Assistance

Can someone take a look at my OTL output files? I'm concerned about my computer. This is my work PC. I've recently uninstalled Chrome and am now using IE as my browser, because my Chrome Updater files kept getting infected.

I'm using a Dell desktop PC running Windows 7 Pro 64-bit with Norton AV.

Nothing readily apparent there. What problems are you experiencing?

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

- Right-click and select Run as administrator (XP users: click Run after the Windows Security Warning - Open File prompt). When the tool opens, click Yes to the disclaimer.
- Press the Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach the log back here.
- The first time the tool is run it generates another log (Addition.txt, also located in the same directory as FRST.exe/FRST64.exe). Please attach that along with FRST.txt in your reply.

It all started with my Seagate Backup Plus external drive. I started noticing folders going hidden (greyed-out option) and getting access denied. My wife's laptop started losing the ability to go to Control Panel, Task Manager, Services, etc., until the point where all we could do was log in (in safe mode) and just sit there. Then my home desktop PC started doing the same. I disconnected the external drive, formatted my PC and reinstalled the OS (about 50 times) before I finally stopped getting virus messages. My work PC will sometimes give me that access is denied, and I was thinking that since I use USB flash drives between the two PCs, maybe something got on there, or on my Dropbox or Google Drive. I don't know. I don't know how to be 100% sure that it's gone. I felt safe until I hooked up my external drive again. I deleted half of the drive because I didn't want to take the chance, but just couldn't delete all the files (photos and such). I've disconnected the drive again (at home), but I want to be sure that all the computers that I log into are secure and safe. It seems like my Windows Updates aren't performing correctly. Sometimes it will download and install, then it will say that it wants to install the updates (same ones). A lot of my DLL files under systemroot seem to be in other child folders as well. Occasionally, I still get redirects at home using the IE browser. The strange thing (to me anyway) is that my wife's laptop seems fine, ever since I ran the factory restore discs that came with her laptop.

OK, whilst I look at the log, install the following programme on all computers:

Download MCShield to your desktop and install it.
It will initially run a scan and show the result as a toaster by the system clock.
Then in the control centre select Scanner and tick Unhide items on flash drives.

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and MCShield will start a scan.

Then get the log, which will be here:

Start > all programs > MCShield > logs > all scans

and post that.

Did you set policy restrictions on this computer disabling exe files ?
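As an added example (not part of the thread, and not MCShield's own logic), here is a PowerShell script that does by hand what the "Unhide items on flash drives" step above automates: it lists folders on a removable drive that have been flagged Hidden+System, the shortcut files dropped alongside them, and any autorun.inf, and can clear the attributes again. The drive letter is a parameter, and the regular expression that decides which shortcut targets count as suspicious is my own choice, not anything the thread states.

```powershell
# Added example: inspect a USB/external drive for the hidden-folder and
# shortcut pattern described in the thread. Not MCShield's code.
# Usage (elevated PowerShell, Windows 7 / PowerShell 2.0 compatible):
#   .\Check-UsbDrive.ps1 -DriveLetter E:        # report only
#   .\Check-UsbDrive.ps1 -DriveLetter E: -Fix   # also clear Hidden/System on folders
param(
    [Parameter(Mandatory = $true)][string]$DriveLetter,
    [switch]$Fix
)

$root = $DriveLetter.TrimEnd('\') + '\'
if (-not (Test-Path -LiteralPath $root)) { throw "Drive $DriveLetter is not present" }

# -Force makes Get-ChildItem return hidden and system items, which a plain
# directory listing (and Explorer with default settings) would not show.
$entries = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue

# 1. Folders flagged Hidden + System. User data folders are never created
#    this way, so on a data drive it is the tell-tale sign of a USB worm.
$hiddenDirs = @($entries | Where-Object {
    $_.PSIsContainer -and
    ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
    ($_.Attributes -band [IO.FileAttributes]::System)
})

# 2. Shortcuts at the root. Worms drop a .lnk named after each folder whose
#    target launches a script host and then opens the real, now hidden,
#    folder so the user notices nothing. The target pattern below is an
#    assumption about what "suspicious" looks like; extend it as needed.
$shell = New-Object -ComObject WScript.Shell
$links = $entries | Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.lnk' } |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        New-Object PSObject -Property @{
            Link      = $_.Name
            Target    = $lnk.TargetPath
            Arguments = $lnk.Arguments
        }
    }
$suspectLinks = @($links | Where-Object {
    $_.Target    -match 'cmd\.exe|wscript|cscript|rundll32|powershell' -or
    $_.Arguments -match '\.(vbs|js|exe|bat|cmd)(\s|$)'
})

# 3. autorun.inf at the root. An updated Windows 7 ignores AutoRun on USB
#    media, but the file is still evidence that something wrote it.
$autorun = $entries | Where-Object { -not $_.PSIsContainer -and $_.Name -ieq 'autorun.inf' }

Write-Output "Hidden+System folders on ${root}:"
$hiddenDirs | ForEach-Object { Write-Output "  $($_.FullName)" }
Write-Output "Suspicious shortcuts:"
$suspectLinks | ForEach-Object { Write-Output "  $($_.Link) -> $($_.Target) $($_.Arguments)" }
if ($autorun) { Write-Output "autorun.inf present: $($autorun.FullName)" }

# 4. Optional repair. attrib.exe is used because it is exactly what the
#    manual fix (attrib -h -s) looks like and behaves the same on every
#    Windows version; the shortcuts are left in place for you to review.
if ($Fix) {
    foreach ($d in $hiddenDirs) {
        & attrib.exe -h -s "$($d.FullName)"
        Write-Output "Unhidden: $($d.FullName)"
    }
}
```

Run it with the drive plugged in but before opening anything on it; a clean drive prints empty lists. The script only reports shortcuts and autorun.inf rather than deleting them, so that a legitimate shortcut is not lost and so the files remain available for the log the helper asks for.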

This is a company computer, but I have domain admin rights on it, so I should be able to do pretty much anything. If not, I can log in as the local admin. But to answer your question: no, I didn't set any policy restrictions that would disable exe files. I work for a software development company, so I'm always creating new EXE files as well as taking full advantage of using Windows APIs.

FYI: last night on my home PC, I noticed an entry in my firewall settings that allows a program called QTChat.exe through on all private and public networks. The location of the file showed as my E: drive (I'm assuming one of my USB flash drives). I removed the permission and deleted the file from my firewall settings.

Oh, I just read your instructions for MCShield. I actually didn't bring any of my flash drives today. I'll have to do this when I get off work (in a couple of hours from now). Should I run it on this PC anyway?

OK, it looks like a flash drive infection. Run MCShield on all systems and then insert the USB drives/external drives for checking when you have them.
MCShield, once installed, will then protect you from any USB malware.

Once done let me know what problems you are having on each system and we will try to resolve them

I installed MCShield on my desktop PC and the laptop. Then I hooked up the external drive. I didn't notice anything happening. I ran OTL on my desktop PC, but out of habit I clicked on Cleanup and it removed the log files from OTL. I'll run it again a little later.

When using CCleaner, I noticed the following 3 items were added to my startup, so I disabled them as I don't know what they were for and they were only recently put there.

After the MCShield install, did you check Start > All Programs > MCShield > Logs > All scans for a log?

The OTL clean-up button is for removing OTL, so don't use that button before you are instructed to :wink:
OTL does not do any removal until the removal expert has made a fix for you to run, if needed, based on the log you first attach.

Attached are the OTL logs and the log from MCShield. I haven’t tried out my flash drives yet. I’ll do that now.

I feel a system check will probably be in order for this one, as some files may be corrupted.

Go to Start > All Programs > Accessories.
Right-click Command Prompt and select "Run as Administrator".
In the black box that opens, type in the following command and press Enter:

sfc /scannow

Allow the programme to run and reboot on completion.
Then let me know how the computer is behaving.

essexboy,

I hate to change gears on you, but I'm in the office now. I have a couple of questions related to some running processes and such. As of yesterday, I noticed that I now have a running process called msSpellCheckingFacility.exe. My Task Manager shows the command line executed was "C:\Windows\System32\MsSpellCheckingFacility.exe" -Embedding. This might be a legitimate Microsoft file that performs spell checking; however, it has never appeared in my Task Manager until yesterday.

One other thing that has puzzled me is that there is some Windows/system user called TrustedInstaller that is constantly taking ownership of folders and files. There is also a file called TrustedInstaller.exe located at C:\Windows\servicing. This user is set up as the login for quite a few services as well. I tried to do some research on it, but couldn't seem to find much (at least at that time). Is this thing legit? Is it acting the way that it should be? I've noticed that if I take ownership of a file away from TrustedInstaller, that file will turn into a shortcut (either a shortcut or a symbolic shortcut), to the point where I am unable to execute the file until I give TrustedInstaller rights back to the file. I've noticed similar behaviour after I install Malwarebytes. All the executable icons will turn into some default icon and when I try to look at the file properties, it will display as if it's a shortcut, but a shortcut to itself. I don't get it.

If you have the time, I'm attaching a log from running Autorunsc -a. Please let me know if you find anything out of the ordinary that maybe an AV or malware scan might not pick up on. Also, is there any way that I can check digital signatures on my files? I know in Windows XP there was a right-click option that showed the MD5 and SHA hashes for files, but it never said whether they matched the original file.

Have you just updated IE to IE10? That is the spellchecker add-on; you can disable it.

Also, TrustedInstaller is an important Windows service: http://www.thewindowsclub.com/trustedinstaller-exe-windows-7

For MD5, Sysinternals has Sigcheck, which you may want to look at: http://technet.microsoft.com/en-us/sysinternals/bb897441.aspx

SFC will reset any corruption within system files, so it is worth running that.

Nothing untoward in Autoruns.
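As an added example, not from the thread, here is a PowerShell script that turns the two checks recommended above (sfc /scannow, then Sigcheck for signatures) into one report. It pulls the [SR] lines out of CBS.log, which is where sfc records what it verified and repaired, and then checks the signatures and owners of the executables the poster asked about plus every .exe in System32. One caveat the thread does not mention: most Windows system files are signed through a security catalog rather than an embedded signature, and the Get-AuthenticodeSignature cmdlet that ships with Windows 7 does not consult catalogs, so it reports those files as NotSigned. Sigcheck does check catalogs, so the script uses it when it is on the PATH and falls back to the cmdlet with that caveat. The sigcheck.exe location and its CSV column names, and the choice of files to check, are assumptions of mine.

```powershell
# Added example: system-file integrity report after "sfc /scannow".
# Not from the thread. Run from an elevated PowerShell on Windows 7.

# 1. sfc records every file it verified or repaired in CBS.log, tagged [SR].
$cbsLog  = Join-Path $env:windir 'Logs\CBS\CBS.log'
$srLines = @()
if (Test-Path -LiteralPath $cbsLog) {
    $srLines = Select-String -Path $cbsLog -Pattern '[SR]' -SimpleMatch |
        ForEach-Object { $_.Line }
}
# The lines that matter: what sfc repaired and what it could not repair.
$sfcProblems = @($srLines | Where-Object { $_ -match 'Cannot repair|Repairing' })

# 2. Files to check: the two the poster asked about plus every exe in System32
#    (my choice of scope; widen it to *.dll if the sfc lines point there).
$system32 = Join-Path $env:windir 'System32'
$named = @(
    (Join-Path $system32 'MsSpellCheckingFacility.exe'),
    (Join-Path $env:windir 'servicing\TrustedInstaller.exe')
)
$targets  = @($named | Where-Object { Test-Path -LiteralPath $_ })
$targets += Get-ChildItem -LiteralPath $system32 -Filter *.exe | ForEach-Object { $_.FullName }
$targets  = @($targets | Select-Object -Unique)

$report   = @()
$sigcheck = Get-Command sigcheck.exe -ErrorAction SilentlyContinue
if ($sigcheck) {
    # 3a. Preferred: Sysinternals Sigcheck, which also verifies catalog signatures.
    #     Assumed: sigcheck.exe on the PATH; its CSV output (-c) has Path, Verified
    #     and Publisher columns; -accepteula/-nobanner behave as on other Sysinternals tools.
    foreach ($path in $targets) {
        $row = & $sigcheck.Path -accepteula -nobanner -c $path | ConvertFrom-Csv
        $report += New-Object PSObject -Property @{
            File      = $path
            Verified  = $row.Verified          # "Signed" / "Unsigned"
            Publisher = $row.Publisher
            Owner     = (Get-Acl -LiteralPath $path).Owner
        }
    }
} else {
    # 3b. Fallback: the cmdlet that ships with Windows 7. It ignores the security
    #     catalogs most OS files are signed through, so NotSigned here is NOT proof
    #     of tampering. HashMismatch (contents changed after signing) is the result
    #     that matters.
    foreach ($path in $targets) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        $report += New-Object PSObject -Property @{
            File      = $path
            Verified  = [string]$sig.Status     # Valid / NotSigned / HashMismatch ...
            Publisher = $signer
            Owner     = (Get-Acl -LiteralPath $path).Owner
        }
    }
}

# 4. Worth a closer look: not verified, not Microsoft-published, or not owned by
#    TrustedInstaller, which is the normal owner of OS files (and why taking
#    ownership away from it breaks things, as the poster saw).
$suspect = @($report | Where-Object {
    ($_.Verified  -notmatch '^(Signed|Valid)$') -or
    ($_.Publisher -notmatch 'Microsoft') -or
    ($_.Owner     -ne 'NT SERVICE\TrustedInstaller')
})

Write-Output "sfc [SR] lines about repairs: $($sfcProblems.Count)"
$sfcProblems | Select-Object -First 20
Write-Output "Files needing a closer look: $($suspect.Count)"
$suspect | Format-Table File, Verified, Publisher, Owner -AutoSize
```

Third-party tools legitimately install executables into System32 that are owned by Administrators rather than TrustedInstaller, so the "closer look" list is a triage list, not a verdict: the combination to act on is an unverified signature on a file that sfc also flagged, or a HashMismatch on a Microsoft-named binary.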

Actually, I'm using IE 11, not 10. On my home PC last night, I was running some scans or something and I remember noticing that it couldn't detect that I was even using Internet Explorer. I have IE 11 at home as well. I will run the suggested links/programs above. So far, I like Avast as an AV program, but was thinking of installing a different firewall program. I believe that Avast and Windows Firewall are both enabled at home. Also, I have a license for SUPERAntiSpyware, but was told (I don't remember where) that I shouldn't let it run while I have Avast AV running. Is that true? I just want to be sure that I can still do my software development (for which I must have administrator rights on my user account), but keep my system free and clear of any alterations or harm. So far I just have Avast AV running. Also, I added MCShield to my startup folder; was that a good idea or no?

MCShield is best run at system start, as it will monitor all USB and external drives, and the resources used are negligible.
SAS is a different type of programme from Avast, so it should cause no conflicts, although the web shield will cover most of the same bases.
If you have a modern router then Windows Firewall will suffice.
A useful page to read if you download programmes from the internet: http://blog.avast.com/2013/07/09/shady-practices-of-free-download-servers/
If you are creating programmes then you may need to disable DeepScreen temporarily whilst you are compiling/debugging the main executable.

I have currently clocked up 8 years malware-free using only Avast, so I feel it is good :slight_smile:

I was going through my registry to add MCShield when I noticed an entry I'd never seen before. It was under Local System/Software/Microsoft. The key was named Salsita. I can't find any info on it. I deleted it. I'll watch to see if it returns.

EDIT: After restarting my computer, I went back to the registry to add MCShield and found some very unusual entries; attaching two screenshots. And before I forget: even though Internet Explorer looks 500 times better than it did at version 6, I'd still like to use a different browser. I'm still a little wary of going back to Chrome. Do you think I just had some bad luck, or has Chrome become unsafe?

Salsita design plugins for Chrome and FF: http://www.salsitasoft.com/

The reg keys are encrypted histories of IE use:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

There will be a series of binary sub-keys called HRZR_EHACVQY:%pfvqy6%\ These are actually your favorites cached in an encrypted form.

and this key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

There will be a series of binary sub-keys called HRZR_EHACVQY:%pfvqy2%\ These are actually the sites you've visited, nicely cached in an encrypted form.

Personally I prefer IE, but as it stands Chrome and Firefox are susceptible to rogue add-ons.
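As an added example, not part of the thread, here is a PowerShell script that reads the UserAssist keys quoted above and decodes them. The value names are ROT13-obfuscated rather than encrypted in any cryptographic sense: HRZR_EHACVQY:%pfvqy6% decodes to UEME_RUNPIDL:%csidl6%, and the %csidlN% placeholders are CSIDL folder numbers (6 is CSIDL_FAVORITES, 2 is CSIDL_PROGRAMS). Rather than hard-coding the two GUIDs from the post, the script walks every GUID subkey under UserAssist, so it also picks up the subkeys a Windows 7 system actually populates. The binary layout it uses to pull out a run count and last-run time (72-byte values with the run count at offset 4 and a FILETIME at offset 60 on Windows 7; 16-byte values with the count at offset 4 and the FILETIME at offset 8 on XP) is an assumption taken from forensic tooling; check one entry against a known tool before relying on it.

```powershell
# Added example: decode the UserAssist keys named in the thread.
# Not from the thread. Works on Windows 7 / PowerShell 2.0.

function ConvertFrom-Rot13 {
    param([string]$Text)
    # ROT13 rotates letters by 13 places and leaves every other character
    # alone, so applying it a second time is the decoder.
    $out = foreach ($ch in $Text.ToCharArray()) {
        $c = [int]$ch
        if     ($c -ge 65 -and $c -le 90)  { [char](($c - 65 + 13) % 26 + 65) }   # A-Z
        elseif ($c -ge 97 -and $c -le 122) { [char](($c - 97 + 13) % 26 + 97) }   # a-z
        else                               { $ch }
    }
    return (-join $out)
}

function Get-UserAssistEntries {
    param([string]$Guid)
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\$Guid\Count"
    if (-not (Test-Path -LiteralPath $key)) { return }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $data     = $item.GetValue($name)      # REG_BINARY comes back as byte[]
        $runCount = $null
        $lastRun  = $null
        if ($data -is [byte[]]) {
            # Assumed layouts (see lead-in): Windows 7 = 72 bytes, XP = 16 bytes.
            if ($data.Length -ge 68) {
                $runCount = [BitConverter]::ToUInt32($data, 4)
                $ft       = [BitConverter]::ToInt64($data, 60)
            } elseif ($data.Length -eq 16) {
                $runCount = [BitConverter]::ToUInt32($data, 4)
                $ft       = [BitConverter]::ToInt64($data, 8)
            } else {
                $ft = 0
            }
            if ($ft -gt 0) { $lastRun = [DateTime]::FromFileTime($ft) }
        }
        New-Object PSObject -Property @{
            Name     = (ConvertFrom-Rot13 $name)
            RunCount = $runCount
            LastRun  = $lastRun
        }
    }
}

# The two value names quoted in the thread, decoded.
foreach ($n in 'HRZR_EHACVQY:%pfvqy6%', 'HRZR_EHACVQY:%pfvqy2%') {
    Write-Output ("{0}  ->  {1}" -f $n, (ConvertFrom-Rot13 $n))
}

# Every UserAssist subkey present on this machine, most recently run first.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
foreach ($sub in Get-ChildItem -LiteralPath $base) {
    $guid = $sub.PSChildName
    Write-Output "== $guid =="
    Get-UserAssistEntries -Guid $guid |
        Sort-Object LastRun -Descending |
        Format-Table Name, RunCount, LastRun -AutoSize
}
```

For incident work the useful columns are the decoded path and the last-run time: an unfamiliar executable with a recent LastRun, or a run count that climbs on a machine nobody was using, is a lead. The data is per user (HKCU), so run it under each account that logs in to the PC.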

Well, then I have to say that I must be virus/malware-free now. I think I'm always going to question EVERYTHING on my computer from now on. I really don't like that feeling, but hopefully it will pass as time goes by.

Thank you for indulging me with my paranoia and long log files. I originally got the infection in July. To my knowledge, it was my first time dealing with a virus in my 14 years of IT work experience, not to mention 10+ years of personal experience. I had really believed that computer viruses and malware were only a myth. I really need to start reading up on prevention, firewall settings, network shares, etc. For now, I'm just going to do a daily check and be sure Remote Desktop and Terminal Services can't start.

I guess you would feel that way, although I have never had an unintentional virus

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

Go to Start > All Programmes > Accessories > System Tools.
Right-click Disk Cleanup and select Run as administrator.
When it pops up, at the first prompt select OK; after it has done some calculations the tabs will appear.
Select the More Options tab.
Press the System Restore and Shadow Copies Clean up button.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto-ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run it weekly to keep your system clean.

Download and install FileHippo Update Checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read our little guide: How did I get infected in the first place? Keep safe :wave: