win32/olmarik aj. trojan

[oldman960]

Hi asrash,

Next, Double click on OTL.exe

• Under the Custom Scans/Fixes box at the bottom, paste in the following
• Do Not copy the word CODE
• please note the fix starts with the :

Code:

:Services

:OTL
FF - prefs.js..browser.search.defaultenginename: "Search Results"
FF - prefs.js..browser.search.selectedEngine: "Search Results"
FF - prefs.js..keyword.URL: "http://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&q="
FF - prefs.js..browser.search.order.1: "Search Results"
FF - prefs.js..browser.startup.homepage: "http://search.jzip.com/"
FF - prefs.js..extensions.enabledItems: {8A9386B4-E958-4c4c-ADF4-8F26DB3E4829}:2.1.0
[2011/09/21 13:22:43 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\pjp1dlwi.default\searchplugins\SearchResults.xml
[2011/09/21 13:22:43 | 000,002,497 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\SearchResults.xml
O4 - HKLM..\Run: [DATAMNGR] C:\Program Files\Windows jZip Toolbar\Datamngr\datamngrUI.exe (Discordia, LTD)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
[2010/02/26 09:55:34 | 000,015,028 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\rQVN4I4g

:Commands
[createrestorepoint]
[emptytemp]

Then click the Run Fix button at the top

• Let the program run unhindered
• Please save the resulting log to be posted in your next reply.

Please post the OTL fix log.

Is your homepage and search ok now?

Thanks

[arash]

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
Prefs.js: "Search Results" removed from browser.search.defaultenginename
Prefs.js: "Search Results" removed from browser.search.selectedEngine
Prefs.js: "http://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&q=" removed from keyword.URL
Prefs.js: "Search Results" removed from browser.search.order.1
Prefs.js: "http://search.jzip.com/" removed from browser.startup.homepage
Prefs.js: {8A9386B4-E958-4c4c-ADF4-8F26DB3E4829}:2.1.0 removed from extensions.enabledItems
File C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\pjp1dlwi.default\searchplugins\SearchResults.xml not found.
File C:\Program Files\mozilla firefox\searchplugins\SearchResults.xml not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\DATAMNGR not found.
File C:\Program Files\Windows jZip Toolbar\Datamngr\datamngrUI.exe not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
File C:\Documents and Settings\User\Local Settings\Application Data\rQVN4I4g not found.
========== COMMANDS ==========
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LogMeInRemoteUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: parisaparadis
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: TEMP
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: User
->Temp folder emptied: 136958573 bytes
->Temporary Internet Files folder emptied: 29093968 bytes
->Java cache emptied: 224331 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 18419440 bytes
->Flash cache emptied: 1176 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 7351966 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 29687 bytes

Total Files Cleaned = 183.00 mb


OTL by OldTimer - Version 3.2.29.1 log created on 10032011_202001

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

[oldman960]

Hi arash,

How's the computer?

[arash]

all seem ok

Thanks so much for your help

regards

arash

[oldman960]

Hi arash,

Let's clean up some remnants and run a couple of scans to look for stragglers.

Next, Double click on OTL.exe

• Under the Custom Scans/Fixes box at the bottom, paste in the following
• Do Not copy the word CODE
• please note the fix starts with the :

Code:

:Services

:Files
C:\Program Files\Windows jZip Toolbar
C:\Program Files\Windows jZip 
C:\Documents and Settings\User\Application Data\jzipband

Then click the Run Fix button at the top

• Let the program run unhindered
• Please save the log

Please post the OTL fix log in your next reply.



You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

• Click the Update tab
• Click Check for Updates
• If an update is found, it will download and install the latest version.
• The program will close to update and reopen.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.



Please run the F-Secure Online Scanner from F-Secure.

• At the bottom of the webpage, read and agree to the license terms and click run check. Be sure to run the Online Scanner and not the Health Check!
• If prompted, give the java plug-in permission to run.
• Select Quick Scan when prompted, and then click on Scan.
• Once the scan is finished, tick off Automatically and Send the Files to F-Secure.
• After clicking on next, click on Full Report. A log should appear in your internet browser. Copy that information and post it here.

Please post back with

• OTL fix log
• MBAM log
• F-Secure log

Thanks

[arash]

========== SERVICES/DRIVERS ==========
========== FILES ==========
C:\Program Files\Windows jZip Toolbar\Datamngr\FirefoxExtension\content folder moved successfully.
C:\Program Files\Windows jZip Toolbar\Datamngr\FirefoxExtension\components folder moved successfully.
C:\Program Files\Windows jZip Toolbar\Datamngr\FirefoxExtension folder moved successfully.
C:\Program Files\Windows jZip Toolbar\Datamngr folder moved successfully.
C:\Program Files\Windows jZip Toolbar folder moved successfully.
File\Folder C:\Program Files\Windows jZip not found.
C:\Documents and Settings\User\Application Data\jzipband folder moved successfully.

OTL by OldTimer - Version 3.2.29.1 log created on 10112011_204524

Edit
http://forums.spybot.info/showthread...992#post369992

[oldman960]

Hi arash,

How are you making out with the rest? How's the computer?

[oldman960]

Due to inactivity, this thread will now be closed.

Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.