
rootkit.0access problem


pchope


There were threats found.

I ran the scan without ticking the 'scan archives' box... I could scan again with it ticked if needed. Here is the report:

 

C:\Program Files\FLVPlayer\FLVPlayer.exe Win32/InstallCore.A application
C:\Program Files\Uninstaller\Uninstall.exe MSIL/DomaIQ.A application
C:\Users\IronDragon\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\CAG4TT5G\baqkyupnl_2razbave_info[1].htm HTML/Iframe.B.Gen virus
C:\Users\IronDragon\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\GFMJX8TX\evwgrucntzm_3razbave_info[1].htm HTML/Iframe.B.Gen virus
C:\Users\IronDragon\Desktop\Tools\keygen.exe a variant of Win32/Keygen.AD application
C:\Users\IronDragon\Desktop\Tools\Grfx&Audio stuff\Random Program Files and Plugins\SetupImgBurn_2.5.7.0.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\IronDragon\Downloads\ARO2013_tbt.exe a variant of Win32/Bundled.Toolbar.Ask.D application
E:\Movies\GraboidVideoSetup-2.03b-Complete.exe Win32/Graboid application
E:\Tools n Stuff\Goldwave\keygen.exe a variant of Win32/Keygen.AD application
 


Download OTM from either of the following links and save to your Desktop:

http://oldtimer.geekstogo.com/OTM.exe
http://www.itxassociates.com/OT-Tools/OTM.com
http://www.itxassociates.com/OT-Tools/OTM.exe  

Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware that all processes will be stopped during the run and the Desktop will disappear; it will be put back on completion. If your security alerts to OTM, either accept the alert or turn off security until OTM completes.

  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Ensure you start with and include the colon before Files, i.e. :Files

    :Files
    C:\Program Files\FLVPlayer
    C:\Program Files\Uninstaller
    C:\Users\IronDragon\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\CAG4TT5G\baqkyupnl_2razbave_info[1].htm
    C:\Users\IronDragon\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\GFMJX8TX\evwgrucntzm_3razbave_info[1].htm
    C:\Users\IronDragon\Desktop\Tools\keygen.exe
    C:\Users\IronDragon\Desktop\Tools\Grfx&Audio stuff\Random Program Files and Plugins\SetupImgBurn_2.5.7.0.exe
    C:\Users\IronDragon\Downloads\ARO2013_tbt.exe
    E:\Movies\GraboidVideoSetup-2.03b-Complete.exe
    E:\Tools n Stuff\Goldwave\keygen.exe
    :Commands
    [EmptyTemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM


Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.
 

Next,

 

Download CKScanner from here: http://downloads.malwareremoval.com/CKScanner.exe

Important - Save it to your desktop.

Double-click CKScanner.exe (Right click and "Run as administrator" in Vista/Win7).

Give permission if necessary, and click Search For Files.

After a very short time, when the cursor hourglass disappears, click Save List To File.

A message box will verify the file saved. Please run the program once only.

Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

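The OTM step above (the :Files / :Commands list, the timestamped quarantine folder and the "moved on reboot" handling) as an added example, not OTM's own code and not something Kevin posted. It applies the same directive list from an elevated PowerShell: each listed path is moved into a timestamped folder that mirrors its original location (the c_users\... layout that CKScanner lists later in this thread), a file that is in use is copied and its original is registered for deletion at the next reboot through MoveFileEx, and [EmptyTemp] clears the current user's %TEMP%. The quarantine root C:\_OTM\MovedFiles, the log wording and the function name are assumptions.

```powershell
# Added example (not OTM's code): apply an OTM-style ":Files / :Commands" list.
# Run from an elevated PowerShell. Quarantine root and log wording are assumptions.

# MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT and a null destination registers the
# path for deletion by the session manager at boot, before any user-mode code runs.
if (-not ('Win32.Kernel32' -as [type])) {
    Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
}
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Invoke-QuarantineScript {
    param(
        [Parameter(Mandatory)][string]$Script,
        [string]$QuarantineRoot = 'C:\_OTM\MovedFiles'
    )
    $stamp   = Get-Date -Format 'MMddyyyy_HHmmss'        # same stamp style as OTM's log names
    $dest    = Join-Path $QuarantineRoot $stamp
    $log     = New-Object System.Collections.Generic.List[string]
    $section = $null

    foreach ($raw in ($Script -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        if ($line -match '^:(\w+)$') { $section = $Matches[1].ToLower(); continue }

        if ($section -eq 'files') {
            if (-not (Test-Path -LiteralPath $line)) { $log.Add("File $line not found!"); continue }
            # C:\Users\x\y  ->  <dest>\c_Users\x\y
            $target = Join-Path $dest ($line.Substring(0, 1).ToLower() + '_' + $line.Substring(3))
            [System.IO.Directory]::CreateDirectory((Split-Path $target -Parent)) | Out-Null
            $isDir = Test-Path -LiteralPath $line -PathType Container
            $kind  = if ($isDir) { ' folder' } else { '' }
            try {
                # .NET File.Move is used for files so that the "[1].htm" names are not
                # treated as wildcards; folders go through Move-Item (copies across volumes).
                if ($isDir) { Move-Item -LiteralPath $line -Destination $target -Force -ErrorAction Stop }
                else        { [System.IO.File]::Move($line, $target) }
                $log.Add("$line$kind moved successfully.")
            } catch {
                $why = $_.Exception.Message
                # Locked by a running process: keep a copy for analysis and let the session
                # manager delete the original at boot. A delayed *move* is not used because
                # MOVEFILE_DELAY_UNTIL_REBOOT cannot cross volumes (the E:\ entries would fail),
                # and a delayed delete of a folder only succeeds once the folder is empty.
                if ($isDir) { Copy-Item -LiteralPath $line -Destination $target -Recurse -Force -ErrorAction SilentlyContinue }
                else        { try { [System.IO.File]::Copy($line, $target, $true) } catch { } }
                if ([Win32.Kernel32]::MoveFileEx($line, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
                    $log.Add("$line scheduled to be moved on reboot.")
                } else {
                    $log.Add("$line could not be moved: $why")
                }
            }
        }
        elseif ($section -eq 'commands' -and $line -ieq '[EmptyTemp]') {
            $bytes = 0
            Get-ChildItem -LiteralPath $env:TEMP -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } |
                ForEach-Object {
                    try { Remove-Item -LiteralPath $_.FullName -Force -ErrorAction Stop; $bytes += $_.Length } catch { }
                }
            $log.Add("->Temp folder emptied: $bytes bytes")
        }
    }
    [System.IO.Directory]::CreateDirectory($dest) | Out-Null
    $log | Set-Content -LiteralPath (Join-Path $dest "$stamp.log")
    return $log
}

# The directive list from this thread, run as written:
$directives = @'
:Files
C:\Program Files\FLVPlayer
C:\Program Files\Uninstaller
C:\Users\IronDragon\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\CAG4TT5G\baqkyupnl_2razbave_info[1].htm
C:\Users\IronDragon\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\GFMJX8TX\evwgrucntzm_3razbave_info[1].htm
C:\Users\IronDragon\Desktop\Tools\keygen.exe
C:\Users\IronDragon\Desktop\Tools\Grfx&Audio stuff\Random Program Files and Plugins\SetupImgBurn_2.5.7.0.exe
C:\Users\IronDragon\Downloads\ARO2013_tbt.exe
E:\Movies\GraboidVideoSetup-2.03b-Complete.exe
E:\Tools n Stuff\Goldwave\keygen.exe
:Commands
[EmptyTemp]
'@
Invoke-QuarantineScript -Script $directives
```

Two things worth knowing before trusting the resulting log. MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT needs administrator rights, so the fallback only works from an elevated prompt, and "scheduled to be moved on reboot" means the copy exists now but the original is still in place until the restart. Quarantining is also not deletion: the moved keygens remain on disk under the timestamped folder, which is exactly why CKScanner lists them under c:\_otm\movedfiles later in this thread, so the final OTC cleanup step is what actually gets rid of them.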

OK, done and done... here are the reports:

 

All processes killed
========== FILES ==========
C:\Program Files\FLVPlayer\Uninstall folder moved successfully.
C:\Program Files\FLVPlayer folder moved successfully.
C:\Program Files\Uninstaller folder moved successfully.
C:\Users\IronDragon\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\CAG4TT5G\baqkyupnl_2razbave_info[1].htm moved successfully.
C:\Users\IronDragon\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\GFMJX8TX\evwgrucntzm_3razbave_info[1].htm moved successfully.
C:\Users\IronDragon\Desktop\Tools\keygen.exe moved successfully.
C:\Users\IronDragon\Desktop\Tools\Grfx&Audio stuff\Random Program Files and Plugins\SetupImgBurn_2.5.7.0.exe moved successfully.
C:\Users\IronDragon\Downloads\ARO2013_tbt.exe moved successfully.
E:\Movies\GraboidVideoSetup-2.03b-Complete.exe moved successfully.
E:\Tools n Stuff\Goldwave\keygen.exe moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: IronDragon
->Temp folder emptied: 235300212 bytes
->Temporary Internet Files folder emptied: 26010881 bytes
->Java cache emptied: 88630653 bytes
->Google Chrome cache emptied: 6654592 bytes
->Flash cache emptied: 523 bytes
 
User: Public
 
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16938841 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 144400628 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 494.00 mb
 
 
OTM by OldTimer - Version 3.1.21.0 log created on 10262013_083231

Files moved on Reboot...
File C:\Users\IronDragon\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\QCS7NOFD\on-big,BottomRight,-1,-1_ZAClip,2,76,16,137,verdenab,8,255,255,255,1_ZAon%2520IMDb,2,1,14,137,verdenab,7,255,255,255,1_ZA00_41,103,1,14,36,verdenab,7,255,255,255,1_[1].jpg not found!
File C:\Users\IronDragon\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\B4HTKKSS\1_ZAFull%2520Movie,2,76,16,137,verdenab,8,255,255,255,1_ZAat%2520Amazon%2520%25BB,2,1,14,137,verdenab,7,255,255,255,1_ZA135_00,103,1,14,36,verdenab,7,255,255,255,1_[1].jpg not found!
File C:\Users\IronDragon\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\5CSWRWNC\,137,verdenab,8,255,255,255,1_ZAon%2520IMDb,2,1,14,137,verdenab,7,255,255,255,1_ZA01_12,103,1,14,36,verdenab,7,255,255,255,1_PIimdb-HDIconMiniWhite,BottomLeft,2,-2_[1].jpg not found!
File C:\Users\IronDragon\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\5CSWRWNC\1_ZAFull%2520Movie,2,76,16,137,verdenab,8,255,255,255,1_ZAat%2520Amazon%2520%25BB,2,1,14,137,verdenab,7,255,255,255,1_ZA125_00,103,1,14,36,verdenab,7,255,255,255,1_[1].jpg not found!

Registry entries deleted on Reboot...

 

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

CKScanner 2.4 - Additional Security Risks - These are not necessarily bad
c:\users\irondragon\desktop\tools\grfx&audio stuff\3ds max\3dsmax2012\crack\install.txt
c:\users\irondragon\desktop\tools\grfx&audio stuff\3ds max\crack\install.txt
c:\users\irondragon\desktop\tools\grfx&audio stuff\random program files and plugins\video copilot - optical flares (complete package) for adobe after effects\optical flares (pc)\opticalflarescrack(spider).exe
c:\_otm\movedfiles\10262013_083231\c_users\irondragon\desktop\tools\keygen.exe
c:\_otm\movedfiles\10262013_083231\e_tools n stuff\goldwave\keygen.exe
scanner sequence 3.BC.11.DIAPHZ
 ----- EOF -----
 


We need to remove FRST; first, it is very important to deal with its Quarantine folder using FRST itself.

OK, we continue:

Delete any fixlist.txt file previously used, continue:

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). That will confirm the removal action; delete it if successful.

Next,

 

Delete FRST.exe from your Desktop or the folder it was saved to, navigate to and delete its folder C:\FRST

 

Next,

 

  • Download OTC by OldTimer from here http://oldtimer.geekstogo.com/OTC.exe or here http://www.itxassociates.com/OT-Tools/OTC.exe and save to your Desktop.
  • Double click the OTC icon to start the program.
    If you are using Vista or Windows 7 accept UAC
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Beginning Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • This will remove tools we have used and itself.



Any tools/logs remaining on the Desktop or downloads folder can be deleted.

 

Let me know if any remaining issues or concerns...

 

Kevin
fixlist.txt


I ran FRST without updating, worked fine, deleted quarantine successfully. Deleted FRST from desktop as well as FRST folder from C: drive. Ran OTC.exe, worked fine, rebooted PC. Ran a full scan with MBAM, showed no threats or anything wrong or malicious. Computer seems to be nice and clean. Pretty awesome job there Mr. Kevin!! I do have 1 more question...

 

I am running Windows 7. What do you recommend is the best way to save a permanent restore point to today's date, something where I can name and find later that will be permanent? I get a little confused when it comes to the restore and backup options and how to set them up. And thanks again, I truly appreciate your help with all of this. :))


The best backup you can create is a system image; that will always be available in case of major problems. Go to the following link for instructions...

 

http://www.howtogeek.com/howto/4241/

 

Also do the following:

 

Create a new restore point:

 

   1. Right-click on Computer and go to Properties.

   2. Next click on the System Protection link.

   3. The System Properties dialog screen opens up and you will want to click on Create.

   4. Type in a description for the restore point which will help you remember the point at which it was created. Click on Create.

   5. You should see the message "The restore point was created successfully".

 

To remove all but the most recent restore point do the following:

 

   1.      Open Disk Cleanup by clicking the Start button. In the search box, type Disk Cleanup, and then, in the list of results, click Disk Cleanup.

   2.      If prompted, select the drive that you want to clean up, and then click OK.

   3.      In the Disk Cleanup for (usually C:\) dialog box, click Clean up system files. (Administrator permission required.) If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

   4.      If prompted, select the drive that you want to clean up, and then click OK.

   5.      Click the More Options tab, under System Restore and Shadow Copies, click Clean up.

   6.      In the Disk Cleanup dialog box, click Delete.

   7.      Click Delete Files, and then click OK. Reboot your PC.

 

If all is OK with no issues, here are some tips to reduce the potential for malware infection in the future:

 

Make proper use of your antivirus and firewall

 

Antivirus and firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware; if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features; make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

 

You should keep your antivirus and firewall guard enabled at all times, NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

 

Install and use WinPatrol from here http://www.winpatrol.com/download.html  This will inform you of any attempted unauthorized changes to your system.

 

WinPatrol features explained here http://www.winpatrol.com/features.html

 

Go here http://www.filehippo.com/updatechecker/ run the FileHippo Update Checker, update all applications as suggested by the Update Checker. Ignore any Beta updates. (Use stand alone version, not a full install)

If Java or Adobe are updated please check under Start > Control Panel > Add/Remove Programs, ensure any old versions are removed. <--- Very important

 

Use a safer web browser

 

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:

 

FireFox http://www.mozilla.com/en-US/,

 

Opera http://www.opera.com/, and

 

Chrome http://www.google.com/chrome.

 

All of these are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here http://www.bleepingcomputer.com/tutorials/tutorial102.html which will help you to make IE MUCH safer.

 

These browser add-ons will help to make your browser safer:

 

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

 

Available for Firefox and Internet Explorer.

 

Green to go,

Yellow for caution, and

Red to stop.

 

 

NoScript, available for Firefox only, helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

 

These are just a couple of the most popular add-ons, if you're interested in more, take a look at this article:

http://browsers.about.com/od/addonsplugi2/tp/browser_security_privacy.htm

 

Here are a couple of links by two security experts that will give some excellent tips and advice.

 

So how did I get infected in the first place by Tony Klein from here: http://www.spywareinfoforum.com/index.php?/topic/60955-so-how-did-i-get-infected-in-the-first-place/

 

How to prevent Malware by Miekiemoes from here: http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

 

Finally, this link http://www.geekstogo.com/forum/topic/38-free-antivirus-and-antispyware-software will give a comprehensive up-to-date list of free security programs, including antivirus, antispyware, firewall, antimalware, online scanners and rescue CDs.

 

Don't forget, the best form of defense is common sense. If you don't recognize it, don't open it. If something looks too good to be true, then it ain't.

 

Let me know when it's OK to close out your thread....

 

Take care,

 

Kevin

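Kevin's restore point, shadow copy cleanup and system image steps as an added example in PowerShell, not part of the original post, so that each result can be read back rather than clicked through. Run from an elevated PowerShell on Windows 7; the description text, the C: system drive, the E: image target and the function names are assumptions.

```powershell
# Added example (not from the original post): named restore point, keep only the
# newest shadow copy (the Disk Cleanup "More Options" step), then a system image.
# Run elevated on Windows 7. Drive letters and the description are assumptions.

function New-NamedRestorePoint {
    param([Parameter(Mandatory)][string]$Description)
    # System Protection must be on for the system drive or there is nowhere to put the point.
    Enable-ComputerRestore -Drive 'C:\'
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'
    # Read it back: this is the name, sequence number and time System Restore will show,
    # which is how to "find it later" as the question above asks.
    Get-ComputerRestorePoint |
        Where-Object { $_.Description -eq $Description } |
        Sort-Object SequenceNumber -Descending |
        Select-Object -First 1 Description, SequenceNumber,
            @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } }
}

function Remove-AllButNewestShadowCopy {
    param([string]$DriveLetter = 'C:')
    # Restore points are volume shadow copies. An old one can bring back files that were
    # just quarantined, which is why the thread clears them. Deleting shadow copies is
    # also a standard ransomware step, so this is a one-time cleanup, not a backup plan.
    $vol     = Get-WmiObject Win32_Volume -Filter "DriveLetter = '$DriveLetter'"
    $shadows = @(Get-WmiObject Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object { $_.ConvertToDateTime($_.InstallDate) })
    # Delete everything except the last (newest) entry, i.e. the point just created.
    for ($i = 0; $i -lt $shadows.Count - 1; $i++) { $shadows[$i].Delete() | Out-Null }
    New-Object PSObject -Property @{
        Deleted = [Math]::Max($shadows.Count - 1, 0)
        Kept    = [Math]::Min($shadows.Count, 1)
    }
}

New-NamedRestorePoint -Description 'Clean after malware removal 2013-10-26'
Remove-AllButNewestShadowCopy -DriveLetter 'C:'

# System image of every volume Windows needs to boot, written to E:. The target must be
# a different volume from the ones being imaged, and the image captures whatever is on
# C: at the time, so take it after OTC has removed the quarantine folder.
wbadmin start backup -backupTarget:E: -include:C: -allCritical -quiet
```

Order matters: the restore point is created first so that it is the newest shadow copy and survives the cleanup, and the image is taken last so that it captures the clean state. A restore point is not a backup: it lives on the same disk, Windows discards old points when the reserved space fills, and malware routinely deletes shadow copies (vssadmin delete shadows is a standard ransomware step), so the image on the separate drive is the copy to rely on. On Windows 8 and later, Checkpoint-Computer silently skips creating a second point within 24 hours of the previous one; Windows 7 has no such limit.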

Kevin, thank you very much for your time and help. Malwarebytes has always proven useful and effective for me, and your help here is just another positive notch in my experience with Malwarebytes. I think we are good to go. This thread can be closed out now. No amount of compensation can repay a person for their time, in my opinion... but we shall see what we can do... *wink


This topic is now closed to further replies.