Police malware - removal from another machine

echium

New Member
Thread author
Jun 2, 2013
14
I have a Windows XP machine affected by this malware. Safe mode with networking and safe mode with command prompt don't work.

I have a new Windows 8 machine, and by attaching the XP hard disk as an external drive I can access all the XP files which are undamaged. I am unfamiliar with Windows 8, but it doesn't appear to give me as much control over the XP disk as I would like. A search for files downloaded on the key day shows some files but no .exe files and no temporary internet files. It also says I don't have permission to look in certain places.

Question: is it possible to run Malwarebytes from the Windows 8 machine on the XP hard disk? Can Malwarebytes get into the registry of an external hard disk, as opposed to the W8 hard disk?

I am reluctant to try in case I am allowed to download the free Malwarebytes only once, which would be wasted.

I am aware of a third option of booting from a HitmanPro flash drive (I don't have a flash drive), but I will then need Malwarebytes.
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi echium and welcome to MalwareTips! :)

I'm Fiery and I would gladly assist you in removing the malware on your computer.

PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green light and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe; the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

Please print these instructions out so that you know what you are doing.
  • Download OTLPENet.exe to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Wait for the CD to detect your hardware and load the operating system
  • Your system should now display a Reatogo desktop
    Note : as you are running from CD it is not exactly speedy
  • Insert the USB with FRST
  • Locate the flash drive with FRST and double click
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 

echium

New Member
Thread author
Jun 2, 2013
14
Hi Fiery - many thanks for your welcome. I really do appreciate your attempt to help.

I appreciate the dangers involved and have backed up all my data.

Since my first post I have purchased a flash drive. I tried Hitmanpro in it, but none of the three options offered worked. I left the first option (ie bypass) for an hour in case Hitman was scanning the whole disk.

However I have just tried your suggestion above. And am delighted to say that I managed to get a log - attached below.

If necessary I am quite willing to remove the offending bits by hand - including those in the registry (I have done this before) but I have no idea how to access the registry or some other areas, which don't show up in Windows 8 explorer.

The log:-
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-06-2013 03
Ran by SYSTEM on 02-06-2013 22:19:31
Running from D:\
Microsoft Windows XP (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [VTTimer] VTTimer.exe [x]
HKLM\...\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe [376912 2003-01-27] (BroadJump, Inc.)
HKLM\...\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN [2061552 2007-08-07] (Virgin Broadband)
HKLM\...\Run: [AVG_UI] "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY [3147384 2012-12-10] (AVG Technologies CZ, s.r.o.)
HKU\Peter\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Documents and Settings\Peter\My Documents\139d2e78.exe [ 2013-05-31] (Adobe Systems Incorporated)
HKU\Peter\...\Winlogon: [Shell] cmd.exe [ 2008-04-13] (Microsoft Corporation) <==== ATTENTION
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher 2.lnk
ShortcutTarget: Exif Launcher 2.lnk -> C:\Program Files\FinePixViewer\QuickDCF2.exe (FUJI PHOTO FILM CO., LTD.)
Startup: C:\Documents and Settings\Peter\Start Menu\Programs\Startup\Launch Internet Explorer Browser.lnk
ShortcutTarget: Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
Startup: C:\Documents and Settings\Peter\Start Menu\Programs\Startup\Outlook Express.lnk
ShortcutTarget: Outlook Express.lnk -> C:\Program Files\Outlook Express\msimn.exe (Microsoft Corporation)
BootExecute: autocheck autochk * C:\PROGRA~1\AVG\AVG2013\avgrsx.exe /sync /restart

========================== Services (Whitelisted) =================

S2 AVGIDSAgent; C:\Program Files\AVG\AVG2013\avgidsagent.exe [5814904 2012-11-15] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files\AVG\AVG2013\avgwdsvc.exe [196664 2012-10-22] (AVG Technologies CZ, s.r.o.)
S2 bgsvcgen; C:\WINDOWS\system32\bgsvcgen.exe [86016 2005-04-30] (B.H.A Corporation)
S2 gupdate1c9aa80b3607a30; C:\Program Files\Google\Update\GoogleUpdate.exe [133104 2009-03-21] (Google Inc.)
S2 MSSQL$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S4 msvsmon90; C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe [3004416 2007-11-07] (Microsoft Corporation)
S3 AppMgmt; %SystemRoot%\System32\appmgmts.dll [x]
S4 HidServ; %SystemRoot%\System32\hidserv.dll [x]

==================== Drivers (Whitelisted) ====================

S1 AmdK8; C:\Windows\System32\DRIVERS\AmdK8.sys [36864 2006-06-18] (Advanced Micro Devices)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [179936 2012-10-22] (AVG Technologies CZ, s.r.o. )
S0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [55776 2012-10-14] (AVG Technologies CZ, s.r.o. )
S1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [19936 2012-09-20] (AVG Technologies CZ, s.r.o. )
S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [159712 2012-10-01] (AVG Technologies CZ, s.r.o.)
S0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [177376 2012-09-20] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [94048 2012-11-15] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [35552 2012-09-13] (AVG Technologies CZ, s.r.o.)
S1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [164832 2012-09-20] (AVG Technologies CZ, s.r.o.)
S1 Cdr4_xp; C:\Windows\System32\Drivers\Cdr4_xp.sys [64208 2003-01-13] (Roxio)
S1 Cdralw2k; C:\Windows\System32\Drivers\Cdralw2k.sys [24839 2003-01-13] (Roxio)
S1 cdudf_xp; C:\Windows\System32\Drivers\cdudf_xp.sys [249344 2003-01-13] (Roxio)
S3 dvd_2K; C:\Windows\System32\Drivers\dvd_2K.sys [21654 2003-01-13] (Roxio)
S3 FETND5BV; C:\Windows\System32\DRIVERS\fetnd5bv.sys [42496 2004-12-16] (VIA Technologies, Inc. )
S3 FETNDIS; C:\Windows\System32\DRIVERS\fetnd5.sys [27165 2001-08-17] (VIA Technologies, Inc. )
S3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows (R) Server 2003 DDK provider)
S3 mmc_2K; C:\Windows\System32\Drivers\mmc_2K.sys [22758 2003-01-13] (Roxio)
S3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [5810 2004-08-14] ()
S1 pwd_2k; C:\Windows\System32\Drivers\pwd_2k.sys [118422 2003-01-13] (Roxio)
S3 S3GIGP; C:\Windows\System32\DRIVERS\S3gIGPm.sys [659456 2006-09-11] (S3 Graphics Co., Ltd.)
S1 UdfReadr_xp; C:\Windows\System32\Drivers\UdfReadr_xp.sys [206464 2003-01-13] (Roxio)
S0 videX32; C:\Windows\System32\DRIVERS\videX32.sys [9216 2006-10-22] (VIA Technologies, Inc.)
S4 Abiosdsk; No ImagePath
S4 abp480n5; No ImagePath
S4 adpu160m; No ImagePath
S4 Aha154x; No ImagePath
S4 aic78u2; No ImagePath
S4 aic78xx; No ImagePath
S4 AliIde; No ImagePath
S4 amsint; No ImagePath
S4 asc; No ImagePath
S4 asc3350p; No ImagePath
S4 asc3550; No ImagePath
S4 Atdisk; No ImagePath
S4 cd20xrnt; No ImagePath
S1 Changer; No ImagePath
S4 CmdIde; No ImagePath
S4 Cpqarray; No ImagePath
S4 dac2w2k; No ImagePath
S4 dac960nt; No ImagePath
S4 dpti2o; No ImagePath
S4 hpn; No ImagePath
S1 i2omgmt; No ImagePath
S4 i2omp; No ImagePath
S4 ini910u; No ImagePath
S4 IntelIde; No ImagePath
S1 lbrtfdc; No ImagePath
S4 mraid35x; No ImagePath
S1 PCIDump; No ImagePath
S3 PDCOMP; No ImagePath
S3 PDFRAME; No ImagePath
S3 PDRELI; No ImagePath
S3 PDRFRAME; No ImagePath
S4 perc2; No ImagePath
S4 perc2hib; No ImagePath
S4 ql1080; No ImagePath
S4 Ql10wnt; No ImagePath
S4 ql12160; No ImagePath
S4 ql1240; No ImagePath
S4 ql1280; No ImagePath
S2 RPSKT; system32\DRIVERS\rp_skt32.sys [x]
S4 Simbad; No ImagePath
S4 Sparrow; No ImagePath
S4 symc810; No ImagePath
S4 symc8xx; No ImagePath
S4 sym_hi; No ImagePath
S4 sym_u3; No ImagePath
S4 TosIde; No ImagePath
S4 ultra; No ImagePath
S3 WDICA; No ImagePath
S1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-06-02 22:19 - 2013-06-02 22:19 - 00000000 ____D C:\FRST
2013-06-02 10:19 - 2013-06-02 10:19 - 00004850 ____A C:\Windows\setupapi.log
2013-05-31 07:13 - 2013-05-31 07:13 - 00116787 ____A C:\Documents and Settings\Peter\Application Data\2433f433
2013-05-31 07:13 - 2013-05-31 07:13 - 00116760 ____A C:\Documents and Settings\Peter\Local Settings\Application Data\2433f433
2013-05-31 07:13 - 2013-05-31 07:13 - 00116752 ____A C:\Documents and Settings\All Users\Application Data\2433f433
2013-05-31 07:13 - 2013-05-31 07:13 - 00043520 ____A (Adobe Systems Incorporated) C:\Documents and Settings\Peter\My Documents\139d2e78.exe
2013-05-31 07:13 - 2013-05-31 07:13 - 00043520 ____A (Adobe Systems Incorporated) C:\Documents and Settings\Peter\My Documents\139d2e78.dll

==================== One Month Modified Files and Folders ========

2013-06-02 22:19 - 2013-06-02 22:19 - 00000000 ____D C:\FRST
2013-06-02 12:25 - 2008-01-30 05:24 - 00000278 __ASH C:\Documents and Settings\Peter\ntuser.ini
2013-06-02 12:25 - 2008-01-30 05:21 - 00032590 ____A C:\Windows\SchedLgU.Txt
2013-06-02 12:25 - 2008-01-30 05:21 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-02 12:25 - 2008-01-30 05:16 - 01416166 ____A C:\Windows\WindowsUpdate.log
2013-06-02 11:53 - 2009-07-01 04:27 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-02 11:30 - 2009-07-01 04:27 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-02 11:30 - 2008-01-30 05:41 - 00000412 ____A C:\Windows\Tasks\Symantec NetDetect.job
2013-06-02 11:29 - 2008-01-30 05:24 - 00000062 __ASH C:\Documents and Settings\Peter\Local Settings\desktop.ini
2013-06-02 11:29 - 2008-01-30 05:21 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2013-06-02 11:29 - 2008-01-30 05:19 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2013-06-02 10:19 - 2013-06-02 10:19 - 00004850 ____A C:\Windows\setupapi.log
2013-06-02 05:19 - 2006-02-28 08:00 - 00013646 ____A C:\Windows\System32\wpa.dbl
2013-06-01 15:37 - 2008-11-23 16:55 - 00000000 ____D C:\Utilities
2013-05-31 07:19 - 2008-01-30 05:04 - 00000216 ____A C:\Windows\wiadebug.log
2013-05-31 07:19 - 2008-01-30 05:04 - 00000049 ____A C:\Windows\wiaservc.log
2013-05-31 07:13 - 2013-05-31 07:13 - 00116787 ____A C:\Documents and Settings\Peter\Application Data\2433f433
2013-05-31 07:13 - 2013-05-31 07:13 - 00116760 ____A C:\Documents and Settings\Peter\Local Settings\Application Data\2433f433
2013-05-31 07:13 - 2013-05-31 07:13 - 00116752 ____A C:\Documents and Settings\All Users\Application Data\2433f433
2013-05-31 07:13 - 2013-05-31 07:13 - 00043520 ____A (Adobe Systems Incorporated) C:\Documents and Settings\Peter\My Documents\139d2e78.exe
2013-05-31 07:13 - 2013-05-31 07:13 - 00043520 ____A (Adobe Systems Incorporated) C:\Documents and Settings\Peter\My Documents\139d2e78.dll
2013-05-31 07:05 - 2008-03-03 13:37 - 00008312 ____A C:\Windows\I_VIEW32.INI
2013-05-31 06:09 - 2008-02-02 11:55 - 00007436 ____A C:\Windows\123R4.INI
2013-05-31 04:52 - 2010-11-11 06:17 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\MFAData
2013-05-30 17:17 - 2008-02-03 10:12 - 00000090 ____A C:\Windows\CIV.INI
2013-05-30 14:42 - 2013-04-01 18:13 - 00000000 ____D C:\Winda
2013-05-16 15:06 - 2008-11-23 16:56 - 00000000 ____D C:\Program Files\DOSBox-0.72
2013-05-06 15:04 - 2008-02-02 09:02 - 00000000 ____D C:\1
2013-05-05 17:37 - 2008-03-02 15:30 - 00000000 ____D C:\Documents and Settings\Peter\My Documents\Elliot Financial

==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points (XP) =====================

RP: -> 2013-06-02 12:13 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP469

RP: -> 2013-05-28 15:01 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP468

RP: -> 2013-05-15 15:07 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP467

RP: -> 2013-04-28 06:21 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP466

RP: -> 2013-04-26 13:00 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP465

RP: -> 2013-04-22 05:39 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP464

RP: -> 2013-04-20 08:25 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP463

RP: -> 2013-04-19 06:21 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP462

RP: -> 2013-04-18 06:13 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP461

RP: -> 2013-04-17 06:04 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP460

RP: -> 2013-04-16 05:57 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP459

RP: -> 2013-04-14 11:16 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP458

RP: -> 2013-04-11 17:29 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP457

RP: -> 2013-04-10 15:10 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP456

RP: -> 2013-04-08 06:20 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP455

RP: -> 2013-04-02 06:29 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP454

RP: -> 2013-03-30 11:30 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP453

RP: -> 2013-03-28 09:13 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP452

RP: -> 2013-03-24 12:32 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP451

RP: -> 2013-03-23 12:20 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP450

RP: -> 2013-03-21 11:33 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP449

RP: -> 2013-03-18 07:27 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP448

RP: -> 2013-03-15 07:24 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP447

RP: -> 2013-03-13 12:25 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP446

RP: -> 2013-03-12 07:53 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP445

RP: -> 2013-03-11 07:31 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP444

RP: -> 2013-03-09 09:25 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP443

RP: -> 2013-03-08 09:16 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP442

RP: -> 2013-03-07 09:04 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP441

RP: -> 2013-03-06 08:14 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP440

RP: -> 2013-03-02 08:34 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP439

RP: -> 2013-02-28 13:24 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP438

RP: -> 2013-02-26 08:48 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP437

RP: -> 2013-02-24 15:54 - 024576 _restore{3D0D144D-5C6C-4EF5-A3FD-E6CEB2D37281}\RP436


==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 1919.22 MB
Available physical RAM: 1649.11 MB
Total Pagefile: 1750.61 MB
Available Pagefile: 1688.59 MB
Total Virtual: 2047.88 MB
Available Virtual: 1986.02 MB

==================== Drives ================================

Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
Drive c: () (Fixed) (Total:149.04 GB) (Free:106.5 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (HITMANPRO) (Removable) (Total:7.44 GB) (Free:7.42 GB) FAT32
Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 149 GB) (Disk ID: F433F433)
Partition 1: (Active) - (Size=149 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 7 GB) (Disk ID: FAD5A12A)
Partition 1: (Active) - (Size=7 GB) - (Type=0B)

==================== End Of Log ============================

Again - many thanks :)
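The registry and file-creation lines in the log above are exactly what a removal helper reads by eye: a Winlogon Shell value that is not explorer.exe, a Run entry launching an executable from a user profile under a machine-generated value name, and a set of hex-named files all created in the same minute. As an added example (not part of this thread and not FRST's own code), here is a small Python triage script that applies those same checks to FRST-style log lines. The heuristics, the category names, and the embedded sample (lines copied from the log above plus one benign HKLM entry) are my construction.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List

# Constructed sample: a few lines copied from the FRST log posted above
# (registry autoruns and one-month-created files) plus one benign HKLM entry.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [VTTimer] VTTimer.exe [x]
HKLM\...\Run: [AVG_UI] "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY [3147384 2012-12-10] (AVG Technologies CZ, s.r.o.)
HKU\Peter\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Documents and Settings\Peter\My Documents\139d2e78.exe [ 2013-05-31] (Adobe Systems Incorporated)
HKU\Peter\...\Winlogon: [Shell] cmd.exe [ 2008-04-13] (Microsoft Corporation) <==== ATTENTION

==================== One Month Created Files and Folders ========

2013-06-02 22:19 - 2013-06-02 22:19 - 00000000 ____D C:\FRST
2013-06-02 10:19 - 2013-06-02 10:19 - 00004850 ____A C:\Windows\setupapi.log
2013-05-31 07:13 - 2013-05-31 07:13 - 00116787 ____A C:\Documents and Settings\Peter\Application Data\2433f433
2013-05-31 07:13 - 2013-05-31 07:13 - 00116760 ____A C:\Documents and Settings\Peter\Local Settings\Application Data\2433f433
2013-05-31 07:13 - 2013-05-31 07:13 - 00116752 ____A C:\Documents and Settings\All Users\Application Data\2433f433
2013-05-31 07:13 - 2013-05-31 07:13 - 00043520 ____A (Adobe Systems Incorporated) C:\Documents and Settings\Peter\My Documents\139d2e78.exe
2013-05-31 07:13 - 2013-05-31 07:13 - 00043520 ____A (Adobe Systems Incorporated) C:\Documents and Settings\Peter\My Documents\139d2e78.dll
"""

# FRST autorun line: HKLM\...\Run: [name] value [size date] (company)
AUTORUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\(?P<key>Run|Winlogon): "
    r"\[(?P<name>[^\]]+)\] (?P<value>.*?) \["
)
# FRST created-file line: created - modified - size attrs (company) path
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")
SHELL_EXPECTED = "explorer.exe"
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{20,}$")           # heuristic: long lowercase alnum value name
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}(\.(exe|dll))?$", re.I)  # heuristic: 8-hex-char drop name


@dataclass
class Finding:
    category: str
    detail: str
    evidence: str   # the log line (or the minute, for a cluster) that triggered it
    path: str = ""  # file on disk implicated, when there is one


def exe_path(value: str) -> str:
    """Strip surrounding quotes and trailing switches from an autorun value."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    return value.split(" /", 1)[0]


def check_autorun(m, line: str) -> List[Finding]:
    out = []
    key, name, value = m["key"], m["name"], m["value"]
    if key == "Winlogon" and name == "Shell" and value.strip().lower() != SHELL_EXPECTED:
        out.append(Finding("winlogon-shell", f"Shell is {value.strip()!r}, expected {SHELL_EXPECTED}", line))
    if key == "Run":
        path = exe_path(value)
        if any(marker in path.lower() for marker in USER_PROFILE_MARKERS):
            out.append(Finding("run-from-user-profile", f"[{name}] launches {path}", line, path))
        if RANDOM_NAME_RE.match(name):
            out.append(Finding("random-value-name", f"value name {name!r} looks machine-generated", line))
    return out


def check_file(m, line: str) -> List[Finding]:
    if m["attrs"].endswith("D"):  # directories are not payloads
        return []
    path = m["path"]
    name = path.rsplit("\\", 1)[-1]
    if HEX_NAME_RE.match(name):
        return [Finding("hex-named-file", f"{name!r} looks like a generated drop name", line, path)]
    return []


def check_clusters(created, findings: List[Finding]) -> List[Finding]:
    """Group created files by minute; report any minute that also holds a suspect file."""
    by_minute = defaultdict(list)
    for m in created:
        if not m["attrs"].endswith("D"):
            by_minute[m["created"]].append(m["path"])
    suspects = {f.path.lower() for f in findings if f.path}
    out = []
    for minute, paths in by_minute.items():
        if len(paths) > 1 and any(p.lower() in suspects for p in paths):
            out.append(Finding("same-minute-drop", f"{len(paths)} files created at {minute}: " + "; ".join(paths), minute))
    return out


def triage(log_text: str) -> List[Finding]:
    findings, created = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = AUTORUN_RE.match(line)
        if m:
            findings.extend(check_autorun(m, line))
            continue
        m = FILE_RE.match(line)
        if m:
            created.append(m)
            findings.extend(check_file(m, line))
    findings.extend(check_clusters(created, findings))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:22} {f.detail}")
```

The same-minute cluster is the check worth keeping even when the other heuristics are tuned away: once one autorun target is known, every file created in the same minute is a candidate for the same fixlist, which is exactly the set Fiery's fix below removes.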
 

echium

New Member
Thread author
Jun 2, 2013
14
Just looked through the log more carefully.

I can locate all the references to 139d2e78 and 2433f433 on the XP disk from my Windows 8 m/c, but will not try to delete anything till I hear from you.

Hopefully a breakthrough.
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

On another PC, Open notepad and copy & paste the following:

start
HKU\Peter\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Documents and Settings\Peter\My Documents\139d2e78.exe [ 2013-05-31] (Adobe Systems Incorporated)
HKU\Peter\...\Winlogon: [Shell] cmd.exe [ 2008-04-13] (Microsoft Corporation) <==== ATTENTION
2013-05-31 07:13 - 2013-05-31 07:13 - 00116787 ____A C:\Documents and Settings\Peter\Application Data\2433f433
2013-05-31 07:13 - 2013-05-31 07:13 - 00116760 ____A C:\Documents and Settings\Peter\Local Settings\Application Data\2433f433
2013-05-31 07:13 - 2013-05-31 07:13 - 00116752 ____A C:\Documents and Settings\All Users\Application Data\2433f433
2013-05-31 07:13 - 2013-05-31 07:13 - 00043520 ____A (Adobe Systems Incorporated) C:\Documents and Settings\Peter\My Documents\139d2e78.exe
2013-05-31 07:13 - 2013-05-31 07:13 - 00043520 ____A (Adobe Systems Incorporated) C:\Documents and Settings\Peter\My Documents\139d2e78.dll
end

and save it as fixlist.txt onto your flash drive.

Then, boot to OTLPE, plug in your flash drive, open FRST and click fix. Post the generated log.

Then attempt to boot normally (pull out the OTLPE CD). If successful,

Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool (for Vista or Windows 7, right-click and select Run as Administrator to start)
  • Click delete
  • Please post the content of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt

Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select Run as Administrator to start
  • Wait until Prescan has finished, then click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click delete and wait until it says deleting finished
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
    Exit/Close RogueKiller
 

echium

New Member
Thread author
Jun 2, 2013
14
Hi Fiery

Thanks for your very quick reply. It's late now, so I will have a go tomorrow. I don't want to rush it.

But I will omit the last two lines, as I know what they are. C:\windows\123r4 is Lotus 123 which I still use and C:\1 is a directory of my Lotus files. Designated as 1 to appear at the top of the list.

Again many thanks
 

echium

New Member
Thread author
Jun 2, 2013
14
I have carried out your last instructions and it has not totally worked - but we have some progress.

After FIXing, the log was very short and showed that all the offending files had been removed. However it didn't allow me to close the m/c down. After 10 minutes I had to pull the plug.

When I rebooted normally - the Police screen was still there. :mad:

I repeated the process, booting from the CD, and did a scan file FRST1 attached, which shows all the malicious files had returned.

I repeated the FIX - Fixlog1 attached. It showed that the offending files had been removed. And I repeated the scan - FRST2 attached. It confirmed that the files had gone. However I was still unable to close the system. So I pulled the plug again.

I then rebooted in normal mode - but without attachment to the internet. And it booted normally into my desktop. A quick check with a couple of programs indicated they were working OK. :D

It appears that there is something else in there that is reloading the offending files. Unless I hear from you to the contrary, I will try and download the three other programs you suggested and run them with no internet connection.

I think we are getting closer.
 

Attachments

  • FRST1.txt
    14.5 KB · Views: 94
  • Fixlog1.txt
    915 bytes · Views: 135
  • FRST2.txt
    13 KB · Views: 119

echium

New Member
Thread author
Jun 2, 2013
14
Hot update.

To write the above thread, I had to boot the infected machine from the CD to be able to have it attached to the internet. But when I went to shut down the machine afterwards - it allowed me to do so. And when I rebooted normally - the Police screen had gone.

Perhaps the act of booting without the internet and thus being able to close properly, allowed the machine to write the appropriate registry files etc on closedown.

I am very pleased and grateful. But of course I will run the software mentioned above.
 

echium

New Member
Thread author
Jun 2, 2013
14
:D:D:D:D:D

I have now booted my machine several times and it seems to be working fine.

I ran the three extra programs. Malwarebytes found three entries the first time, but none the second time. AdwCleaner removed lots of (minor?) stuff, and then nothing. I was a bit surprised to see that RogueKiller still managed to find a 139d2e78 in the registry. I did two runs, and all the logs are attached.

So it looks like it is OK. Perhaps you can confirm.
I would like to say how very grateful I am and would like to make a contribution.
 

Attachments

  • mbar-log-2013-06-03 (19-51-58).txt
    2.1 KB · Views: 112
  • system-log.txt
    31.9 KB · Views: 119
  • RKreport[1].txt
    1.5 KB · Views: 93
  • RKreport[2].txt
    1.2 KB · Views: 90
  • AdwCleaner[R2].txt
    784 bytes · Views: 111

Fiery

Level 1
Jan 11, 2011
2,007
Looking good :) 2 more scans and we will clean up.

Please download Malwarebytes' Anti-Malware from here to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • When it prompts you to try their 30-day trial, click decline
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Run Eset NOD32 Online AntiVirus here

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to right-click on the Internet Explorer icon and select Run as Administrator
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Make sure that the option "Remove found threats" is Un-checked, and the following Advanced Settings are Checked
    • Scan unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
  • The log can also be found in logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
 

echium

New Member
Thread author
Jun 2, 2013
14
Have run the above two programs and attached log files.
 

Attachments

  • mbam-log-2013-06-04 (10-13-56).txt
    2.4 KB · Views: 109
  • log.txt
    1.3 KB · Views: 87

Fiery

Level 1
Jan 11, 2011
2,007
How is your PC now? We need to clear your restore points as they are infected. No big deal though, we will clean them after.

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A notepad document should open automatically called checkup.txt.
  • Please post the contents of that document in your next reply. Please do not attach it!
 

echium

New Member
Thread author
Jun 2, 2013
14
Thanks Fiery - done
The machine seems to be working perfectly.

Results of screen317's Security Check version 0.99.64
Windows XP Service Pack 3 x86
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
AVG 2013
ESET Online Scanner v3
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.75.0.1300
CCleaner
Java(TM) 6 Update 3
Java version out of Date!
Adobe Reader 9 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
AVG avgwdsvc.exe
AVG avgnsx.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 4%
````````````````````End of Log``````````````````````
 

Fiery

Level 1
Jan 11, 2011
2,007
If you are no longer experiencing any other issues, your PC is now clean!

Double click on OTL to run it
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes
  • This will remove itself and other tools we may have used.

Also, open adwCleaner and click Uninstall

Now that your PC is clean, I recommend you to create a new System Restore point then purge the old ones after.

For XP
How to create a Restore Point in XP
Delete all restore points except the most recent one

Keep your system updated
Please go to control panel and uninstall the following:

Java™ 6 Update 3
Adobe Reader 9

Delete older Java version from your computer by downloading JavaRa
  • Run JavaRa.exe, then click Remove JRE.
  • Let the tool run
  • Once it finishes, close JavaRa

Currently, the following programs on your PC are outdated:
  • Java - Update Java here
  • Adobe reader - Update Adobe Reader here
Keeping your programs (especially Adobe and Java products) updated is essential. Outdated programs make your PC more vulnerable to future malware threats. To help you:
  • Download and install Update Checker. It will notify you if any of your programs require an update.
  • Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product bugs and vulnerabilities.
  • Please ensure you update your system regularly and have automatic updates on. You can learn how to turn Automatic Updates on here

I also recommend you to switch your antivirus program to a better one. Here are some suggestions:

In addition to your antivirus, you need additional protection such as a firewall and behavioural blocker. However, adding one of these programs may slow down performance. It is for you to decide the trade off between more security and a faster PC.

Other steps that you may want to do to further protect your system/files:
  • Sandboxie - "Quarantines" your browser so anything that you do in it will be isolated from your system.
  • Backup important files regularly to an external hard-drive or USB

Here are only a few suggestions that will improve your system security. Should you wish to allow us to make full recommendations and set your PC up with maximum security, please start a thread here. Our community of PC enthusiasts and experts will give you feedback and help you secure your system from future malware infections.

Should you want to try a product but don't know how it performs, here is a list of current reviews to help you decide.

Internet Explorer may be the most popular browser but it's definitely not the most secure browser. Consider using other browsers with additional add-ons to safeguard your system while browsing the internet.

Firefox is a more secure, faster browser than Internet Explorer. Firefox contains fewer vulnerabilities, reducing the risk of drive-by downloads. In addition, you can add the following add-ons to increase security.
  • KeyScrambler - Encrypts your keystrokes to protect you against keyloggers that steal personal & banking information
  • AdBlock - Disable/blocks advertisements on websites so you won't accidentally click on a malicious ad.
  • NoScript - Disables Flash & Java contents to avoid exploits or drive-by attacks
  • Web of Trust - Shows the website rating by other users and blocks dangerous and poor-rated sites

Google Chrome is another good browser that is faster and more secure than Internet Explorer by having a sandbox feature. Additionally, you can add the following add-on to Chrome to heighten security.


Lastly, it is important to perform system maintenance on a regular basis. Here are a few tools and on-demand scanners that you should keep & use every 1-2 weeks to keep your system healthy.

Other than that, stay safe out there! If you have any other questions or concerns, feel free to ask :)

My virus removal help is always free. Should you wish to show your appreciation via a donation, it will be much appreciated.
 

echium

New Member
Thread author
Jun 2, 2013
14
Thanks for all that info Fiery - I have printed it all out.

I downloaded OTL again (I wasn't sure if it was the same as OTLPeNet.exe) and clicked clean up, then I downloaded JavaRa and removed the old Java.

Then three strange things happened.

1) I suddenly found I was running Zone Alarm. I never to my knowledge downloaded it - is this something that one of your programs installed? I assume it is a safe program, but it makes the machine boot very slowly. I thought I had another problem the first time it booted.

2) When downloading JavaRa a screen came up saying thank you for downloading Wajam. Again I never asked for this. I have since uninstalled it.

3) A bit more worryingly, after rebooting a couple of times Zone Alarm said that TopArcadeHits.loader.exe was trying to contact the internet. I said no. Then AVG detected it and said it was malware and had removed it. This is about the first time AVG has detected anything. I have since run Adwcleaner, which says my registry is clean.

Is this a pure coincidence? I have been on almost no sites other than downloading your programs. And is it gone, and was it nasty, and do I have a longer term virus problem?

The reason I don't update programs is that I am always worried that loads of stuff I never asked for will be downloaded at the same time as any updates.

Other than the slow boot with Zone Alarm - everything else seems to be running very well, thank you.
 

echium

New Member
Thread author
Jun 2, 2013
14
I have just downloaded the latest Adobe Reader from your link. But I noticed that it also downloaded and installed Google Chrome, which I never requested.

I do get concerned that even sites such as Adobe are hijacking my computer.
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi

1) I suddenly found I was running Zone Alarm. I never to my knowledge downloaded it - is this something that one of your programs installed? I assume it is a safe program, but it makes the machine boot very slowly. I thought I had another problem the first time it booted.

It is a safe program. Not sure how Zone Alarm got installed. I'm assuming the firewall got installed since it detected the executable file. You can go to Start > Control Panel > Add/Remove Programs and uninstall Zone Alarm there.

My suspicion is the JavaRa file. I apologize if that caused problems. Can you tell me how Adobe is hijacking your computer?

Since Zone alarm firewall got installed, it is in learning mode. Like all other firewalls, it will detect every application that tries to access the internet and asks you for permission.
 

echium

New Member
Thread author
Jun 2, 2013
14
Hi Fiery.

Previously I had deleted the old version of Adobe Reader, so your link installed from scratch - rather than updating.

I have just now un-installed Adobe Reader and Google Chrome and repeated the download. It failed the first two times till I realised I had to disable AVG, which I didn't have to do originally. Your link took me to get.adobe.com page. I clicked on the download button (the only button on the page). Then a small blue screen appeared - "Zone Alarm File Download". The file name was install_reader11_uk_mssa_awe_aih_.exe. I clicked RUN. Then an oblong page appeared saying Adobe Reader installer. Below was a moving horizontal line showing the progress, saying Adobe Reader at the left. However below that was another line showing a second program was being installed at the same time. The first time it was Google Chrome, but this time it was McAfee Security Scan.

The second download was quite open - I can't say the site had been hijacked. It was clearly a "two for the price of one day" but with no option to decline the second download. Obviously not dangerous - but still a bit unethical.

I suspect that the Zone Alarm and Wajam downloads came about in a similar way - perhaps from the Java site. But it was not obvious they were being downloaded.

I am assuming that the TopArcadeHits.loader.exe, which has been removed is not a problem.
 

Fiery

Level 1
Jan 11, 2011
2,007
On my side, for each download, there was an option to not download any other programs except for Adobe. I didn't get the zonealarm download but I saw the McAfee one.

On the Adobe page, you can uncheck the "download McAfee Security Scan." Not sure where ZoneAlarm came from honestly. You can use AdwCleaner again to clean anything left behind from Wajam.

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool (For Vista or Windows 7, right-click and select Run as Administrator to start)
  • Click delete
  • Please post the content of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt
 
