aswBoot.txt (found>chest) \temp\bitool.dll infected with win32:somoto-J [PUP]

If anyone can walk me through the scans and take a look at some logs, that would be super duper.

“C:\Documents and Settings\Administrator\Local Settings\Temp\bitool.dll” is the exact location found on a boot scan. I moved it to the chest upon the alert from Avast during the boot scan. I have done nothing yet; I am waiting for the boot scan to finish.

Thank you

Here are my logs:

half of the OTL

the rest

Thanks

more

C:\Documents and settings\Administrator\Local settings\Temp\bitool.dll
Run TFC (Temp File Cleaner): http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

Malware experts have been notified and will check your logs…

Hello. After TFC is done, do this:

Download AdwCleaner and save it to your desktop from this direct link: http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner

Run it (on Vista / 7 / 8, right-click and choose “Run as administrator”), then click “Scan”.

When done, click “Clean” and attach C:\Adwcleaner[Sx].txt.

Here you go. Sorry it took so long. The CPU is running dreadfully slow…

That’s OK.

Download Shortcut_Module from this link :

http://www.telecharger.sosvirus.net/gen-hackman/Shortcut_Module.exe

save it to your desktop

Run it, click “Clean”, then OK.

It will produce a report at the end of the scan, in C:\Shortcut_Module_date_hour.txt, after the machine reboots.

Attach the log.


OK :)

Close all windows and applications during the installation and the scan.

Download it here: http://fr.malwarebytes.org/

Click on Download.

Install:

choose “English”
do not modify the installation settings
update it
do not select the Pro trial version

Follow these instructions carefully:

Close all your running applications
Run Malwarebytes.
Run a “Full” scan

Let the program work (and do nothing else with the computer during the scan).

At the end, click on “Show Results”.

Verify that all infected objects are ticked, then click “Delete”.

Note: if you need to restart your computer to finish the cleaning, do it!

Post the report saved after deleting the infected objects (in the Malwarebytes “Reports / Logs” tab, the latest one: mbamlog.xx.xx… etc.)

Excuse me, but generally I ask for Malwarebytes at the end of the disinfection, never at the beginning. :-\ >:(

Run OTL again, like this, this time:

Copy/paste what is below (in blue bold) under “Personalization” in OTL:

HKCU\Software
HKLM\Software
HKCU\Software\Microsoft\Command Processor /s
HKLM\Software\Microsoft\Command Processor /s
%Homedrive%\*
%Homedrive%\*.
%Userprofile%\*
%Userprofile%\*.
%Allusersprofile%\*
%Allusersprofile%\*.
%LocalAppData%\*
%LocalAppData%\*.
%Userprofile%\Local Settings\Application Data\*
%Userprofile%\Local Settings\Application Data\*.
%programFiles%\*
%programfiles%\Google\Desktop\Install /s
%programFiles%\*.
%Systemroot%\Installer\*.
%Systemroot%\Temp\*.exe /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\system32\*.exe /lockedfiles
%systemroot%\system32\*.in*
%systemroot%\Tasks\*
%systemroot%\Tasks\*.
%systemroot%\system32\Tasks\*
%systemroot%\system32\Tasks\*.
%systemroot%\system32\drivers\*.sy* /lockedfiles
%systemroot%\system32\config\*.exe /s
%Systemroot%\ServiceProfiles\*.exe /s
%systemroot%\system32\*.sys
dir %Homedrive%\* /S /A:L /C
msconfig
activex
/md5start
explorer.exe
winlogon.exe
wininit.exe
volsnap.sys
atapi.sys
ndis.sys
cdrom.sys
i8042prt.sys
iastor.sys
tdx.sys
netbt.sys
afd.sys
/md5stop
netsvcs
safebootminimal
safebootnetwork
CREATERESTOREPOINT

Configure it like this and click on “Run Scan” last (sorry, but my picture is in French):

http://www.aht.li/1897388/OTL.PNG

If a 64-bit checkbox appears, leave it checked.

Let the tool work.
At the end, Notepad will open (OTL.txt & Extras.txt);
you can find them next to the OTL executable.

Don’t post them in the forum!!! (they’re too big)

Attach them.

mbam log

OTL

1/2 of the OTL

The rest of the OTL…

Thank you for your time on this

hello

Look in this folder; if there is nothing you want to keep, delete the folder. It takes up a lot of space on your disk for nothing; it’s an old Windows installation.

Uninstall Spybot Search and Destroy; it’s useless and makes your PC slow. I have never seen such a bad program.
Uninstall Glary Utilities; it’s a system killer, you risk destroying important pieces of the registry without knowing.

======

Run OTL again

Copy/paste the following text (in blue bold) into OTL where you pasted the first script, under “Personalization”:

:OTL
SRV - File not found [Auto | Stopped] -- C:\Program Files\Spybot -- (SDWSCService)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Spybot -- (SDUpdateService)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Spybot -- (SDScannerService)
FF - user.js - File not found
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\Systeiz.exe ()
O4 - HKLM..\Run: [SDTray] C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.80.4.7
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DA96DD77-93B7-40B4-ADF8-355C8258FA7B}: DhcpNameServer = 10.80.4.7
O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) - File not found
O33 - MountPoints2\{7ff29e8e-9333-11e3-a6f9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{7ff29e8e-9333-11e3-a6f9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7ff29e8e-9333-11e3-a6f9-806d6172696f}\Shell\AutoRun\command - "" = D:\autorun.exe
O33 - MountPoints2\{7ff29e8f-9333-11e3-a6f9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe
[2014/02/12 13:37:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy 2
[2014/02/12 13:37:34 | 000,018,968 | ---- | C] (Safer Networking Limited) -- C:\WINDOWS\System32\sdnclean.exe
[2014/02/12 13:37:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2014/02/12 13:37:13 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy 2
[2 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]
[2014/02/22 02:01:38 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MBR.dat
[2014/02/19 00:30:33 | 000,000,616 | ---- | M] () -- C:\WINDOWS\tasks\Refresh immunization (Spybot - Search & Destroy).job
[2014/02/18 12:52:00 | 000,001,942 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spybot-S&D Start Center.lnk
[2014/02/14 22:02:37 | 000,000,000 | ---D | M] -- C:\544cd50ccc3f1b10546cc1eb34
[2014/02/12 13:46:55 | 000,000,000 | ---D | M] -- C:\Program Files\Spybot - Search & Destroy 2

:reg
[-HKEY_CURRENT_USER\Software\Safer Networking Limited]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

:commands
[emptytemp]

Don’t touch anything else, and click on “Run Fix”.

Attach C:\_OTL\Moved Files\date_hour.log
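As an added example (not part of this thread, and not OTL's own code): a small Python triage helper that splits a pasted OTL fix script into its sections and says, line by line, what clicking "Run Fix" would act on, so the entries that matter (autostarts with no publisher, removable-drive AutoRun commands, the DNS server, registry values) can be checked before the fix is run. The sample input is a subset of the fix script from the post above, embedded as a constructed string with the backslashes the forum stripped restored; the regular expressions are my own reading of the line formats shown in this thread, not OTL's documented grammar, and the category names are my own.

```python
"""Triage a pasted OTL fix script before clicking "Run Fix" (added example).

OTL lines start with a prefix (SRV, O4, O17, O33, a bracketed file entry, ...)
that tells you what the fix acts on; this reports that per line.
"""
import ipaddress
import re

# Constructed input: a subset of the fix script posted above, with the
# backslashes the forum stripped restored.
SAMPLE_SCRIPT = r"""
:OTL
SRV - File not found [Auto | Stopped] -- C:\Program Files\Spybot -- (SDWSCService)
FF - user.js - File not found
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\Systeiz.exe ()
O4 - HKLM..\Run: [SDTray] C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.80.4.7
O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) - File not found
O33 - MountPoints2\{7ff29e8e-9333-11e3-a6f9-806d6172696f}\Shell\AutoRun\command - "" = D:\autorun.exe
O33 - MountPoints2\{7ff29e8f-9333-11e3-a6f9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe
[2014/02/12 13:37:34 | 000,018,968 | ---- | C] (Safer Networking Limited) -- C:\WINDOWS\System32\sdnclean.exe
[2014/02/14 22:02:37 | 000,000,000 | ---D | M] -- C:\544cd50ccc3f1b10546cc1eb34
:reg
[-HKEY_CURRENT_USER\Software\Safer Networking Limited]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
:commands
[emptytemp]
"""

# Line formats as they appear in this thread (my own regexes, not OTL's grammar).
O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<path>.+?) \((?P<company>.*)\)$')
O17_RE = re.compile(r'^O17 - .*DhcpNameServer = (?P<ip>[\d.]+)$')
O33_RE = re.compile(r'^O33 - MountPoints2\\\{(?P<guid>[0-9a-f-]+)\}\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$')
FILE_RE = re.compile(r'^\[(?P<ts>[\d/ :]+) \| (?P<size>[\d,]+) \| (?P<attr>.{4}) \| [CM]\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$')
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<type>\w+):(?P<value>\w+)$')


def parse_fix_script(text):
    """Split the script into sections keyed by header (':OTL' -> 'otl')."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(':') and ' ' not in line:   # section header such as :OTL or :reg
            current = line[1:].lower()
            sections.setdefault(current, [])
            continue
        if current is None:   # the ':' header is mandatory; without it the script is not a fix
            raise ValueError(f'line outside any section (missing ":OTL" header?): {line}')
        sections[current].append(line)
    return sections


def triage_otl_line(line):
    """Classify one :OTL line as (category, human-readable detail)."""
    if 'File not found' in line:
        return 'orphan', 'points at a missing file; the fix only deletes the dangling reference'
    m = O4_RE.match(line)
    if m:   # autostart entry under a Run key
        if m['company'].strip():
            return 'autostart', f"{m['name']} -> {m['path']} published by {m['company']}"
        return 'autostart-unknown', f"{m['name']} -> {m['path']} has no publisher; hash it and look it up"
    m = O33_RE.match(line)
    if m:   # per-volume AutoRun command remembered in MountPoints2
        return 'autorun', f"drive {m['cmd'][:2]} would auto-execute {m['cmd']} (volume {m['guid']})"
    m = O17_RE.match(line)
    if m:   # DHCP-supplied resolver; a public address here deserves a second look
        ip = ipaddress.ip_address(m['ip'])
        kind = 'private (LAN) address' if ip.is_private else 'public address; confirm it is your resolver'
        return 'dns', f'name server {ip} is a {kind}'
    m = FILE_RE.match(line)
    if m:   # file/directory listing entry; OTL moves these to C:\_OTL
        what = 'directory' if 'D' in m['attr'] else f"file ({int(m['size'].replace(',', ''))} bytes)"
        return 'filesystem', f"{what} {m['path']} will be moved to C:\\_OTL"
    return 'unrecognised', line


def triage_reg_line(line):
    """Classify one :reg line; [-key] deletes a key, "name"=TYPE:value sets a value."""
    if line.startswith('[-'):
        return 'reg-delete-key', line[2:-1]
    if line.startswith('['):
        return 'reg-key', line[1:-1]
    m = REG_VALUE_RE.match(line)
    if m:
        detail = f"{m['name']} = {m['type'].upper()}:{m['value']}"
        if m['name'].lower() == 'enablefirewall' and int(m['value'], 16) == 0:
            detail += ' (0 turns the Windows Firewall off for that profile)'
        return 'reg-set-value', detail
    return 'unrecognised', line


def triage(text):
    """Return [(section, category, detail), ...] for every line of the script."""
    findings = []
    for section, lines in parse_fix_script(text).items():
        for line in lines:
            if section == 'otl':
                cat, detail = triage_otl_line(line)
            elif section == 'reg':
                cat, detail = triage_reg_line(line)
            else:
                cat, detail = 'command', line
            findings.append((section, cat, detail))
    return findings


if __name__ == '__main__':
    for section, cat, detail in triage(SAMPLE_SCRIPT):
        print(f'[{section:8}] {cat:18} {detail}')
```

Run it on the script you are about to paste (replace SAMPLE_SCRIPT or read the text from a file) and look at the "autostart-unknown", "autorun" and "reg-set-value" lines first: those are the entries where the fix changes what the machine will run or how it is protected, while "orphan" lines only remove references to files that are already gone. The script also refuses input with no ":" section header, which matches the helper's point that the script does nothing without it.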

Is “OTL:” included in the code? Or does it start at “SRV -”?

Yes, it’s included, with the “:” too, at the left; if you don’t select the “:” with it, the script won’t work.

The correct log?