Logs posted as directed.. backdoor.bot issue

Status
Not open for further replies.
Hi lindavb,

Re-run AdwCleaner

It should be on your desktop
    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • This time, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a log file report (AdwCleaner[S1].txt) will open automatically.
  • Copy and paste the contents of that log file in your next reply.
  • A copy of that log file will also be saved in the C:\AdwCleaner folder.
=========================

TFC

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
    • Vista, Windows 7 & 8: Right click and select "Run as Administrator"
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine.
  • If it doesn't, manually reboot to ensure a complete clean.
=========================

In your next post please provide the following:
  • AdwCleaner[S1].txt
  • TFC log
 
Will do. This morning when I booted up my PC, I got the blue screen saying "a problem has been detected and windows has shut down to prevent damage." It rebooted fine. This happens periodically, but thought I'd mention it.
 
adw log

# AdwCleaner v3.302 - Report created 06/08/2014 at 11:27:17
# Updated 30/07/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Linda - LINDA-PC
# Running from : C:\Users\Linda\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17207


-\\ Mozilla Firefox v

-\\ Google Chrome v36.0.1985.125

[ File : C:\Users\Linda\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [5339 octets] - [04/08/2014 21:23:17]
AdwCleaner[R1].txt - [943 octets] - [06/08/2014 10:52:24]
AdwCleaner[R2].txt - [1002 octets] - [06/08/2014 11:23:25]
AdwCleaner[S0].txt - [5947 octets] - [04/08/2014 21:24:47]
AdwCleaner[S1].txt - [925 octets] - [06/08/2014 11:27:17]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [984 octets] ##########

Note, I ran clean when it became an option. After scan, it said "pending" but it stayed at that point a very long time and so I assumed it was waiting for me to make a further selection.
 
Tfc

TFC did not reboot so I manually rebooted. I saved the log before doing so, good thing because it did not provide one upon restarting. Here it is:

Getting user folders.

Stopping running processes.

Emptying Temp folders.


User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56504 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: fbwuser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33298 bytes
->Flash cache emptied: 56504 bytes

User: Linda
->Temp folder emptied: 336480864 bytes
->Temporary Internet Files folder emptied: 1778552447 bytes
->Java cache emptied: 4138900 bytes
->Google Chrome cache emptied: 22869884 bytes
->Apple Safari cache emptied: 2034688 bytes
->Flash cache emptied: 92192 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 50950 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33298 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 753 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 42304743 bytes

Emptying RecycleBin. Do not interrupt.

RecycleBin emptied: 4375402839 bytes
Process complete!

Total Files Cleaned = 6,258.00 mb
 
Neither of these went exactly as per instructions, so please advise if I should have done either of them again or differently. Thanks for your help!
 
external back up?

Again, I am wondering about my external backup drive, is this being cleaned as well? I have been transferring data from one PC to another for quite a few years and would transfer this data once more to any new PC I may get, so I want to be sure I am not transferring any viruses in the process!
 
Um, Dropbox is suddenly deleting files and I don't know why, I did not ask to remove any of them. Does this have anything to do with the cleaning? It seems to be an ongoing process and I am a bit concerned about what might be deleted.
 
Hi lindavb,

Note, I ran clean when it became an option. After scan, it said "pending" but it stayed at that point a very long time and so I assumed it was waiting for me to make a further selection.
Locate this log and post it
C:\AdwCleaner\AdwCleaner[R2].txt

TFC log is fine.

Again, I am wondering about my external backup drive, is this being cleaned as well?
Yes, it should be. If you are still concerned, most AVs will allow you to select which drive you want to run a scan on. You should be able to designate your external drive to scan individually.

Um, dropbox is suddenly deleting files and I don't know why, I did not ask to remove any of them. Does this have anything to do with the cleaning?
I have no experience with Dropbox, but if I understand it correctly it is used to store images online. Our cleaning process shouldn't be randomly deleting files from your online storage.

Remember Google is your friend, do a search and see if anything comes up.

=========================

Chkdsk in Vista/7

You must run the command prompt as an administrator or in an "elevated mode".
  • Start menu, in the search bar type "cmd"
  • Right-click the cmd icon, select "run as administrator"
    • If you have user account control (UAC) set up it may prompt you to accept that action.
  • Then type in "chkdsk /r" (make note of the space between chkdsk and /)
=========================

To view results log:
  • Open the Start Menu, and type eventvwr.msc in the search box and press enter.
  • If prompted by UAC, then click on Yes (Windows 7) or Continue (Vista).
  • In the left pane of Event Viewer, double click on Windows Logs to expand it, then right click on Application and click on Find.
  • Copy and paste Chkdsk into the line, and click on Find Next.
  • You will now see the system log for the scan results of Check Disk (chkdsk).
  • In the right-hand menu select Copy, open Notepad and paste the chkdsk results into Notepad.
  • Post in your next reply.
=========================

In your next post please provide the following:
  • chkdsk results
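
The Event Viewer steps above can also be done from an elevated PowerShell prompt; this is an added example, not part of the original post. It assumes the results are in the Application log under the Wininit source (event ID 1001, boot-time scans) or the Chkdsk source, and the output file name is made up for illustration.

```powershell
# Added example: collect the most recent Check Disk result from the
# Application log and save it as text so it can be pasted into a reply.
# The output path is a hypothetical choice, change it as needed.
$outFile = Join-Path $env:USERPROFILE 'Desktop\chkdsk-results.txt'

# Assumption: boot-time scans (chkdsk /r on the system drive) are logged by
# the Wininit source with event ID 1001, and scans run on a live volume are
# logged by the Chkdsk source.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application' } -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.ProviderName -match 'chkdsk') -or
        ($_.ProviderName -match 'wininit' -and $_.Id -eq 1001)
    } |
    Sort-Object TimeCreated -Descending

if (-not $events) {
    # Nothing logged yet: the scan may not have run, or it ran in
    # read-only mode from a window that closed before finishing.
    Write-Host 'No Check Disk results found in the Application log.'
} else {
    $latest = $events | Select-Object -First 1

    # Keep the timestamp and source with the message so the helper can
    # tell which scan the text belongs to.
    $report = @(
        "Logged : $($latest.TimeCreated)"
        "Source : $($latest.ProviderName) (event ID $($latest.Id))"
        ''
        $latest.Message
    )
    $report | Out-File -FilePath $outFile -Encoding UTF8
    Write-Host "Saved latest Check Disk result to $outFile"
}
```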
 
Here is the adw log, looks just like the one I posted though:

AdwCleaner v3.302 - Report created 06/08/2014 at 11:23:25
# Updated 30/07/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Linda - LINDA-PC
# Running from : C:\Users\Linda\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17207


-\\ Mozilla Firefox v

-\\ Google Chrome v36.0.1985.125

[ File : C:\Users\Linda\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [5339 octets] - [04/08/2014 21:23:17]
AdwCleaner[R1].txt - [943 octets] - [06/08/2014 10:52:24]
AdwCleaner[R2].txt - [804 octets] - [06/08/2014 11:23:25]
AdwCleaner[S0].txt - [5947 octets] - [04/08/2014 21:24:47]

########## EOF - C:\AdwCleaner\AdwCleaner[R2].txt - [923 octets] ##########

I'm not sure about the Dropbox thing, it might be because someone I share a folder with is deleting docs that they placed there, or because it is synced to my phone and I have recently deleted a lot of downloads to save space. Either way not your problem! :) The rest I will do later tonight...
 
chkdsk

Ok, this is weird. This does not show up in my programs, and when I search it shows up but I can't open it, it's like a phantom that starts to open and then disappears. When I right click and select "run as administrator," it does a scan on a black screen that I cannot copy nor does it leave a log. It begins with a warning "F parameter not specified" and "read only mode." It does three stages of a scan and then just disappears. This file is dated 2009, but I bought this PC in 2010. I will run it again and try to get a screen shot again. But it looks like I do not have this program installed on my PC, just a remnant of some sort.
 
I can't do a screen shot. But it verifies files, indexes, and security descriptors, and then disappears not leaving a trace. It is chkdsk.exe. Again, I cannot find the program, it only comes up in a search. I managed to move it to my desktop but I cannot open it with a left click and can only run as admin with a right. What to do?
 
Hi lindavb,

It is a Check Disk Utility. It won't be listed in with the rest of your programs. That 2009 date is correct. Just because you purchased your computer in 2010 doesn't mean the file system wasn't assembled prior to that date. The file is chkdsk and it is an executable file (.exe)

1. Did you copy it to your desktop or move it to your desktop?

You should refrain from moving system files, you could severely damage your system if things go wrong.

If you copied the file to your desktop, that will probably be OK to just delete it. BUT if you moved the file to your desktop, then you will have to move it back to where it was located before we can continue.

2. Do you remember what folder it was in?

3. Did you follow the instructions exactly for running the chkdsk scan?

Then type in "chkdsk /r" (make note of the space between chkdsk and /) But without the quote marks.

Were you sure to put the space between chkdsk and the /? That is a crucial part of the command.

Before you proceed with any other steps let me know if you moved or copied chkdsk from its original location and if you know where to move it back to. (if that will be necessary)
 
I am pretty sure I copied it, because that is what I normally do when given the option, but I can't say for certain. When following your instructions, I could not find it listed in programs. When I did a search with the start button, it came up but would not open with a left click. With a right click I had options to run as administrator, scan, move, copy etc. I ran as administrator, got a black screen that went immediately to scan mode. There was no way to do any commands myself, and thus I could not type in anything. I let it scan, but after it completed the screen disappeared with no trace and no way to copy it. That is why I put it on my desktop, I thought maybe from there it would be more accessible. But it was the same thing, it won't open with a left click and can only run as administrator with a right click. Again, it goes directly to scanning with no chance to input anything myself. This is why I thought maybe this was a remnant of something that was previously eliminated. If it is not listed in programs, then how do you find it? I looked all over but the only way I could find it was to do a search from the start button. If I just copied it, then it should still be wherever it is/was? I am afraid this is beyond my geek quotient... : /
 
I should add I do not know the original location because the only way I could find it was to search from the start button and wait for it to come up in the list. Again, once it came up it would not open and could only be accessed via right click options. I never got a screen that allowed me to run any commands myself. How can I determine with certainty whether I copied or moved it?
 
Looking at "properties," under "general" it says it is application located in C - desktop, created Aug 7 2014 (it was after midnight when I moved/copied to desktop), modified 2009. Under "previous versions" it says no previous versions. Does that mean I moved it to desktop rather than copied it? Not sure if the other/original location would show up... and how to move back when I don't know where it was? System restore? I know, I'm not touching anything until further instructions... looks like I've made a bit of a mess...
 
Hi lindavb,

Based on your last reply, I would say you moved it.

Go ahead and do a System Restore back before you moved the file.
Reboot
Then try and run it again as previously instructed.
If it doesn't run that's fine, I just want to verify that it shows when you try and locate it via the Start menu
 
The recommended restore date is Aug 2, and when I ask for more points it gives me a few more but the latest is Aug 3. If I do that, I will undo everything we've been doing and reinstall things that have been uninstalled, not good. But I cannot seem to choose just the point before I moved the program...
 
Hi lindavb,

You said it would not have been with the rest of my programs, so where would it have been?

It is not a normal program, it is a utility that is part of Windows.
Mine is located here >> C:\Windows\System32

After reading back over your reply, I don't think you carried out the steps as outlined in my instructions.

You must run the command prompt as an administrator or in an "elevated mode".
  • Start menu, in the search bar type "cmd"
  • Right-click the cmd icon, select "run as administrator"
    • If you have user account control (UAC) set up it may prompt you to accept that action.
  • Then type in "chkdsk /r" (make note of the space between chkdsk and /)

This is the screen you should have seen, or very similar.



You can always try to move the file from your desktop back to the system32 folder, then reboot and try the process again. But the reason you got the error "F parameter not specified" and "read only mode" is because you didn't enter the command as outlined. You MUST open the command prompt first, then type in the command of 'chkdsk /r' for the utility to run as designed. From the screen above you would choose "Y" to have the scan run on the next restart.
 