[Solved] XP Antivirus 2012 and other Malware

Discussion in 'Virus and Malware Removal' started by Sammy22, Dec 16, 2011.

  1. Sammy22 Newcomer, in training

    OTL log below. I hope everything looks as it is supposed to. I see a lot of "not found" mentions.

    Assuming the OTL log looks good, I will proceed with the previously requested scans/directions tomorrow.

    Thanks

    ----

    All processes killed
    ========== OTL ==========
    Error: No service named GoogleDesktopManager-110309-193829 was found to stop!
    Service\Driver key GoogleDesktopManager-110309-193829 not found.
    Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
    Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
    Prefs.js: "Ask.com" removed from browser.search.defaultengine
    Prefs.js: "Ask.com" removed from browser.search.defaultenginename
    Prefs.js: "Ask.com" removed from browser.search.order.1
    Prefs.js: "Ask.com" removed from browser.search.selectedEngine
    Prefs.js: toolbar@ask.com:3.9.1.14019 removed from extensions.enabledItems
    C:\Users\Fname Lname\AppData\Roaming\Mozilla\Firefox\Profiles\2wcv829m.default\searchplugins\askcom.xml moved successfully.
    File C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml not found.
    Prefs.js: avg@igeared:6.010.006.004 removed from extensions.enabledItems
    File HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG10\Toolbar\Firefox\avg@igeared not found.
    File HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG10\Firefox4 not found.
    File HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@toolbar: C:\ProgramData\AVG Secure Search\9.0.0.18 not found.
    File C:\Users\Fname Lname\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\10.0.0.1409_0\plug ins/avgnpss.dll not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CA1377B-DC1D-4A52-9585-6E06050FAC53}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1CA1377B-DC1D-4A52-9585-6E06050FAC53}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC}\ not found.
    Registry value HKEY_USERS\S-1-5-21-710243377-3777013803-3809824090-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
    Registry key HKEY_USERS\S-1-5-21-710243377-3777013803-3809824090-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\localhost\ not found.
    Registry value HKEY_USERS\S-1-5-21-710243377-3777013803-3809824090-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\GD\\http not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}\ not found.
    File {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\9.0.1\ViProtocol.dll File not found not found.
    File C:\Windows\System32\drivers\AVG\incavi.avm.old not found.
    C:\Users\Fname Lname\AppData\Local\607885p0r580t127s003l4glr2a8 moved successfully.
    File C:\ProgramData\607885p0r580t127s003l4glr2a8 not found.
    C:\Users\Fname Lname\Documents\Documents\Ke43yta.exe moved successfully.
    C:\Users\Fname Lname\AppData\Local\543355v4g606c064d538e7hbv5s7 moved successfully.
    File C:\ProgramData\543355v4g606c064d538e7hbv5s7 not found.
    File C:\Windows\System32\drivers\AVG\iavichjg.avm not found.
    C:\Users\Fname Lname\AppData\Local\2e01oq0m46k223 moved successfully.
    File C:\ProgramData\2e01oq0m46k223 not found.
    C:\Users\Fname Lname\AppData\Roaming\DVVVrllOBtx0yS1 folder moved successfully.
    C:\Users\Fname Lname\AppData\Roaming\h88fRRZ9hTXwUCl folder moved successfully.
    C:\Users\Fname Lname\AppData\Roaming\JIVrlONtx0c1b3n folder moved successfully.
    C:\Users\Fname Lname\AppData\Roaming\p11uvSS2obF3mGQ folder moved successfully.
    C:\Users\Fname Lname\AppData\Roaming\QNNyyxA00uS2iF3 folder moved successfully.
    C:\Users\Fname Lname\AppData\Roaming\Registry Mechanic folder moved successfully.
    C:\Users\Fname Lname\AppData\Roaming\t9ggTXXqjY folder moved successfully.
    C:\Users\Fname Lname\AppData\Roaming\xaQH6sWK7E9TqYw folder moved successfully.
    Unable to delete ADS C:\ProgramData\TEMP:D .
    ========== FILES ==========
    File\Folder C:\PROGRA~1\AVG not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Fname Lname
    ->Temp folder emptied: 32804 bytes
    ->Temporary Internet Files folder emptied: 80950 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 13364567 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 659 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 172555 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 13.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: Fname Lname
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.31.0 log created on 12182011_225124

    Files\Folders moved on Reboot...
    File\Folder C:\Users\Fname Lname\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{9D31381E-33DE-439E-A40C-AEED4AC31B51}.tmp not found!
    File\Folder C:\Users\Fname Lname\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{975F121E-28E1-42BE-B02B-2FD22752DDFC}.tmp not found!

    Registry entries deleted on Reboot...
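    As an added example (not part of the thread and not OTL's own code), here is a small Python parser that tallies the outcomes in an OTL fix log of the form posted above; the sample lines are constructed from that format. Lines ending in "not found" record items the fix script targeted that were already absent, while only the "error" class (things OTL could not stop or delete) is worth a second look.

    ```python
    import re
    from collections import Counter

    # Constructed sample: a few lines in the format of an OTL fix log,
    # modelled on the log posted in the thread above.
    SAMPLE_LOG = r"""
    All processes killed
    ========== OTL ==========
    Error: No service named GoogleDesktopManager-110309-193829 was found to stop!
    Service\Driver key GoogleDesktopManager-110309-193829 not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
    Prefs.js: "Ask.com" removed from browser.search.defaultengine
    C:\Users\Fname Lname\Documents\Documents\Ke43yta.exe moved successfully.
    C:\Users\Fname Lname\AppData\Roaming\DVVVrllOBtx0yS1 folder moved successfully.
    Unable to delete ADS C:\ProgramData\TEMP:D .
    ========== FILES ==========
    File\Folder C:\PROGRA~1\AVG not found.
    ========== COMMANDS ==========
    """

    # Outcome patterns, checked in order; the first match wins.
    OUTCOMES = [
        ("moved",     re.compile(r"\bmoved successfully\.$")),
        ("removed",   re.compile(r"^Prefs\.js: .* removed from ")),
        ("not_found", re.compile(r"\bnot found[.!]?$")),
        ("error",     re.compile(r"^(Error:|Unable to )")),
    ]

    def classify(line):
        """Return the outcome class of one OTL log line, or None for headers/blank lines."""
        line = line.strip()
        if not line or line.startswith("=========="):
            return None
        for name, pat in OUTCOMES:
            if pat.search(line):
                return name
        return "other"

    def summarize(log_text):
        """Count log lines per outcome class (headers and blank lines are skipped)."""
        counts = Counter()
        for line in log_text.splitlines():
            kind = classify(line)
            if kind is not None:
                counts[kind] += 1
        return dict(counts)

    def needs_attention(log_text):
        """Lines an analyst should re-check: items OTL reported it could not act on."""
        return [l.strip() for l in log_text.splitlines() if classify(l) == "error"]
    ```
    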
  2. Broni Malware Annihilator

    Go on...........
  3. Sammy22 Newcomer, in training

    Security Check Log...

    Results of screen317's Security Check version 0.99.24
    Windows Vista Service Pack 2 x86 (UAC is enabled)
    Internet Explorer 9
    ``````````````````````````````
    Antivirus/Firewall Check:

    avast! Free Antivirus
    AVG 2012
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 30
    Java(TM) 6 Update 5
    Out of date Java installed!
    Adobe Flash Player ( 10.3.181.22) Flash Player Out of Date!
    Adobe Reader X (10.1.1)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Malwarebytes' Anti-Malware mbamservice.exe
    AVAST Software Avast AvastSvc.exe
    AVAST Software Avast AvastUI.exe
    ``````````End of Log````````````

    Still running other scans...
  4. Broni Malware Annihilator

  5. Sammy22 Newcomer, in training

    Java 6 Update 5 has been deleted. Adobe for IE and Firefox have been updated.
    TFC ran without issue or reboot.
    AVG Remover ran with the following log:

    2011-12-20 03:19:48,947 INFO AvgRemover 2012.0.5
    -------------------------------------------------------
    2011-12-20 03:19:48,994 DEBUG Avg9Uninstall\Directories key failed to open (error: e0010013)
    2011-12-20 03:19:48,994 DEBUG Avg8Uninstall\Directories key failed to open (error: e0010013)
    2011-12-20 03:19:48,994 DEBUG Reading HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:programFilesDir (x86) value failed (error: e001003d)
    2011-12-20 03:19:48,994 INFO Command line: "C:\Users\Fname Lname\Downloads\avg_remover_stf_x86_2012_1796.exe"
    2011-12-20 03:19:48,994 WARN AvgDir param empty.
    2011-12-20 03:19:48,994 WARN AvgDataDir param empty, but Remover found AvgDataDir at 'C:\ProgramData\AVG9', use this path as default.
    2011-12-20 03:19:54,688 INFO AvgRemover runs in attempt number 1
    2011-12-20 03:19:54,688 INFO Attempting to unregister AVG from the Windows Security Center.
    2011-12-20 03:19:54,688 INFO Attempting to uninstall toolbar

    NOTE:
    I ran ESET Online Scanner and it was at the 2 hour 15 min mark (99% of scan completed) before my computer force-closed. At that point, the scan had discovered two infections. I will retry the ESET scan tomorrow and report back.
  6. Broni Malware Annihilator

    OK...........
  7. Sammy22 Newcomer, in training

    ESET ran with no infections this time. However, remember that yesterday it ran and discovered two infections before force-closing. I was never able to see a log yesterday due to the forced closure, but I do remember that both infections were related to the Ask.com toolbar. One infection was a trojan.

    When running ESET this time, I did discover the following under the "Manage Quarantine" option...

    C:\_OTL\MovedFiles\12182011_225124\C_Fname Lname\Documents\Documents\Ke43yta.exe
    C:\Documents and Settings\Fname Lname\Downloads\Nero-7[1].10.1.0_eng_trial_wch.exe

    Ready for the next step...
  8. Broni Malware Annihilator

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download and install WOT (Web Of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please let me know how your computer is doing.
  9. Sammy22 Newcomer, in training

  10. Broni Malware Annihilator

  11. Sammy22 Newcomer, in training

    Thanks again, Broni! Hope you have a safe and joyous holiday season.
  12. Broni Malware Annihilator

    Merry Christmas