Solved Trojan. AV security. Need assistance removing it.

rpicon · 2010/07/14

unless there's a way for me to identify what folder is infected.

broni · 2010/07/14

unless there's a way for me to identify what folder is infected.
Click to expand...

You would have to open every single piece of mail and scan every single attachment.
I assume, you don't want to do this

Run OTL
Under the [color= "#0000FF"]Custom Scans/Fixes[/color] box at the bottom, paste in the following
Code:
:OTL

:Services

:Reg

:Files
C:\Documents and Settings\Rick Picon\Desktop\desktop\outlookbackup.pst 
C:\Documents and Settings\Rick Picon\Desktop\STUFF\backup.pst 
P:\JohnBackup\documents\Local Settings\Temp\Acr48DD.tmp 
P:\RPBackup\outlookbackup.pst 
T:\JohnBackup\documents\Local Settings\Temp\Acr48DD.tmp 
T:\RPBackup\outlookbackup.pst 

:Commands
[purity]
[emptytemp]
[emptyflash]
[resethosts]
[Reboot]
Then click the [color= "#FF0000"]Run Fix[/color] button at the top

Let the program run unhindered, reboot the PC when it is done

You will get a log that shows the results of the fix. Please post it.

rpicon · 2010/07/15

All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File\Folder C:\Documents and Settings\Rick Picon\Desktop\desktop\outlookbackup.pst not found.
C:\Documents and Settings\Rick Picon\Desktop\STUFF\backup.pst moved successfully.
P:\JohnBackup\documents\Local Settings\Temp\Acr48DD.tmp moved successfully.
P:\RPBackup\outlookbackup.pst moved successfully.
File\Folder T:\JohnBackup\documents\Local Settings\Temp\Acr48DD.tmp not found.
File\Folder T:\RPBackup\outlookbackup.pst not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Copy of Rick Picon

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: dfederman
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: pwalsh
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Rick Picon
->Temp folder emptied: 108992194 bytes
->Temporary Internet Files folder emptied: 148085286 bytes
->Java cache emptied: 2141029 bytes
->FireFox cache emptied: 53197939 bytes
->Flash cache emptied: 2964 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 8756 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 52224 bytes

Total Files Cleaned = 298.00 mb

[EMPTYFLASH]

User: Administrator

User: All Users

User: Copy of Rick Picon

User: Default User

User: dfederman
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: pwalsh
->Flash cache emptied: 0 bytes

User: Rick Picon
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.7.0 log created on 07152010_125033

Files\Folders moved on Reboot...
C:\Documents and Settings\Rick Picon\Local Settings\Temporary Internet Files\Content.IE5\U81MZTWA\Main[1].htm moved successfully.
C:\Documents and Settings\Rick Picon\Local Settings\Temporary Internet Files\Content.IE5\TQ4WD8IB\PLoad[1].htm moved successfully.
C:\Documents and Settings\Rick Picon\Local Settings\Temporary Internet Files\Content.IE5\FUQAS40P\PLoad[1].htm moved successfully.
C:\Documents and Settings\Rick Picon\Local Settings\Temporary Internet Files\Content.IE5\FK7N2K3K\LoadAccountCache[1] moved successfully.
C:\Documents and Settings\Rick Picon\Local Settings\Temporary Internet Files\Content.IE5\DYS2SGUG\QuoteBar[1].htm moved successfully.
C:\Documents and Settings\Rick Picon\Local Settings\Temporary Internet Files\Content.IE5\CGAOYNVN\AccountSwitch[1].htm moved successfully.
C:\Documents and Settings\Rick Picon\Local Settings\Temporary Internet Files\Content.IE5\CGAOYNVN\PLoad[1].htm moved successfully.
C:\Documents and Settings\Rick Picon\Local Settings\Temporary Internet Files\Content.IE5\91VO61CT\PLoad[1].htm moved successfully.
C:\Documents and Settings\Rick Picon\Local Settings\Temporary Internet Files\Content.IE5\91VO61CT\search[3].htm moved successfully.
C:\Documents and Settings\Rick Picon\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...

broni · 2010/07/15

Good

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

============================================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore ".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C: ")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure, Windows Updates are current.

[SIZE= "4"]5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately![/SIZE]

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please, let me know, how is your computer doing.

broni · 2010/07/23

The issue appears to be resolved.

Log in or Sign up

Solved Trojan. AV security. Need assistance removing it.

rpicon Inactive Thread Starter

broni Moderator Malware Analyst

rpicon Inactive Thread Starter

broni Moderator Malware Analyst

broni Moderator Malware Analyst

Share This Page

Log in or Sign up

Solved Trojan. AV security. Need assistance removing it.

rpicon Inactive Thread Starter

broni Moderator Malware Analyst

rpicon Inactive Thread Starter

broni Moderator Malware Analyst

broni Moderator Malware Analyst

Share This Page

Useful Searches