system
December 3, 2013, 8:51pm
1
Scanned with Avast this morning. Came up with some infections.
Win32:Dropper-gen
Win32:Malware-gen
I did a Malwarebytes scan a few minutes ago. Attached.
I also did a boot scan which did come up with some problems related. First, how do I get that report?
system
December 3, 2013, 8:52pm
2
Hello, where did Avast detect that?
system
December 4, 2013, 12:52am
5
Download and save AdwCleaner to your Desktop (direct link): http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner
Launch it (for Vista / 7 / 8, right-click and choose "Run as administrator"), then click on "Scan".
When it is done, click on "Clean" and post C:\Adwcleaner[Sx].txt
system
December 4, 2013, 2:08am
6
How long does this scan take? It has been going for quite a while.
It is saying:
Pending. Please uncheck elements you don’t want to remove.
system
December 4, 2013, 4:21am
7
Here is the ADWCleaner log.
system
December 4, 2013, 10:37am
8
Hello.
Launch OTL.exe:
If you have XP, double-click it.
If you have Vista or Windows 7 / 8, right-click it and choose "Run as administrator".
Click here to see how to configure it: http://www.archive-host.com/files/1897388/ecd939269bcc7cdfed2d2e726c22709a32db3067/OTL.PNG
Copy and paste what follows in bold into the "Customization" ("Personalization") box at the bottom of OTL:
HKCU\Software
HKLM\Software
HKCU\Software\Microsoft\Command Processor /s
HKLM\Software\Microsoft\Command Processor /s
%Homedrive%\*
%Homedrive%\*.
%Userprofile%\*
%Userprofile%\*.
%Allusersprofile%\*
%Allusersprofile%\*.
%LocalAppData%\*
%LocalAppData%\*.
%Userprofile%\Local Settings\Application Data\*
%Userprofile%\Local Settings\Application Data\*.
%programFiles%\*
%programfiles%\Google\Desktop\Install /s
%programFiles%\*.
%Systemroot%\Installer\*.
%Systemroot%\Temp\*.exe /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\system32\*.exe /lockedfiles
%systemroot%\system32\*.in*
%systemroot%\Tasks\*
%systemroot%\Tasks\*.
%systemroot%\system32\Tasks\*
%systemroot%\system32\Tasks\*.
%systemroot%\system32\drivers\*.sy* /lockedfiles
%systemroot%\system32\config\*.exe /s
%Systemroot%\ServiceProfiles\*.exe /s
%systemroot%\system32\*.sys
dir %Homedrive%\* /S /A:L /C
msconfig
activex
/md5start
explorer.exe
winlogon.exe
wininit.exe
volsnap.sys
atapi.sys
ndis.sys
cdrom.sys
i8042prt.sys
iastor.sys
tdx.sys
netbt.sys
afd.sys
/md5stop
netsvcs
safebootminimal
safebootnetwork
CREATERESTOREPOINT
Click on "Analyse".
At the end of the scan, Notepad will open with the two reports, OTL.txt and Extras.txt.
These files are on your Desktop.
Give the links to both files.
system
December 4, 2013, 2:07pm
9
Sending each report individually. Error message: too large. Hope this works.
system
December 4, 2013, 2:34pm
11
OK.
Select all of this blue text and press Ctrl+C:
explorer.exe
iexplore.exe
firefox.exe
msnmsgr.exe
Teatimer.exe
:OTL
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081126.003\NAVEX15.SYS -- (NAVEX15)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081126.003\NAVENG.SYS -- (NAVENG)
IE - HKLM\..\SearchScopes\{57A0A9D6-7B3C-4CCC-9F38-CBDA0DF2DD6E}: "URL" = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=irmsd103&cd=2XzuyEtN2Y1L1Qzu0DtDyDyBzzyDyBtAtB0EtD0A0B0D0BtBtN0D0Tzu0CyCzztCtN1L2XzutBtFtBtFzztFtCtByEyBtN1L1Czu1L1C1H1B1QtCtDtA&cr=98619568&ir=
IE - HKLM\..\SearchScopes\{D7D7E51C-4790-489C-BF78-9B7CA5C3183E}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-21-2496689375-1795694736-1448263659-1000\..\SearchScopes\{57A0A9D6-7B3C-4CCC-9F38-CBDA0DF2DD6E}: "URL" = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=irmsd103&cd=2XzuyEtN2Y1L1Qzu0DtDyDyBzzyDyBtAtB0EtD0A0B0D0BtBtN0D0Tzu0CyCzztCtN1L2XzutBtFtBtFzztFtCtByEyBtN1L1Czu1L1C1H1B1QtCtDtA&cr=98619568&ir=
IE - HKU\S-1-5-21-2496689375-1795694736-1448263659-1000\..\SearchScopes\{6D27FD24-A93D-4FE9-82BD-1630F0045217}: "URL" = http://search.avg.com/route/?d=4cb3188c&v=6.10.6.4&i=23&tp=chrome&q={searchTerms}&lng={language}&iy=&ychte=us
IE - HKU\S-1-5-21-2496689375-1795694736-1448263659-1000\..\SearchScopes\{864AD560-E997-43CA-B640-EF7A76453AA3}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3306061&CUI=UN38554777102902915&UM=2
IE - HKU\S-1-5-21-2496689375-1795694736-1448263659-1000\..\SearchScopes\{D7D7E51C-4790-489C-BF78-9B7CA5C3183E}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKU\S-1-5-21-2496689375-1795694736-1448263659-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-2496689375-1795694736-1448263659-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
FF - user.js - File not found
[2013/11/11 14:57:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Carole\AppData\Roaming\Mozilla\Firefox\Profiles\8bnq2e1v.default\extensions\staged
[2013/11/11 14:57:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Carole\AppData\Roaming\Mozilla\Firefox\Profiles\znyna0n8.default\extensions\staged
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {8660E5B3-6C41-44DE-8503-98D99BBECD41} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\S-1-5-21-2496689375-1795694736-1448263659-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-2496689375-1795694736-1448263659-1000\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-2496689375-1795694736-1448263659-1000\Software\Policies\Microsoft\Internet Explorer\restrictions present
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - File not found
O33 - MountPoints2\{359f69c8-271d-11e1-aa4b-0026187b353f}\Shell - "" = AutoRun
O33 - MountPoints2\{359f69c8-271d-11e1-aa4b-0026187b353f}\Shell\AutoRun\command - "" = J:\VZAccess_Manager.exe /z detect
O33 - MountPoints2\{359f69f6-271d-11e1-aa4b-0026187b353f}\Shell - "" = AutoRun
O33 - MountPoints2\{359f69f6-271d-11e1-aa4b-0026187b353f}\Shell\AutoRun\command - "" = K:\VZAccess_Manager.exe /z detect
O33 - MountPoints2\{473d4606-1d07-11e1-bfd3-0026187b353f}\Shell - "" = AutoRun
O33 - MountPoints2\{473d4606-1d07-11e1-bfd3-0026187b353f}\Shell\AutoRun\command - "" = J:\VZAccess_Manager.exe /z detect
O33 - MountPoints2\K\Shell - "" = AutoRun
O33 - MountPoints2\K\Shell\AutoRun\command - "" = K:\VZAccess_Manager.exe /z detect
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- Reg Error: Key error. File not found
O37 - HKU\S-1-5-21-2496689375-1795694736-1448263659-1000\...exe [@ = exefile] -- Reg Error: Key error. File not found
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - File not found
MsConfig - StartUpReg: DriverScanner - hkey= - key= - File not found
MsConfig - StartUpReg: Google Update - hkey= - key= - File not found
[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]
[2012/12/04 12:00:45 | 000,027,520 | ---- | C] () -- C:\Users\Carole\AppData\Local\dt.dat
[2012/01/02 09:55:43 | 000,001,290 | -HS- | C] () -- C:\Users\Carole\AppData\Local\702ao54ws08b66585568wakmrl1l858mpw2qq24801e
[2012/01/02 09:55:43 | 000,001,290 | -HS- | C] () -- C:\ProgramData\702ao54ws08b66585568wakmrl1l858mpw2qq24801e
[2007/10/12 13:56:51 | 004,194,441 | ---- | C] () -- C:\Users\Carole\AppData\Roaming\sdi.db
[2012/06/22 11:08:58 | 000,000,000 | ---D | M] -- C:\ProgramData\blekkotb_031
[2013/09/06 13:34:10 | 000,000,000 | ---D | M] -- C:\ProgramData\Spybot - Search & Destroy
[2012/06/22 10:35:21 | 000,000,000 | ---D | M] -- C:\Users\Carole\AppData\Local\blekkotb_031
[2013/09/06 13:34:10 | 000,000,000 | ---D | M] -- C:\Program Files\Spybot - Search & Destroy
:reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
""=-
[-HKEY_LOCAL_MACHINE\Software\SUPERAntiSpyware.com]
[-HKEY_LOCAL_MACHINE\Software\Symantec]
[-HKEY_LOCAL_MACHINE\Software\Safer Networking Limited]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=DWORD:0
:commands
[emptytemp]
Open OTL with right-click "Run as administrator", paste the text where you pasted before under "Personalization", and click "RUN FIX".
After the reboot, attach C:\_OTL\Moved Files\<date_and_hour>.txt
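As an added example that is not part of this thread: a read-only PowerShell audit of the same registry locations the OTL fix above rewrites (IE search scopes, proxy settings, IE restriction policies, MountPoints2 AutoRun commands, the firewall state of each profile and HKLM Run entries), so you can see what is actually there before and after the fix. It assumes an elevated PowerShell prompt on the machine being cleaned, and it reads HKCU in place of the HKU\S-1-5-21-... hive named in the OTL lines (the S-1-5-18/19/20 hives are not covered). It changes nothing.

```powershell
# Added example, not from the thread or from the OTL tool. Run elevated so the
# HKLM keys are readable. Assumption: Windows 7/8-era registry layout; HKCU is
# the logged-on user's hive (the HKU\S-1-5-21-... lines in the OTL log).
# Nothing below writes to the registry.

$findings = New-Object System.Collections.Generic.List[string]

function Add-Finding([string]$Area, [string]$Detail) {
    $findings.Add(("{0,-14} {1}" -f $Area, $Detail))
}

# 1. IE search scopes: every scope carries a URL; anything that is not the
#    engine the user chose (mysearchdial, conduit, ask, search.avg in the log
#    above) is a hijack candidate.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $base = "$hive\Software\Microsoft\Internet Explorer\SearchScopes"
    if (Test-Path $base) {
        Get-ChildItem $base | ForEach-Object {
            $url = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).URL
            if ($url) { Add-Finding 'SearchScope' ("{0} {1} -> {2}" -f $hive, $_.PSChildName, $url) }
        }
    }
}

# 2. Proxy settings: the log shows ProxyEnable = 1 with an empty ProxyOverride.
#    A proxy the user never configured routes all browser traffic elsewhere.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($inet.ProxyEnable -eq 1) {
    Add-Finding 'Proxy' ("ProxyEnable=1 ProxyServer='{0}' ProxyOverride='{1}'" -f $inet.ProxyServer, $inet.ProxyOverride)
}

# 3. IE restriction policies (OTL's O7 lines): values here lock the user out of
#    browser settings and are rarely set on a home machine.
$pol = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'
if (Test-Path $pol) {
    (Get-ItemProperty $pol).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { Add-Finding 'IERestriction' ("{0}={1}" -f $_.Name, $_.Value) }
}

# 4. MountPoints2 AutoRun commands (OTL's O33 lines): a stale J:\ or K:\ entry
#    is harmless once the device is gone; an .exe on a fixed drive is not.
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
if (Test-Path $mp) {
    Get-ChildItem $mp -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'command' -and $_.PSParentPath -match 'AutoRun' } |
        ForEach-Object {
            $cmd = (Get-ItemProperty $_.PSPath).'(default)'
            Add-Finding 'AutoRun' ("{0} -> {1}" -f ($_.PSPath -replace '^.*MountPoints2\\', ''), $cmd)
        }
}

# 5. Windows Firewall state per profile: the fix script writes EnableFirewall
#    for all three profiles, so verify what the value actually is afterwards.
foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$profile"
    $v = (Get-ItemProperty $key -ErrorAction SilentlyContinue).EnableFirewall
    Add-Finding 'Firewall' ("{0} EnableFirewall={1}" -f $profile, $(if ($null -eq $v) { '(not set)' } else { $v }))
}

# 6. HKLM Run entries whose target no longer exists (OTL's "File not found"):
#    orphans are noise, but an entry pointing into a user-writable path is not.
$run = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
(Get-ItemProperty $run -ErrorAction SilentlyContinue).PSObject.Properties |
    Where-Object { $_.Name -notmatch '^PS' } |
    ForEach-Object {
        # Strip a quoted path or trailing arguments to get the executable itself.
        $exe = ($_.Value -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        $exists = Test-Path $exe -ErrorAction SilentlyContinue
        Add-Finding 'Run' ("{0} -> {1} [{2}]" -f $_.Name, $_.Value, $(if ($exists) { 'present' } else { 'file not found' }))
    }

$findings | Sort-Object
```

Run it once before the OTL fix and once after the reboot; the SearchScope, Proxy and IERestriction lines should disappear, and the Firewall lines show you what the fix's EnableFirewall writes left in place so you can decide whether that is the state you want.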
system
December 4, 2013, 2:59pm
12
OTL stopped working about the time that it was ready to reboot. I had to shut down and reboot manually. What should I do? Should I redo the RUN FIX or should I send the report as is? Will wait for your reply.
system
December 4, 2013, 3:20pm
13
Just send this report: C:\_OTL\Moved Files\<date_and_hour>.log
system
December 4, 2013, 3:57pm
14
Okay, attempted to find this:
C:\_OTL\Moved Files\<date_and_hour>.log
Am not able to get past the Moved Files. I get the _OTL\Moved Files and when I click the Moved Files here is what I get: 12042013_084422
If I click that I get: C_Program Files and C_Program Data and C_Users
If I click either of them I get: C_Program Files Spybot - Search & Destroy
If I go beyond that it still does not give any log.
system
December 4, 2013, 5:10pm
15
Redo the RUN FIX in safe mode.
system
December 4, 2013, 5:45pm
16
Finally got it. Thanks for the safe mode suggestion.
system
December 4, 2013, 6:57pm
17
OK, it had already worked in normal mode; I don't understand why it didn't give a log.
Check whether Avast still detects what it did at the beginning of the topic.
system
December 4, 2013, 8:40pm
18
Avast clear
Malwarebytes detected one. Attached.
system
December 4, 2013, 10:48pm
19
system
December 4, 2013, 11:34pm
20
Okay, deleted the Temp folder.
About the other things that you posted about: are these things that I should be doing? A different PDF reader, etc. I guess I don't understand about that part. Also, about the Flash Player: is this something that you think I need? Or are you suggesting that I get away from Adobe? Just wondering.
Thank you so much for all of your help.