
Solved Virus Problem (Black Internet rootkit)

Discussion in 'Malware and Virus Removal Archive' started by Pete, 2010/06/20.

  1. 2010/06/27
    Pete (Thread Starter)
    This time, I didn't get the 1:00 Timer dialog.

    I've just noticed Explorer close; the fix ran fine.

    Log produced:

    All processes killed
    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Documents and Settings\Pete\DoctorWeb\Quarantine\Keygen.exe moved successfully.
    C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\22\27c3f96-2cef6799 moved successfully.
    File\Folder C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\22\27c3f96-2cef6799 not found.
    C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\53\68e558f5-32056746 moved successfully.
    File\Folder C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\53\68e558f5-32056746 not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Pete
    ->Temp folder emptied: 109595105 bytes
    ->Temporary Internet Files folder emptied: 200448 bytes
    ->Java cache emptied: 128094 bytes
    ->FireFox cache emptied: 36155393 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 1221 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 139.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService

    User: Pete
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.6.1 log created on 06272010_233952

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
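As an added example (not from the thread or from OTL's authors), a small Python parser for the OTL fix-log format quoted above: it collects the paths OTL moved, the paths already gone on its re-check, and the bytes emptied per user, so the stated total can be compared against the sum; the sample log inside it is constructed from a few lines in that format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the OTL fix-log format (a few lines, not the thread's full log).
SAMPLE_LOG = """\
C:\\Quarantine\\Keygen.exe moved successfully.
C:\\JavaCache\\27c3f96-2cef6799 moved successfully.
File\\Folder C:\\JavaCache\\27c3f96-2cef6799 not found.
User: LocalService
->Temporary Internet Files folder emptied: 33170 bytes
User: Pete
->Temp folder emptied: 109595105 bytes
->FireFox cache emptied: 36155393 bytes
Total Files Cleaned = 139.00 mb
"""

MOVED_RE = re.compile(r"^(?P<path>.+?) moved successfully\.$")
NOT_FOUND_RE = re.compile(r"^File\\Folder (?P<path>.+?) not found\.$")
USER_RE = re.compile(r"^User: (?P<user>.+)$")
EMPTIED_RE = re.compile(r"^->(?P<what>.+?) emptied: (?P<bytes>\d+) bytes$")
TOTAL_RE = re.compile(r"^Total Files Cleaned = (?P<mb>[\d.]+) mb$")


@dataclass
class OtlReport:
    moved: List[str] = field(default_factory=list)       # paths OTL moved to its quarantine
    not_found: List[str] = field(default_factory=list)   # paths already gone on OTL's re-check
    bytes_by_user: Dict[str, int] = field(default_factory=dict)
    stated_total_mb: Optional[float] = None              # OTL's own summary figure

    def bytes_total(self) -> int:
        """Sum of every '->... emptied: N bytes' line, for comparison with stated_total_mb."""
        return sum(self.bytes_by_user.values())


def parse_otl_log(text: str) -> OtlReport:
    """Walk the log line by line; the most recent 'User:' header scopes the byte counts."""
    report, user = OtlReport(), "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if m := USER_RE.match(line):
            user = m["user"]
        elif m := EMPTIED_RE.match(line):
            report.bytes_by_user[user] = report.bytes_by_user.get(user, 0) + int(m["bytes"])
        elif m := NOT_FOUND_RE.match(line):
            report.not_found.append(m["path"])
        elif m := MOVED_RE.match(line):
            report.moved.append(m["path"])
        elif m := TOTAL_RE.match(line):
            report.stated_total_mb = float(m["mb"])
    return report
```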
     
  2. 2010/06/27
    broni (Moderator, Malware Analyst)
    It looks like after a 7-day journey, we're coming to a happy ending :)

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL, as this step will require a reboot.
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs left over on your computer, you can go ahead and delete them now.

    ==========================================================

    Your computer is clean :)

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side.
    4. Click on Continue on the "User Account Control" window that pops up.
    5. Under the System Protection tab, find Available Disks.
    6. Uncheck the box for any drive you wish to disable System Restore on (in most cases, drive "C:").
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK.

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read "How did I get infected?, With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
     


  4. 2010/06/28
    Pete (Thread Starter)
    Will post tomorrow morning.
     
  5. 2010/06/28
    Pete (Thread Starter)
    My Windows updates don't work, like I mentioned earlier.
    It's ok, I can live with that, I guess.

    I have 2 startup entries under Winlogon: cryptnet.dll and crypt32chain - crypt32.dll. Should I disable them?

    Also, can you tell me how I actually got this virus? I am very careful about what I download and browse, and I don't understand why this happened in the first place.

    Wow, more than 72 posts and a lot of days afterwards, it's finally over! :)

    Thanks a million for all your effort and time!! :)

    I hope I don't have to come back here anytime soon, lol

    Take care!
    Cheers,
    Pete
     
    Last edited: 2010/06/28
  6. 2010/06/28
    broni (Moderator, Malware Analyst)
    You're very welcome :)
    I'm glad too that it's over, and even more glad that we fixed it :)
    We hit over 1,000 views on this topic...hehehe

    As for those two files, they're legit Windows files.

    As for Windows updates, try this: http://support.microsoft.com/kb/971058

    How did you get infected?
    Frankly speaking, it's impossible to say. If you read #8 from my previous reply, possible sources are countless.

    Good luck and stay safe :)
     
