
Thread: Problem with TrojanDownloader:Win32/Adload.DA

  1. #11
    Junior Member
    Join Date
    Aug 2012
    Posts
    24


    hey Maxi,

    I haven't run it. I just downloaded it and moved it to my desktop, just in case it was required, because it seemed to be a tool that your team recommends now and then. Should I go ahead and run it now?

    And no, not so far as I can see. Is there a way of finding out what file it thinks is infected?

    Cheers,

    davman

  2. #12
    Retired Graduate
    Join Date
    Apr 2012
    Posts
    61


    Hi Davman, please don't run ComboFix unless I ask you to.

    Step 1
    Run OTL Script

    We need to run an OTL Fix

    • Right click on OTL.exe and select "Run As Administrator" to run it.
    • Copy and Paste the following code into the textbox. Do not include the word Code
      Code:
      :otl
      IE - HKCU\..\SearchScopes,DefaultScope = {90342DB8-D648-40CB-A590-737A3BDB14A1}
      O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_16)
      O16:64bit: - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_16)
      O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_16)
      O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_33)
      O16 - DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_33)
      O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_33)
      [2012/08/14 11:31:50 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{E0A3D526-40DD-464F-A317-404D3787F1DA}
      [2012/08/14 11:31:38 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{700BD24A-8440-47CE-9E8E-AE2F4A42711E}
      [2012/08/12 01:18:47 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{146EF47C-D714-471A-9B51-141C77C6117D}
      [2012/08/12 01:18:35 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{558B7AAE-093A-4BC8-A240-7CA258117302}
      [2012/08/10 13:03:34 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{07E934E0-09E6-4946-9B4C-9D50014994C2}
      [2012/08/10 13:03:23 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{51324D49-A93C-4F23-8B4B-A23E53043D53}
      [2012/08/09 11:20:14 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{C635DD5E-9C46-4EF2-87CD-A07847FB57E9}
      [2012/08/09 11:20:02 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{1075C4C3-2ED3-4E6A-A70C-2D0E1C414B9D}
      [2012/08/08 10:58:19 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{A85858E1-81A1-45F5-8C37-052A3B942905}
      [2012/08/08 10:58:08 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{D02DAE67-8896-48A1-B445-ACD7E68D7D2A}
      [2012/08/07 22:54:19 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{8BD1CA47-98C7-4A8A-8F20-70CF1FE3FEA3}
      [2012/08/07 22:54:07 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{C86D4F3E-6725-45DD-86F6-19E4C8464BB4}
      [2012/08/06 10:18:33 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{F0184283-6A19-4473-8A34-FACE746AC102}
      [2012/08/06 10:18:21 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{E751669D-BDC5-458F-BA3C-2983C00C3495}
      [2012/08/05 20:45:43 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{3335AE37-A368-4BE9-89CF-289B496A3864}
      [2012/08/05 20:45:31 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{D0D4C40F-8F6A-472C-89FF-7E9366C2C49D}
      [2012/08/04 21:12:40 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{A2998720-0C66-40BA-AEAB-489560C2B90B}
      [2012/08/04 21:12:28 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{F12AAF02-7566-46E7-BAFF-793C2FB4DBFD}
      [2012/08/03 00:22:01 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{365F84CA-C42D-4E4D-8441-ED16F51128D5}
      [2012/08/03 00:21:49 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{F21CAF8F-4EB2-4E21-A077-0101720065E9}
      [2012/08/01 16:49:16 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{AD4D47E2-A897-4205-869D-18C00549FEAB}
      [2012/08/01 16:49:04 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{68E074A9-5711-4070-8020-1F4C39B0CFE1}
      [2012/07/31 11:49:25 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{4F0024CC-BC4E-47AE-B3BF-4937B7717C98}
      [2012/07/31 11:49:13 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{2EFD4E05-C37B-4D9A-A802-F5D47B35459E}
      [2012/07/30 11:47:59 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{1334293C-21AC-4C35-94BF-00ACDF68A1B6}
      [2012/07/30 11:47:48 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{71923C93-E810-44ED-A713-A70F96FF17FE}
      [2012/07/29 22:58:18 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{A60C8A92-E1CE-471F-A9A7-9737207438EE}
      [2012/07/29 22:58:06 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{1A7D5CBF-C980-4225-9D3D-54DA94A56E5E}
      [2012/07/28 13:56:35 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{4F21A5F1-B554-4151-8161-C9E2837DE4E1}
      [2012/07/28 13:56:24 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{46D2D956-BF04-4ABC-8504-90146FBF5BD2}
      [2012/07/26 16:41:31 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{4F3BC134-DF2D-4376-9F63-BC53EDDA7725}
      [2012/07/26 16:41:20 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\{3A14E972-84E7-47B4-BBF4-371CC696AF2B}
      [2011/11/17 20:43:34 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
      [2012/05/17 12:10:30 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}
      [2012/06/18 10:57:34 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
      
      
      
      :files
      ipconfig /flushdns /c
      
      :commands
      [emptytemp]
      [resethosts]
      [createrestorepoint]
    • Then click the Run Fix button at the top.
    • Click .
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.



    Step 2
    Malwarebytes' Anti-Malware (decline the trial when offered; you can try it if you wish after we're done)

    Please download Malwarebytes' Anti-Malware and save to your desktop.

    • Right-click mbam-setup.exe and select "Run as administrator", then follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      Update Malwarebytes' Anti-Malware
      Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Quick Scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
      Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
    • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply.
    • The log can also be found here:
      C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


    Step 3
    ESET online scanner

    Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

    Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • First please disable any antivirus you have active, as shown in This topic.
    • Note: Don't forget to re-enable it after the scan.
    • Next hold down Control, then click on the following link to open a new window to ESET online scanner.
    • Select the option YES, I accept the Terms of Use then click on Start.
      Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
      All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
    • When prompted allow the Add-On/Active X to install.
    • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
    • Now click on Advanced Settings and select the following:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
    • Now click on Start.
    • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
    • When completed the Online Scan will begin automatically.
    • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
    • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
    • Now click on Finish.
    • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    • Copy and paste that log as a reply to this topic.


    In your next reply please include:
    The OTL logfile.
    The Malwarebytes log.
    The eset log.
    Any problems you had with my instructions.

    Regards, maxi

  3. #13
    Junior Member
    Join Date
    Aug 2012
    Posts
    24


    Hey Maxi,

    Here are the logs you requested. The ESET logfile seemed to be really empty despite apparently finding 4 infections? I have included the text export of the details of these infections according to ESET.

    1./ New OTL Log:

    All processes killed
    ========== OTL ==========
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
    Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}\ not found.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
    C:\Users\Dave\AppData\Local\{E0A3D526-40DD-464F-A317-404D3787F1DA} folder moved successfully.
    C:\Users\Dave\AppData\Local\{700BD24A-8440-47CE-9E8E-AE2F4A42711E} folder moved successfully.
    C:\Users\Dave\AppData\Local\{146EF47C-D714-471A-9B51-141C77C6117D} folder moved successfully.
    C:\Users\Dave\AppData\Local\{558B7AAE-093A-4BC8-A240-7CA258117302} folder moved successfully.
    C:\Users\Dave\AppData\Local\{07E934E0-09E6-4946-9B4C-9D50014994C2} folder moved successfully.
    C:\Users\Dave\AppData\Local\{51324D49-A93C-4F23-8B4B-A23E53043D53} folder moved successfully.
    C:\Users\Dave\AppData\Local\{C635DD5E-9C46-4EF2-87CD-A07847FB57E9} folder moved successfully.
    C:\Users\Dave\AppData\Local\{1075C4C3-2ED3-4E6A-A70C-2D0E1C414B9D} folder moved successfully.
    C:\Users\Dave\AppData\Local\{A85858E1-81A1-45F5-8C37-052A3B942905} folder moved successfully.
    C:\Users\Dave\AppData\Local\{D02DAE67-8896-48A1-B445-ACD7E68D7D2A} folder moved successfully.
    C:\Users\Dave\AppData\Local\{8BD1CA47-98C7-4A8A-8F20-70CF1FE3FEA3} folder moved successfully.
    C:\Users\Dave\AppData\Local\{C86D4F3E-6725-45DD-86F6-19E4C8464BB4} folder moved successfully.
    C:\Users\Dave\AppData\Local\{F0184283-6A19-4473-8A34-FACE746AC102} folder moved successfully.
    C:\Users\Dave\AppData\Local\{E751669D-BDC5-458F-BA3C-2983C00C3495} folder moved successfully.
    C:\Users\Dave\AppData\Local\{3335AE37-A368-4BE9-89CF-289B496A3864} folder moved successfully.
    C:\Users\Dave\AppData\Local\{D0D4C40F-8F6A-472C-89FF-7E9366C2C49D} folder moved successfully.
    C:\Users\Dave\AppData\Local\{A2998720-0C66-40BA-AEAB-489560C2B90B} folder moved successfully.
    C:\Users\Dave\AppData\Local\{F12AAF02-7566-46E7-BAFF-793C2FB4DBFD} folder moved successfully.
    C:\Users\Dave\AppData\Local\{365F84CA-C42D-4E4D-8441-ED16F51128D5} folder moved successfully.
    C:\Users\Dave\AppData\Local\{F21CAF8F-4EB2-4E21-A077-0101720065E9} folder moved successfully.
    C:\Users\Dave\AppData\Local\{AD4D47E2-A897-4205-869D-18C00549FEAB} folder moved successfully.
    C:\Users\Dave\AppData\Local\{68E074A9-5711-4070-8020-1F4C39B0CFE1} folder moved successfully.
    C:\Users\Dave\AppData\Local\{4F0024CC-BC4E-47AE-B3BF-4937B7717C98} folder moved successfully.
    C:\Users\Dave\AppData\Local\{2EFD4E05-C37B-4D9A-A802-F5D47B35459E} folder moved successfully.
    C:\Users\Dave\AppData\Local\{1334293C-21AC-4C35-94BF-00ACDF68A1B6} folder moved successfully.
    C:\Users\Dave\AppData\Local\{71923C93-E810-44ED-A713-A70F96FF17FE} folder moved successfully.
    C:\Users\Dave\AppData\Local\{A60C8A92-E1CE-471F-A9A7-9737207438EE} folder moved successfully.
    C:\Users\Dave\AppData\Local\{1A7D5CBF-C980-4225-9D3D-54DA94A56E5E} folder moved successfully.
    C:\Users\Dave\AppData\Local\{4F21A5F1-B554-4151-8161-C9E2837DE4E1} folder moved successfully.
    C:\Users\Dave\AppData\Local\{46D2D956-BF04-4ABC-8504-90146FBF5BD2} folder moved successfully.
    C:\Users\Dave\AppData\Local\{4F3BC134-DF2D-4376-9F63-BC53EDDA7725} folder moved successfully.
    C:\Users\Dave\AppData\Local\{3A14E972-84E7-47B4-BBF4-371CC696AF2B} folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\locale\zh-TW folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\locale\zh-CN folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\locale\sv-SE folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\locale\ko-KR folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\locale\ja-JP folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\locale\it-IT folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\locale\fr-FR folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\locale\es-ES folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\locale\en-US folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\locale\de-DE folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\locale folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\content\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome\content folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\chrome folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\locale\zh-TW folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\locale\zh-CN folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\locale\sv-SE folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\locale\ko-KR folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\locale\ja-JP folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\locale\it-IT folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\locale\fr-FR folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\locale\es-ES folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\locale\en-US folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\locale\de-DE folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\locale folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\content\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome\content folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\chrome folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\locale\zh-TW folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\locale\zh-CN folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\locale\sv-SE folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\locale\ko-KR folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\locale\ja-JP folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\locale\it-IT folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\locale\fr-FR folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\locale\es-ES folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\locale\en-US folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\locale\de-DE folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\locale folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\content\ffjcext folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome\content folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\chrome folder moved successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} folder moved successfully.
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Users\Dave\Desktop\cmd.bat deleted successfully.
    C:\Users\Dave\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Dave
    ->Temp folder emptied: 6507441 bytes
    ->Temporary Internet Files folder emptied: 19127345 bytes
    ->Java cache emptied: 1177123 bytes
    ->FireFox cache emptied: 42307994 bytes
    ->Google Chrome cache emptied: 279114292 bytes
    ->Apple Safari cache emptied: 11299840 bytes
    ->Flash cache emptied: 3905 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 13091840 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 16414208 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 572832 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 132881 bytes
    RecycleBin emptied: 2961609746 bytes

    Total Files Cleaned = 3,196.00 mb

    C:\Windows\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully
    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.57.0 log created on 08252012_151549

    Files\Folders moved on Reboot...
    C:\Users\Dave\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    File\Folder C:\Users\Dave\AppData\Local\Temp\~DF687EAD9E2E86275B.TMP not found!
    File\Folder C:\Users\Dave\AppData\Local\Temp\~DF7505188A5FE19278.TMP not found!
    File\Folder C:\Users\Dave\AppData\Local\Temp\~DFBC91AF362EFF5E74.TMP not found!
    File\Folder C:\Users\Dave\AppData\Local\Temp\~DFBDB65A73D9D5FF8A.TMP not found!
    File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

    PendingFileRenameOperations files...
    File C:\Users\Dave\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!
    File C:\Users\Dave\AppData\Local\Temp\~DF687EAD9E2E86275B.TMP not found!
    File C:\Users\Dave\AppData\Local\Temp\~DF7505188A5FE19278.TMP not found!
    File C:\Users\Dave\AppData\Local\Temp\~DFBC91AF362EFF5E74.TMP not found!
    File C:\Users\Dave\AppData\Local\Temp\~DFBDB65A73D9D5FF8A.TMP not found!
    [2012/08/25 15:20:41 | 000,000,000 | ---- | M] () C:\Windows\temp\_avast_\Webshlock.txt : Unable to obtain MD5

    Registry entries deleted on Reboot...


    2./ M-Bytes Log:

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.08.25.04

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Dave :: DAVE-VAIO [administrator]

    25/08/2012 15:28:19
    mbam-log-2012-08-25 (15-28-19).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 198530
    Time elapsed: 3 minute(s), 37 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)




    3./ ESET Logs and Info:


    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner64.ocx - registred OK
    OnlineScanner.ocx - registred OK


    and additional:


    C:\Users\Dave\Downloads\avc-free.exe Win32/OpenCandy application
    C:\Users\Dave\Downloads\Programs and Installers\avc-free.exe Win32/OpenCandy application
    C:\Users\Dave\Downloads\Programs and Installers\FLVPlayerSetup.exe Win32/OpenCandy application
    C:\Users\Dave\Downloads\Programs and Installers\winamp5621_full_emusic-7plus_all.exe Win32/OpenCandy application

  4. #14
    Retired Graduate
    Join Date
    Apr 2012
    Posts
    61

    Default

Hi Davman, how is your computer running now? Are you still seeing the warning?

    Run OTL Script

    We need to run an OTL Fix

    • Right click on OTL.exe and select "Run As Administrator" to run it.
    • Copy and Paste the following code into the textbox. Do not include the word Code
      Code:
      :files
      ipconfig /flushdns /c
      C:\Users\Dave\Downloads\avc-free.exe
      C:\Users\Dave\Downloads\Programs and Installers\avc-free.exe
      C:\Users\Dave\Downloads\Programs and Installers\FLVPlayerSetup.exe
      C:\Users\Dave\Downloads\Programs and Installers\winamp5621_full_emusic-7plus_all.exe
      
      :commands
      [emptytemp]
      [clearallrestorepoints]
    • Then click the Run Fix button at the top.
    • Click .
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.


    Then

    Security Check

    • Please download Security Check by screen317 from one of the links below:
    • Save it to your Desktop.
    • Right click SecurityCheck.exe and select "Run as administrator", then follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt
    • Please post the contents of that document.


    In your next reply please include:
    The answer to my question.
    The new OTL log.
    The Security Check log.


    Regards maxi .)
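The OTL fix above does four things: flushes the DNS resolver cache, moves the installers ESET flagged as Win32/OpenCandy out of the way, empties temp folders, and clears all restore points before setting a fresh one. The following PowerShell script is an added example, not part of the thread and not OTL's own code, that performs the same steps by hand so the result can be audited. It records a SHA-256 of each file before quarantining it, so the sample is still identifiable later. The file paths are the ones ESET reported in the thread; the quarantine directory, the use of `vssadmin` to drop old restore points, and PowerShell 4 or later (for `Get-FileHash` and `#Requires -RunAsAdministrator`; the Windows 7 machine in the thread would need WMF 4 installed) are assumptions.

```powershell
# Added example (not from the thread or from OTL): a manual equivalent of the
# :files / :commands fix, run from an elevated PowerShell 4+ prompt.
#Requires -RunAsAdministrator

$Quarantine = 'C:\Quarantine'                  # assumption: any local dir outside the user's profile
$Manifest   = Join-Path $Quarantine 'manifest.csv'

# Paths exactly as ESET reported them in the thread.
$Flagged = @(
    'C:\Users\Dave\Downloads\avc-free.exe',
    'C:\Users\Dave\Downloads\Programs and Installers\avc-free.exe',
    'C:\Users\Dave\Downloads\Programs and Installers\FLVPlayerSetup.exe',
    'C:\Users\Dave\Downloads\Programs and Installers\winamp5621_full_emusic-7plus_all.exe'
)

New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null

# Same as OTL's "ipconfig /flushdns /c" line: a poisoned resolver cache should
# not outlive the cleanup.
ipconfig /flushdns | Out-Null

foreach ($path in $Flagged) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "not found: $path"
        continue
    }
    # Hash first, then move: the manifest ties the quarantined copy to the
    # original location and lets the sample be looked up or submitted later.
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $name = [IO.Path]::GetFileName($path) + '.' + $hash.Substring(0, 8) + '.quarantined'
    $dest = Join-Path $Quarantine $name
    Move-Item -LiteralPath $path -Destination $dest -Force
    [PSCustomObject]@{
        Original    = $path
        Quarantined = $dest
        SHA256      = $hash
        When        = (Get-Date).ToString('o')
    } | Export-Csv -LiteralPath $Manifest -Append -NoTypeInformation
    Write-Output "quarantined $path ($hash)"
}

# Equivalent of [emptytemp]: clear the current user's and the system temp dirs.
foreach ($tmp in @($env:TEMP, "$env:SystemRoot\Temp")) {
    Get-ChildItem -LiteralPath $tmp -Force -ErrorAction SilentlyContinue |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
}

# Equivalent of [clearallrestorepoints]: old restore points can carry copies of
# the removed files, so OTL drops them all and creates a clean one. vssadmin
# deletes the shadow copies that back the restore points (assumption: the
# system drive is C:), and Checkpoint-Computer creates the replacement.
vssadmin delete shadows /for=C: /all /quiet | Out-Null
Checkpoint-Computer -Description 'Post-cleanup restore point' -RestorePointType MODIFY_SETTINGS
```

Renaming the quarantined copies with a `.quarantined` suffix (so they no longer carry an executable extension) is the reason for moving rather than deleting: the files are still available for analysis but will not run from a double click.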

  5. #15
    Junior Member
    Join Date
    Aug 2012
    Posts
    24

    Default

    Hey Maxi,

    Yeah, the message is still displayed in the action centre, although I have not really seen any sign of infection before or after the message appeared. However, I have been using the Linux partition on my HDD to post these messages and for general use to avoid letting the virus do too much damage, so I haven't exactly had much opportunity to see symptoms except for when I run the tools you recommend.

    Here are the logs you requested...

    OTL Log:


    All processes killed
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Users\Dave\Desktop\cmd.bat deleted successfully.
    C:\Users\Dave\Desktop\cmd.txt deleted successfully.
    C:\Users\Dave\Downloads\avc-free.exe moved successfully.
    C:\Users\Dave\Downloads\Programs and Installers\avc-free.exe moved successfully.
    C:\Users\Dave\Downloads\Programs and Installers\FLVPlayerSetup.exe moved successfully.
    C:\Users\Dave\Downloads\Programs and Installers\winamp5621_full_emusic-7plus_all.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Dave
    ->Temp folder emptied: 693462 bytes
    ->Temporary Internet Files folder emptied: 735093 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 470 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 708456 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 51318 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 2.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.57.0 log created on 08262012_115516

    Files\Folders moved on Reboot...
    C:\Users\Dave\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    File\Folder C:\Users\Dave\AppData\Local\Temp\~DF1C6D59DA942EE09D.TMP not found!
    File\Folder C:\Users\Dave\AppData\Local\Temp\~DF452E05A9CCC04162.TMP not found!
    File\Folder C:\Users\Dave\AppData\Local\Temp\~DFCBFF3B2E54C20CC1.TMP not found!
    File\Folder C:\Users\Dave\AppData\Local\Temp\~DFCD41641F9FD74D7D.TMP not found!
    File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

    PendingFileRenameOperations files...
    File C:\Users\Dave\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!
    File C:\Users\Dave\AppData\Local\Temp\~DF1C6D59DA942EE09D.TMP not found!
    File C:\Users\Dave\AppData\Local\Temp\~DF452E05A9CCC04162.TMP not found!
    File C:\Users\Dave\AppData\Local\Temp\~DFCBFF3B2E54C20CC1.TMP not found!
    File C:\Users\Dave\AppData\Local\Temp\~DFCD41641F9FD74D7D.TMP not found!
    [2012/08/26 11:58:51 | 000,000,000 | ---- | M] () C:\Windows\temp\_avast_\Webshlock.txt : Unable to obtain MD5

    Registry entries deleted on Reboot...



    Checkup Results:


    Results of screen317's Security Check version 0.99.46
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    avast! Antivirus
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.62.0.1300
    Java(TM) 6 Update 33
    Java version out of Date!
    Adobe Reader X (10.1.4)
    Mozilla Firefox (7.0.1)
    Google Chrome 21.0.1180.79
    Google Chrome 21.0.1180.83
    Google Chrome Plugins...
    ````````Process Check: objlist.exe by Laurent````````
    AVAST Software Avast AvastSvc.exe
    AVAST Software Avast AvastUI.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 3%
    ````````````````````End of Log``````````````````````

  6. #16
    Retired Graduate
    Join Date
    Apr 2012
    Posts
    61

    Default

    Hi Davman, sorry for the delay.

    Delete the copy of aswMBR from your computer and follow the instructions below.

    • Please download RogueKiller by Tigzy and save it to your desktop.
    • Allow the download if prompted by your security software and please close all your programs.
    • Right click on RogueKiller.exe and select " Run as administrator " to run it.
    • If it does not run, please try a few times.
    • Wait for PreScan to finish, then click on Scan.
    • Once completed, a log called RKreport[1].txt will be created on the desktop. It can also be accessed via the Report button.
    • Please copy and paste the contents of that log in your next reply.




    Then

    Please download aswMBR and save it to your Desktop.
    • Right click aswMBR.exe & choose "Run as Administrator" to run it.
    • Click Yes to the prompt to download Avast! virus definitions.
      (Please be patient whilst the virus definitions download)
    • With the AVscan set to Quick Scan, click the Scan button.
      (Please be patient whilst your computer is scanned.)
    • After a while when the scan reports "Scan finished successfully", click Save log & save the log to your desktop.
    • Click OK > Exit.
    • Note: Do not attempt to fix anything at this stage!
    • Two files will be created, aswMBR.txt & a file named MBR.dat.
    • MBR.dat is a backup of the MBR (master boot record), do not delete it.
    • I strongly suggest you keep a copy of this backup stored on an external device.
    • Copy & Paste the contents of aswMBR.txt into your next reply.


    Please Post both logs in your next reply

  7. #17
    Junior Member
    Join Date
    Aug 2012
    Posts
    24

    Default

    Hi Maxi,

    Don't worry about the delay. Everyone needs a Sunday off

    RK ran fine and I have included the report. However, aswMBR failed both times I tried to run it. Soon after it starts scanning C:\users\dave, the message "avast! Antirootkit has stopped working" appears and the program closes.

    Here is the RK report:

    RogueKiller V8.0.0 [08/26/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files...3-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Dave [Admin rights]
    Mode : Scan -- Date : 08/27/2012 12:05:29

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 3 ¤¤¤
    [TASK][SUSP PATH] {EDFF933E-1F4C-4B1A-BC28-6402AB663E0B} : C:\Users\Dave\setup.exe -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    ÿþ1

    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST9320325AS +++++
    --- User ---
    [MBR] 77e77d9c6677b2c88bb17f1b7bfe43a5
    [BSP] 57310392015cc50731ea31692b7b1682 : Windows 7 MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 11249 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 23040000 | Size: 100 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 23244800 | Size: 293894 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive3: Generic Flash Disk USB Device +++++
    --- User ---
    [MBR] ff539c300da24695b0732350eb9203fe
    [BSP] 28b7832184588ee3093bc71cc89376c6 : Standard MBR Code
    Partition table:
    0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 32 | Size: 998 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt


    Regards,

    davman
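Two of the checks in the RogueKiller report above can be repeated without the tool: the `[TASK][SUSP PATH]` heuristic (a scheduled task whose action runs from a user-writable location, here `C:\Users\Dave\setup.exe`) and the `[MBR]` digest of the first sector of PhysicalDrive0. The script below is an added example, not from the thread and not RogueKiller's code, that reproduces both so a reader can verify the findings independently before deleting anything. It assumes an elevated prompt, the `ScheduledTasks` module (Windows 8 / PowerShell 3 and later; on the Windows 7 machine in the thread the task listing would have to come from `schtasks /query /xml` instead), that opening `\\.\PhysicalDrive0` with a .NET `FileStream` is permitted, and that RogueKiller's `[MBR]` value is an MD5 of the full 512-byte sector, which is an assumption to confirm against the report rather than a documented fact.

```powershell
# Added example (not from the thread or from RogueKiller): re-run the two checks
# above by hand. Elevated PowerShell 3+ with the ScheduledTasks module assumed.
#Requires -RunAsAdministrator

function Get-SuspiciousTaskAction {
    # Roots a legitimate task action rarely runs from: anything under a user
    # profile, ProgramData or the Windows temp directory is writable without
    # admin rights, which is what RK's SUSP PATH label is about.
    $suspiciousRoots = @(
        "$env:SystemDrive\Users\",
        "$env:ProgramData\",
        "$env:SystemRoot\Temp\"
    )
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = $action.Execute            # $null for COM-handler actions
            if (-not $exe) { continue }
            $expanded = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
            $hit = $suspiciousRoots | Where-Object {
                $expanded.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
            }
            $missing = -not (Test-Path -LiteralPath $expanded)
            if (-not $hit -and -not $missing) { continue }
            $reason = if ($hit) { 'user-writable path' } else { 'target missing' }
            [PSCustomObject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Execute  = $expanded
                Reason   = $reason
                Enabled  = $task.Settings.Enabled
            }
        }
    }
}

function Get-MbrDigest {
    param([int]$DriveNumber = 0)
    # Read only the first sector of the raw device (assumption: FileStream can
    # open the device path when elevated; FileShare ReadWrite is required).
    $fs = New-Object IO.FileStream("\\.\PhysicalDrive$DriveNumber", 'Open', 'Read', 'ReadWrite')
    try {
        $sector = New-Object byte[] 512
        $read = $fs.Read($sector, 0, 512)
        if ($read -ne 512) { throw "short read: $read bytes" }
    } finally { $fs.Dispose() }

    $md5 = [Security.Cryptography.MD5]::Create()
    $hex = ($md5.ComputeHash($sector) | ForEach-Object { $_.ToString('x2') }) -join ''
    [PSCustomObject]@{
        Drive     = "PhysicalDrive$DriveNumber"
        MD5       = $hex                      # compare with the [MBR] line in RKreport
        BootSigOK = ($sector[510] -eq 0x55 -and $sector[511] -eq 0xAA)
        # Partition type byte of each of the four table entries (offset 446 +
        # 16*n + 4); 0x27 and 0x07 correspond to the ACER and NTFS entries RK listed.
        PartTypes = (0..3 | ForEach-Object { '0x{0:X2}' -f $sector[446 + 16 * $_ + 4] })
    }
}

Get-SuspiciousTaskAction | Format-Table -AutoSize
Get-MbrDigest -DriveNumber 0
```

A task hit with `Reason = target missing` is worth keeping in the output: RK reported the `setup.exe` task as `FOUND` on the basis of its path, and a task whose target has already been moved or deleted is the usual leftover after a partial cleanup. The MBR digest is a point-in-time value; record it alongside the `MBR.dat` backup aswMBR produces so a later run can be compared against it.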

  8. #18
    Retired Graduate
    Join Date
    Apr 2012
    Posts
    61

    Default

    Hi

    I need you to run RogueKiller again. When the scan completes, untick the lines below:
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    Then select the Delete button and post back the log that is created.

    Now
    Try to run aswMBR again.

    Regards maxi

  9. #19
    Junior Member
    Join Date
    Aug 2012
    Posts
    24

    Default

    Okay sure!

    Quick question though before I do:

    Is it okay to run these programs while disconnected from the internet?

    Regards,

    davman

  10. #20
    Retired Graduate
    Join Date
    Apr 2012
    Posts
    61

    Default

    Yes
