Sorry, but what do you mean by "( Make sure you include :Processes )" ?
Sorry, I missed that part out.
Refresh the page and look at the code box now.
Microsoft MVP Consumer Security 2009 -2010
If we have helped, please consider a donation
THESE INSTRUCTIONS ARE FOR THIS USER ONLY
Oh. So I already did it without :processes
Sorry for being impatient. Below is the report I obtained:
All processes killed
========== FILES ==========
D:\$RECYCLE.BIN\S-1-5-21-1171192100-3469164339-847101491-1000\desktop.ini moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
User: All Users
User: Default
->Temp folder emptied: 0 bytes
File delete failed. C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SR4PIAG2\desktop.ini scheduled to be deleted on reboot.
File delete failed. C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OYUA34UW\desktop.ini scheduled to be deleted on reboot.
File delete failed. C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NHJNGCI9\desktop.ini scheduled to be deleted on reboot.
File delete failed. C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8AY0OR80\desktop.ini scheduled to be deleted on reboot.
File delete failed. C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini scheduled to be deleted on reboot.
File delete failed. C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes
User: Default User
->Temp folder emptied: 0 bytes
File delete failed. C:\Users\Default User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SR4PIAG2\desktop.ini scheduled to be deleted on reboot.
File delete failed. C:\Users\Default User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OYUA34UW\desktop.ini scheduled to be deleted on reboot.
File delete failed. C:\Users\Default User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NHJNGCI9\desktop.ini scheduled to be deleted on reboot.
File delete failed. C:\Users\Default User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8AY0OR80\desktop.ini scheduled to be deleted on reboot.
File delete failed. C:\Users\Default User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini scheduled to be deleted on reboot.
File delete failed. C:\Users\Default User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Users\Default User\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes
User: James
->Temp folder emptied: 76293068 bytes
File delete failed. C:\Users\James\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 24524431 bytes
->Java cache emptied: 57055012 bytes
->FireFox cache emptied: 48553921 bytes
->Google Chrome cache emptied: 35510766 bytes
User: Public
User: Sabina
->Temp folder emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
File delete failed. C:\Windows\DUMP4440.tmp scheduled to be deleted on reboot.
%systemroot% .tmp files removed: 137319958 bytes
%systemroot%\System32 .tmp files removed: 3334776 bytes
Windows Temp folder emptied: 6771209 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 371.39 mb
OTM by OldTimer - Version 3.0.0.5 log created on 07302009_231419
Files moved on Reboot...
File move failed. C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SR4PIAG2\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OYUA34UW\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NHJNGCI9\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8AY0OR80\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Users\Default User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SR4PIAG2\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Users\Default User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OYUA34UW\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Users\Default User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NHJNGCI9\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Users\Default User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8AY0OR80\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Users\Default User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Users\Default User\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Windows\DUMP4440.tmp scheduled to be moved on reboot.
Registry entries deleted on Reboot...
Spybot still finds Win32.Buzus.amit .
Should I follow the instructions above again but including :Processes ?
Where does Spybot find it now ?
Uninstall Combofix
- This will clear your System Volume Information restore points and remove all the infected files that were quarantined
- Click START, type RUN into the search box, then click Enter
- Now type Combofix /u in the run box and click OK. Note the space between the X and the /U; it needs to be there.
Uninstall OTMoveIt (OTM.exe)
- Open OTMoveIt, click Cleanup.
- When a box pops up, click YES.
Spybot detects it when I right-click on the recycle bin file inside D:\.
I am running a full Spybot scan now to see if it picks it up that way too. I first scanned the recycle bin with Spybot because Avira kept freezing when it reached it and was unable to complete a full scan. When I ran Kaspersky (on your advice) it also froze at this same file. However, Avira and Kaspersky now detect nothing AND complete their scans.
I will follow the instructions you have just posted and will post the results of the full Spybot scan - though I'm not even sure if it is configured to scan the $RECYCLE.BIN folder under the basic 'scan for problems' option.
After I uninstalled Combofix, hidden files disappeared. I re-selected 'show hidden files and folders.'
Right-clicking the recycle bin file inside the $RECYCLE.BIN folder with Spybot still finds:
Spybot Search & Destroy (Malware)
desktop.ini nothing found
Spybot Search & Destroy (Heuristic)
desktop.ini Win32.Buzus.amit
The 'full' Spybot scan found nothing.
OTM.exe does not appear to have uninstalled. Also, on restarting the computer I get error messages (x7) from ERUNT.
What error message do you get from Erunt ?
( I suspect it's due to UAC )
Navigate to D:\ Right click on $RECYCLE.BIN and select Delete.
Click yes to any warnings.
Now delete something from the D: drive so that it gets recreated. (doesn't matter what, you can just create a new text document and delete that)
You may get a couple of error warnings, just click OK/Yes.
Reboot and see if spybot still finds a problem with the folder.
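The two steps in the post above (delete D:\$RECYCLE.BIN, then delete a file so Windows recreates it), written out as an added PowerShell example. This is not code from the original thread or from any of the tools mentioned in it. Before and after the reset it lists what the folder holds, so you can see whether each desktop.ini is the stock Recycle Bin marker (the stock file carries the Recycle Bin CLSID {645FF040-5081-101B-9F08-00AA002F954E}) and what each $I/$R pair was before it was deleted. Assumptions: the data drive is D:, the shell is run elevated (the folder is System+Hidden), the probe file name is made up, and the $I index layout is the Vista/7 one (version 1; the version-2 layout of later Windows is handled as well).

```powershell
# Added example, not part of the original thread. Assumes drive D: and an elevated shell.
$Drive = 'D:'
$Bin   = Join-Path $Drive '$RECYCLE.BIN'
$RecycleBinClsid = '{645FF040-5081-101B-9F08-00AA002F954E}'   # CLSID found in a stock desktop.ini

# SHA-1 via .NET so the script also works on PowerShell 2.0 (no Get-FileHash there).
function Get-Sha1Hex ([string]$Path) {
    $sha = [System.Security.Cryptography.SHA1]::Create()
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try   { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

# Parse a $I<id> index file: 8-byte version, 8-byte size, 8-byte FILETIME, then the original path.
function Read-RecycleBinIndex ([string]$Path) {
    $b       = [System.IO.File]::ReadAllBytes($Path)
    $version = [System.BitConverter]::ToInt64($b, 0)
    $size    = [System.BitConverter]::ToInt64($b, 8)
    $deleted = [DateTime]::FromFileTimeUtc([System.BitConverter]::ToInt64($b, 16))
    if ($version -eq 2) {
        # Windows 10 and later: explicit UTF-16 character count at offset 24, path at 28.
        $chars = [System.BitConverter]::ToInt32($b, 24)
        $name  = [System.Text.Encoding]::Unicode.GetString($b, 28, $chars * 2).TrimEnd([char]0)
    } else {
        # Vista/7/8: fixed 260-character (520-byte) null-padded buffer at offset 24.
        $name  = [System.Text.Encoding]::Unicode.GetString($b, 24, 520).TrimEnd([char]0)
    }
    New-Object PSObject -Property @{ Index = $Path; OriginalPath = $name; Size = $size; DeletedUtc = $deleted }
}

# Inventory every file under the bin (one sub-folder per user SID), with a hash and a
# sanity check for the two file kinds that matter here.
function Show-RecycleBin ([string]$BinPath) {
    if (-not (Test-Path -LiteralPath $BinPath)) { Write-Host "$BinPath does not exist"; return }
    Get-ChildItem -LiteralPath $BinPath -Force -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $f = $_
            Write-Host ("{0,-70} {1,10} bytes  SHA1 {2}" -f $f.FullName, $f.Length, (Get-Sha1Hex $f.FullName))
            switch -Wildcard ($f.Name) {
                'desktop.ini' {
                    $text  = [System.IO.File]::ReadAllText($f.FullName)
                    $stock = $text -match [regex]::Escape($RecycleBinClsid)
                    Write-Host ("    desktop.ini carries the Recycle Bin CLSID: {0}" -f $stock)
                }
                '$I*' {
                    $i = Read-RecycleBinIndex $f.FullName
                    Write-Host ("    deleted {0:u}, was {1} ({2} bytes)" -f $i.DeletedUtc, $i.OriginalPath, $i.Size)
                }
            }
        }
}

Show-RecycleBin $Bin

# Step 1 of the instructions: remove the whole folder, per-SID sub-folders included.
Remove-Item -LiteralPath $Bin -Recurse -Force

# Step 2: delete a throwaway file *through the shell* so Windows recreates $RECYCLE.BIN\<SID>.
# Remove-Item bypasses the bin, so the VB FileSystem API is used to send the file to it.
Add-Type -AssemblyName Microsoft.VisualBasic
$probe = Join-Path $Drive 'recycle-probe.txt'            # hypothetical file name
Set-Content -LiteralPath $probe -Value 'throwaway'
[Microsoft.VisualBasic.FileIO.FileSystem]::DeleteFile($probe,
    [Microsoft.VisualBasic.FileIO.UIOption]::OnlyErrorDialogs,
    [Microsoft.VisualBasic.FileIO.RecycleOption]::SendToRecycleBin)

# Step 3: a fresh bin should hold only a stock desktop.ini plus the probe's $I/$R pair.
Show-RecycleBin $Bin
```

Run it elevated, then reboot and rescan as the post says. If the "after" listing shows a desktop.ini whose CLSID check prints False, or $I/$R pairs other than the probe's, something other than the shell is writing into that folder and the hashes give you something concrete to look up.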
I didn't get an error report this time from Erunt. I was getting something along the lines of 'unable to save, will have to restore manually'.
I think I followed your instructions correctly. After re-start, $RECYCLE.BIN reappeared. Right-clicking and scanning with Spybot now looks different, but still finding Trojan:
Spybot Search & Destroy (Malware)
$I5WWNIV.doc Nothing found
$R5WWNIV.doc Nothing found
desktop.ini Nothing found
Spybot Search & Destroy (Heuristic)
$I5WWNIV.doc Nothing found
$R5WWNIV.doc Nothing found
desktop.ini Win32.Buzus.ini
There are 2 desktop.ini icons on my desktop.
I scanned both with Spybot.
Results from the first one:
Spybot Search & Destroy (Malware)
$I5WWNIV.doc Nothing found
$R5WWNIV.doc Nothing found
desktop.ini Nothing found
desktop.ini Nothing found
Spybot Search & Destroy (Heuristic)
$I5WWNIV.doc Nothing found
$R5WWNIV.doc Nothing found
desktop.ini Nothing found
desktop.ini Win32.Buzus.ini
The second one:
Spybot Search & Destroy (Malware)
desktop.ini Nothing found
Spybot Search & Destroy (Heuristic)
desktop.ini Nothing found
A scan of both 5 minutes later and they are both clean!?
The recycle bin in D still shows as infected though.