system
September 17, 2012, 7:49pm
1
I ran Avast and it said I have a Trojan-gen and moved it to the chest, but it will not let me delete it.
I ran Malware
Malwarebytes Anti-Malware (Trial) 1.65.0.1400
www.malwarebytes.org
Database version: v2012.09.14.06
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
wendy :: WENDY-4K7CO2TYJ [administrator]
Protection: Enabled
9/17/2012 1:30:00 PM
mbam-log-2012-09-17 (13-30-00).txt
Scan type: Full scan (C:|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 243079
Time elapsed: 31 minute(s), 32 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
And it did not find anything.
How do I get this off my computer?
DavidR
September 17, 2012, 8:05pm
2
What is the file name and location of the detection?
What reason was given for being unable to deal with it?
system
September 17, 2012, 8:13pm
3
It moved it to the chest, but it greyed out where you delete and apply.
I have a print screen of the internet error that I am getting, but I do not know how to attach it here.
DavidR
September 17, 2012, 8:17pm
4
Use the Attachments and other options link (expands) in the reply window to attach the screenshot.
system
September 17, 2012, 8:36pm
5
Here are the logs. I am working on the screenshot; it says it's too large.
system
September 17, 2012, 8:40pm
6
Infection Details
URL: hxxp://17.feedadvertising12.com/2feed?ty…
Process: C:\Program Files\Mozilla Firefox\firefox…
Infection: URL:Mal
I can't get the screenshot to send, but here is what it says.
DavidR
September 17, 2012, 10:20pm
7
A malware removal specialist has been informed of your topic.
There may be some delay due to differing time zones and availability of the volunteer malware removal specialists.
Please 'modify' your post and change the URL from http to hXXp, to break the link and avoid accidental exposure to suspect sites, thanks.
Let me know if this stops it.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
- Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following:
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:OTL
IE - HKU\S-1-5-21-746137067-1993962763-839522115-1004\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzutAtN2Y1L1QzutDtDtCyBtAtCyE0B0AtBtBtDtC0CtDzytN0D0TzutBtDtCtBtDyCtCtB&cr=1531058913
IE - HKU\S-1-5-21-746137067-1993962763-839522115-1004\..\SearchScopes\{14D3E54A-5163-A1DA-9E7D-3FD7FF3038A1}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=109935&tt=060612_8_&babsrc=SP_ss&mntrId=0cd31c090000000000000017314ba220
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{69023299-FD32-11E1-8271-B8AC6F996F26}: C:\Documents and Settings\wendy\Local Settings\Application Data\{69023299-FD32-11E1-8271-B8AC6F996F26}\ [2012/09/12 19:34:46 | 000,000,000 | ---D | M]
[2012/09/12 19:34:46 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\DOCUMENTS AND SETTINGS\WENDY\LOCAL SETTINGS\APPLICATION DATA\{69023299-FD32-11E1-8271-B8AC6F996F26}
[2012/06/12 10:20:32 | 000,002,352 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
O4 - HKLM..\Run: [lcsas] C:\Documents and Settings\wendy\Application Data\lcsas.dll ()
[2012/09/17 15:12:54 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\wendy\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
[2012/06/12 10:27:10 | 000,302,425 | ---- | C] () -- C:\Documents and Settings\wendy\Local Settings\Application Data\funmoods-speeddial.crx
:Files
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
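As an added illustration, not part of the thread and not OTL's own code, here is a small Python triage script for the three kinds of OTL report entry the fix script above targets: an O4 Run-key autostart that loads a DLL from the user profile, a file whose name is made of non-ASCII characters, and an IE SearchScope whose URL points at an unexpected host. The sample report, the placeholder SID and the list of expected search hosts are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in OTL's report format, modelled on the entries in the fix
# script above. The SID is a placeholder; the last file name uses high-byte characters.
SAMPLE = """\
IE - HKU\\S-1-5-21-EXAMPLE-1004\\..\\SearchScopes\\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://start.funmoods.com/results.php?q={searchTerms}
O4 - HKLM..\\Run: [lcsas] C:\\Documents and Settings\\wendy\\Application Data\\lcsas.dll ()
O4 - HKLM..\\Run: [avast] C:\\Program Files\\AVAST Software\\Avast\\avastUI.exe (AVAST Software)
[2012/09/17 15:12:54 | 000,000,000 | ---- | M] () -- C:\\Documents and Settings\\wendy\\Local Settings\\Application Data\\\u00b9\u00ba\u00bb\u00bc\u00bd
[2012/06/12 10:20:32 | 000,002,352 | ---- | M] () -- C:\\Program Files\\mozilla firefox\\searchplugins\\babylon.xml
"""

# Patterns for the three OTL entry shapes seen in the fix script.
RUN_RE = re.compile(r'^O4 - (?P<hive>\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*?) \((?P<vendor>.*)\)$')
FILE_RE = re.compile(r'^\[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attr>\S+) \| [MC]\] \((?P<vendor>.*?)\) -- (?P<path>.*)$')
SCOPE_RE = re.compile(r'^IE - .*\\SearchScopes\\(?P<guid>\{[^}]+\}): "URL" = (?P<url>\S+)$')

# Assumed allow-list: search hosts the reviewer expects; anything else is listed for review.
EXPECTED_SEARCH_HOSTS = {"www.bing.com", "www.google.com"}
# Writable per-user directories an HKLM Run entry would not normally load code from.
USER_PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\appdata\\")


def triage(report):
    """Return (indicator, detail) pairs for report lines matching the heuristics above."""
    findings = []
    for line in report.splitlines():
        m = RUN_RE.match(line)
        if m:
            # Autostart entry whose binary lives in the user profile and carries no vendor info.
            if any(d in m["path"].lower() for d in USER_PROFILE_DIRS) and not m["vendor"]:
                findings.append(("run-key-user-profile", f'{m["name"]} -> {m["path"]}'))
            continue
        m = FILE_RE.match(line)
        if m:
            name = m["path"].rsplit("\\", 1)[-1]
            if not name.isascii():  # names built from high-byte characters, as in the fix script
                findings.append(("non-ascii-filename", m["path"]))
            continue
        m = SCOPE_RE.match(line)
        if m:
            host = urlsplit(m["url"]).hostname or ""
            if host not in EXPECTED_SEARCH_HOSTS:
                findings.append(("search-scope-host", f'{m["guid"]} -> {host}'))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE):
        print(f"{indicator}: {detail}")
```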
system
September 18, 2012, 5:13pm
9
How long should this take? I think it may be frozen up. Will I get a message when it is done?
OK, that is MBAM blocking it.
Stop OTL and then re-run it with this fix script:
:OTL
IE - HKU\S-1-5-21-746137067-1993962763-839522115-1004\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzutAtN2Y1L1QzutDtDtCyBtAtCyE0B0AtBtBtDtC0CtDzytN0D0TzutBtDtCtBtDyCtCtB&cr=1531058913
IE - HKU\S-1-5-21-746137067-1993962763-839522115-1004\..\SearchScopes\{14D3E54A-5163-A1DA-9E7D-3FD7FF3038A1}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=109935&tt=060612_8_&babsrc=SP_ss&mntrId=0cd31c090000000000000017314ba220
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{69023299-FD32-11E1-8271-B8AC6F996F26}: C:\Documents and Settings\wendy\Local Settings\Application Data\{69023299-FD32-11E1-8271-B8AC6F996F26}\ [2012/09/12 19:34:46 | 000,000,000 | ---D | M]
[2012/09/12 19:34:46 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\DOCUMENTS AND SETTINGS\WENDY\LOCAL SETTINGS\APPLICATION DATA\{69023299-FD32-11E1-8271-B8AC6F996F26}
[2012/06/12 10:20:32 | 000,002,352 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
O4 - HKLM..\Run: [lcsas] C:\Documents and Settings\wendy\Application Data\lcsas.dll ()
[2012/09/17 15:12:54 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\wendy\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
[2012/06/12 10:27:10 | 000,302,425 | ---- | C] () -- C:\Documents and Settings\wendy\Local Settings\Application Data\funmoods-speeddial.crx
:Files
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c
:Commands
[purity]
[resethosts]
[emptyjava]
[CREATERESTOREPOINT]
[Reboot]
system
September 18, 2012, 7:33pm
11
Here is the log with the new script.
Are you still getting the alerts?
system
September 19, 2012, 12:01pm
13
No, but now I am getting this.
DavidR
September 19, 2012, 12:36pm
14
Your text file attachment is empty.
Could you expand slightly?