
ICE Cyber Crime virus on Windows XP [Solved]


  • This topic is locked
66 replies to this topic

#31 LMac

LMac

    Authentic Member

  • Authentic Member
  • PipPip
  • 42 posts

Posted 05 September 2014 - 02:34 PM

I did not get an "ACCEPT" box when I ran RogueKiller.

 

RogueKiller V9.2.9.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : https://www.adlice.c...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User : Joe Blow [Admin rights]
Mode : Scan -- Date : 09/05/2014  13:21:18

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 17 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aswMBR -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aswVmm -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\aswMBR -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\aswVmm -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{133E1BE7-4823-45B8-A4D6-09AE514650DC} | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{133E1BE7-4823-45B8-A4D6-09AE514650DC} | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{133E1BE7-4823-45B8-A4D6-09AE514650DC} | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{133E1BE7-4823-45B8-A4D6-09AE514650DC} | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2291903390-3433162778-840360825-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0  -> FOUND
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2291903390-3433162778-840360825-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0  -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[Rans.Gendarm] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt\Parameters | ServiceDll : C:\DOCUME~1\ALLUSE~1\APPLIC~1\50BC232.cpp  -> FOUND
[PUM.SearchPage] HKEY_USERS\S-1-5-21-2291903390-3433162778-840360825-1006\Software\Microsoft\Internet Explorer\Main | Search Page : http://rd.yahoo.com/...//www.yahoo.com  -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 44 (Driver: LOADED) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtAlertResumeThread[12] : Unknown @ 0x87057f38
[SSDT:Addr(Hook.SSDT)] NtAlertThread[13] : Unknown @ 0x87057fd0
[SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[17] : Unknown @ 0x86d5e3c0
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[19] : Unknown @ 0x86f43458
[SSDT:Addr(Hook.SSDT)] NtConnectPort[31] : Unknown @ 0x8714e1f8
[SSDT:Addr(Hook.SSDT)] NtCreateMutant[43] : Unknown @ 0x870bd4a8
[SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[52] : Unknown @ 0x86f43308
[SSDT:Addr(Hook.SSDT)] NtCreateThread[53] : Unknown @ 0x86e98da8
[SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[57] : Unknown @ 0x87073448
[SSDT:Addr(Hook.SSDT)] NtDuplicateObject[68] : Unknown @ 0x870955b8
[SSDT:Addr(Hook.SSDT)] NtFreeVirtualMemory[83] : Unknown @ 0x870cbbe0
[SSDT:Addr(Hook.SSDT)] NtImpersonateAnonymousToken[89] : Unknown @ 0x87057e08
[SSDT:Addr(Hook.SSDT)] NtImpersonateThread[91] : Unknown @ 0x87057ea0
[SSDT:Addr(Hook.SSDT)] NtLoadDriver[97] : Unknown @ 0x8716adf0
[SSDT:Addr(Hook.SSDT)] NtMapViewOfSection[108] : Unknown @ 0x870cbb28
[SSDT:Addr(Hook.SSDT)] NtOpenEvent[114] : Unknown @ 0x870bd410
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[122] : Unknown @ 0x86f3cbb0
[SSDT:Addr(Hook.SSDT)] NtOpenProcessToken[123] : Unknown @ 0x87095520
[SSDT:Addr(Hook.SSDT)] NtOpenSection[125] : Unknown @ 0x87073598
[SSDT:Addr(Hook.SSDT)] NtOpenThread[128] : Unknown @ 0x86f3cb28
[SSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[137] : Unknown @ 0x86f433b0
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[180] : Unknown @ 0x8704d890
[SSDT:Addr(Hook.SSDT)] NtResumeThread[206] : Unknown @ 0x86eb6e80
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[213] : Unknown @ 0x87084460
[SSDT:Addr(Hook.SSDT)] NtSetInformationProcess[228] : Unknown @ 0x870844f8
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[240] : Unknown @ 0x870734e0
[SSDT:Addr(Hook.SSDT)] NtSuspendProcess[253] : Unknown @ 0x870bd378
[SSDT:Addr(Hook.SSDT)] NtSuspendThread[254] : Unknown @ 0x86eb6f18
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[257] : Unknown @ 0x870bf310
[SSDT:Addr(Hook.SSDT)] NtTerminateThread[258] : Unknown @ 0x86eb6f90
[SSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[267] : Unknown @ 0x870845a0
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[277] : Unknown @ 0x86d5e318
[ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[307] : Unknown @ 0x870c1ac0
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[383] : Unknown @ 0x870c7ae0
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[414] : Unknown @ 0x86d697b0
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[416] : Unknown @ 0x870c7b58
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetRawInputData[428] : Unknown @ 0x870c1a38
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[460] : Unknown @ 0x86eff288
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[475] : Unknown @ 0x86d69728
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[476] : Unknown @ 0x86eff310
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[549] : Unknown @ 0x86f37290
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[552] : Unknown @ 0x86d6b8a0
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom1 : \Driver\redbook @ Unknown (\SystemRoot\System32\DRIVERS\redbook.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\redbook @ Unknown (\SystemRoot\System32\DRIVERS\redbook.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG SV1204H +++++
--- User ---
[MBR] f805a109462a5da52bf7725f32d6a765
[BSP] 44e76c70a7a409e06dba851ad28fef86 : Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 114485 MB
User = LL1 ... OK
User = LL2 ... OK

============================================
RKreport_SCN_09052014_073613.log - RKreport_SCN_09052014_091353.log




#32 LMac


Posted 05 September 2014 - 02:59 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 03-09-2014
Ran by Joe Blow at 2014-09-05 13:48:47 Run:2
Running from C:\Documents and Settings\Joe Blow\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presari...&c=2c02&lc=0409
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
SearchScopes: HKCU - DefaultScope {46A120EA-A6CA-427F-88AA-618F1920B282} URL = http://search.yahoo....=utf-8&fr=b1ie7
SearchScopes: HKCU - {46A120EA-A6CA-427F-88AA-618F1920B282} URL = http://search.yahoo....=utf-8&fr=b1ie7
SearchScopes: HKCU - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://nortonsafe.se...ct=sb&qsrc=2869
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UploadMgr => ""="Service"
C:\Documents and Settings\Administrator\Desktop\Hot Deals from Compaq.exe
Folder: C:\Documents and Settings\Administrator\WINDOWS
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
EmptyTemp:
end
*****************

HKCU\Software\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\Search Bar => value deleted successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Search Bar => value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{46A120EA-A6CA-427F-88AA-618F1920B282}" => Key deleted successfully.
"HKCR\CLSID\{46A120EA-A6CA-427F-88AA-618F1920B282}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}" => Key deleted successfully.
"HKCR\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => value deleted successfully.
"HKCR\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}" => Key deleted successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\UploadMgr" => Key deleted successfully.
C:\Documents and Settings\Administrator\Desktop\Hot Deals from Compaq.exe => Moved successfully.

========================= Folder: C:\Documents and Settings\Administrator\WINDOWS ========================

2014-09-04 13:50 - 2002-08-02 02:15 - 0000000 ____D () C:\Documents and Settings\Administrator\WINDOWS\system

====== End of Folder: ======

=========  ipconfig /flushdns =========

 

Windows IP Configuration

 

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=========  netsh winsock reset all =========

Sucessfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset.

========= End of CMD: =========



#33 LMac


Posted 05 September 2014 - 03:02 PM

Logs provided.

 

Programs seemed to uninstall OK.

 

Can I delete the programs and log files now?



#34 LiquidTension

LiquidTension

    SuperMember

  • Retired Classroom Teacher
  • 2,566 posts

Posted 05 September 2014 - 04:00 PM

We still have a little more work to do. Malware removal is not a simple process and requires numerous steps.

Please hang fire for the next set of instructions.


 

Would you like to help others with malware removal? Join our Classroom and learn how!


#35 LMac


Posted 05 September 2014 - 05:04 PM

Will do, thanks.



#36 LiquidTension


Posted 05 September 2014 - 06:36 PM

Hello Larry, 

 

Please confirm that you checked the two items requested in RogueKiller, and clicked Delete. 
 
STEP 1
AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Double-click AdwCleaner.exe to run the programme.
  • Follow the prompts. 
  • Click Scan
  • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate. 
  • Ensure anything you know to be legitimate does not have a checkmark, and click Clean
  • Follow the prompts and allow your computer to reboot
  • After rebooting, a log (AdwCleaner[S0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
 

STEP 2
Junkware Removal Tool (JRT)

  • Please download Junkware Removal Tool and save the file to your Desktop.
  • Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Double-click JRT.exe to run the programme.
  • Follow the prompts and allow the scan to run uninterrupted. 
  • Upon completion, a log (JRT.txt) will open on your desktop.
  • Re-enable your anti-virus software.
  • Copy the contents of JRT.txt and paste in your next reply.
     

STEP 3
Batch File

  • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    @echo off
    dir C:\Documents and Settings\Administrator\WINDOWS\system /s >C:\Documents and Settings\Joe Blow\Desktop\look.txt
    del %0
  • Click Format. Ensure Wordwrap is unchecked
  • Click File > Save As and name the file batchfile.bat
  • Select All Files as the Save as type.
  • Save the file to your Desktop
  • Locate batchfile.bat (XP) on your Desktop. Double-click the icon.
  • A log (look.txt) will be created on your Desktop. Copy the contents of the log and paste in your next reply.
     

======================================================

STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Did you delete the two items in RogueKiller?
  • AdwCleaner[S0].txt
  • JRT.txt
  • look.txt



#37 LMac


Posted 06 September 2014 - 09:29 AM

Adam, these are the 2 files you asked me to check and delete.

 

I did check and delete 2 files. The whole description in RogueKiller was not displayed, only about half. The half I could read matched, and they were the only 2 files that did match. They were the last two files in the list in RogueKiller.

 

I will do the next steps now and post the results in a few minutes

 

 

 

  • [Rans.Gendarm] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt\Parameters | ServiceDll : C:\DOCUME~1\ALLUSE~1\APPLIC~1\50BC232.cpp  -> FOUND

 

  • [PUM.SearchPage] HKEY_USERS\S-1-5-21-2291903390-3433162778-840360825-1006\Software\Microsoft\Internet Explorer\Main | Search Page : -> FOUND


#38 LMac


Posted 06 September 2014 - 09:43 AM

# AdwCleaner v3.309 - Report created 06/09/2014 at 08:35:56
# Updated 02/09/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 2 (32 bits)
# Username : Joe Blow - OLD_DESK_TOP
# Running from : C:\Documents and Settings\Joe Blow\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{DCABB943-792E-44C4-9029-ECBEE6265AF9}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{30F06672-0E95-41A9-80CB-DEE386AF99AD}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{30F06672-0E95-41A9-80CB-DEE386AF99AD}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\WEDLMNGR

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

*************************

AdwCleaner[R0].txt - [2163 octets] - [06/09/2014 08:32:32]
AdwCleaner[S0].txt - [2116 octets] - [06/09/2014 08:35:56]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2176 octets] ##########



#39 LMac


Posted 06 September 2014 - 09:55 AM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Microsoft Windows XP x86
Ran by Joe Blow on Sat 09/06/2014 at  8:44:53.73
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 09/06/2014 at  8:52:19.34
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#40 LMac


Posted 06 September 2014 - 10:05 AM

Step 3 Batchfile

I followed the directions and ensured wrap was off.

 

I ran the batch -  it did not produce a txt file and it deleted itself when finished.
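
Why the Step 3 batch file from post #36 produced no look.txt, shown as an added example that is not part of the original thread: both paths contain spaces and are unquoted, so cmd.exe ends the redirect target at the first space (C:\Documents) and passes the remaining fragments to dir as stray arguments. The version below quotes every path; using %USERPROFILE% for the logged-on user's profile folder and adding the /a switch are assumptions made here.

```bat
@echo off
rem Added example, not the helper's original batch file.
rem Assumptions: run by the logged-on user, so USERPROFILE points at
rem that user's profile folder; /a is added to list hidden and system files.
setlocal
set "TARGET=C:\Documents and Settings\Administrator\WINDOWS\system"
set "LOG=%USERPROFILE%\Desktop\look.txt"

rem Both paths contain spaces, so every use is wrapped in double quotes.
rem Without them cmd.exe ends the redirect target at the first space
rem and look.txt is never written to the Desktop.
if not exist "%TARGET%" (
    echo Folder not found: "%TARGET%" > "%LOG%"
    goto :cleanup
)

rem Errors such as File Not Found go to the same log as the listing.
dir /a /s "%TARGET%" > "%LOG%" 2>&1

:cleanup
endlocal
rem Delete this script by its full, quoted path.
del "%~f0"
```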




#41 LiquidTension


Posted 06 September 2014 - 10:15 AM

Hello, 
 
Let's try it a different way.

SystemLook

  • Please download SystemLook (x32) and save the file to your Desktop.
  • Double-click SystemLook.exe to run the programme.
  • Copy the entire contents of the codebox below and paste into the textfield.
    :dir
    C:\Documents and Settings\Administrator\WINDOWS\system /s
  • Click the [image] button to start the scan.
  • Upon completion, a log (SystemLook.txt) will open. Copy the contents of the log and paste in your next reply.
  • Note: If the log is very long, please attach the file instead of copy/pasting the contents. 
  • Click the [image] button.



#42 LMac


Posted 06 September 2014 - 10:22 AM

Norton classified it as a threat and deleted it.

 

Do you want me to turn off Norton?



#43 LiquidTension


Posted 06 September 2014 - 10:26 AM

Yes, please disable Norton temporarily.




#44 LMac


Posted 06 September 2014 - 10:29 AM

  • SystemLook 30.07.11 by jpshortstuff
    Log created at 09:26 on 06/09/2014 by Joe Blow
    Administrator - Elevation successful

    ========== dir ==========

    C:\Documents and Settings\Administrator\WINDOWS\system - Parameters: "/s"

    ---Files---
    None found.

    No folders found.

    -= EOF =-



#45 LiquidTension


Posted 06 September 2014 - 10:33 AM

Hi Larry, 

 

Looks like the folder is empty. Nothing of concern there. 

 

STEP 1
Batch File

  • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    @echo off
    rd /s /q "C:\Documents and Settings\Administrator\WINDOWS"
    del %0
  • Click Format. Ensure Wordwrap is unchecked
  • Click File > Save As and name the file batchfile.bat
  • Select All Files as the Save as type.
  • Save the file to your Desktop
  • Locate batchfile.bat (XP) on your Desktop. Double-click the icon.
     

STEP 2
Malwarebytes Anti-Malware (MBAM)

  • Please download Malwarebytes Anti-Malware Free to your Desktop.
  • Double-click mbam-setup.x.x.xxxx.exe (x represents the version #) and follow the prompts to install the programme. 
  • Launch the programme and select Update.
  • Once updated, click the Settings tab and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply. 
     

STEP 3
ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

  • Please download ESET Online Scan and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Double-click esetsmartinstaller_enu.exe to run the programme. 
  • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
  • Agree to the Terms of Use once more and click Start. Allow components to download.
  • Place a checkmark next to Enable detection of potentially unwanted applications.
  • Click Hide advanced settings. Place a checkmark next to:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Ensure Remove found threats is unchecked.
  • Click Start.
  • Wait for the scan to finish. Please be patient as this can take some time.
  • Upon completion, click esetListThreats.png. If no threats were found, skip the next two bullet points. 
  • Click esetExport.png and save the file to your Desktop, naming it something unique such as MyEsetScan.
  • Push the Back button.
  • Place a checkmark next to [image] and click [image].
  • Re-enable your anti-virus software.
  • Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Did the batch file run OK?
  • MBAM Scan log
  • ESET Online Scan log
