
Questions about Computer Hope's malware removal guide


SuperDave:

--- Quote ---should it take that long?
--- End quote ---
No. It should only be for a few moments. There are other problems. Did you try running MBAM in Safe Mode? If not, please try that. If it still doesn't work, please try this: You will have to create the disk on a working computer.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
***********************************
We are going to be using a Windows Recovery Environment to help disinfect the system so it may boot again.

Download the OTLPE Standard REATOGO Windows Recovery Environment.
Place a blank CD-R disc in to your CD burning drive.
Download OTLPEStd.exe and double-click on it to burn to a CD using the ISO Burner.
Reboot your system using the boot CD you just created.

Note : If you do not know how to set your computer to boot from CD follow the steps here
Your system should now display a REATOGO-X-PE desktop.
Double-click on the OTLPE icon.
When asked "Do you wish to load the remote registry", select Yes
When asked "Do you wish to load remote user profile(s) for scanning", select Yes
Ensure the box "Automatically Load All Remaining Users" is checked and press OK
OTL should now start. Change the following settings:
Change Drivers to Non-Microsoft
Press Run Scan to start the scan.
When finished, the file will be saved in drive C:\_OTL\MovedFiles
Copy this file to your USB drive if you do not have internet connection on this system
Please post the contents of the OTL.txt file in your reply.


myswtsins:
I tried rkill.exe a couple more times and it worked so I immediately ran exehelper (saved logs) and then Super Anti-Spyware which is still scanning 20 hrs later, it goes through files really slowly after a little while. Should I still do the Windows Recovery Environment after SAS finishes?

I am doing all of this in regular mode because you never stated whether I could do it in safe mode, just so you know. And I am on my brother's computer right now because mine is scanning so I will post the logs when SAS is done.

SuperDave:
If you can get the scans to run there's no need to do the OTLPE. Just post the logs whenever you can.

myswtsins:
The SAS scan did the same thing where I come back and it is on the main menu with no log recorded so I moved to trying to run the OTLPE but I am a little confused. Do you want me to start up with the CD, run the OTLPE scan and then install and run all the other programs (MBAM, SAS...)?

Also after clicking the OTLPE icon the pop ups did not follow your instructions. First it asked me to choose my Windows directory, when I chose Windows (C:) it said it was not Win 2000 or later (I always run XP) so I tried my WinNT folder (I have NEVER used WinNT, it just came with the PC) and it accepted it. I also did not find an option for Drivers - Non-Microsoft. It gave me Drivers - None - Use SafeList - All, I left it on Use SafeList (default) and ran a scan (last one).

Here are the old logs (I have encountered NEW problems since this though):
----
Rkill
-----
This log file is located at F:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as jen on 10/23/2010 at 22:54:45.


Services Stopped:


Processes terminated by Rkill or while it was running:

Rkill completed on 10/23/2010  at 23:01:07.

----
exehelper
----
exeHelper by Raktor
Build 20100414
Run at 23:15:21 on 10/23/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

----
MBAM - ran in safe mode
----

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4883

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

10/19/2010 3:09:20 PM
mbam-log-2010-10-19 (15-09-20).txt

Scan type: Quick scan
Objects scanned: 150440
Time elapsed: 8 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gkahiwifap (Trojan.Hiloti) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
F:\WINDOWS\gizcsckb.dll (Trojan.Hiloti) -> No action taken.
F:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WB8BVGUK\setup[1].exe (Trojan.FakeAlert) -> No action taken.


----
SAS - ran in safe mode (definitely did not scan as many files as in normal mode, about half the # of registry files)
----

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/26/2010 at 10:51 PM

Application Version : 4.44.1000

Core Rules Database Version : 5754
Trace Rules Database Version: 3566

Scan type       : Complete Scan
Total Scan Time : 03:27:12

Memory items scanned      : 273
Memory threats detected   : 0
Registry items scanned    : 7516
Registry threats detected : 0
File items scanned        : 269267
File threats detected     : 9

Trojan.Agent/Gen-Krazy
   F:\DOCUMENTS AND SETTINGS\JEN\APPLICATION DATA\HOTFIX.EXE
   F:\DOCUMENTS AND SETTINGS\JEN\LOCAL SETTINGS\TEMP\0.5321170746445714.EXE

Adware.Tracking Cookie
   convoad.technoratimedia.com [ F:\Documents and Settings\jen\Application Data\Macromedia\Flash Player\#SharedObjects\K6WJV3KA ]
   ia.media-imdb.com [ F:\Documents and Settings\jen\Application Data\Macromedia\Flash Player\#SharedObjects\K6WJV3KA ]
   www.naiadsystems.com [ F:\Documents and Settings\jen\Application Data\Macromedia\Flash Player\#SharedObjects\K6WJV3KA ]
   media.mtvnservices.com [ F:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\999866TD ]
   media1.break.com [ F:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\999866TD ]
   objects.tremormedia.com [ F:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\999866TD ]
   secure-us.imrworldwide.com [ F:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\999866TD ]


----
OTLPE
----

OTL logfile created on: 11/3/2010 10:18:43 PM - Run
OTLPE by OldTimer - Version 3.1.43.0     Folder = X:\Programs\OTLPE
Microsoft Windows 2000 Service Pack 4 (Version = 5.0.2195) - Type = SYSTEM
Internet Explorer (Version = 5.00.3700.1000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 89.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 127.99 Gb Total Space | 97.09 Gb Free Space | 75.85% Space Free | Partition Type: NTFS
Drive D: | 127.99 Gb Total Space | 10.95 Gb Free Space | 8.55% Space Free | Partition Type: NTFS
Drive E: | 170.10 Gb Total Space | 4.91 Gb Free Space | 2.89% Space Free | Partition Type: NTFS
Drive F: | 170.10 Gb Total Space | 141.72 Gb Free Space | 83.32% Space Free | Partition Type: NTFS
Drive G: | 982.13 Mb Total Space | 349.09 Mb Free Space | 35.54% Space Free | Partition Type: FAT
Drive X: | 282.52 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
 
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001
 
========== Win32 Services (SafeList) ==========
 
SRV - File not found [Unavailable] --  -- (IAS)
SRV - [2007/04/20 08:03:02 | 000,411,168 | ---- | M] (Acronis) [Auto] -- C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2003/06/19 12:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINNT\system32\wbem\WinMgmt.exe -- (WinMgmt)
SRV - [2003/06/19 12:05:04 | 000,147,728 | ---- | M] (VERITAS Software Corp.) [On_Demand] -- C:\WINNT\System32\dmadmin.exe -- (dmadmin)
SRV - [2003/06/19 12:05:04 | 000,119,568 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINNT\system32\mstask.exe -- (Schedule)
SRV - [2003/06/19 12:05:04 | 000,094,992 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINNT\system32\FAXSVC.EXE -- (Fax)
SRV - [2003/06/19 12:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINNT\system32\regsvc.exe -- (RemoteRegistry)
SRV - [2003/06/19 12:05:04 | 000,022,800 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINNT\system32\utilman.exe -- (UtilMan)
SRV - [2003/06/19 12:05:04 | 000,019,728 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINNT\system32\hidserv.exe -- (HidServ)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | System] --  -- (tga)
DRV - File not found [Kernel | System] --  -- (sglfb)
DRV - File not found [Kernel | System] --  -- (PCIDump)
DRV - File not found [Kernel | On_Demand] -- E:\PciCon.sys -- (PciCon)
DRV - File not found [Kernel | System] --  -- (lbrtfdc)
DRV - File not found [Kernel | System] --  -- (Changer)
DRV - [2007/09/02 18:09:14 | 000,392,320 | ---- | M] (Acronis) [Kernel | Boot] -- C:\WINNT\system32\drivers\timntr.sys -- (timounter)
DRV - [2007/09/02 18:09:14 | 000,032,768 | ---- | M] (Acronis) [File_System | Auto] -- C:\WINNT\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2007/09/02 18:09:13 | 000,120,992 | ---- | M] (Acronis) [Kernel | Boot] -- C:\WINNT\system32\drivers\snapman.sys -- (snapman)
DRV - [2007/04/13 05:11:08 | 006,704,736 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/06/19 12:05:04 | 000,369,104 | ---- | M] (VERITAS Software Corp.) [Kernel | Disabled] -- C:\WINNT\system32\drivers\dmboot.sys -- (dmboot)
DRV - [2003/06/19 12:05:04 | 000,137,936 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot] -- C:\WINNT\system32\drivers\dmio.sys -- (dmio)
DRV - [2003/06/19 12:05:04 | 000,060,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\parallel.sys -- (Parallel)
DRV - [2003/06/19 12:05:04 | 000,032,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\uhcd.sys -- (uhcd)
DRV - [2003/06/19 12:05:04 | 000,027,440 | ---- | M] (Microsoft Corporation) [File_System | Disabled] -- C:\WINNT\System32\drivers\efs.sys -- (EFS)
DRV - [2003/06/19 12:05:04 | 000,024,784 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\openhci.sys -- (openhci)
DRV - [2003/06/19 12:05:04 | 000,007,728 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\WINNT\System32\drivers\diskperf.sys -- (Diskperf)
DRV - [2003/06/19 12:05:04 | 000,007,312 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot] -- C:\WINNT\system32\drivers\dmload.sys -- (dmload)
DRV - [1999/12/07 08:00:00 | 000,021,712 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\rca.sys -- (RCA)
DRV - [1999/12/07 08:00:00 | 000,009,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\netdtect.sys -- (NetDetect)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
 
 
 
IE - HKU\x_ON_C\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKU\x_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
 
 
 
O1 HOSTS File: ([1999/12/07 08:00:00 | 000,000,734 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O3 - HKLM\..\Toolbar: (@msdxmLC.dll,-1@1033,&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx ()
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [Device Detector]  File not found
O4 - HKLM..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe (Maxtor)
O4 - HKLM..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINNT\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINNT\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINNT\System32\nwiz.exe ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\x_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\related.htm ()
O9 - Extra 'Tools' menuitem : @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\related.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINNT\system32\RNR20.DLL (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINNT\System32\wzcdlg.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINNT\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/09/02 17:33:33 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[1 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]
[1 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[1 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]
[1 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2007/09/02 17:32:47 | 000,021,952 | -H-- | C] () -- C:\Program Files\folder.htt
[2007/09/02 13:25:32 | 000,004,073 | ---- | C] () -- C:\WINNT\ODBCINST.INI
[2007/04/13 05:11:14 | 001,662,976 | ---- | C] () -- C:\WINNT\System32\nvwdmcpl.dll
[2007/04/13 05:11:14 | 001,019,904 | ---- | C] () -- C:\WINNT\System32\nvwimg.dll
[2007/04/13 05:11:14 | 000,466,944 | ---- | C] () -- C:\WINNT\System32\nvshell.dll
[2007/04/13 05:11:14 | 000,286,720 | ---- | C] () -- C:\WINNT\System32\nvnt4cpl.dll
[2007/04/13 05:11:12 | 001,470,464 | ---- | C] () -- C:\WINNT\System32\nview.dll
[1999/12/07 08:00:00 | 000,176,400 | ---- | C] () -- C:\WINNT\System32\qcut.dll
[1999/12/07 08:00:00 | 000,033,552 | ---- | C] () -- C:\WINNT\System32\efsadu.dll
[1999/12/07 08:00:00 | 000,007,265 | ---- | C] () -- C:\WINNT\System32\iasperf.ini
[1999/12/07 08:00:00 | 000,001,505 | ---- | C] () -- C:\WINNT\System32\faxperf.ini
[1999/12/07 08:00:00 | 000,000,023 | ---- | C] () -- C:\WINNT\welcome.ini
[1999/09/25 06:36:24 | 000,088,816 | ---- | C] () -- C:\WINNT\System32\drivers\lvcam.sys
[1999/09/25 06:36:22 | 000,017,424 | ---- | C] () -- C:\WINNT\System32\drivers\lvsound.sys
 
========== LOP Check ==========
 
[2007/09/08 10:14:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\x\Application Data\ACD Systems
 
========== Purity Check ==========
 
 
< End of report >

SuperDave:
Please run MBAM again and, this time, let it fix the infections. Then try booting in Normal Mode and run SAS and MBAM again.
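The reason for the re-run is visible in the MBAM log above: every detection ends in "No action taken", meaning the scan only reported the items and removed nothing. The following is an added example, not code from the thread or from Malwarebytes, that parses the detection sections of an MBAM 1.46 log in the format posted above and lists the items that were left unremediated; the sample input reuses the thread's own detection lines plus one constructed line.

```python
# Added example (not from the thread): parse the detection lines of a Malwarebytes'
# Anti-Malware 1.46 log and flag items reported as "No action taken", i.e. not removed.
import re
from dataclasses import dataclass

# Detail-section headers; in the detail part of the log each header ends with ':'.
SECTIONS = {
    "Memory Processes Infected", "Memory Modules Infected", "Registry Keys Infected",
    "Registry Values Infected", "Registry Data Items Infected", "Folders Infected",
    "Files Infected",
}
# One detection per line: "<item> (<threat name>) -> <action taken>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

@dataclass
class Detection:
    section: str
    item: str
    threat: str
    action: str

def parse_mbam_log(text: str) -> list[Detection]:
    """Return every detection from the detail part of the log, in file order."""
    detections: list[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        # Summary lines ("Files Infected: 2") carry a count; detail headers end in ':'.
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
        elif line and section is not None and not line.startswith("(No malicious"):
            m = DETECTION_RE.match(line)
            if m:
                detections.append(Detection(section, m["item"], m["threat"], m["action"]))
    return detections

def unremediated(text: str) -> list[Detection]:
    """Detections MBAM only reported; these need a re-run with removal enabled."""
    return [d for d in parse_mbam_log(text) if d.action.lower() == "no action taken"]

# Sample input: the detection lines from the thread's MBAM log, trimmed, plus one
# constructed line showing the wording MBAM uses when it does remove an item.
SAMPLE_LOG = r"""
Registry Values Infected: 1
Files Infected: 3
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gkahiwifap (Trojan.Hiloti) -> No action taken.
Files Infected:
F:\WINDOWS\gizcsckb.dll (Trojan.Hiloti) -> No action taken.
F:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WB8BVGUK\setup[1].exe (Trojan.FakeAlert) -> No action taken.
C:\constructed\example.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""
```

Running `unremediated(SAMPLE_LOG)` returns the three items MBAM left in place; a clean re-run would return an empty list.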
