Other > Viruses and worms

Sirefef-PL [RTK]


argus:
Hi Sonofnelak,

You need to uninstall Comodo Internet Security if it is the active anti-virus component.
If it is only the firewall, do not touch it.


Step1


Re-run OTL.exe.

- Copy and paste the following text, inside the quote box, into the Custom Scans/Fixes box.
--- Code: ---
:OTL
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://www.searchqu.com/web?src=ieb&appid=102&systemid=406&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://www.searchqu.com/web?src=ieb&appid=102&systemid=406&sr=0&q={searchTerms}
IE - HKU\S-1-5-18\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-1703362208-2428590436-2978447147-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://www.searchqu.com/web?src=ieb&appid=102&systemid=406&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-1703362208-2428590436-2978447147-1000\..\SearchScopes\{A59C167F-298F-30E1-8F0D-B7ED3F450647}: "URL" = http://www.startnow.com/s/?q={searchTerms}&src=defsearch&provider=Bing&provider_code=Z057&partner_id=333&product_id=519&affiliate_id=&channel=SB1&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110703&user_guid=DE0CBDDCE28F4133A2EDD28F58C65553&machine_id=cd500c751680770a42910e0ef821e741&browser=IE&os=win&os_version=6.1-x64-SP1
IE - HKU\S-1-5-21-1703362208-2428590436-2978447147-1000\..\SearchScopes\{F5906B4E-31E9-486B-94AE-AC9FBAF9A19C}: "URL" = http://start.funmoods.com/results.php?f=4&a=bndlr&q={searchTerms}
[2011/09/21 19:47:20 | 000,000,000 | ---D | M] (Searchqu Toolbar) -- C:\Users\Paul Kallen\AppData\Roaming\Mozilla\Firefox\Profiles\7040a65o.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
[2012/04/18 22:00:49 | 000,001,799 | ---- | M] () -- C:\Users\Paul Kallen\AppData\Roaming\Mozilla\Firefox\Profiles\7040a65o.default\searchplugins\funmoods.xml
O2:[b]64bit:[/b] - BHO: (Loader Class) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\x64\BrowserConnection.dll (Bandoo Media, inc)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O2 - BHO: (Loader Class) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\BrowserConnection.dll (Bandoo Media, inc)
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\S-1-5-21-1703362208-2428590436-2978447147-1000\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O4 - HKLM..\Run: [DATAMNGR] C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\datamngrUI.exe (Bandoo Media, inc)

:files
C:\Program Files (x86)\Windows iLivid Toolbar
C:\Users\Paul Kallen\AppData\Local\facemoods.bmp
C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
C:\Users\Paul Kallen\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[CLEARRESTOREPOINTS]
[EMPTYJAVA]
[Reboot]



--- End code ---
- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.



**************


Step2

> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

How to disable avast:

- Right-click on the avast! icon in the lower right corner of the screen and choose Open avast! User Interface.
- In the window that opens, click Settings in the top right corner.
- In the new window that opens, choose the Troubleshooting option, uncheck Enable avast! self-defense, and click OK.

- Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this option back on after the cleaning.



> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.


> When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
  Attach the log report (ComboFix.txt) back to the topic.




Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, reboot again; that will cure it.
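
Added example, not part of the thread and not OTL's own code: a Python parser for the fix-script format used in Step 1 above (the :OTL, :files and :Commands sections). It turns the IE SearchScopes lines, the O2/O3 BHO and toolbar lines and the O4 Run line into records, separates :files lines that end in /c (which OTL runs as commands) from plain paths, and derives three things a responder wants from such a script before running it: the non-default search hosts being removed, the DLL/EXE paths worth hashing before they are deleted, and registrations whose CLSID no longer resolves to a file. The sample input is a constructed subset of the script above; the trusted-host list in hijacked_search_hosts is an assumption for this example, not something taken from the post.

```python
"""Added example (not OTL's own code): parse an OTL fix script's :OTL / :files / :Commands
sections into records, so the persistence points the fix touches can be listed and re-checked."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlsplit

# Constructed sample: a subset of the fix script posted in Step 1 above.
SAMPLE_FIX = r'''
:OTL
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://www.searchqu.com/web?src=ieb&appid=102&systemid=406&sr=0&q={searchTerms}
IE - HKU\S-1-5-18\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
[2012/04/18 22:00:49 | 000,001,799 | ---- | M] () -- C:\Users\Paul Kallen\AppData\Roaming\Mozilla\Firefox\Profiles\7040a65o.default\searchplugins\funmoods.xml
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O4 - HKLM..\Run: [DATAMNGR] C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\datamngrUI.exe (Bandoo Media, inc)

:files
C:\Program Files (x86)\Windows iLivid Toolbar
ipconfig /flushdns /c

:Commands
[emptytemp]
'''

# OTL marks entries read from the 64-bit registry view with this literal BBCode tag.
_W64 = r"(?P<w64>:\[b\]64bit:\[/b\])?"
_HIVE = r"(?P<hive>HKLM|HKU\\S-[\d-]+)"
_SCOPE_RE = re.compile(r"^IE" + _W64 + " - " + _HIVE
                       + r'\\\.\.\\SearchScopes\\(?P<clsid>\{[^}]+\}): "URL" = (?P<url>\S+)$')
_COM_RE = re.compile(r"^O(?P<section>[23])" + _W64 + " - (?:BHO|" + _HIVE
                     + r"\\\.\.\\Toolbar(?:\\WebBrowser)?): \((?P<name>[^)]*)\) - "
                     + r"(?P<clsid>\{[^}]+\}|\S+) - (?P<target>.+)$")
_RUN_RE = re.compile(r"^O4 - " + _HIVE + r"\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$")
_FILEREC_RE = re.compile(r"^\[[^\]]+\] \((?P<publisher>[^)]*)\) -- (?P<path>.+)$")
# "path (publisher)" as OTL prints it; "No CLSID value found." deliberately does not match.
_TARGET_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?\.[A-Za-z0-9]+) \((?P<publisher>[^)]*)\)$")

SearchScope = namedtuple("SearchScope", "hive clsid url wow64")
# One O2 (BHO), O3 (Toolbar) or O4 (Run) entry; path is None when OTL printed
# "No CLSID value found.", hive is None for BHOs, which OTL lists without one.
Registration = namedtuple("Registration", "kind hive name clsid path publisher wow64")

@dataclass
class OtlFix:
    scopes: List[SearchScope] = field(default_factory=list)
    registrations: List[Registration] = field(default_factory=list)
    files: List[str] = field(default_factory=list)           # paths the fix deletes
    shell_commands: List[str] = field(default_factory=list)  # :files lines ending in " /c"
    commands: List[str] = field(default_factory=list)        # [emptytemp], [reboot], ...
    unparsed: List[str] = field(default_factory=list)        # lines this parser does not understand

def _split_target(target: str):
    m = _TARGET_RE.match(target)
    return (m["path"], m["publisher"]) if m else (None, None)

def _parse_otl_line(line: str, fix: OtlFix) -> None:
    if m := _SCOPE_RE.match(line):
        fix.scopes.append(SearchScope(m["hive"], m["clsid"], m["url"], bool(m["w64"])))
    elif m := _COM_RE.match(line):
        fix.registrations.append(Registration("BHO" if m["section"] == "2" else "Toolbar", m["hive"],
                                              m["name"], m["clsid"], *_split_target(m["target"]), bool(m["w64"])))
    elif m := _RUN_RE.match(line):
        fix.registrations.append(Registration("Run", m["hive"], m["name"], None, *_split_target(m["target"]), False))
    elif m := _FILEREC_RE.match(line):
        fix.files.append(m["path"])
    else:
        fix.unparsed.append(line)

def parse_otl_fix(text: str) -> OtlFix:
    fix, section = OtlFix(), None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if line.startswith(":"):                  # section header such as :OTL
            section = line.lower()
        elif section == ":otl":
            _parse_otl_line(line, fix)
        elif section == ":files":                 # a trailing " /c" means "run as a shell command"
            is_cmd = line.endswith(" /c")
            (fix.shell_commands if is_cmd else fix.files).append(line[:-3].rstrip() if is_cmd else line)
        elif section == ":commands":
            fix.commands.append(line.strip("[]").lower())
        else:
            fix.unparsed.append(line)
    return fix

def hijacked_search_hosts(fix: OtlFix, trusted=frozenset({"www.bing.com", "www.google.com"})) -> set:
    """Search-scope hosts the fix removes that are not on the (assumed) trusted list."""
    return {urlsplit(s.url).hostname for s in fix.scopes} - set(trusted)

def binaries_to_check(fix: OtlFix) -> set:
    """DLL/EXE paths behind the BHO, toolbar and Run entries: hash them before deleting."""
    return {r.path for r in fix.registrations if r.path}

def orphaned_registrations(fix: OtlFix) -> List[str]:
    """BHO/toolbar entries whose CLSID no longer resolves to a file."""
    return [r.clsid for r in fix.registrations if r.kind != "Run" and r.path is None]
```

Feed it the whole script rather than the sample to get a record for every entry; anything the patterns do not recognise lands in unparsed, so a non-empty list there is the cue to extend the parser rather than trust the summary.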

Sonofnelak:
I've done all the necessary steps so far, however I'm having a problem with installing ComboFix. The program doesn't finish installing past this message:
Output folder: C:\32788R22FWJFW
The program stayed at this part of the installation for some time, not progressing. Is it normal for it to take that long to install?

argus:

--- Quote ---The program stayed at this part of the installation for some time, not progressing. Is it normal for it to take that long to install?
--- End quote ---

Stop the ComboFix.


- Download FRST64 to a USB flash drive.
- Plug the USB drive into the infected machine.

Boot your computer into Recovery Environment

- Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
- Select Repair your computer.
- Select Language and click Next.
- Enter password (if necessary) and click OK; you should now see the screen below ...



- Select the Command Prompt option.
- A command window will open.
- Type notepad then hit Enter.
- Notepad will open.
- Click File > Open then select Computer.
- Note down the drive letter for your USB drive.
- Close Notepad.
- Back in the command window ...
- Type e:/frst64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive).
- FRST will start to run.
- When the tool opens click Yes to the disclaimer.
- Press the Scan button.
- When finished scanning it will make a log, FRST.txt, on the flash drive.
- Next
- Type Explorer.exe;Services.exe into the Search: field in FRST then click the Search File(s) button.
- FRST will search your computer for files and when finished it will produce a log, Search.txt, on the flash drive.
- Exit FRST.
- Close the command window.
- Boot back into normal mode and post me the FRST.txt and Search.txt logs please.

Sonofnelak:
Is there any chance that the virus will be transferred via the flash drive if it's put into another computer?

Sonofnelak:
Alright, here's the FRST.txt and Search.txt logs.
