
Solved aswMBR keeps crashing midway?

Discussion in 'Malware and Virus Removal Archive' started by virtue1boy, 2012/04/30.

  1. 2012/05/02
    virtue1boy

    virtue1boy Inactive Thread Starter

    Joined:
    2008/08/14
    Messages:
    104
    Likes Received:
    0
    You don't see Norton because I uninstalled it before I ran ComboFix. I followed the instructions to disable Norton, but ComboFix kept saying it was running. Log will be posted soon.
     
  2. 2012/05/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Reinstall Norton as soon as possible.
     


  4. 2012/05/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Still with me?
     
  5. 2012/05/06
    virtue1boy

    virtue1boy Inactive Thread Starter

    Joined:
    2008/08/14
    Messages:
    104
    Likes Received:
    0
    Yes, I'm working on everything. Get back to you soon.
     
  6. 2012/05/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok.........
     
  7. 2012/05/06
    virtue1boy

    virtue1boy Inactive Thread Starter

    Joined:
    2008/08/14
    Messages:
    104
    Likes Received:
    0
    Results of screen317's Security Check version 0.99.24
    Windows Vista Service Pack 2 x86 (UAC is enabled)
    Internet Explorer 7 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    Norton Internet Security
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Java(TM) 6 Update 32
    Adobe Flash Player 11.2.202.235
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Malwarebytes' Anti-Malware mbamservice.exe
    ``````````End of Log````````````

    Farbar Service Scanner Version: 30-04-2012 01
    Ran by Kerry (administrator) on 06-05-2012 at 19:21:17
    Running from "C:\Users\Kerry\Desktop "
    Microsoft® Windows Vista™ Ultimate Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall "=DWORD:0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "EnableFirewall "=DWORD:0


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================

    C:\ProgramData\Microsoft\Windows\DRM\B1F0.tmp Win32/Olmarik.AYD trojan cleaned by deleting - quarantined
    C:\Users\Kerry\Downloads\WinRAR.exe multiple threats deleted - quarantined
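    The FSS log above lists, under "Firewall Disabled Policy", two registry keys whose EnableFirewall value is 0, i.e. a policy forcing the Windows Firewall off for the Domain and Public profiles, even though Security Check reported the firewall as enabled. The following is an added example (not code from the thread or from the FSS tool) that parses that section of an FSS log and reports which profiles have the firewall forced off; the sample log text is constructed from the lines posted above, including the stray space inside the quoted value name.

```python
import re

# Constructed sample: the "Firewall Disabled Policy" section of a Farbar
# Service Scanner (FSS) log, in the shape seen in the thread above.
SAMPLE_FSS_LOG = """\
Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile]
"EnableFirewall "=DWORD:0
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile]
"EnableFirewall "=DWORD:0


System Restore:
============
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# Value names are quoted; tolerate stray whitespace inside the quotes,
# which the posted log shows ("EnableFirewall ").
VALUE_RE = re.compile(r'^"\s*(\w+)\s*"=DWORD:(\d+)$', re.IGNORECASE)


def parse_firewall_policy(log_text):
    """Return {profile_name: EnableFirewall value} from the FSS section."""
    result = {}
    in_section = False
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Firewall Disabled Policy:":
            in_section = True
            continue
        if not in_section:
            continue
        if line.endswith(":") and not line.startswith("["):
            break  # next section header, e.g. "System Restore:"
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key and m.group(1).lower() == "enablefirewall":
            profile = current_key.rsplit("\\", 1)[-1]  # e.g. "DomainProfile"
            result[profile] = int(m.group(2))
    return result


def disabled_profiles(log_text):
    """Profiles where a policy value forces the firewall off (value 0)."""
    return sorted(p for p, v in parse_firewall_policy(log_text).items() if v == 0)
```

A non-empty result means a policy override is present; the check worth adding to a triage routine is that those keys are absent (or 1) again after cleaning and reboot.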
     
  8. 2012/05/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I still need a log from OTL fix.
     
  9. 2012/05/07
    virtue1boy

    virtue1boy Inactive Thread Starter

    Joined:
    2008/08/14
    Messages:
    104
    Likes Received:
    0
    All processes killed
    ========== OTL ==========
    Starting removal of ActiveX control {67DABFBF-D0AB-41FA-9C46-CC0F21721616}
    C:\Windows\Downloaded Program Files\DivXPlugin.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\Windows\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Kerry
    ->Temp folder emptied: 19260290 bytes
    ->Temporary Internet Files folder emptied: 3794514 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 456 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 946495 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 23.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Kerry
    ->Java cache emptied: 0 bytes

    User: Public

    User: UpdatusUser

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Kerry
    ->Flash cache emptied: 0 bytes

    User: Public

    User: UpdatusUser

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.42.3 log created on 05072012_152757

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  10. 2012/05/07
    virtue1boy

    virtue1boy Inactive Thread Starter

    Joined:
    2008/08/14
    Messages:
    104
    Likes Received:
    0
    Broni,

    I have a new slew of folders in my Local Disk (C:) including:

    Program Data (shouldn't this folder be hidden?)
    Perflogs
    MSO Cache (shouldn't this folder be hidden?)
    Boot
    Qoobox
    ComboFix (text doc)
    JavaRa (text doc)

    Which ones do I hide? and which ones can I delete???
     
    Last edited: 2012/05/07
  11. 2012/05/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Open Windows Explorer, go Tools>Folder options>View tab, checkmark:
    - Do not show hidden files and folders
    - Hide protected operating system files

    As for the others, see what will be left after following the last steps....
     
  12. 2012/05/07
    virtue1boy

    virtue1boy Inactive Thread Starter

    Joined:
    2008/08/14
    Messages:
    104
    Likes Received:
    0
    Well, I tried that already and they are still visible. Let me change the system file folders MSO Cache and Program Data to "hidden"; Perflogs is OK. The others appear to be remnants of the exe stuff we've been running and will be deleted after cleaning is complete.
     
  13. 2012/05/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Still with me?
     
  14. 2012/05/12
    virtue1boy

    virtue1boy Inactive Thread Starter

    Joined:
    2008/08/14
    Messages:
    104
    Likes Received:
    0
    Yeah... what's next? I'm ready to finish this project.
     
  15. 2012/05/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Your computer is clean.

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please let me know how your computer is doing.
     
  16. 2012/05/13
    virtue1boy

    virtue1boy Inactive Thread Starter

    Joined:
    2008/08/14
    Messages:
    104
    Likes Received:
    0
    umm

    Norton refuses to let me download OTL. It deletes it automatically. Any other suggestions?????
     
  17. 2012/05/13
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Disable Norton until you're done with OTL.
     
  18. 2012/05/14
    virtue1boy

    virtue1boy Inactive Thread Starter

    Joined:
    2008/08/14
    Messages:
    104
    Likes Received:
    0
    Disabling doesn't work; that's why I had to uninstall it. Any other suggestions???
     
  19. 2012/05/14
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download OTL from safe mode with networking.
     
  20. 2012/05/15
    virtue1boy

    virtue1boy Inactive Thread Starter

    Joined:
    2008/08/14
    Messages:
    104
    Likes Received:
    0
    I downloaded it to a usb on another computer. Here you go...


    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Kerry
    ->Temp folder emptied: 250131 bytes
    ->Temporary Internet Files folder emptied: 250575261 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 3796 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 25876867 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 264.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Kerry
    ->Flash cache emptied: 0 bytes

    User: Public

    User: UpdatusUser

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Kerry
    ->Java cache emptied: 0 bytes

    User: Public

    User: UpdatusUser

    Total Java Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.43.0 log created on 05152012_093559

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  21. 2012/05/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good.
    Go on....
     
