Win32 DownTango

systemlook log file

SystemLook 30.07.11 by jpshortstuff
Log created at 15:28 on 27/11/2012 by Kate
Administrator - Elevation successful

========== filefind ==========

Searching for "Win32.DownTango"
No files found.

========== Regfind ==========

Searching for "Win32.DownTango"
No data found.

-= EOF =-


(and just checked Spybot again and it's still finding it - sorry :-( )
 
That file you sent up to VirusTotal is fine. I need to go over your Spybot log a bit closer but won't be able to get to it until this evening.

Run this through SystemLook

:filefind
DownTango

:Regfind
DownTango
 
No worries - thanks for all your time :-)

This is the new systemlook log:


SystemLook 30.07.11 by jpshortstuff
Log created at 17:35 on 27/11/2012 by Kate
Administrator - Elevation successful

========== filefind ==========

Searching for "DownTango"
No files found.

========== Regfind ==========

Searching for "DownTango"
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Program Files (x86)\Red Sky\DownTango]
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Program Files (x86)\Red Sky\DownTango]
[HKEY_USERS\S-1-5-21-1786509448-2931731986-1769432513-1001\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Program Files (x86)\Red Sky\DownTango]
[HKEY_USERS\S-1-5-21-1786509448-2931731986-1769432513-1001\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Program Files (x86)\Red Sky\DownTango]

-= EOF =-
 
While I am looking over your logs, run this quick scan please

Download CKScanner by askey127 from Here & save it to your Desktop.
  • Doubleclick CKScanner.exe then click Search For Files
  • When the cursor hourglass disappears, click Save List To File
  • A message box will verify the file saved
  • Please Run this program only once
  • Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply
 
CK Scanner text

CKScanner 2.1 - Additional Security Risks - These are not necessarily bad
c:\program files (x86)\kodak\aio\center\ekkeygenerator.exe
c:\program files (x86)\kodak\aio\center\ekkeygenerator.exe.config
scanner sequence 3.LB.11.TVNATO
----- EOF -----
 
Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Inside the new folder, double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe



Open OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :processes
    killallprocesses
    
    :OTL
    
    :Services
    
    :Reg
    [-HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Program Files (x86)\Red Sky\DownTango]
    [-HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Program Files (x86)\Red Sky\DownTango]
    [-HKEY_USERS\S-1-5-21-1786509448-2931731986-1769432513-1001\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Program Files (x86)\Red Sky\DownTango]
    [-HKEY_USERS\S-1-5-21-1786509448-2931731986-1769432513-1001\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Program Files (x86)\Red Sky\DownTango]
    
    :Files
    C:\Program Files (x86)\Red Sky
    
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top. <--Not run Scan
  • Let the program run unhindered, reboot when it is done
  • Then post the results of the log it produces
 
Latest OTL log

All processes killed
========== PROCESSES ==========
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Program Files (x86)\Red Sky\DownTango\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Program Files (x86)\Red Sky\DownTango\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-1786509448-2931731986-1769432513-1001\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Program Files (x86)\Red Sky\DownTango\ not found.
Registry key HKEY_USERS\S-1-5-21-1786509448-2931731986-1769432513-1001\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Program Files (x86)\Red Sky\DownTango\ not found.
========== FILES ==========
C:\Program Files (x86)\Red Sky\DownTango folder moved successfully.
C:\Program Files (x86)\Red Sky folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Kate
->Temp folder emptied: 425948 bytes
->Temporary Internet Files folder emptied: 556565 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 77717578 bytes
->Flash cache emptied: 922 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 51692 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 49621 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 75.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 11272012_230014

Files\Folders moved on Reboot...
C:\Users\Kate\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


Sadly I've just checked Spybot again and it's still picking it up.
I'm just off to bed now but will check back in the morning - thanks again for your help.
 
OK, run Spybot again and post a new log

Then plug this in to SystemLook

:filefind
DownTango
Red Sky

:folderfind
DownTango
Red Sky

:regfind
DownTango
Red Sky
 
systemlook log file

SystemLook 30.07.11 by jpshortstuff
Log created at 08:41 on 28/11/2012 by Kate
Administrator - Elevation successful

========== filefind ==========

Searching for "DownTango"
No files found.

Searching for "Red Sky"
No files found.

========== folderfind ==========

Searching for "DownTango"
C:\Users\Kate\AppData\Local\DownTango d------ [19:10 03/10/2012]
C:\_OTL\MovedFiles\11272012_230014\C_Program Files (x86)\Red Sky\DownTango d------ [19:10 03/10/2012]

Searching for "Red Sky"
C:\_OTL\MovedFiles\11272012_230014\C_Program Files (x86)\Red Sky d------ [19:10 03/10/2012]

========== regfind ==========

Searching for "DownTango"
No data found.

Searching for "Red Sky"
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Program Files (x86)\Red Sky]
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Program Files (x86)\Red Sky]
[HKEY_USERS\S-1-5-21-1786509448-2931731986-1769432513-1001\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Program Files (x86)\Red Sky]
[HKEY_USERS\S-1-5-21-1786509448-2931731986-1769432513-1001\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Program Files (x86)\Red Sky]

-= EOF =-
 
Hi,

Again, back up your registry with ERUNT

Open OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :processes
    killallprocesses
    
    :OTL
    
    :Services
    
    :Reg
    [-HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Program Files (x86)\Red Sky]
    [-HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Program Files (x86)\Red Sky]
    [-HKEY_USERS\S-1-5-21-1786509448-2931731986-1769432513-1001\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Program Files (x86)\Red Sky]
    [-HKEY_USERS\S-1-5-21-1786509448-2931731986-1769432513-1001\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Program Files (x86)\Red Sky]
    
    :Files
    C:\Users\Kate\AppData\Local\DownTango
    C:\Windows\Launcher.exe
    C:\Program Files (x86)\Red Sky
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top. <--Not run Scan
  • Let the program run unhindered, reboot when it is done
  • Then post the results of the log it produces
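As an added illustration (not code from this thread, nor part of SystemLook or OTL), here is a Python script that parses a SystemLook log like the ones posted above and renders the hits as an OTL Custom Scans/Fixes script in the same layout, turning each regfind key into a `[-KEY]` deletion and each folderfind path into a `:Files` entry. It deliberately skips folderfind hits under OTL's own `C:\_OTL\MovedFiles` backup tree (the second folderfind hit in the 28/11 log above), since those are the quarantined copies from the previous fix and not a live installation. The sample log is constructed from the paths in this thread.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the SystemLook logs posted in this thread.
SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff
========== folderfind ==========
Searching for "DownTango"
C:\Users\Kate\AppData\Local\DownTango d------ [19:10 03/10/2012]
C:\_OTL\MovedFiles\11272012_230014\C_Program Files (x86)\Red Sky\DownTango d------ [19:10 03/10/2012]
========== regfind ==========
Searching for "DownTango"
No data found.
Searching for "Red Sky"
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Program Files (x86)\Red Sky]
[HKEY_USERS\S-1-5-21-1786509448-2931731986-1769432513-1001\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Program Files (x86)\Red Sky]
-= EOF =-
"""

SECTION_RE = re.compile(r"^=+ (\w+) =+$")
# A folderfind hit reads "<path> d------ [<time> <date>]"; the path may contain spaces.
FOLDER_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)\s+d[-a-z]{6}\s+\[")
# OTL's own backup tree (seen in the log above): hits in here are a previous
# fix's quarantined copies, not a live installation, so they are left alone.
QUARANTINE = r"C:\_OTL\MovedFiles"

def parse_systemlook(text: str) -> Dict[str, List[str]]:
    """Collect folderfind paths and regfind key names from a SystemLook log."""
    hits: Dict[str, List[str]] = {"folderfind": [], "regfind": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
        elif section == "regfind" and line.startswith("[") and line.endswith("]"):
            hits["regfind"].append(line[1:-1])          # key name without brackets
        elif section == "folderfind":
            fm = FOLDER_RE.match(line)
            if fm:
                hits["folderfind"].append(fm.group("path"))
    return hits

def build_otl_fix(hits: Dict[str, List[str]]) -> str:
    """Render the hits as an OTL Custom Scans/Fixes script in the thread's layout."""
    folders = [p for p in hits["folderfind"]
               if not p.lower().startswith(QUARANTINE.lower())]
    lines = [":processes", "killallprocesses", "", ":Reg"]
    lines += [f"[-{key}]" for key in hits["regfind"]]   # leading '-' asks OTL to delete the key
    lines += ["", ":Files"] + folders
    lines += ["", ":Commands", "[purity]", "[emptytemp]", "[start explorer]", "[Reboot]"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_otl_fix(parse_systemlook(SAMPLE_LOG)))
```

Read the generated script over before pasting it into OTL; the tool removes whatever it is given, which is why the quarantine filter matters.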
 
All processes killed
========== PROCESSES ==========
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Program Files (x86)\Red Sky\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Program Files (x86)\Red Sky\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-1786509448-2931731986-1769432513-1001\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Program Files (x86)\Red Sky\ not found.
Registry key HKEY_USERS\S-1-5-21-1786509448-2931731986-1769432513-1001\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Program Files (x86)\Red Sky\ not found.
========== FILES ==========
C:\Users\Kate\AppData\Local\DownTango\userplugins\internal folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\userplugins\hoster folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\userplugins\hooks folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\userplugins\crypter folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\userplugins\container folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\userplugins\captcha folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\userplugins\accounts folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\userplugins folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\tmp\jinja_cache folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\tmp\container_file_lock folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\tmp\container_file\4\44 folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\tmp\container_file\4 folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\tmp\container_file folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\tmp folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\scripts\unrar_finished folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\scripts\package_finished folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\scripts\download_preparing folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\scripts\download_finished folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\scripts\before_reconnect folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\scripts\all_dls_processed folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\scripts\all_dls_finished folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\scripts\after_reconnect folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\scripts folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\Logs folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango\Downloads folder moved successfully.
C:\Users\Kate\AppData\Local\DownTango folder moved successfully.
C:\Windows\Launcher.exe moved successfully.
File\Folder C:\Program Files (x86)\Red Sky not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Kate
->Temp folder emptied: 314657 bytes
->Temporary Internet Files folder emptied: 1241758 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 77071014 bytes
->Flash cache emptied: 694 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 50240 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 23722 bytes

Total Files Cleaned = 75.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 11282012_095135

Files\Folders moved on Reboot...
C:\Users\Kate\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Users\Kate\AppData\Local\Temp\~DF9CCB71AA6CEEBE35.TMP not found!

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 
Just run spybot and it didn't find anything this time - hooray!

Be back later for any further instructions. Just as an aside - Spybot never immunises properly as it thinks I'm not an administrator (which I am) - is there a way to fix that?

Thanks so much.
 
Great :bigthumb:

What I would do is post in the Spybot forum, as they know this program inside and out and can help you with the immunization problem:
http://forums.spybot.info/forumdisplay.php?f=4


Since you're still here, it wouldn't hurt to run a couple of scans to make sure you're free of malware.

Run Malwarebytes, all you need is the free version

Please download Malwarebytes from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please







Please run this free online virus scanner from ESET
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is NOT TICKED, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
Malwarebytes Log

The scan completed successfully - no malicious items were detected.

Log:
Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.25.07

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Kate :: KATE-PC [administrator]

28/11/2012 16:57:07
mbam-log-2012-11-28 (16-57-07).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 203859
Time elapsed: 2 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
ESET log

Also looking good - it said nothing found:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251


One more question - do I need to reverse any of the things we did earlier (e.g. making all files visible?). Am I ok to uninstall the things we used like OTE, or should I leave them sitting there - do they have any benefit if they are left in situ? Should I run something like Malwarebytes regularly to check for infections or is Spybot normally enough?

Sorry to bombard you with questions....
 
Sorry to bombard you with questions.. :rockon:

Not a problem, that's why we're here.

It looks like you're good to go. You have the free version of Malwarebytes; you can keep that if you wish, check for updates and run a scan a few times a month.

I am going to have you run Cleanup with OTL, and whatever programs were not removed you can just drag to the trash. You can re-hide files and folders; it's better that way so none can be deleted accidentally.


Open OTL and click on Clean Up and it will remove the programs we used to clean your system along with their backups; any programs that were not removed you can just drag to the trash.


Malwarebytes is the free version and yours to keep and will not be removed




Safe Surfn
Ken
 