help with stubborn virus
mbsouthpaw1 replied to mbsouthpaw1's topic in Resolved Malware Removal Logs
OK, I'm thinking I'm on the right track now. Should have looked up the DWH temp thing!! Thank you again. I'll work with Symantec and such to clean up this last problem. Mike -
help with stubborn virus
mbsouthpaw1 replied to mbsouthpaw1's topic in Resolved Malware Removal Logs
I have to attach the file; it was too long when I attempted to cut and paste. symantec risk log 101613.txt -
help with stubborn virus
mbsouthpaw1 replied to mbsouthpaw1's topic in Resolved Malware Removal Logs
OK, any ideas on what could be causing the hundreds of Trojan.gen.2 to pop up in increasing numbers in the past 2 weeks? Thank you in advance MrC. -
help with stubborn virus
mbsouthpaw1 replied to mbsouthpaw1's topic in Resolved Malware Removal Logs
RogueKiller V8.7.4 [Oct 16 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : mbelchik [Admin rights]
Mode : Scan -- Date : 10/16/2013 14:39:32
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost
192.168.164.23 domsat
192.168.164.23 domsat.yuroktribe.nsn.us
192.168.164.126 ytep-sql
192.168.164.126 ytep-sql.yuroktribe.nsn.us
192.168.168.12 fiscalsql
192.168.168.1 ytmain
192.168.168.1 ytmain.yuroktribe.nsn.us
192.168.168.12 fiscalsql.yuroktribe.nsn.us
192.168.168.4 www.myspace.com
192.168.168.4 myspace.com
127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 www.abcsearcher.com #[spamdexing][Microsoft.Strider]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 adserver.adbunker.com
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net
127.0.0.1 c.abnad.net #[iE-SpyAd]
[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) (Standard disk drives) - TOSHIBA MK2561GSYFN +++++
--- User ---
[MBR] f151f49702d3728140a62fbf3881ba92
[bSP] 6bce99382969da86bc939937211cb209 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 750 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1617920 | Size: 237684 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_10162013_143932.txt >> -
help with stubborn virus
mbsouthpaw1 replied to mbsouthpaw1's topic in Resolved Malware Removal Logs
I had 637 Trojan horse detections today; and this was the exact symptom that caused me to contact you, although there were fewer detections when we started. I'm just thinking that maybe something happened during the clean, or there's some evidence of what's still going on in the system (maybe if I run roguekiller and such it will show up again?). I unplug from the internet (manually shut off the wireless) and the notifications keep coming. Is that what you were asking me? -
help with stubborn virus
mbsouthpaw1 replied to mbsouthpaw1's topic in Resolved Malware Removal Logs
Hi there MrC. It appears that the virus is back. I'm getting the same symptoms as when I started (i.e. something's allowing or writing Trojan horse (gen.2) into the system). Would it be productive to try from the start again? I did not try the paypal yet, because I'm still worried about logging on to sensitive sites. MrB -
help with stubborn virus
mbsouthpaw1 replied to mbsouthpaw1's topic in Resolved Malware Removal Logs
OK, thanks MrC. I posted some positive feedback on your profile page, and working on the paypal thing. You were a great help. -
help with stubborn virus
mbsouthpaw1 replied to mbsouthpaw1's topic in Resolved Malware Removal Logs
OK, did most of it; but by "manual delete" you mean move the files and/or application and/or folders to recycle and then empty the recycling bin? -
help with stubborn virus
mbsouthpaw1 replied to mbsouthpaw1's topic in Resolved Malware Removal Logs
Ran the security check...

Results of screen317's Security Check version 0.99.74
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 10
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Symantec Endpoint Protection
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
MVPS Hosts File
Malwarebytes Anti-Malware version 1.75.0.1300
JavaFX 2.1.1
Java 6 Update 31
Java 7 Update 25
Java version out of Date!
Adobe Reader 10.1.8 Adobe Reader out of Date!
Mozilla Firefox 12.0 Firefox out of Date!
Google Chrome 29.0.1547.76
Google Chrome 30.0.1599.69
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 3%
````````````````````End of Log`````````````````````` -
help with stubborn virus
mbsouthpaw1 replied to mbsouthpaw1's topic in Resolved Malware Removal Logs
OK, meeting was canceled; I will run the software mentioned above and paste log in. -
help with stubborn virus
mbsouthpaw1 replied to mbsouthpaw1's topic in Resolved Malware Removal Logs
Thank you for getting back to me. I will have to pick this up this afternoon; I have a work meeting today. Mike -
help with stubborn virus
mbsouthpaw1 replied to mbsouthpaw1's topic in Resolved Malware Removal Logs
I cannot thank you enough, MrC. I don't have a paypal, but I'll try to get one up and running and send you something; I've been meaning to do that anyway. One final question: given the warning you sent me about the zeroaccess, should I still be nervous? Is my only absolute guarantee to wipe the system? I don't handle confidential customer data, but I do personal banking on the machine. MrB (yes, those are really my initials) -
help with stubborn virus
mbsouthpaw1 replied to mbsouthpaw1's topic in Resolved Malware Removal Logs
Done, thanks for responding.

RogueKiller V8.7.2 [Oct 3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : mbelchik [Admin rights]
Mode : Scan -- Date : 10/14/2013 17:14:23
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost
192.168.164.23 domsat
192.168.164.23 domsat.yuroktribe.nsn.us
192.168.164.126 ytep-sql
192.168.164.126 ytep-sql.yuroktribe.nsn.us
192.168.168.12 fiscalsql
192.168.168.1 ytmain
192.168.168.1 ytmain.yuroktribe.nsn.us
192.168.168.12 fiscalsql.yuroktribe.nsn.us
192.168.168.4 www.myspace.com
192.168.168.4 myspace.com
127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 www.abcsearcher.com #[spamdexing][Microsoft.Strider]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 adserver.adbunker.com
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net
127.0.0.1 c.abnad.net #[iE-SpyAd]
[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) (Standard disk drives) - TOSHIBA MK2561GSYFN +++++
--- User ---
[MBR] f151f49702d3728140a62fbf3881ba92
[bSP] 6bce99382969da86bc939937211cb209 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 750 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1617920 | Size: 237684 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) (Standard disk drives) - Staples Relay USB Device +++++
--- User ---
[MBR] 2b4d681ebbcb82be2958055edccbd202
[bSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 56 | Size: 7788 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_10142013_171423.txt >>
RKreport[0]_D_10102013_172655.txt;RKreport[0]_H_10102013_172734.txt;RKreport[0]_S_10102013_170002.txt
RKreport[0]_S_10102013_172231.txt -
help with stubborn virus
mbsouthpaw1 replied to mbsouthpaw1's topic in Resolved Malware Removal Logs
Not sure what you mean, because although Symantec is finding stuff, it never did locate the original zero access Trojan like you did with those other programs. Are you saying the next step is to run a Symantec scan and use one of their removal tools, and abandon roguekiller, combofix, etc.? Help!! thx, MrB