
Message 3 of 59 (2,163 Views)
Reply
0 Kudos
Stone Noble melody406
Stone Noble
melody406
Posts: 32
Registered: ‎02-14-2012

Re: Need help, I believe my computer is infected with malware or a virus

Options

‎02-20-2012 12:53 PM

I had to copy and past the MB Log and the 3 RogueKiller Logs and I attached the OTL Log and the ansMBR Log.  If you didn't get all of them, please let me know.  Also, while looking at the logs I see a lot of mention of Mozilla and/or FireFox.  I don't have them on my computer that I know of and have never used them before.

 

 

 

Report Inappropriate Content
Message 4 of 59 (2,160 Views)
Reply
0 Kudos
Champion Noble malwarekiller
Champion Noble
malwarekiller
Posts: 3,557
Registered: ‎08-08-2011

Re: Need help, I believe my computer is infected with malware or a virus

[ Edited ]
Options

‎02-20-2012 09:13 PM - edited ‎02-20-2012 09:14 PM

Hi the OTL log has 2 to 3 of baddies to kill....

 

Warning This fix is only relevant for this system and no other, using on another computer may cause problems 

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot 

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
:OTL
[2012/02/20 14:00:00 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\oymdqrpj.job
[2006/12/31 19:12:40 | 000,010,920 | ---- | M] () -- C:\aolconnfix.exe
[2004/09/16 12:26:40 | 000,012,634 | ---- | C] () -- C:\WINDOWS\System32\drivers\ADFUUD.SYS

ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Please attach the log generated after the fix completion.

 

NEXT

 

For x32 (x86) bit systems download farbar recovery scan tool and save it to a flash drive.

 

download link is located here:

 

http://www.bleepingcomputer.com/forums/topic439879.html

 


For x64 bit systems downloadfarbar recovery scan tool and save it to a flash drive.

download link is located here:

 

http://www.bleepingcomputer.com/forums/topic439879.html


Plug the flashdrive into the infected PC.

Enter System Recovery Options

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.


On the System Recovery Options menu you will get the following options:Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter 
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Report Inappropriate Content
Message 5 of 59 (2,141 Views)
Reply
0 Kudos
Stone Noble melody406
Stone Noble
melody406
Posts: 32
Registered: ‎02-14-2012

Re: Need help, I believe my computer is infected with malware or a virus

Options

‎02-21-2012 11:29 AM

Here's the OTL Fix Log;  I'm not able to enter System Recovery Options from Advanced Boot Options.  I have XP Service Pack 2, and I cannot find anything that says Repair your computer menu item.  I saw a screen in black and white when pressing F8, which has safe mode, etc.  I also went into the BIOS screen but saw nothing to help me fix anything.  Can you explain it further??

 

Also, while OTL was running the Fix log a screen popped up that said "OTL:  Corrupt file,  The file or Directory C: is corrupt and unreadable.  Please run ckdsk utility."  The OTL scan processed completely though.

 

 

 

 

All processes killed
========== OTL ==========
C:\WINDOWS\tasks\oymdqrpj.job moved successfully.
C:\aolconnfix.exe moved successfully.
C:\WINDOWS\system32\drivers\ADFUUD.SYS moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
[EMPTYTEMP]
 
User: All Users
->Flash cache emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Delores Lewis
->Temp folder emptied: 97201994 bytes
->Temporary Internet Files folder emptied: 819494 bytes
->Java cache emptied: 0 bytes
->Apple Safari cache emptied: 35840 bytes
->Flash cache emptied: 470 bytes
 
User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Louis Washington
->Temporary Internet Files folder emptied: 0 bytes
 
User: NetworkService
->Temp folder emptied: 896 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2194864 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 51408870 bytes
 
Total Files Cleaned = 145.00 mb
 
 
[EMPTYFLASH]
 
User: All Users
->Flash cache emptied: 0 bytes
 
User: Default User
->Flash cache emptied: 0 bytes
 
User: Delores Lewis
->Flash cache emptied: 0 bytes
 
User: Guest
->Flash cache emptied: 0 bytes
 
User: LocalService
 
User: Louis Washington
 
User: NetworkService
 
Total Flash Files Cleaned = 0.00 mb
 
Restore points cleared and new OTL Restore Point set!
 
OTL by OldTimer - Version 3.2.31.0 log created on 02212012_121456

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

 

Report Inappropriate Content
Message 6 of 59 (2,120 Views)
Reply
0 Kudos
Champion Noble malwarekiller
Champion Noble
malwarekiller
Posts: 3,557
Registered: ‎08-08-2011

Re: Need help, I believe my computer is infected with malware or a virus

[ Edited ]
Options

‎02-21-2012 08:07 PM - edited ‎02-21-2012 08:07 PM

Hi i think u have a corrupted C: so we have to run chkdsk utility to fix it...

 

Try the below go to Run... command for me please:-

sfc /purgecache

And let myself know the outcome, also run the below:-

Check Hard Disk For Errors:

Press Start >> Run..., then copy/paste the following command into the box and press OK:

 

cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"


A blank command window will open on your desktop, then close in a few minutes. This is normal. 

A file icon named checkhd.txt should appear on your Desktop. Please post the contents of this file.

 

Hard-Drive Maintenance/Repair:

Note: for the CHKDSK portion you may refer to this tutorial of mine here and follow the instructions for Graphical Mode if you so wish.

Click on Start >> Run and type cleanmgr in the box and press OK.

  • Ensure the boxes for Temporary FilesTemporary Internet Files and Recycle Bin are checked.
  • You can choose to check other boxes if you wish but they are not required.
  • Click on OK then Yes.

Next:-

  • Click on Start >> Run... then type in CMD and click on OK.
  • At the Command Prompt C:\ > type the following:
  • CD C:\ and hit the Enter/Return key.
  • Now type in DEFRAG C: -F
  • A Analysis report will be displayed and then Windows will start the Defragmention run automatically.
  • This may take some time, when completed the Command Prompt C:\ > will appear.
  • Now type in CHKDSK C: /R and hit the Enter/Return key.
  • When prompted with:

 

CHKDSK cannot run because the volume is in use by another process
Would you like to schedule this volume to be checked next time the system 
restarts (Y/N)

  • Hit the key then at the Command Prompt C:\ >
  • Type in EXIT and and hit the Enter/Return key.
  • Now Reboot(Restart) your computer.


Note: Upon Reboot(Restart) the CHKDSK(check-disk) will start and carry out the repairs required.

Report Inappropriate Content
Message 7 of 59 (2,107 Views)
Reply
0 Kudos
Stone Noble melody406
Stone Noble
melody406
Posts: 32
Registered: ‎02-14-2012

Re: Need help, I believe my computer is infected with malware or a virus

Options

‎02-22-2012 08:17 AM

Ran the steps for the C drive.  Everything worked up to the point of DEFRAG.  Will have to run that separately maybe.  When I tried your way, kept saying run chkdsk first which machine had already did.  Anyway, here's the log:

 

The type of the file system is NTFS.

WARNING!  F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
CHKDSK is verifying indexes (stage 2 of 3)...
CHKDSK is recovering lost files.
CHKDSK is verifying security descriptors (stage 3 of 3)...
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
Correcting errors in the master file table's (MFT) BITMAP attribute.
Correcting errors in the Volume Bitmap.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.

  72702125 KB total disk space.
  24466032 KB in 57874 files.
     26812 KB in 10201 indexes.
         0 KB in bad sectors.
    175557 KB in use by the system.
     65536 KB occupied by the log file.
  48033724 KB available on disk.

      4096 bytes in each allocation unit.
  18175531 total allocation units on disk.
  12008431 allocation units available on disk.

 

Are we finished with the infections?

Thanks!

Report Inappropriate Content
Message 8 of 59 (2,098 Views)
Reply
0 Kudos
Champion Noble malwarekiller
Champion Noble
malwarekiller
Posts: 3,557
Registered: ‎08-08-2011

Re: Need help, I believe my computer is infected with malware or a virus

[ Edited ]
Options

‎02-22-2012 08:26 AM - edited ‎02-22-2012 08:32 AM

OK u have some errors and corrupted files on your PC...open command prompt and type this in:

 

CHKDSK /R [Notice space between K and /]

 

Reboot if asked.

 

Once fininshed post the data from chkdsk and we will continue fixing your computer.

Report Inappropriate Content
Message 9 of 59 (2,096 Views)
Reply
0 Kudos
Stone Noble melody406
Stone Noble
melody406
Posts: 32
Registered: ‎02-14-2012

Re: Need help, I believe my computer is infected with malware or a virus

Options

‎02-22-2012 04:45 PM

Ran the chkdk but didn't get a post from it.  It said "chkdk cannot run because the volume is in use by another process, would you like to schedule this volume to be checked next time the system restarts" and I answered yes.  The computer restarted and chkdsk ran.  It took a long time but it finally finished.  I wanted to "print screen" but didn't know how to.  Anyway, when it finished, it said "The volume is clean." 

Report Inappropriate Content
Message 10 of 59 (2,073 Views)
Reply
0 Kudos