I’m certain this is a virus or malware or something of that sort. My sister was using facebook and clicked a link to a video that asked her to update Adobe Flash. She did, the computer restarted and then the problems began. How do I get rid of this? I’m running Malwarebytes right now to see if it’ll do anything. If not, what steps should I take?
Also, my apologies if this isn’t in the right section. I just need some help.
[*]Quit all running programs
[*]For Vista/Seven, right-click → Run as administrator; for XP, simply run RogueKiller.exe
[*]When prompted, type 2 and validate
[*]The RKreport.txt shall be generated next to the executable.
[*]If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.
THEN
To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is to large to attach, then upload to Mediafire and post the sharing link.
[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Under Additional Scans check the following:
[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: Cristina [Admin rights]
Mode: Remove – Date : 07/25/2011 13:44:30
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Owner [Admin rights]
Mode: Scan – Date : 07/25/2011 20:00:54
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Hugene [Admin rights]
Mode: Remove – Date : 07/25/2011 14:26:36
Guys, please don’t hijack the original posters topic, it just confuses the issue when trying to help multiple users in the same topic.
So please create your own new topic, here http://forum.avast.com/index.php?board=4.0 in the viruses and worms forum and click the New topic and post your RogueKiller and OTS logs in your own new topic.
Hello dear fellows, I am new to the forum but have been a steady Avast user for around 7 years, so here's the situation: I have the same problem with the Facebook thing and Enhanced security, so I did everything that was told with the program RogueKiller, and here is the report. I did it for the seventh time and nothing changes; still Avast tells that it works under enhanced protection, and still the connection to Fb is lost or damaged. :-X ??? Can you just tell me, if you know, for how long this hacking thing (if it can be called hacking) will continue, and is Avast going to manage with the problem?
This is a new variant malware that affects all Antivirus programmes - there is a Norton enhanced mode, a McAfee enhanced mode etc. etc.
Each fix I create will be unique to the system concerned, so each one will need to be in a separate topic.
But again, please do not get a Flash Player update from anywhere but Adobe - period, full stop, never, 'cos you will get infected with the latest and best malware around… until we find a way to kill it, that is; then it will just get updated again.
Once this run is complete there will be a zip file in the following location: C:\_OTS\moved files. Could you upload that to Mediafire and post the sharing link please? I will then forward it to Avast. On completion of this, could you also download and install a fresh copy of Avast.
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Processes - Safe List]
YY -> svchost.exe -> C:\Windows\update.2\svchost.exe
YY -> svchost.exe -> C:\Windows\update.1\svchost.exe
[Win32 Services - Safe List]
YY -> (srvsysdriver32) srvsysdriver32 [Auto | Stopped] -> C:\Windows\sysdriver32.exe
[Registry - Safe List]
< HOSTS File > ([2011/07/24 22:53:08 | 000,203,160 | -H-- | M] - 100105 lines) -> C:\Windows\SysNative\Drivers\etc\hosts
YN -> Reset Hosts ->
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "14739484-loader2.exe" -> C:\Windows\TEMP\14739484-loader2.exe ["C:\Windows\TEMP\14739484-loader2.exe"]
YY -> "388915.exe" -> C:\Windows\TEMP\388915.exe ["C:\Windows\TEMP\388915.exe"]
YY -> "707159.exe" -> C:\Windows\TEMP\707159.exe ["C:\Windows\TEMP\707159.exe"]
YY -> "7835015.exe" -> C:\Users\Cristina\AppData\Local\Temp\7835015.exe ["C:\Users\Cristina\AppData\Local\Temp\7835015.exe"]
YY -> "8435151.exe" -> C:\Windows\TEMP\8435151.exe ["C:\Windows\TEMP\8435151.exe"]
YY -> "l1rezerv.exe" -> C:\Windows\l1rezerv.exe ["C:\Windows\l1rezerv.exe"]
YY -> "sysdriver32.exe" -> C:\Windows\sysdriver32.exe ["C:\Windows\sysdriver32.exe" rezerv]
YY -> "sysdriver32_.exe" -> C:\Windows\sysdriver32_.exe ["C:\Windows\sysdriver32_.exe" rezerv]
YY -> "systemup" -> C:\Windows\systemup.exe ["C:\Windows\systemup.exe" stand]
YN -> "tray_ico" -> []
YY -> "tray_ico0" -> C:\Windows\update.tray-7-0\svchost.exe [C:\Windows\update.tray-7-0\svchost.exe]
YN -> "tray_ico1" -> []
YN -> "tray_ico2" -> []
YN -> "tray_ico3" -> []
YN -> "tray_ico4" -> []
YY -> "wxpdrv" -> C:\Windows\services32.exe [C:\Windows\services32.exe]
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
YN -> "AlternateShell" -> services32.exe
[Files/Folders - Created Within 30 Days]
NY -> update.5.0 -> C:\Windows\update.5.0
NY -> update.2 -> C:\Windows\update.2
NY -> av_ico -> C:\Windows\av_ico
NY -> update.1 -> C:\Windows\update.1
NY -> update.tray-7-0-lnk -> C:\Windows\update.tray-7-0-lnk
NY -> update.tray-7-0 -> C:\Windows\update.tray-7-0
[Files/Folders - Modified Within 30 Days]
NY -> info1 -> C:\Windows\info1
NY -> sysdriver32_.exe -> C:\Windows\sysdriver32_.exe
NY -> sysdriver32.exe -> C:\Windows\sysdriver32.exe
NY -> systemup.exe -> C:\Windows\systemup.exe
NY -> geoiplist.rar -> C:\Windows\geoiplist.rar
NY -> unrar.exe -> C:\Windows\unrar.exe
NY -> loader2.exe_ok -> C:\Windows\loader2.exe_ok
NY -> services32.exe -> C:\Windows\services32.exe
NY -> geoiplist -> C:\Windows\geoiplist
[Files - No Company Name]
NY -> systemup.exe -> C:\Windows\systemup.exe
NY -> l1rezerv.exe -> C:\Windows\l1rezerv.exe
NY -> geoiplist -> C:\Windows\geoiplist
NY -> geoiplist.rar -> C:\Windows\geoiplist.rar
NY -> unrar.exe -> C:\Windows\unrar.exe
NY -> info1 -> C:\Windows\info1
NY -> loader2.exe_ok -> C:\Windows\loader2.exe_ok
NY -> sysdriver32_.exe -> C:\Windows\sysdriver32_.exe
NY -> sysdriver32.exe -> C:\Windows\sysdriver32.exe
NY -> services32.exe -> C:\Windows\services32.exe
[File - Lop Check]
NY -> com.eol.www.CelebAlarm.2B123E4CD5F151A829F44ECC827710372278488B.1 -> C:\Users\Cristina\AppData\Roaming\com.eol.www.CelebAlarm.2B123E4CD5F151A829F44ECC827710372278488B.1
NY -> com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1 -> C:\Users\Cristina\AppData\Roaming\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1
[Custom Scans]
YY -> svchost.exe : MD5=7A3BC4D258CBE30DFB0649EE863FAE25 -> C:\Windows\update.1\svchost.exe
YY -> svchost.exe : MD5=7A3BC4D258CBE30DFB0649EE863FAE25 -> C:\Windows\update.tray-7-0\svchost.exe
YY -> svchost.exe : MD5=7A3BC4D258CBE30DFB0649EE863FAE25 -> C:\Windows\update.tray-7-0-lnk\svchost.exe
YY -> svchost.exe : MD5=B29DC60E06AF2B9ED13E6C6935BC3670 -> C:\Windows\update.2\svchost.exe
YY -> svchost.exe : MD5=DDE08469DED554140851ACFFCB8F4802 -> C:\Windows\update.5.0\svchost.exe
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[ZipFiles]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.
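The Run-key entries in that fix show the pattern the helper is hunting: copies of svchost.exe outside System32, loaders in TEMP, orphaned values, executables dropped straight into C:\Windows, and a SafeBoot AlternateShell pointing at services32.exe. As an added example, not part of the thread or of OTS, here is a small Python filter that applies those checks to OTS-style Run lines; the sample lines, the "ExampleUpdater" entry and the function names are constructed for this example.

```python
import re

# Constructed sample in the OTS "Run [HKEY_LOCAL_MACHINE]" format used in the fix
# above; not a live log. The last entry is a benign one so the filter has something to pass.
SAMPLE_RUN_ENTRIES = r"""
YY -> "14739484-loader2.exe" -> C:\Windows\TEMP\14739484-loader2.exe ["C:\Windows\TEMP\14739484-loader2.exe"]
YY -> "tray_ico0" -> C:\Windows\update.tray-7-0\svchost.exe [C:\Windows\update.tray-7-0\svchost.exe]
YN -> "tray_ico1" -> []
YY -> "sysdriver32.exe" -> C:\Windows\sysdriver32.exe ["C:\Windows\sysdriver32.exe" rezerv]
YY -> "ExampleUpdater" -> C:\Program Files\Example\updater.exe ["C:\Program Files\Example\updater.exe"]
"""

# flags -> "value name" -> target path [command line]; path is empty for orphaned values
ENTRY_RE = re.compile(r'^(?P<flags>[YN]{2}) -> "(?P<name>[^"]*)" -> (?P<path>.*?)\s?\[(?P<cmd>.*)\]$')

# The only places a genuine svchost.exe lives on 64-bit Windows 7
SVCHOST_HOMES = (r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe")


def parse_run_entries(text):
    """Parse OTS-style Run key lines into (flags, name, path) tuples."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["flags"], m["name"], m["path"]))
    return entries


def suspicious_autoruns(text):
    """Return {value name: reason} for Run entries matching the patterns seen in this thread."""
    findings = {}
    for _flags, name, path in parse_run_entries(text):
        low = path.lower()
        if not path:
            findings[name] = "value points at nothing (orphaned autorun)"
        elif low.endswith("\\svchost.exe") and low not in SVCHOST_HOMES:
            findings[name] = "svchost.exe running from outside System32/SysWOW64"
        elif "\\temp\\" in low:
            findings[name] = "autorun target lives in a temp folder"
        elif re.fullmatch(r"c:\\windows\\[^\\]+\.exe", low) and low != r"c:\windows\explorer.exe":
            # explorer.exe legitimately sits in the Windows root; extend the allow-list as needed
            findings[name] = "unexpected executable dropped directly in C:\\Windows"
    return findings


def safeboot_shell_is_default(alternate_shell):
    """SafeBoot\\AlternateShell should be cmd.exe; anything else hijacks Safe Mode with Command Prompt."""
    return alternate_shell.strip().lower() == "cmd.exe"
```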
Thank you so much! Everything’s working fine! Zip file and log below. :]
All Processes Killed
[Processes - Safe List]
Process svchost.exe killed successfully!
C:\Windows\update.2\svchost.exe moved successfully.
No active process named svchost.exe was found!
C:\Windows\update.1\svchost.exe moved successfully.
[Win32 Services - Safe List]
Service srvsysdriver32 stopped successfully!
Service srvsysdriver32 deleted successfully!
C:\Windows\sysdriver32.exe moved successfully.
[Registry - Safe List]
HOSTS file reset successfully!
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14739484-loader2.exe deleted successfully.
C:\Windows\TEMP\14739484-loader2.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\388915.exe deleted successfully.
C:\Windows\TEMP\388915.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\707159.exe deleted successfully.
C:\Windows\TEMP\707159.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7835015.exe deleted successfully.
C:\Users\Cristina\AppData\Local\Temp\7835015.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8435151.exe deleted successfully.
C:\Windows\TEMP\8435151.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\l1rezerv.exe deleted successfully.
C:\Windows\l1rezerv.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdriver32.exe deleted successfully.
File C:\Windows\sysdriver32.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdriver32_.exe deleted successfully.
C:\Windows\sysdriver32_.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\systemup deleted successfully.
C:\Windows\systemup.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tray_ico deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tray_ico0 deleted successfully.
C:\Windows\update.tray-7-0\svchost.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tray_ico1 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tray_ico2 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tray_ico3 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tray_ico4 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxpdrv deleted successfully.
C:\Windows\services32.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell deleted successfully.
[Files/Folders - Created Within 30 Days]
C:\Windows\update.5.0 folder moved successfully.
C:\Windows\update.2 folder moved successfully.
C:\Windows\av_ico folder moved successfully.
C:\Windows\update.1 folder moved successfully.
C:\Windows\update.tray-7-0-lnk folder moved successfully.
C:\Windows\update.tray-7-0 folder moved successfully.
[Files/Folders - Modified Within 30 Days]
C:\Windows\info1 moved successfully.
File C:\Windows\sysdriver32_.exe not found!
File C:\Windows\sysdriver32.exe not found!
File C:\Windows\systemup.exe not found!
C:\Windows\geoiplist.rar moved successfully.
C:\Windows\unrar.exe moved successfully.
C:\Windows\loader2.exe_ok moved successfully.
File C:\Windows\services32.exe not found!
C:\Windows\geoiplist moved successfully.
[Files - No Company Name]
File C:\Windows\systemup.exe not found!
File C:\Windows\l1rezerv.exe not found!
File C:\Windows\geoiplist not found!
File C:\Windows\geoiplist.rar not found!
File C:\Windows\unrar.exe not found!
File C:\Windows\info1 not found!
File C:\Windows\loader2.exe_ok not found!
File C:\Windows\sysdriver32_.exe not found!
File C:\Windows\sysdriver32.exe not found!
File C:\Windows\services32.exe not found!
[File - Lop Check]
C:\Users\Cristina\AppData\Roaming\com.eol.www.CelebAlarm.2B123E4CD5F151A829F44ECC827710372278488B.1\Local Store#SharedObjects\CelebAlarm.swf folder moved successfully.
C:\Users\Cristina\AppData\Roaming\com.eol.www.CelebAlarm.2B123E4CD5F151A829F44ECC827710372278488B.1\Local Store#SharedObjects folder moved successfully.
C:\Users\Cristina\AppData\Roaming\com.eol.www.CelebAlarm.2B123E4CD5F151A829F44ECC827710372278488B.1\Local Store folder moved successfully.
C:\Users\Cristina\AppData\Roaming\com.eol.www.CelebAlarm.2B123E4CD5F151A829F44ECC827710372278488B.1 folder moved successfully.
C:\Users\Cristina\AppData\Roaming\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1\Local Store#SharedObjects folder moved successfully.
C:\Users\Cristina\AppData\Roaming\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1\Local Store#ApplicationUpdater folder moved successfully.
C:\Users\Cristina\AppData\Roaming\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1\Local Store folder moved successfully.
C:\Users\Cristina\AppData\Roaming\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1 folder moved successfully.
[Custom Scans]
File/Folder C:\Windows\update.1\svchost.exe not found.
File/Folder C:\Windows\update.tray-7-0\svchost.exe not found.
File/Folder C:\Windows\update.tray-7-0-lnk\svchost.exe not found.
File/Folder C:\Windows\update.2\svchost.exe not found.
File/Folder C:\Windows\update.5.0\svchost.exe not found.
[Custom Items]
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Cristina\Desktop\cmd.bat deleted successfully.
C:\Users\Cristina\Desktop\cmd.txt deleted successfully.
[Empty Temp Folders]
[*]Double-click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
To ensure that I get all the information this log will need to be attached (instructions at the end) if it is [b]to[/b] large to attach then upload to Mediafire and post the sharing link.
should be “too”, not “to”.
I know that for users where English is the natural language that correction is “almost” unnecessary, but it may not be such for an international forum like this. I also saw other suggestions (so to improve the correct understanding from non-English speakers), but they are more related to the specific writing style.