danglinfury
Members; 17 posts
Everything posted by danglinfury
-
Rootkit and other active infections
danglinfury replied to danglinfury's topic in Resolved Malware Removal Logs
Sorry for the delay. I've installed AVG, Spybot and a firewall utility on the laptop. I've also had the 'security' conversation with my relative. Hopefully I'm done for a while! Thanks for all your help! -
Rootkit and other active infections
danglinfury replied to danglinfury's topic in Resolved Malware Removal Logs
Everything updated fine. The machine appears to be stable, no crashes or BSODs. Thanks for all of your help! -
Rootkit and other active infections
danglinfury replied to danglinfury's topic in Resolved Malware Removal Logs
Here are the contents of the OTL fix log:

All processes killed
========== OTL ==========
C:\Windows\assembly\Desktop.ini moved successfully.
File EY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 not found.
File EY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] not found.
File EY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 not found.
File EY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] not found.
File EY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 not found.
File EY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] not found.
Folder EY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64\ not found.
Folder EY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]\ not found.
Folder EY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64\ not found.
Folder EY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]\ not found.
Mount Point C:\Windows\system64 removed successfully!
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56468 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Emily
->Temp folder emptied: 74810 bytes
->Temporary Internet Files folder emptied: 163973529 bytes
->Java cache emptied: 1205385 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 76652 bytes
User: Public
->Temp folder emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 51593 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 17585878 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 175.00 mb
[EMPTYJAVA]
User: All Users
User: Default
User: Default User
User: Emily
->Java cache emptied: 0 bytes
User: Public
Total Java Files Cleaned = 0.00 mb
[EMPTYFLASH]
User: All Users
User: Default
->Flash cache emptied: 0 bytes
User: Default User
->Flash cache emptied: 0 bytes
User: Emily
->Flash cache emptied: 0 bytes
User: Public
Total Flash Files Cleaned = 0.00 mb
OTL by OldTimer - Version 3.2.69.0 log created on 06282013_175305
Files\Folders moved on Reboot...
C:\Users\Emily\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Emily\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y9DUGPHE\xd_arbiter[1].htm moved successfully.
C:\Users\Emily\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y9DUGPHE\xd_arbiter[2].htm moved successfully.
C:\Users\Emily\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MHG6TNT7\index[1].htm moved successfully.
C:\Users\Emily\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPXCCX42\fastbutton[1].htm moved successfully.
C:\Users\Emily\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CVMJTTGT\like[1].htm moved successfully.
C:\Users\Emily\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
File move failed. C:\Windows\temp\dsiwmis.log scheduled to be moved on reboot.
PendingFileRenameOperations files...
Registry entries deleted on Reboot...
-
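The OTL fix log above acted on two kinds of artefact worth being able to check by hand: a mount point at C:\Windows\system64, and CLSID\InProcServer32 registrations in both the native and Wow6432Node views of HKLM and HKCU. The PowerShell below is an added example, not part of the forum post and not code from OTL or Farbar. It lists reparse points directly under the Windows directory and CLSID InProcServer32 entries whose DLL is no longer on disk. It only reports and deletes nothing; the function names are this example's own, and it assumes a 64-bit, elevated session so both registry views are visible without WOW64 redirection.

```powershell
# Added example (not from the thread or from OTL/Farbar): report the two artefact
# types the OTL fix acted on. Run from a 64-bit, elevated PowerShell prompt.

# Resolve the (default) value of an InProcServer32 key to a file on disk.
# Handles quoted paths, %SystemRoot%-style variables and bare DLL names, which
# the loader resolves from the system directories. Returns $true if found.
function Test-InProcServerDll {
    param([Parameter(Mandatory)][string]$Value)
    $path = [Environment]::ExpandEnvironmentVariables($Value.Trim().Trim('"'))
    if ([IO.Path]::IsPathRooted($path)) { return (Test-Path -LiteralPath $path) }
    foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")) {
        if (Test-Path -LiteralPath (Join-Path $dir $path)) { return $true }
    }
    return $false
}

# Reparse points (junctions, mount points, symlinks) directly under %SystemRoot%,
# like the C:\Windows\system64 mount point removed in the log above.
function Get-WindowsReparsePoints {
    Get-ChildItem -Path $env:SystemRoot -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Type   = $_.LinkType              # Junction, SymbolicLink, ...
                Target = ($_.Target -join ';')
            }
        }
}

# CLSID keys whose InProcServer32 default value names a DLL that does not exist.
# The four roots are the hives/views the OTL fix checked.
function Get-DanglingInProcServers {
    $roots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID',
        'HKCU:\SOFTWARE\Classes\CLSID',
        'HKCU:\SOFTWARE\Classes\Wow6432Node\CLSID'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $inproc = Join-Path -Path $_.PSPath -ChildPath 'InProcServer32'
            if (-not (Test-Path -Path $inproc)) { return }   # 'return' = next item
            $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($dll)) { return }
            if (-not (Test-InProcServerDll -Value $dll)) {
                [pscustomobject]@{ Hive = $root; Clsid = $_.PSChildName; Dll = $dll }
            }
        }
    }
}

Write-Host "== Reparse points directly under $env:SystemRoot =="
Get-WindowsReparsePoints | Format-Table -AutoSize

Write-Host "== CLSID InProcServer32 entries whose DLL is missing =="
Get-DanglingInProcServers | Format-Table -AutoSize
```

Treat the second list as a triage list rather than a verdict: a normally used machine accumulates dangling CLSID entries from uninstalled software, so compare the output against a known-clean box of the same Windows build and look hardest at entries whose DLL path points into a user profile, ProgramData or a directory name that imitates a system one. A reparse point under the Windows directory that you did not create yourself is worth explaining in every case.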
Rootkit and other active infections
danglinfury replied to danglinfury's topic in Resolved Malware Removal Logs
Ok, here we go, another round of logs. No crashes this time. esetscan 6-27-13.txt Extras.Txt JRT.txt OTL.Txt AdwCleanerR1.txt AdwCleanerS2.txt -
Rootkit and other active infections
danglinfury replied to danglinfury's topic in Resolved Malware Removal Logs
Sorry about that, I should have caught that. Here is a full log. TDSSKiller.2.8.18.0_27.06.2013_17.18.30_log.txt -
Rootkit and other active infections
danglinfury replied to danglinfury's topic in Resolved Malware Removal Logs
Ok, sorry for the delay. I wasn't able to get everything to run properly at first. The machine hard booted a few times. I'm not sure if it's hardware related or related to the malware. I was eventually able to run all of the tools and I've attached the logs below. The PC seems to be stable now. It hasn't crashed for a few hours. checkup.txt ComboFix.txt mbar-log-2013-06-25 (21-51-02).txt system-log.txt TDSSKiller.2.8.18.0_25.06.2013_19.01.57_log.txt -
Rootkit and other active infections
danglinfury replied to danglinfury's topic in Resolved Malware Removal Logs
Hi D-FRED-BROWN, Thanks again for helping me out. It'd take me forever to clean this up (I'd probably just reformat, but I think my relatives wouldn't be happy about losing all their data; we're going to have a conversation about backing things up as well.) I ran the Farbar fix and was able to boot back into Windows. I've attached the log as requested. Thanks again, Danglinfury Fixlog.txt -
Hello, I've been volunteered to fix another PC for another relative. This one is stumping me as well. I believe the system is infected by at least one rootkit and other assorted malware. When I try to run MBAR the system freezes and I eventually have to hard boot. Additionally any time I try to access the internet the machine BSODs. I've managed to run the farbar scan tool and I've attached a copy of the farbar scan output I was able to create. Any help you can provide will be much appreciated! Thanks, Danglinfury FRST.txt
-
I loaded up the apps per your recommendations and I plan to relay the importance of the same to my family when I return this PC. Thanks again for all your help and sorry for the delay, real life intervened. I am going to open a thread for laptop #2 now. Thanks again!
-
Thanks D-FRED-BROWN! Those updates worked fine. I have another laptop I was volunteered to clean up (I'm sure you know the feeling). It has a rootkit or 2 on it as well as other assorted malware. I've tried running MBAR but the machine hard boots before the scan completes. Is farbar necessary to clean rootkits these days? Should I open another thread for this PC? I was hoping to clean this one up myself. I hate to impose further, you've been a huge help!
-
Ok, finished that round as well. The laptop seems to be running along fine. I haven't noticed any aberrant behavior for the last day or so. Here are the logs. 06232013_144428.log AdwCleanerS2.txt
-
Ok, finished that round. I think this may be the most infected PC I've ever worked on. AdwCleanerR1.txt esetscan.txt Extras.Txt JRT.txt OTL.Txt log.txt
-
Here is the scan link: https://www.virustotal.com/en/file/15362a48eff3ddd6c6d9b333cb7f5fe835b60a256b29467ad749dcfac6c761d3/confirmation/?ajax=false&detection-ratio=0/46&blob=AMIfv949Dn8Tw1RycTdAoM0jTENg1Pu3fgYPij-oT-bY1Jm1U7g2bbmLgLXtHKPmmUJlGuulqgv8DFIUGEoih6pz-sUOzw6FDSN9wVa_5scD0fysU8NZtR89YUA2ycWE-tTnWZiMMJQHNGGtjE5EaIo7kFIFBA3UpfCs0ACxJAxKQnOFYh0ObEE&last-analysis=1359009616&filename=C:%5CUsers%5CMatt%5CDesktop%5CCAXHWAZL.sys I definitely hit clean-up when I ran MBAR. The tool removed 1535 viruses, etc. on the first run/cleanup!
-
Here it is; the results of one more MBAR scan. system-log.txt mbar-log-2013-06-22 (09-12-40).txt
-
Ok I think I managed to run all of that correctly. Here are the outputs. The computer appears to be back to normal at this point. I plan to load some AV and AM utilities before returning the laptop. Is there anything specific I should do next as far as this virus goes? checkup.txt ComboFix.txt mbar-log-2013-06-20 (20-41-20).txt system-log.txt TDSSKiller.2.8.18.0_20.06.2013_20.34.09_log.txt
-
Hi D-FRED-BROWN, Thanks for helping me out. I'd love to know how you did that! I've attached my fixlog and I am able to log into Windows. Where do we go from here?

C:\ProgramData\20D335367C48AB99000020D31467AFE1 => Moved successfully.
C:\ProgramData\1.bmp => Moved successfully.
C:\Users\Matt\AppData\Local\2433f433 => Moved successfully.
C:\Users\Matt\AppData\Roaming\2433f433 => Moved successfully.
C:\ProgramData\2433f433 => Moved successfully.
C:\ProgramData\20D335367C48AB99000020D31467AFE1 => File/Directory not found.
C:\ProgramData\1.bmp => File/Directory not found.
C:\$Recycle.Bin\S-1-5-21-1942894320-713181200-141143642-1001\$693540b43f80fa17592f57901d1b0e79 => Moved successfully.
C:\Users\Matt\GoToAssistDownloadHelper.exe => Moved successfully.
C:\Users\Matt\AppData\Roaming\skype.dat => Moved successfully.

Thanks, Ray
-
Hello. I am trying to fix a laptop running Win7 64bit for a relative. This machine is infected with the Moneypak virus to the point that I cannot access safe mode or anything else for that matter. I've attached a copy of the farbar scan output I was able to create. I hope I did that correctly. I'd love to know the magic you are using to create the custom scripts used to enable someone to boot into windows. Anyway, any help you can provide is much appreciated. FRST.txt