TechSpot

Need opinion on scans

By strategic
May 29, 2010
  1. Please review the attached scans on one of my worse malware battles...
    GAMR has not posted a log so I am attaching logs from MalwareBytes and DDS.
    Thanks :)
     

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    GMER won't run on 64-bit system.

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    userinit.exe
    explorer.exe
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  3. strategic

    strategic TechSpot Paladin Topic Starter Posts: 1,020

    Thanks for your assistance Broni,
    Here are the OTL logs...
     

    Attached Files:

  4. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O3 - HKU\S-1-5-21-4234509393-26912181-2050760829-1001\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
      O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found
      O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found
      O18:[b]64bit:[/b] - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
      O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
      O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
      [2010/03/12 05:59:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
      [2010/03/12 05:58:06 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  5. strategic

    strategic TechSpot Paladin Topic Starter Posts: 1,020

    Thanks again Broni,
    Here are the new logs.
    Sorry for the delay, I'm dealing with this on a friends PC, so I am not always near it, but at the same time, nobody is touching it throughout this ordeal.
    I appreciate your assistance!:)
     

    Attached Files:

  6. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    No problem :)

    What are the current issues with the machine?

    Please, update Malwarebytes, run it and give me new log.
     
  7. strategic

    strategic TechSpot Paladin Topic Starter Posts: 1,020

    Current issues: I don't think there are any more since I installed/ran MalwareBytes at the beginning. I have started using Avira on PC's for the past few months to get away from the hassle of the registration process from Avast. Avira however couldn't solve the problem, but then, I never thought about running it in safemode either.
    I'll run Malware again and post the log.
    Thanks.
     
  8. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    OK :).....
     
  9. strategic

    strategic TechSpot Paladin Topic Starter Posts: 1,020

    Here's the new Malware log.
    Please let me know if you find anything.
    Thanks)
     

    Attached Files:

  10. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Good :)

    Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    • Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
    • Click on the CleanUp! button and follow the prompts.
    • You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
    • After the reboot all the tools we used should be gone.
    • The tool will delete itself once it finishes.

    ===================================================================

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
      [*] Archives
      [*] Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  11. strategic

    strategic TechSpot Paladin Topic Starter Posts: 1,020

    Hi Broni,
    I was finally able to complete the online Kaspersky scan.
    Attached is a jpg of the screen shot showing it found nothing.
    Pleased advise if there is any other step required.
    Thanks again!:)
     

    Attached Files:

  12. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure, Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please, let me know, how is your computer doing.
     
  13. strategic

    strategic TechSpot Paladin Topic Starter Posts: 1,020

    Done...
    System restore points deleted, new restore point created.
    WOT installed. Please also note I download/install/update the mvps hosts file on any machine I maintain. I'm a firm believer in it. People have claimed it slows their browsing, but I feel it makes it quicker since it doesn't load all the garbage nobody wants (or needs).
    Thanks again for all your help, I will follow through and check how the computer is running periodically and let you know.:)
     
  14. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Way to go!! [​IMG]
    Good luck and stay safe :)
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...