I only see a globe icon under your avatar, that link takes me to your SkyDrive if I’m not mistaken. Am I to upload there? And also,
[quote]I only see a globe icon under your avatar[/quote]
click the [b]my messages[/b] button you see at the forum top
Thanks Pondus
Essexboy, I’m defeated. The flash drive I intended to use to upload those files was infected with whatever I have. I tried to place it in my friend’s Mac, but noticed another removable drive that wasn’t physically there. There were 802.1x connections made and signed by an outdated certificate; I think it was from a Thawte Servers CA, or something like that. I wrote down the enterprise number. It infected the Mac’s (MacBook Pro running 10.8.3) package contents of several programs, including Remote Desktop Connection. And I believe somehow it was able to tap into my phone, which had avast! Mobile Security and Anti-Theft installed, and it wiped my Nexus. When I boot my phone, it just stays stuck on the screen that says Google. Morale is quite low at this point, as I don’t have a safe way to transfer those files to you. I’d be willing to send you the USB or even my laptop. I’m not sure what to do anymore…
Let’s run an external virus check
Create an emergency repair USB drive:
Download Dr.Web LiveUSB to your desktop
[*]Connect a USB flash drive to the computer. Registering the plugging-in event takes no more than 10 seconds.
[*]Launch drwebliveusb.exe.
[*]The program will detect available USB devices automatically and prompt you to choose the one you’d like to use as an emergency repair drive. You can format the device if you like (a warning will be displayed before you proceed with formatting). In order to read the License Agreement, follow the corresponding link found in the program window (the page containing the license agreement text will be loaded in your default browser).
https://dl.dropbox.com/u/73555776/liveusb_ru.jpg
[*]To create a bootable USB flash drive, press the Create Dr.Web LiveUSB button.
[*]Files will be copied automatically.
[*]Once the copying process is completed, press the Exit button to close the application.
[*]Reboot the infected computer with the USB in the drive
[*]Ensure that the first boot device is USB - If you are not sure about that then see this page for instructions
[*]As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.
https://dl.dropboxusercontent.com/u/73555776/Live%20boot%20screen.png
[*]Use arrow keys to select DrWeb-LiveCD (Default)
https://dl.dropboxusercontent.com/u/73555776/drwebselect.JPG
[*]Press select objects for scanning
https://dl.dropboxusercontent.com/u/73555776/drwebfolders.JPG
[*]When the system is loaded, check the disks or folders you want to scan, and click on Start.
[*]The programme will now scan for and cure/delete any malware that it finds. Allow it to do so
https://dl.dropboxusercontent.com/u/73555776/drwebscan.JPG
[*]When it has completed
https://dl.dropboxusercontent.com/u/73555776/drwebscancomplete.JPG
[*]Select Open Report and copy to the USB
[*]Once completed reboot to normal Windows, and attach the report here
Will do. Those expired certificates came from “Thawte Premium Server CA”, the enterprise ID: AB9851FD-0E70yNA9 A1BB-A76… not sure if you can do anything with that, but I would love to figure out where this originated from and what exactly it is.
I think they had a batch of certificates stolen a while back, that may be part of it
Essexboy, this “virus” can create connections using Bluetooth technology and I believe it used the AirPort Utility on the Mac to peep around and look up surrounding items’ Bluetooth and MAC addresses, including my PlayStation 3. Any suggestions on how to temporarily stop it from spreading? After digging around and witnessing a MacBook Pro’s full capabilities, I think people should be required to fill out a background check before purchasing one. That type of utility is too dangerous in the wrong hands. Anyhow, I’ll be running the external virus check soon, possibly tonight, and should have the log soon. Also, is anything on this webpage associated with “dl.dropboxusercontent.com”?
That may be my screenshots as I store them there https://dl.dropboxusercontent.com/u/73555776/advanced8.JPG
Bluetooth in my opinion should be disabled unless you are actually using it, as it broadcasts your computer to all and sundry
I’ve had the Bluetooth on my new (or really old) replacement phone turned off since I inserted the SIM card into it, and prior to turning it on a couple of days ago, it hadn’t been powered on since 2011. When I was looking through my browser’s stored certificates today, I found one from ‘Thawte Premium Server’ again. How could that be possible?
Hopefully I’m not coming across as paranoid, but the last time this ‘virus’ got into my phone, it was able to download apps that could read my phone’s identity and state, create network connections, modify contents on the SD card, access my contacts, texts, etc…
Sorry for the delayed results of the external scan, I tried downloading the program at work, but it was about 244 MB so I’ll have to find an alternate method.
Hello again, and sorry for the extended delay in between posts. I was finally able to download the Dr.Web LiveUSB, but instead of downloading it directly to my desktop, the .exe file was transferred to my desktop via a new flash drive of mine. I was able to launch the program, briefly saw a dialogue box that said “Unable to create log file”, and then proceeded to create a bootable USB flash drive. The program completely copied its files, so I exited the application and rebooted, making sure to set the USB device priority as the first boot device, but nothing happened afterward. By nothing, I mean that my laptop booted Windows normally as if it were just ignoring the presence of the USB, so I decided to disable booting from the HDD, CD/DVD, and Network, leaving the only option to boot from USB in my BIOS. I noticed that it was in parentheses though, if that makes a difference. After making this change, I tried rebooting, but I just received a BIOS error telling me to insert a bootable device and press a key to continue or change my boot settings. What should I try next?
OK time for a rethink…
Download McShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives
https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG
Plug in the drive with DrWeb on and McShield will start a scan
Then get the log which will be here :
Start > all programs > MCShield > logs > all scans
Once done retry to create the USB bootable drive again
And post that
The computer that I am currently using has a firewall and proxy that prevent me from navigating to the URL to download McShield, is there any possibility that I could have the .exe file emailed to me?
Well, I downloaded and installed McShield via USB. Since I am using safe mode without networking, it didn’t update, but installed just fine. The initial scan that I ran found and renamed a suspicious file (C:/aaw7boot.cmd) but that was the only thing it returned. When I inserted the USB with DrWeb on it, McShield performed its scan of it, but didn’t return anything in the scan. I proceeded to reboot with the USB still being the first boot device, but [deep sigh], the Windows OS still boots…
Could you run a fresh OTL scan please with all users selected
Will do and post soon.
2 off-topic questions for you: 1. How much is the VPN service through avast!? 2. I’m sure it didn’t happen overnight, but how did you come to know as much as you do about computer security?
Secure vpn data http://www.avast.com/en-gb/secureline-vpn
I have spent several years at hands-on practice after spending a year being trained at G2G in malware removal
I have run an OTL scan for all users, but I’m not sure how I should go about uploading it anymore. After scrolling through the OTL log and a couple of random file folders that I didn’t recognize, I’ve decided that placing a USB from my laptop into a public computer is not a good idea. I can boot into safe mode w/ networking and upload directly from my infected PC, but I really don’t want to accidentally infect another PC.
I located a file folder titled “USBCONTROL” or something similarly named to that effect. It had a lot of “.ini” files and other configuration files in it that appeared to have something to do with my USB ports. Also, the application “Network Magic” has somehow been installed, and an older application, VMware, also has drivers in play.
I also noticed from the OTL log that I have 2 un-named alternate data streams that seem to have their origin in a temporary folder, and I also believe there were 4 entries in the Zero access check results. :-X
I’ll stop listing my findings now though and will wait for advice on how to get the log to you so that you may perform the real expert analysis. Thanks in advance!
DaRell
As it is just a .txt file it can be safely uploaded here to the forum. Presence of the zero access check is normal, as OTL scans specific registry keys and then shows the results. It does not mean that you have ZA.
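The OTL log above reports two un-named alternate data streams in a temporary folder. As an added example (not part of this thread, and not OTL's or Dr.Web's code), the PowerShell script below lists every NTFS alternate data stream under a folder so such entries can be inspected before anything is deleted or renamed. It is read-only. The folder path ($Root, defaulting to the Windows Temp directory) is an assumption; point it at the folder the log names.

```powershell
# Added example, not from the thread: enumerate NTFS alternate data streams (ADS)
# under a folder so that streams flagged in an OTL log can be looked at directly.
# Read-only: it changes nothing on disk.
# $Root is an assumed example location; replace it with the folder named in the log.
param(
    [string]$Root = "$env:SystemRoot\Temp"
)

function Get-ExtraStreams {
    param([string]$Path)
    # -Force includes hidden files; -File skips directories
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Get-Item -Stream * lists every stream of the file; ':$DATA' is the
            # file's ordinary content, so only the extra streams are kept.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        Select-Object FileName, Stream, Length
}

$streams = Get-ExtraStreams -Path $Root
if ($streams) {
    # A 'Zone.Identifier' stream is the usual benign case (mark-of-the-web on downloads).
    # Anything else, in particular an un-named or oddly named stream, deserves a closer look.
    $streams | Format-Table -AutoSize
} else {
    "No alternate data streams found under $Root"
}
```

To read the contents of one stream the table lists, use `Get-Content -LiteralPath <file> -Stream <name>`; the stream name comes from the `Stream` column. Running this from the infected machine in safe mode, and saving the output as a .txt file, gives the helper the same kind of text-only evidence as the OTL log without moving a USB drive between computers.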