Author Topic: Sudden Attack Sea ( Virus or False Positive)?  (Read 48444 times)


SafeSurf

  • Guest
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #60 on: November 24, 2010, 10:30:40 AM »
There will be 2 OTL logs to post (create a new post) -- both logs are located on your desktop.  To attach them to the post: Additional Options > Attach > Browse (the logs will be on your desktop) > Post.

derekdiong1

  • Guest
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #61 on: November 24, 2010, 11:00:09 AM »
My OTL log.

derekdiong1

  • Guest
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #62 on: November 24, 2010, 11:01:10 AM »
My extra log.

And the launcher.exe is still being detected...

SafeSurf

  • Guest
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #63 on: November 24, 2010, 11:06:15 AM »
Thank you for the logs. :) I'm not surprised you still have things being detected.  Essexboy will work with you later when he returns to the forum.

So now you know how to attach logs, which he will have you do for other tools he uses as well.  Do not make any further changes to your machine, and stay off of it (infected one) for now until you are ready to check the forum again and get further instructions from Essexboy.  Thank you again.

derekdiong1

  • Guest
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #64 on: November 24, 2010, 03:48:14 PM »
I'm going camping tomorrow till Saturday....

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #65 on: November 24, 2010, 04:35:40 PM »
I'm going camping tomorrow till Saturday....

Have fun..!! :)
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast useful information (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #66 on: November 24, 2010, 08:54:48 PM »
When you get back, let's run these fixes

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    O33 - MountPoints2\{45f9c9d4-d0e4-11de-8fd6-0024219bb59d}\Shell\AutoRun\command - "" = 9b9w3.exe
    O33 - MountPoints2\{45f9c9d4-d0e4-11de-8fd6-0024219bb59d}\Shell\open\Command - "" = 9b9w3.exe
    O33 - MountPoints2\{56c2b4f1-b7fb-11de-8fa4-0024219bb59d}\Shell\AutoRun\command - "" = RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\service.exe
    O33 - MountPoints2\{56c2b4f1-b7fb-11de-8fa4-0024219bb59d}\Shell\open\command - "" = RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\service.exe
    O33 - MountPoints2\{5a236850-07e8-11df-906a-0024219bb59d}\Shell\AutoRun\command - "" = ahymli.exe
    O33 - MountPoints2\{5a236850-07e8-11df-906a-0024219bb59d}\Shell\open\Command - "" = ahymli.exe
    O33 - MountPoints2\{a8a08354-8c9d-11df-9192-0024219bb59d}\Shell\AutoRun\command - "" = stara\\bagra.exe
    O33 - MountPoints2\{a8a08354-8c9d-11df-9192-0024219bb59d}\Shell\explore\command - "" = stara\bagra.exe
    O33 - MountPoints2\{a8a08354-8c9d-11df-9192-0024219bb59d}\Shell\install\command - "" = stara\bagra.exe
    O33 - MountPoints2\{a8a08354-8c9d-11df-9192-0024219bb59d}\Shell\open\command - "" = stara\bagra.exe
    O33 - MountPoints2\{ef561172-1621-11df-9089-0024219bb59d}\Shell\AutoRun\command - "" = J:\1.exe -- File not found

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
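The O33 lines in the fix above are MountPoints2 shell-command entries: Windows remembers, per volume GUID, what to run when a removable drive is opened or autorun, which is how autorun.inf worms persist. As an added example (not from this thread, not OTL's own code), here is a small Python triage script that parses such lines and explains why each volume's entry deserves removal; the sample uses four lines from the fix above plus one constructed absolute-path entry (GUID 1111...), and the suspicious/stale/review rules are my own heuristics, not OTL's.

```python
import re
# Constructed sample: four O33 lines from the fix above plus one made-up
# absolute-path entry (GUID 1111...) to exercise the "review" case.
SAMPLE_O33 = r"""
O33 - MountPoints2\{45f9c9d4-d0e4-11de-8fd6-0024219bb59d}\Shell\AutoRun\command - "" = 9b9w3.exe
O33 - MountPoints2\{56c2b4f1-b7fb-11de-8fa4-0024219bb59d}\Shell\open\command - "" = RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\service.exe
O33 - MountPoints2\{a8a08354-8c9d-11df-9192-0024219bb59d}\Shell\explore\command - "" = stara\bagra.exe
O33 - MountPoints2\{ef561172-1621-11df-9089-0024219bb59d}\Shell\AutoRun\command - "" = J:\1.exe -- File not found
O33 - MountPoints2\{11111111-2222-3333-4444-555555555555}\Shell\AutoRun\command - "" = E:\setup.exe
"""
# One OTL O33 line: volume GUID, shell verb (AutoRun/open/explore...), target.
O33_RE = re.compile(r'^O33 - MountPoints2\\(\{[0-9a-f-]+\})\\Shell\\(\w+)\\command'
                    r' - "" = (.+?)( -- File not found)?$', re.IGNORECASE)

def parse_o33(text):
    """One dict per MountPoints2 shell-command entry found in the log text."""
    entries = []
    for line in text.splitlines():
        m = O33_RE.match(line.strip())
        if m:
            entries.append({"volume": m.group(1).lower(), "verb": m.group(2).lower(),
                            "target": m.group(3), "missing": m.group(4) is not None})
    return entries

def classify(entry):
    """Heuristic verdict (suspicious/stale/review) and reason for one entry."""
    target = entry["target"]
    if re.search(r"(^|\\)RECYCLER\\S-1-5-", target, re.IGNORECASE):
        return "suspicious", "payload hidden under a RECYCLER SID folder"
    if not re.match(r"^[A-Za-z]:\\", target):
        return "suspicious", "relative path: executable at the root of a removable volume"
    if entry["missing"]:
        return "stale", "target is gone; the orphaned key should still be removed"
    return "review", "absolute path; confirm the program is expected for this volume"

def triage(text):
    """Group entries by volume GUID, keeping the strongest verdict and all verbs seen."""
    rank = {"review": 1, "stale": 2, "suspicious": 3}
    by_volume = {}
    for entry in parse_o33(text):
        verdict, reason = classify(entry)
        vol = by_volume.setdefault(entry["volume"], {"verdict": None, "reason": "", "verbs": set()})
        vol["verbs"].add(entry["verb"])
        if rank[verdict] > rank.get(vol["verdict"], 0):
            vol["verdict"], vol["reason"] = verdict, reason
    return by_volume

if __name__ == "__main__":
    for guid, info in triage(SAMPLE_O33).items():
        print(f"{guid} [{info['verdict']}] verbs={sorted(info['verbs'])}: {info['reason']}")
```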

derekdiong1

  • Guest
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #67 on: November 25, 2010, 02:37:09 AM »
Thx asyn ;D

And Essexboy, I will do that when I come back. Will the launcher.exe still be detected after all those steps??

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #68 on: November 25, 2010, 09:13:46 PM »
Don't know yet

derekdiong1

  • Guest
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #69 on: November 27, 2010, 10:53:09 AM »
All processes killed
========== OTL ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{45f9c9d4-d0e4-11de-8fd6-0024219bb59d}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{45f9c9d4-d0e4-11de-8fd6-0024219bb59d}\ not found.
File 9b9w3.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{45f9c9d4-d0e4-11de-8fd6-0024219bb59d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{45f9c9d4-d0e4-11de-8fd6-0024219bb59d}\ not found.
File 9b9w3.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{56c2b4f1-b7fb-11de-8fa4-0024219bb59d}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56c2b4f1-b7fb-11de-8fa4-0024219bb59d}\ not found.
File C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\service.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{56c2b4f1-b7fb-11de-8fa4-0024219bb59d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56c2b4f1-b7fb-11de-8fa4-0024219bb59d}\ not found.
File C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\service.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5a236850-07e8-11df-906a-0024219bb59d}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5a236850-07e8-11df-906a-0024219bb59d}\ not found.
File ahymli.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5a236850-07e8-11df-906a-0024219bb59d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5a236850-07e8-11df-906a-0024219bb59d}\ not found.
File ahymli.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8a08354-8c9d-11df-9192-0024219bb59d}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a8a08354-8c9d-11df-9192-0024219bb59d}\ not found.
File stara\\bagra.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8a08354-8c9d-11df-9192-0024219bb59d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a8a08354-8c9d-11df-9192-0024219bb59d}\ not found.
File stara\bagra.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8a08354-8c9d-11df-9192-0024219bb59d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a8a08354-8c9d-11df-9192-0024219bb59d}\ not found.
File stara\bagra.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8a08354-8c9d-11df-9192-0024219bb59d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a8a08354-8c9d-11df-9192-0024219bb59d}\ not found.
File stara\bagra.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef561172-1621-11df-9089-0024219bb59d}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ef561172-1621-11df-9089-0024219bb59d}\ not found.
File J:\1.exe not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Owner\My Documents\Derek's Documents\Anti-virus stuff\cmd.bat deleted successfully.
C:\Documents and Settings\Owner\My Documents\Derek's Documents\Anti-virus stuff\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
[EMPTYTEMP]
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56502 bytes
 
User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 6025679 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1920371 bytes
 
User: Owner
->Temp folder emptied: 106998644 bytes
->Temporary Internet Files folder emptied: 607313161 bytes
->Java cache emptied: 2250268 bytes
->FireFox cache emptied: 65909324 bytes
->Google Chrome cache emptied: 420033713 bytes
->Apple Safari cache emptied: 141659136 bytes
->Opera cache emptied: 29473169 bytes
->Flash cache emptied: 109687 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 108098 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 2564768937 bytes
 
Total Files Cleaned = 3,766.00 mb
 
 
[EMPTYFLASH]
 
User: All Users
 
User: Default User
->Flash cache emptied: 0 bytes
 
User: LocalService
 
User: NetworkService
 
User: Owner
->Flash cache emptied: 0 bytes
 
Total Flash Files Cleaned = 0.00 mb
 
Restore point Set: OTL Restore Point (0)
 
OTL by OldTimer - Version 3.2.17.3 log created on 11272010_172013

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_e18.dat not found!

Registry entries deleted on Reboot...

derekdiong1

  • Guest
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #70 on: November 27, 2010, 10:54:43 AM »
That was the log after the fix on OTL. Now I'm doing ComboFix.

derekdiong1

  • Guest
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #71 on: November 27, 2010, 10:59:16 AM »
When I use ComboFix it says that AVG is targeting it and won't let it start!! Now my Start toolbar looks old!! PLS REPLY ASAP and tell me how to change my Start toolbar back to new again!!

derekdiong1

  • Guest
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #72 on: November 27, 2010, 11:03:01 AM »
Ok, now I've fixed the toolbar problem; now please tell me about the ComboFix problem.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #73 on: November 27, 2010, 03:02:11 PM »
AVG, in their wisdom, have determined that Combofix is malicious and basically try to destroy the programme (and fail), but Combofix will not run unless AVG is uninstalled.

Download the AVG removal tool from here http://www.avg.com/us-en/download-tools

Uninstall AVG then run the tool

On completion run combofix

derekdiong1

  • Guest
Re: Sudden Attack Sea ( Virus or False Positive)?
« Reply #74 on: November 28, 2010, 07:39:18 AM »
Have you checked my OTL log? Are there any problems??