Rootkit scan log: please could someone help me understand it


Comments

  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    edited 1 April 2013 at 1:39PM
    IMPORTANT:
    • Right click the Malwarebytes' Anti-malware system tray icon
    • Uncheck Filesystem Protection & Website Blocking
    • Uncheck Start with windows
    • Reboot your computer
    After the reboot, run the script below. The script will stop Explorer, so your desktop will temporarily disappear (it will return on reboot), and your Recycle Bin will be emptied.
    • Double-click OTL.exe to start the program.
    • Allow the UAC prompt
    • Copy and paste all the following code into the Custom Scans/Fixes textbox. Do not include the word Code:
      :commands
      [CREATERESTOREPOINT]
      
      :otl
      FF - prefs.js..extensions.enabledAddons: proxytool%40proxylist.co:1.19
      FF - prefs.js..network.proxy.ftp: "88.198.96.248"
      FF - prefs.js..network.proxy.ftp_port: 8080
      FF - prefs.js..network.proxy.gopher: "88.198.96.248"
      FF - prefs.js..network.proxy.gopher_port: 8080
      FF - prefs.js..network.proxy.http: "88.198.96.248"
      FF - prefs.js..network.proxy.http_port: 8080
      FF - prefs.js..network.proxy.socks: "88.198.96.248"
      FF - prefs.js..network.proxy.socks_port: 8080
      FF - prefs.js..network.proxy.ssl: "88.198.96.248"
      FF - prefs.js..network.proxy.ssl_port: 8080
      FF - prefs.js..network.proxy.type: 0
      [2012/10/30 23:17:46 | 000,000,000 | ---D | M] (Lavasoft Search Plugin) -- C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack
      [2013/03/13 15:51:03 | 000,012,119 | ---- | M] () (No name found) -- C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\go2appspot@gmail.com.xpi
      [2013/02/25 01:52:45 | 000,200,456 | ---- | M] () (No name found) -- C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid0-zs24wecdcQo0Lp18D7QOV4WSZFo@jetpack.xpi
      [2013/03/13 15:51:34 | 000,690,228 | ---- | M] () (No name found) -- C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\proxytool@proxylist.co.xpi
      
      :files
      C:\ProgramData\Premium
      C:\Windows\tasks\WxDFastUpdaterTask{5BFB0913-A410-4809-8167-A53B439A8FAC}.job
      dir C:\Users\David\AppData\Roaming\.oit /s /c
      dir C:\Users\David\AppData\Roaming\TP /s /c
      ipconfig /flushdns /c
      
      :commands
      [EMPTYTEMP]
      [CREATERESTOREPOINT]
      
    • Then click the Run Fix button at the top.
    • Click OK.
    • OTL may ask to reboot the machine. Click OK & allow it to do so if asked.
    • The report should appear in Notepad after the reboot.
    • Copy and Paste that report in your next reply.
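    The `:otl` section of the fix above strips `network.proxy.*` entries from the Firefox profile's prefs.js and the `proxytool@proxylist.co` entry from `extensions.enabledAddons`. Before running a fix like that on another machine, it helps to see exactly what the profile is pointing at. The following Python script is an added example, not part of the thread or of OTL: it parses prefs.js, flags every proxy host that is not loopback or RFC 1918, decodes the URL-encoded add-on IDs in `extensions.enabledAddons`, and reports whether the proxy is actually in force. Two points it makes explicit: Firefox's `network.proxy.type` is 0 for "no proxy", 1 for "manual proxy configuration" and 5 (the desktop default) for "use system proxy", so the `network.proxy.type: 0` in the log above means the 88.198.96.248:8080 entries were staged but not routing traffic at the time of the scan; and Firefox rewrites prefs.js from memory when it exits, so any inspection or edit must be done with Firefox closed, which is why the fix kills processes first. The prefs.js excerpt is constructed to mirror the entries in the fix, not copied from the poster's profile.

```python
import re
from ipaddress import ip_address
from urllib.parse import unquote

# Constructed prefs.js excerpt modelled on the entries in the OTL fix above.
# Not a real profile file; the "sample-addon" entry is invented.
SAMPLE_PREFS_JS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.invalid/");
user_pref("extensions.enabledAddons", "proxytool%40proxylist.co:1.19,sample-addon%40example.invalid:2.0");
user_pref("network.proxy.ftp", "88.198.96.248");
user_pref("network.proxy.ftp_port", 8080);
user_pref("network.proxy.gopher", "88.198.96.248");
user_pref("network.proxy.gopher_port", 8080);
user_pref("network.proxy.http", "88.198.96.248");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.socks", "88.198.96.248");
user_pref("network.proxy.socks_port", 8080);
user_pref("network.proxy.ssl", "88.198.96.248");
user_pref("network.proxy.ssl_port", 8080);
user_pref("network.proxy.type", 0);
'''

# prefs.js lines look like: user_pref("name", value);  where value is a
# quoted string, an integer, or true/false.
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')

PROXY_HOST_KEYS = (
    "network.proxy.http", "network.proxy.ssl", "network.proxy.ftp",
    "network.proxy.socks", "network.proxy.gopher",
)


def parse_prefs(text):
    """Return prefs.js as a dict, converting ints and booleans; comments are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # leave anything unexpected as the raw token
        prefs[key] = value
    return prefs


def _is_local(host):
    """True for loopback / private addresses, i.e. proxies that are not a red flag by themselves."""
    if host in ("", "localhost"):
        return True
    try:
        addr = ip_address(host)
    except ValueError:
        return False  # a hostname: treat as external so the analyst looks at it
    return addr.is_loopback or addr.is_private


def audit_proxy(prefs):
    """Collect proxy hosts pointing off-box and say whether Firefox is actually using them."""
    external = {}
    for key in PROXY_HOST_KEYS:
        host = prefs.get(key)
        if host and not _is_local(host):
            external[key] = (host, prefs.get(key + "_port"))
    ptype = prefs.get("network.proxy.type", 5)  # 5 = use system proxy (desktop default)
    return {
        "external_proxies": external,
        "proxy_type": ptype,
        "proxy_active": ptype == 1 and bool(external),  # only type 1 honours these hosts
    }


def enabled_addons(prefs):
    """Decode extensions.enabledAddons into (id, version) pairs; IDs are URL-encoded (%40 -> @)."""
    raw = prefs.get("extensions.enabledAddons", "")
    result = []
    for entry in filter(None, raw.split(",")):
        ident, _, version = entry.rpartition(":")
        result.append((unquote(ident), version))
    return result


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS_JS)
    report = audit_proxy(prefs)
    for key, (host, port) in report["external_proxies"].items():
        print(f"{key} -> {host}:{port}")
    print("proxy type:", report["proxy_type"], "active:", report["proxy_active"])
    for ident, version in enabled_addons(prefs):
        print("enabled add-on:", ident, version)
```

On a real machine point `parse_prefs` at the profile's prefs.js (under `%APPDATA%\Mozilla\Firefox\Profiles\<profile>\prefs.js`) with Firefox closed. A non-empty `external_proxies` with `proxy_active` false still warrants removal: the add-on that staged the entries can flip `network.proxy.type` to 1 at any time.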
  • Voyager2002
    Voyager2002 Posts: 16,029 Forumite
    Here is the OTL report:
    All processes killed
    ========== COMMANDS ==========
    Restore point Set: OTL Restore Point
    ========== OTL ==========
    Prefs.js: proxytool%40proxylist.co:1.19 removed from extensions.enabledAddons
    Prefs.js: "88.198.96.248" removed from network.proxy.ftp
    Prefs.js: 8080 removed from network.proxy.ftp_port
    Prefs.js: "88.198.96.248" removed from network.proxy.gopher
    Prefs.js: 8080 removed from network.proxy.gopher_port
    Prefs.js: "88.198.96.248" removed from network.proxy.http
    Prefs.js: 8080 removed from network.proxy.http_port
    Prefs.js: "88.198.96.248" removed from network.proxy.socks
    Prefs.js: 8080 removed from network.proxy.socks_port
    Prefs.js: "88.198.96.248" removed from network.proxy.ssl
    Prefs.js: 8080 removed from network.proxy.ssl_port
    Prefs.js: 0 removed from network.proxy.type
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack\resources\lavasoft_search_plugin\tests folder moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack\resources\lavasoft_search_plugin\lib folder moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack\resources\lavasoft_search_plugin\data folder moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack\resources\lavasoft_search_plugin folder moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack\resources\api-utils\lib\windows folder moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack\resources\api-utils\lib\utils folder moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack\resources\api-utils\lib\traits folder moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack\resources\api-utils\lib\tabs folder moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack\resources\api-utils\lib\events folder moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack\resources\api-utils\lib\dom folder moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack\resources\api-utils\lib\content folder moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack\resources\api-utils\lib folder moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack\resources\api-utils\data folder moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack\resources\api-utils folder moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack\resources\addon-kit\lib folder moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack\resources\addon-kit\data folder moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack\resources\addon-kit folder moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack\resources folder moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack\locale folder moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack\defaults\preferences folder moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack\defaults folder moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack folder moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\go2appspot@gmail.com.xpi moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\jid0-zs24wecdcQo0Lp18D7QOV4WSZFo@jetpack.xpi moved successfully.
    C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\yzt8ohmd.default\extensions\proxytool@proxylist.co.xpi moved successfully.
    ========== FILES ==========
    C:\ProgramData\Premium\WxDFast\downloads folder moved successfully.
    C:\ProgramData\Premium\WxDFast folder moved successfully.
    C:\ProgramData\Premium folder moved successfully.
    C:\Windows\tasks\WxDFastUpdaterTask{5BFB0913-A410-4809-8167-A53B439A8FAC}.job moved successfully.
    < dir C:\Users\David\AppData\Roaming\.oit /s /c >
    Volume in drive C has no label.
    Volume Serial Number is 3EAA-FB47
    Directory of C:\Users\David\AppData\Roaming\.oit
    16/05/2012 09:24 <DIR> .
    16/05/2012 09:24 <DIR> ..
    15/05/2012 22:15 2,832 PINnbhhv9ls.d
    1 File(s) 2,832 bytes
    Total Files Listed:
    1 File(s) 2,832 bytes
    2 Dir(s) 190,677,413,888 bytes free
    C:\Users\David\Desktop\cmd.bat deleted successfully.
    C:\Users\David\Desktop\cmd.txt deleted successfully.
    < dir C:\Users\David\AppData\Roaming\TP /s /c >
    Volume in drive C has no label.
    Volume Serial Number is 3EAA-FB47
    Directory of C:\Users\David\AppData\Roaming\TP
    03/05/2012 17:01 <DIR> .
    03/05/2012 17:01 <DIR> ..
    0 File(s) 0 bytes
    Total Files Listed:
    0 File(s) 0 bytes
    2 Dir(s) 190,677,409,792 bytes free
    C:\Users\David\Desktop\cmd.bat deleted successfully.
    C:\Users\David\Desktop\cmd.txt deleted successfully.
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Users\David\Desktop\cmd.bat deleted successfully.
    C:\Users\David\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: David
    ->Temp folder emptied: 11260657 bytes
    ->Temporary Internet Files folder emptied: 2656446 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 72021447 bytes
    ->Google Chrome cache emptied: 161731218 bytes
    ->Flash cache emptied: 58144 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 57616 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 113049518 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 665288 bytes
    RecycleBin emptied: 183962 bytes

    Total Files Cleaned = 345.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.69.0 log created on 04012013_181941

    Files\Folders moved on Reboot...
    C:\Users\David\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    File\Folder C:\Users\David\AppData\Local\Temp\~DF05D4C37A030F9A83.TMP not found!
    File\Folder C:\Users\David\AppData\Local\Temp\~DF0E68F4E761A85918.TMP not found!
    File\Folder C:\Users\David\AppData\Local\Temp\~DF4975A0E6FF35E355.TMP not found!
    File\Folder C:\Users\David\AppData\Local\Temp\~DF78A0C28C28797BF6.TMP not found!
    File\Folder C:\Users\David\AppData\Local\Temp\~DFA8F045BF2794A544.TMP not found!
    File\Folder C:\Users\David\AppData\Local\Temp\~DFBC31B8651C0D0435.TMP not found!
    File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Is the computer running any better now?
  • Voyager2002
    Voyager2002 Posts: 16,029 Forumite
    waddler_8 wrote:
    Is the computer running any better now?

    Let me try it.
This discussion has been closed.