Possible virus.patchload.o Infection?

Discussion in 'Virus and Malware Removal' started by wisconsin, Dec 25, 2011.

  1. Broni Malware Annihilator Posts: 40,091   +187

    I didn't see your message about missing Extras.
    That's fine.

    OTL log looks perfectly clean.

    Any current issues?

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce any log.
  2. wisconsin Newcomer, in training Posts: 45

    Results of screen317's Security Check version 0.99.24
    Windows XP Service Pack 3 x86
    Internet Explorer 6 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Ad-Aware
    SpyHunter
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Ad-Aware AAWService.exe
    Ad-Aware AAWTray.exe
    ``````````End of Log````````````
  3. Broni Malware Annihilator Posts: 40,091   +187

  4. wisconsin Newcomer, in training Posts: 45

    Do you have a recommendation from the three you listed for AV?

    I'm still running the ESET scan, will post the log or let you know if there was no log when it's completed.

    :)
  5. Broni Malware Annihilator Posts: 40,091   +187

    All three are equally good :)
  6. wisconsin Newcomer, in training Posts: 45

    Here are the results from the ESET scan ...

    C:\Qoobox\Quarantine\C\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe.vir Win32/Patched.HN trojan cleaned - quarantined
    C:\Qoobox\Quarantine\C\Program Files\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE.vir Win32/Patched.HN trojan cleaned - quarantined
    C:\Qoobox\Quarantine\C\Program Files\Lavasoft\Ad-Aware\AAWService.exe.vir Win32/Patched.HN trojan cleaned - quarantined
    C:\System Volume Information\_restore{CE3D79E4-2AA4-4588-BE0C-9958863083E8}\RP1\A0000006.sys Win32/Patched.NBE trojan deleted - quarantined
    C:\System Volume Information\_restore{CE3D79E4-2AA4-4588-BE0C-9958863083E8}\RP1\A0000011.sys Win32/Patched.NBE trojan deleted - quarantined
    C:\System Volume Information\_restore{CE3D79E4-2AA4-4588-BE0C-9958863083E8}\RP1\A0000024.sys Win32/Patched.NBE trojan deleted - quarantined
    C:\System Volume Information\_restore{CE3D79E4-2AA4-4588-BE0C-9958863083E8}\RP1\A0001024.sys Win32/Patched.NBE trojan deleted - quarantined
    C:\System Volume Information\_restore{CE3D79E4-2AA4-4588-BE0C-9958863083E8}\RP1\A0001074.exe Win32/Patched.HN trojan cleaned - quarantined
    C:\System Volume Information\_restore{CE3D79E4-2AA4-4588-BE0C-9958863083E8}\RP1\A0001075.exe Win32/Patched.HN trojan cleaned - quarantined
    C:\System Volume Information\_restore{CE3D79E4-2AA4-4588-BE0C-9958863083E8}\RP1\A0001076.exe Win32/Patched.HN trojan cleaned - quarantined
    C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\B_95503\ati2evxx.exe Win32/Patched.HN trojan cleaned - quarantined
    C:\_OTL\MovedFiles\12272011_094946\C_Documents and Settings\OEM\Application Data\Afipat\piuguvi.exe a variant of Win32/Kryptik.WMS trojan cleaned by deleting - quarantined
    C:\_OTL\MovedFiles\12272011_094946\C_Documents and Settings\OEM\Local Settings\Application Data\8e6ecde6\X a variant of Win32/Kryptik.XPH trojan cleaned by deleting - quarantined
    C:\_OTL\MovedFiles\12272011_094946\C_Documents and Settings\OEM\Local Settings\Application Data\8e6ecde6\U\80000000.@ a variant of Win32/Sirefef.DV trojan cleaned by deleting - quarantined
    C:\_OTL\MovedFiles\12272011_094946\C_Documents and Settings\OEM\Local Settings\Application Data\8e6ecde6\U\800000cb.@ a variant of Win32/Agent.TEO trojan cleaned by deleting - quarantined
    C:\_OTL\MovedFiles\12272011_094946\C_Documents and Settings\OEM\Local Settings\Application Data\8e6ecde6\U\800000cf.@ a variant of Win32/Sirefef.DV trojan cleaned by deleting - quarantined
    C:\_OTL\MovedFiles\12272011_094946\C_WINDOWS\system32\c_23141.nl_ a variant of Win32/Sirefef.CR trojan cleaned by deleting - quarantined
    E:\Old Hard Disk\F\LAST DESKTOP FOLDER OF STUFF\My Documents\Software Updates\icur484.exe Win32/Adware.Aureate application deleted - quarantined
    E:\Old Hard Disk\F\LAST DESKTOP FOLDER OF STUFF\New Folder\rpGDB_FAT2_00_kg.rar probably a variant of Win32/Agent.JOYOBNO trojan deleted - quarantined
     
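Most of the ESET detections in the log above sit in quarantine or backup locations (Qoobox, OTL's MovedFiles, System Restore points, driver ReinstallBackups) rather than in live system paths, which is what the helper checks when reading such a log. The following script is an added example, not code from the thread or from ESET: it parses lines in the exporter's one-detection-per-line format, extracts the path, detection name, action and status, and classifies each path as already contained or live. The quarantine-folder patterns and the sample lines (a subset of the ones posted above) are assumptions embedded for an offline run.

```python
import re
from collections import Counter

# Constructed sample: five lines taken from the ESET Online Scanner export
# quoted in the thread, in the format "<path> <detection> <action> - <status>".
SAMPLE_LOG = r"""
C:\Qoobox\Quarantine\C\Program Files\Lavasoft\Ad-Aware\AAWService.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{CE3D79E4-2AA4-4588-BE0C-9958863083E8}\RP1\A0000006.sys Win32/Patched.NBE trojan deleted - quarantined
C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\B_95503\ati2evxx.exe Win32/Patched.HN trojan cleaned - quarantined
C:\_OTL\MovedFiles\12272011_094946\C_Documents and Settings\OEM\Application Data\Afipat\piuguvi.exe a variant of Win32/Kryptik.WMS trojan cleaned by deleting - quarantined
E:\Old Hard Disk\F\LAST DESKTOP FOLDER OF STUFF\New Folder\rpGDB_FAT2_00_kg.rar probably a variant of Win32/Agent.JOYOBNO trojan deleted - quarantined
"""

# Path is non-greedy so it stops at the first position where a detection name
# follows; the optional "(probably) a variant of" prefix is part of the detection.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<detection>(?:probably a variant of |a variant of )?Win32/\S+ (?:trojan|application)) "
    r"(?P<action>.+?) - (?P<status>\w+)$"
)

# Assumed folder patterns for locations where a file has already been moved out of
# its original place by an earlier cleaning tool or by Windows itself.
CONTAINED_PATTERNS = [
    (re.compile(r"^[A-Z]:\\Qoobox\\Quarantine\\", re.I), "ComboFix (Qoobox) quarantine"),
    (re.compile(r"^[A-Z]:\\_OTL\\MovedFiles\\", re.I), "OTL moved files"),
    (re.compile(r"^[A-Z]:\\System Volume Information\\_restore", re.I), "System Restore point"),
    (re.compile(r"\\ReinstallBackups\\", re.I), "driver reinstall backup"),
]


def classify_location(path):
    """Return the containing quarantine/backup label, or 'live' if none matches."""
    for pattern, label in CONTAINED_PATTERNS:
        if pattern.search(path):
            return label
    return "live"


def parse_line(line):
    """Parse one exported detection line into a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Malware family without the "a variant of" / "trojan" wording, e.g. Win32/Patched.HN
    rec["family"] = re.search(r"Win32/\S+", rec["detection"]).group(0)
    rec["location"] = classify_location(rec["path"])
    return rec


def parse_log(text):
    """Parse every detection line in an exported log; blank/unknown lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Counts per family plus the list of paths that were NOT already contained."""
    return {
        "total": len(records),
        "contained": sum(1 for r in records if r["location"] != "live"),
        "live": [r["path"] for r in records if r["location"] == "live"],
        "families": Counter(r["family"] for r in records),
    }


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    print(f"{summary['contained']} of {summary['total']} detections were already in quarantine/backup locations")
    for family, n in summary["families"].most_common():
        print(f"  {family}: {n}")
    for path in summary["live"]:
        print(f"  still worth a look (not a quarantine path): {path}")
```

Running it on the five sample lines reports four contained detections and one on the old E: drive that was not in any quarantine folder, which is the kind of distinction a reader of such a log wants before concluding a machine is clean.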
  7. Broni Malware Annihilator Posts: 40,091   +187

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    12. Read "How did I get infected? With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please let me know how your computer is doing.
  8. wisconsin Newcomer, in training Posts: 45

    Okay, my Windows Updates are not current I think, due to having to run that Windows Repair step earlier. Should I get that up to date first before running any of the other steps?
  9. Broni Malware Annihilator Posts: 40,091   +187

    Follow the exact order.
    Updates as a step #3.
  10. wisconsin Newcomer, in training Posts: 45

    Okay, will do :)
  11. wisconsin Newcomer, in training Posts: 45

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: OEM
    ->Temp folder emptied: 395934 bytes
    ->Temporary Internet Files folder emptied: 2515521 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 3.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default User

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService

    User: OEM
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb

    Restore points cleared and new OTL Restore Point set!

    OTL by OldTimer - Version 3.2.31.0 log created on 12302011_174544

    Files\Folders moved on Reboot...
    C:\Documents and Settings\OEM\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\si[1].htm moved successfully.
    C:\Documents and Settings\OEM\Local Settings\Temporary Internet Files\Content.IE5\IJ2LANUP\topic175185-4[1].html moved successfully.
    C:\Documents and Settings\OEM\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\CAURGNJG.php%3Fp%3D1123146%26posted%3D1&fu=0&ifi=1&dtd=62 moved successfully.

    Registry entries deleted on Reboot...
  12. Broni Malware Annihilator Posts: 40,091   +187

    Whenever ready....
  13. wisconsin Newcomer, in training Posts: 45

    Hi Broni, I will be sure to let you know, I'm only at Step 3 so far :)
  14. wisconsin Newcomer, in training Posts: 45

    I should add I've only been switching on this machine to run your instructions for the past week, and only to come to this website, so its usage has been very limited over that time. Based on that "experience" so far, it seems to be running just fine but I will feel more confident once I have completed all of the last steps and used the machine for a few days.
  15. Broni Malware Annihilator Posts: 40,091   +187

    Way to go!!
    Good luck and stay safe :)

    Let me know if something comes up.
  16. wisconsin Newcomer, in training Posts: 45

    Thanks so much, Broni, your assistance has been invaluable and much appreciated!! :)

    Actually I do have another issue. I have decided to remove SpyHunter 4 due to its somewhat sketchy reputation. I have used the Add/Remove Programs option from the Windows Control Panel. However, there are still files and folders in my Program Files and they are resisting deletion.

    Do you have a method for a thorough removal of this software, or can you point me to a link which describes how to do this?
  17. Broni Malware Annihilator Posts: 40,091   +187

  18. wisconsin Newcomer, in training Posts: 45

    I'm having the same issue with removal of the Lavasoft Ad-Aware. I ran the uninstall function that came with that software. Searching my Program Files folder I see a Lavasoft folder which contains files. I attempt to send that folder to the Recycle Bin and it tells me it can't because the folder is not empty.

    Attempting to individually remove the files from the Lavasoft folder allows me to delete all but one un-named file which comes up with an error message saying "Cannot delete file: Cannot read from the source file or disk."
  19. Broni Malware Annihilator Posts: 40,091   +187

    Did you read my previous reply?
  20. wisconsin Newcomer, in training Posts: 45

    Yep, thank you, must have been writing that last message while you were replying to my note on Spyhunter.

    I have one last issue (I hope!) with my sound, as in I don't have any. Is this likely to just be a "re-install the drivers" issue rather than something to do with the virus infections? I do believe the sound went down when I got infected initially.