I'm a Vista 64-bit user. Last year Avast found a Win32:AutoRun-VM[Wrm] (filename: AutoRun.exe, located on G:, a virtual DVD drive), a VBS:Malware-gen (filename: AutoRun.inf, located on G:) and a JS:Redirector-B[Trj] (filename: CACHE_002, located in C:\Users\Me\AppData\Local\Mozilla\Firefox\Profiles\k4ytnxbl.default\Cache), and was able to quarantine them, so I didn't touch it. But last week I got an infected USB stick from a friend and I forgot to check it for viruses before I opened the folder. I did it later and Avast found some more dirtiness, namely: Win32:Oliga[Trj] (filename: tfk8.exe, location: H:, the USB stick), Win32:Rootkit-gen[Rtk] (filename: jwgkvsq.vmx, located in H:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665) and Win32:Crumpache[Cryp] (filename: vashar.exe, located in H:\SOMBORSKI). I have those files in quarantine also. So I did some more scans to be sure. In the boot scan Avast found one more thing: a Win32:Trojan-gen (filename: Reason4RpsPatch.zip, location: C:\Users\Me\Desktop\folder\folder\Reason 4 + Keygen + Patch RPS), but when I move it to the chest it shows two infected files: the one mentioned above and a Win32:Agent-AEXI[Trj] (filename: TuneUp Utilities 2009 8.0.2000\TuneUp Utilities 2009 8.0.2000.exe, location: C:\Users\Me\Desktop\folder\folder\TuneUp Utilities 2009 8.0.2000.rar). The weird thing is that the second file isn't seen in the boot scan log results. I'm sorry for writing it like this, but I can't find the Avast logs. Then I did an MBAM scan too, and MBAM found 8 more things that I accidentally deleted from quarantine (I know, a stupid thing to do). I shall attach a log file here of what it found. I'm also putting a TDSSKiller log here because it too found a suspicious item.

Some suspicious things that I've come across: a keygen.exe program is checking itself on its own in the DEP (Data Execution Prevention) exclusions; even if I disable it or remove it, it automatically comes back checked. The other weird thing is that I'm not only getting redirected sometimes; DNS seems not to be functioning like it should on my PC, or something like that. A lot of times when I click on a link I get the message that the server can't be reached, or that my IP settings are not valid, or that DNS isn't responding. An ISP employee checked the TCP/IP settings and he told me that the settings are OK. One more thing: I've noticed sometimes that the iGoogle footer on my iGoogle page is not aligned with the background, sort of like someone put a .jpg of the footer links in slightly crooked. Are those signs of a botnet zombie computer or something? Oh, and one last thing: today my friend's Gmail account was hacked and someone sent me a mail with a link from his address, and I clicked it because it looked genuine enough. The link is: hxxp://www.cumbredelvino.com/friends_links.php?widSID=84jk6 Some help would be greatly appreciated, and again apologies for the noobish post.
Additional info: I don't mean to bump a thread, but I just read that an OTS log would be handy for analysis, so I want to attach an OTS log. It was 240 KB, so I had to split it in two parts, one 156 KB and one 86 KB. But now a weird thing is happening: when I try to post it, the forum informs me that the file size exceeds 192 KB. I can't post it, so I will try to post one in each post.
Part two of OTS scanlog:
Hi, rather than saving the log, could you attach the log that OTS created on your desktop?
I can't; it says that the maximum is 192 KB and the log file size is 248 KB. Any suggestions?
Are you saving it as ANSI? Do not save as UNICODE.
Thank you for the replies, both of you. OK, now I'm attaching the ANSI version. It warned me that some characters will be lost, though. Hope it will do.
OK, nothing readily apparent there, so let's go deeper. On completion of this run, can you let me know what problems you are having? Also, is your ISP in Slovenia?
Download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
* Double click on ComboFix.exe and follow the prompts.
When finished, it will produce a log for you. Please include C:\ComboFix.txt in your next reply.
Hi, thanks again for helping me with this. To answer the ISP question: yes, my ISP is in Slovenia. As for the problems: the keygen.exe is still here, checked in the exclusions. I'm going to keep an eye out for anything else suspicious and write it here. Here is the ComboFix log.
ComboFix ran in reduced mode. Could you delete the copy from your desktop, download a fresh copy and then run that, please?
Hmmm, same thing now. When I start ComboFix it prompts me to click Yes to start in reduced mode, or No to exit. Any suggestions? One question: should I disconnect the internet while ComboFix is scanning or not? Here's the log.
Could you check that the time and date are correct on your computer, please?
Also, what problems are you having now?
Sorry for replying this late. Yes, my time and date seem to be correct, but the posting time written here is off. About the problems: I'm still getting weird mails from hijacked Gmail accounts, this time from my girlfriend's account. Oh, and keygen.exe is still here. My browser (Mozilla Firefox) is acting strange; I'm still getting strange long URLs, getting redirected and what not. It seems as if something is filtering Google results too, now and then. My iGoogle page seems to have a mind of its own. :D Those intermittent problems with DNS that I described before still persist. I don't know if it's malware or a corrupt registry; I can't say, it's small things, you know. I have a strong feeling that I don't have total control over my computer, and have some weird processes and services going on from time to time when idling. I remembered I had some problems with running cmd under admin privileges: something was blocking it, and it always ran cmd under guest privileges instead, even though I ran it as admin. Let me mention this too: today when I turned my PC on, Avast! wasn't in the startups anymore (due to the ComboFix scan yesterday?), so I had to repair it. Another thing: ComboFix set my Windows theme back to the default Aero theme. Well, that's what I can come up with at the moment, but I will post any other weird behaviours I remember if you want me to. Can I ask one more thing? Can mouclass.sys be a malevolent file disguised as a mouse driver?
"Can I ask one more thing? Can mouclass.sys be a malevolent file disguised as a mouse driver?" That is a legitimate file.
I would like to do a deeper analysis on this, plus you get a free AV scan thrown in ;D
Download AVPTool from here to your desktop.
Run the programme you have just downloaded to your desktop (it will be randomly named).
First we will run a virus scan:
On the first tab, select all elements down to Computer and then select Start scan.
Once it has finished, select Report and post that.
http://i1224.photobucket.com/albums/ee362/Essexboy3/avpfront.jpg
Do not close AVPTool or it will self-uninstall; if it does uninstall, then just rerun the setup file on your desktop.
Now an analysis scan:
Select the Manual Disinfection tab.
Press the Gather System Information button.
Once done, open the last report saved folder, then attach the zip file to your next post.
The file is located at C:\Users\<your name>\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip
http://i1224.photobucket.com/albums/ee362/Essexboy3/avpmanual.jpg
Hmmm, I'm not allowed to attach .zip files. Can I upload the .zip to Google Docs and paste the link here? Well, here is the autoscan report; I understood that I should check down to (and not including) Computer in the autoscan settings. Oh, by the way, I had some failed Windows updates in the past two years, if this is of any help. I can provide a list if needed.
The steps involved in removing a trojan are simple:
- Identify the trojan horse file on your hard disk.
- Find out how it is being started and take the necessary action to prevent it being restarted after a reboot.
- Reboot your machine and delete the trojan horse.
- Install Anti-Trojan Shield.
- See the Recovering from a System Compromise pages for more in-depth help on what else you may need to do.
Could you upload to Mediafire and post the sharing link, please?
"Oh, and keygen.exe is still here." What is the location of this file?
As the mail accounts are web based, the first thing to do is change the password; lots of webmail accounts get hacked.
Keygen.exe is excluding itself in the DEP. I can't see the location of the file from there. Maybe it is the keygen.exe that I accidentally deleted from MBAM's quarantine and now can't be removed from the DEP exclusions checklist. I searched my computer for any other keygens and found two more, but they appear to be clean when I scan them with Avast! and MBAM. OK, I'm going to change the passwords. Can I do it from this computer or is this a bad idea? Here's the link to the .zip file:
LOL, keygen. Were you trying to crack some software?
No need, as I can see no apparent malware on your system, but make the passwords strong: a mixture of numbers and letters.
Also, can you get me a screenshot of the DEP error?
And as stated by Dieselman, cracks are the ideal vector for infection, so you not only get a free programme, but lots and lots of free viruses.
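The DEP exclusion dialog only shows a program name, which is why the poster could not tell where keygen.exe lived or whether the file still existed. Windows stores that list in the registry as application-compatibility layers, one value per program under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers, where the value name is the full path and the data contains the DisableNXShowUI flag. The following PowerShell is an added example, not code from the thread or from any of the tools the helper recommended: it lists every DEP exclusion with its path, whether the file is still on disk, its embedded Authenticode status and its SHA-256. The key locations and the flag text are what Windows itself writes; the function names and the output layout are my own.

```powershell
# Added example (not from the thread). Lists DEP ("Data Execution Prevention")
# exclusions on Vista / Windows 7 straight from the registry, because the DEP
# dialog hides the full path. Run from an elevated PowerShell prompt.

$LayerKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',  # what the DEP dialog writes
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'   # per-user compat layers
)

function Get-FileSha256 {
    param([string]$Path)
    # SHA-256 via .NET so this also works on PowerShell 2.0, which has no Get-FileHash
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Get-DepExclusion {
    foreach ($key in $LayerKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }                  # PSPath, PSParentPath, ... are not values
            if ("$($p.Value)" -notmatch 'DisableNX') { continue }  # other compat layers are not DEP related
            $path   = $p.Name                                      # value name is the full executable path
            $exists = Test-Path -LiteralPath $path
            $status = 'file missing'
            $hash   = ''
            if ($exists) {
                # Only an embedded signature is checked here; OS files that are
                # catalog-signed can report NotSigned on older PowerShell, so
                # NotSigned alone is not evidence of tampering.
                $status = (Get-AuthenticodeSignature -FilePath $path).Status
                $hash   = Get-FileSha256 -Path $path
            }
            New-Object PSObject -Property @{
                Hive      = $key.Split(':')[0]
                Path      = $path
                Exists    = $exists
                Signature = $status
                SHA256    = $hash
            }
        }
    }
}

Get-DepExclusion | Format-List Hive, Path, Exists, Signature, SHA256

# An entry whose file no longer exists (Exists = False) is a stale value, which
# is one reason a program that has already been deleted can still appear ticked.
# Remove it by value name once the path has been noted, for example
#   Remove-ItemProperty -Path $LayerKeys[0] -Name 'C:\path\from\the\listing\keygen.exe'
# If the value reappears after a reboot, something still running is writing it
# back, and the executable it names is what to submit for analysis.
```

The SHA-256 column is there so the file can be looked up or submitted without sending the binary itself; the Signature column is only meaningful for an unsigned executable in a user-writable location (Temp, AppData, a downloads folder), which is the case worth chasing first.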