
[Resolved] Clock keeps resetting to 12 April 2016!


This topic is locked. 141 replies to this topic.

#136 Raktor (Teacher Emeritus, 3,114 posts)

Posted 17 November 2009 - 05:05 AM

  • Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :Files
    C:\ComboFix
    C:\cmdcons
    C:\WINDOWS\System32\cmd.execf
    C:\WINDOWS\NIRCMD.exe
    C:\WINDOWS\SWREG.exe
    C:\WINDOWS\SWXCACLS.exe
    C:\WINDOWS\SWSC.exe
    C:\WINDOWS\ERDNT
    C:\Qoobox
    C:\Documents and Settings\fabi\Desktop\ComboFix.exe
    C:\WINDOWS\PEV.exe
    C:\WINDOWS\MBR.exe
    C:\WINDOWS\sed.exe
    C:\WINDOWS\grep.exe
    C:\WINDOWS\zip.exe
    C:\32788R22FWJFW
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done

Make sure it reboots. Post the log. :)
Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation.
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.


#137 sdabbs (Authentic Member, 97 posts)

Posted 17 November 2009 - 06:33 AM

Shall I not bother with McAfee then? Here is the log:

    All processes killed
    ========== OTL ==========
    No active process named explorer.exe was found!
    ========== FILES ==========
    C:\ComboFix folder moved successfully.
    Folder move failed. C:\cmdcons\SYSTEM32 scheduled to be moved on reboot.
    C:\cmdcons folder moved successfully.
    C:\WINDOWS\System32\cmd.execf moved successfully.
    File\Folder C:\WINDOWS\NIRCMD.exe not found.
    C:\WINDOWS\SWREG.exe moved successfully.
    C:\WINDOWS\SWXCACLS.exe moved successfully.
    C:\WINDOWS\SWSC.exe moved successfully.
    C:\WINDOWS\ERDNT\subs\Users\00000004 folder moved successfully.
    C:\WINDOWS\ERDNT\subs\Users\00000003 folder moved successfully.
    C:\WINDOWS\ERDNT\subs\Users\00000002 folder moved successfully.
    C:\WINDOWS\ERDNT\subs\Users\00000001 folder moved successfully.
    C:\WINDOWS\ERDNT\subs\Users folder moved successfully.
    C:\WINDOWS\ERDNT\subs folder moved successfully.
    C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004 folder moved successfully.
    C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003 folder moved successfully.
    C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002 folder moved successfully.
    C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001 folder moved successfully.
    C:\WINDOWS\ERDNT\Hiv-backup\Users folder moved successfully.
    C:\WINDOWS\ERDNT\Hiv-backup folder moved successfully.
    C:\WINDOWS\ERDNT folder moved successfully.
    C:\Qoobox\TestC folder moved successfully.
    C:\Qoobox\Test folder moved successfully.
    C:\Qoobox\Quarantine\Registry_backups folder moved successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\Temp\logishrd folder moved successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\Temp folder moved successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers folder moved successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Common folder moved successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\Application Data\Macromedia folder moved successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\Application Data folder moved successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile folder moved successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\config folder moved successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32 folder moved successfully.
    C:\Qoobox\Quarantine\C\WINDOWS folder moved successfully.
    C:\Qoobox\Quarantine\C\Program Files\Common Files folder moved successfully.
    C:\Qoobox\Quarantine\C\Program Files folder moved successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\sean.DC59QB2J\Start Menu\Programs\Startup folder moved successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\sean.DC59QB2J\Start Menu\Programs folder moved successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\sean.DC59QB2J\Start Menu folder moved successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\sean.DC59QB2J folder moved successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService folder moved successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\fabi\Start Menu\Programs\Startup folder moved successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\fabi\Start Menu\Programs folder moved successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\fabi\Start Menu folder moved successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\fabi\Local Settings\Temp folder moved successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\fabi\Local Settings\Application Data\{2C55C526-E703-46F7-A298-7B23097490D5}\chrome\content folder moved successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\fabi\Local Settings\Application Data\{2C55C526-E703-46F7-A298-7B23097490D5}\chrome folder moved successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\fabi\Local Settings\Application Data\{2C55C526-E703-46F7-A298-7B23097490D5} folder moved successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\fabi\Local Settings\Application Data folder moved successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\fabi\Local Settings folder moved successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\fabi\Desktop folder moved successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\fabi\Application Data folder moved successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\fabi folder moved successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Documents folder moved successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\70686633 folder moved successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data folder moved successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users folder moved successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings folder moved successfully.
    C:\Qoobox\Quarantine\C folder moved successfully.
    C:\Qoobox\Quarantine folder moved successfully.
    C:\Qoobox\LastRun folder moved successfully.
    C:\Qoobox\BackEnv folder moved successfully.
    C:\Qoobox folder moved successfully.
    C:\Documents and Settings\fabi\Desktop\ComboFix.exe moved successfully.
    C:\WINDOWS\PEV.exe moved successfully.
    C:\WINDOWS\MBR.exe moved successfully.
    C:\WINDOWS\sed.exe moved successfully.
    C:\WINDOWS\grep.exe moved successfully.
    C:\WINDOWS\zip.exe moved successfully.
    File\Folder C:\32788R22FWJFW not found.
    ========== COMMANDS ==========
    [EMPTYTEMP]
    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    User: All Users
    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    User: fabi
    ->Temp folder emptied: 39724971 bytes
    ->Temporary Internet Files folder emptied: 18123789 bytes
    ->Java cache emptied: 1864291 bytes
    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    User: MCX1
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    User: sean
    User: sean.DC59QB2J
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    Windows Temp folder emptied: 109080 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes
    Total Files Cleaned = 57.08 mb
    OTL by OldTimer - Version 3.1.5.0 log created on 11172009_120054
    Files\Folders moved on Reboot...
    File\Folder C:\cmdcons\SYSTEM32 not found!
    Registry entries deleted on Reboot...
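A helper's first job with a log like this is to confirm that every path the fix script asked for is accounted for, including the one OTL could only clear on reboot. The following is an added Python example, not code from the thread or from OTL: the script and log excerpts are constructed from the ones posted above, and the line-format rules are assumptions about how OTL phrases each result.

```python
# Added example, not from the thread or from OTL: cross-check an OTL fix script
# against the log it produced, so nothing asked for is silently left behind.
# Script and log below are constructed from the posted ones; the line formats
# ("... moved successfully.", "File\Folder ... not found.") are assumptions.
import re
FIX_SCRIPT = """:Files
C:\\ComboFix
C:\\cmdcons
C:\\WINDOWS\\NIRCMD.exe
:Commands"""

OTL_LOG = """========== FILES ==========
C:\\ComboFix folder moved successfully.
Folder move failed. C:\\cmdcons\\SYSTEM32 scheduled to be moved on reboot.
C:\\cmdcons folder moved successfully.
File\\Folder C:\\WINDOWS\\NIRCMD.exe not found.
========== COMMANDS ==========
Files\\Folders moved on Reboot...
File\\Folder C:\\cmdcons\\SYSTEM32 not found!"""


def files_section(script):
    """Paths listed under :Files; the section ends at the next ':' header."""
    paths, active = [], False
    for line in (raw.strip() for raw in script.splitlines()):
        if line.startswith(":"):
            active = line.lower() == ":files"
        elif active and line:
            paths.append(line)
    return paths


def check_fix(script, log):
    """Map each requested path to 'moved', 'not found' or 'unaccounted'."""
    status = {}
    for path in files_section(script):
        p = re.escape(path)  # anchored so C:\Qoobox does not match C:\Qoobox\Test
        if re.search(rf"^{p}(?: folder)? moved successfully\.$", log, re.I | re.M):
            status[path] = "moved"
        elif re.search(rf"^File\\Folder {p} not found\.$", log, re.I | re.M):
            status[path] = "not found"  # nothing was there to remove
        else:
            status[path] = "unaccounted"  # inspect by hand before calling it clean
    return status


def deferred_paths(log):
    """Paths pushed to the reboot pass -> True if that pass moved them or found them gone."""
    after = log.split("moved on Reboot", 1)[1] if "moved on Reboot" in log else ""
    done = {}
    for m in re.finditer(r"^Folder move failed\. (.+?) scheduled to be moved on reboot\.$", log, re.M):
        done[m.group(1)] = bool(re.search(rf"{re.escape(m.group(1))}(?: folder)? (?:moved successfully|not found)", after, re.I))
    return done
```

Run `check_fix(FIX_SCRIPT, OTL_LOG)` and `deferred_paths(OTL_LOG)` on the posted log and every path resolves; a path left "unaccounted" or a deferred entry reported False is the cue to look again before declaring the machine clean.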

#138 Raktor (Teacher Emeritus, 3,114 posts)

Posted 17 November 2009 - 06:57 AM

I wouldn't recommend McAfee. If you've already installed a new antivirus program, just don't bother with it. Are you still experiencing any issues? It's looking all clean now. :)

#139 sdabbs (Authentic Member, 97 posts)

Posted 17 November 2009 - 07:04 AM

It's all clean? Excellent!! ^_^ Thank you so much for all of your hard work Raktor - and also thanks to Dave and any others that have helped out. It is great to see you guys work - I really thought there was no way out at one point! I wondered if you could put me in the right direction for something - I have a file (.ztl (digital sculpture)) that will not open (although I have saved it many times before, for some reason from the last save it will not open). Do you know of any way to fix a file like that? Or anybody/place that could fix it? Many thanks again :D

#140 Raktor (Teacher Emeritus, 3,114 posts)

Posted 17 November 2009 - 07:10 AM

I'll pass on your thanks to Dave... some from me as well. :P

Take a look at the Zbrush forums for your file problem.

Please open OTL.exe and click the 'Cleanup!' button.

You can then remove all of the logs/programs we've used.

Your current version of Adobe Reader is out of date, and may contain security issues. Please uninstall the version you have now from Add/Remove programs, and then download and install the latest Adobe Reader.

Your version of Java is outdated.
  • Please download JavaRa to your desktop and unzip it to its own folder.
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Now set a new Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

How to reduce your chances of infection in the future

Web Browsers
Internet Explorer does come pre-installed with all Windows machines - but this doesn't necessarily mean you have to use it! Because it is the most widely used browser, it is targeted by more malware writers, making you more susceptible to infection. There are many other free alternatives out there that offer better security, take one of these for a spin and see if it takes your fancy.
  • Mozilla Firefox
  • Google Chrome
  • Opera

WOT - Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for Firefox, Google Chrome and Internet Explorer.

If you would prefer to keep using Internet Explorer, follow these additional steps to make the browser more secure.
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.

Additional Security Measures
Keep your software up-to-date - You should be manually performing updates of your software once a week to ensure that you are current with anti-virus definitions and patched for any security vulnerabilities. This does not just apply to your anti-virus/anti-malware software; malware authors rely on exploiting commonly used software such as Java and Adobe Reader, which need to be kept up to date as well.

Keep Windows up-to-date - Use Windows Update regularly to stay current with security patches and service packs.

MVPS Hosts File - This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.

Firewalls - Without a firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient - but it only controls one way of the traffic (inbound). Simply using a Firewall in its default configuration can lower your risk greatly.

What Not To Do
The Perils of P2P File Sharing - Even if a P2P application is on the 'safe' list, malware can still be downloaded through infected files - executables, zip files and even MP3s. It is just not worth the risk.

Fake Security/Optimization Software - Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Additional Reading
How to prevent Malware - I strongly recommend that you read Miekiemoses' good advice

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
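The six Custom Level changes above are stored per zone in the registry, so they can be audited rather than re-clicked. The block below is an added Python example, not part of the post or of any tool it names; the registry path, the numeric value IDs and the Enable=0/Prompt=1/Disable=3 codes are assumptions about the IE zone-policy layout, not something the page states.

```python
# Added example, not from the thread: audit the current user's Internet-zone
# settings against the six values the post asks for. ZONE_KEY, the value IDs
# and the 0/1/3 codes are assumptions about the IE zone-policy layout.
PROMPT, DISABLE = 1, 3
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
RECOMMENDED = {  # value ID -> (name in the Custom Level dialog, target)
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialise and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}
NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}


def read_internet_zone():
    """Return {value ID: current DWORD} from HKCU on Windows, or None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    values = {}
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY)
    except OSError:
        return values  # zone key absent: nothing has ever been customised
    with key:
        for vid in RECOMMENDED:
            try:
                values[vid] = winreg.QueryValueEx(key, vid)[0]
            except FileNotFoundError:
                pass  # value absent: IE uses the zone template default, report as unknown
    return values


def audit(current):
    """One finding per setting that is missing or looser than the target.

    Enable (0) < Prompt (1) < Disable (3), so a stricter value than the
    target passes and only a looser or unknown one is reported."""
    findings = []
    for vid, (label, want) in RECOMMENDED.items():
        have = current.get(vid)
        if have is None or have < want:
            findings.append(f"{label}: is {NAMES.get(have, 'not set')}, set to {NAMES[want]}")
    return findings


if __name__ == "__main__":
    zone = read_internet_zone()
    print("\n".join(audit(zone)) or "all six settings meet the target" if zone is not None else "not on Windows")
```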

#141 sdabbs (Authentic Member, 97 posts)

Posted 18 November 2009 - 02:12 AM

OK, all done :D Many thanks again Raktor!!

#142 Raktor (Teacher Emeritus, 3,114 posts)

Posted 18 November 2009 - 06:00 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
