Potential Virus - Help please


Comments

  • DCodd
    DCodd Posts: 8,187 Forumite
    Part of the Furniture Combo Breaker
    Rkill 2.6.1 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2013 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html
    Program started at: 09/06/2013 01:51:10 PM in x86 mode.
    Windows Version: Microsoft Windows XP Service Pack 3
    Checking for Windows services to stop:
    * No malware services found to stop.
    Checking for processes to terminate:
    * No malware processes found to kill.
    Checking Registry for malware related settings:
    * No issues found in the Registry.
    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
    Performing miscellaneous checks:
    * Windows Defender Disabled
    [HKLM\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware" = dword:00000001
    Checking Windows Service Integrity:
    * No issues found.
    Searching for Missing Digital Signatures:
    * No issues found.
    Checking HOSTS File:
    * HOSTS file entries found:
    127.0.0.1 localhost
    Program finished at: 09/06/2013 01:52:29 PM
    Execution time: 0 hours(s), 1 minute(s), and 19 seconds(s)
    Always get a Qualified opinion - My qualifications are that I am OLD and GRUMPY:p:p
  • DCodd
    DCodd Posts: 8,187 Forumite
    Part of the Furniture Combo Breaker
    Hi waddler_8

    The Avast rootkit scanner "encountered a problem and needed to close" halfway through the scan; it did pick up on the fact that acer erecovery was "infected".

    Will try again later.

    Thanks
    Always get a Qualified opinion - My qualifications are that I am OLD and GRUMPY:p:p
  • DCodd
    DCodd Posts: 8,187 Forumite
    Part of the Furniture Combo Breaker
    Can't post. Will e-mail.

    Thanks for this waddler_8
    Always get a Qualified opinion - My qualifications are that I am OLD and GRUMPY:p:p
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    DCodd wrote: »
    it did pick up on the fact that acer erecovery was "infected".
    I'm pretty sure that's a false positive. Things look good with ZeroAccess no longer being detected.

    We'll check for residual damage by ZA.

    Download Farbar's Service Scanner from the link below.

    LINK
    • Double click FSS.exe to run it.
    • Check (tick) the following checkboxes (All)
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
    • Click Scan
    • When finished, notepad will open. Post the contents in your next reply (or email it to me).
    The log can also be found on your desktop named FSS.txt
  • DCodd
    DCodd Posts: 8,187 Forumite
    Part of the Furniture Combo Breaker
    Hi Waddler_8

    Having difficulty with the laptop. Just forced a close as it was still loading from boot after 35 min. Was able to launch task manager and CPU was running between 60 and 90% constantly. Will see how reboot goes. Chrome wouldn't launch either.
    Thanks
    Always get a Qualified opinion - My qualifications are that I am OLD and GRUMPY:p:p
  • DCodd
    DCodd Posts: 8,187 Forumite
    Part of the Furniture Combo Breaker
    Back on line. Probably just a glitch?
    Always get a Qualified opinion - My qualifications are that I am OLD and GRUMPY:p:p
  • DCodd
    DCodd Posts: 8,187 Forumite
    Part of the Furniture Combo Breaker
    Farbar Service Scanner Version: 05-09-2013
    Ran by Admins (administrator) on 06-09-2013 at 21:56:44
    Running from "C:\Documents and Settings\Admins\Desktop"
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================
    "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall" registry value does not exist.


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Other Services:
    ==============


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    AegisP(14) aswTdi(17) Gpc(8) IPSec(6) irda(3) NdisFilt(11) NetBT(7) NETMNT(10) PSched(9) RFCOMM(4) s24trans(13) Tcpip(5)
    0x11000000060000000100000002000000030000000400000005000000110000000C000000100000000700000008000000090000000A0000000B0000000D0000000E0000000F000000
    IpSec Tag value is correct.
    Always get a Qualified opinion - My qualifications are that I am OLD and GRUMPY:p:p
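    As an added defender-side example (not from this thread, and not part of Rkill or FSS), here is a small Python triage pass over the kind of lines the two reports above print: it flags a protection component reported disabled, a Defender "DisableAntiSpyware" value set to 1, a missing firewall policy value, HOSTS entries other than the loopback mapping, and any file-check line that is not "MD5 is legit". The sample lines are copied from the posted Rkill and FSS output, with one stray HOSTS entry and one failed file check constructed so the negative path is exercised.

```python
import re

# Constructed sample: lines copied from the Rkill and FSS reports in this thread,
# plus two constructed "bad" lines (a stray HOSTS entry and a failed file check).
SAMPLE_LOG = r"""Performing miscellaneous checks:
* Windows Defender Disabled
[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001
Checking HOSTS File:
* HOSTS file entries found:
127.0.0.1 localhost
127.0.0.1 update.example.invalid
Program finished at: 09/06/2013 01:52:29 PM
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall" registry value does not exist.
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 mismatch (constructed)
"""

HOSTS_ENTRY = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")
RULES = [
    # Rkill's miscellaneous checks report a disabled protection component.
    (re.compile(r"^\* (.+ Disabled)$"), "protection_disabled"),
    # The Defender kill-switch policy value Rkill printed, set to 1.
    (re.compile(r'^"DisableAntiSpyware" = dword:0*1$'), "defender_policy_set"),
    # FSS: the EnableFirewall policy value is absent (what OTM later re-creates).
    (re.compile(r'^".*EnableFirewall" registry value does not exist\.$'), "firewall_policy_missing"),
    # FSS file check: anything other than "MD5 is legit" needs a closer look.
    (re.compile(r"^(\S+) => (?!MD5 is legit$).+$"), "system_file_check_failed"),
]

def triage(log_text):
    """Return (category, evidence_line) tuples for the lines that need attention."""
    findings = []
    in_hosts = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "* HOSTS file entries found:":
            in_hosts = True
            continue
        if in_hosts:
            m = HOSTS_ENTRY.match(line)
            if m:
                # A clean HOSTS file needs only the loopback mapping; flag anything else.
                if m.group(2).lower() != "localhost":
                    findings.append(("hosts_redirect", line))
                continue
            in_hosts = False  # first non-entry line ends the HOSTS block
        for pattern, category in RULES:
            if pattern.match(line):
                findings.append((category, line))
                break
    return findings

if __name__ == "__main__":
    for category, evidence in triage(SAMPLE_LOG):
        print(f"{category:25} {evidence}")
```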
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Again that looks good. It was probably just a glitch - we'll see how things go.

    Download OTM by Old Timer from the link below and save it to your Desktop.

    LINK

    The script below will stop explorer & your desktop will temporarily disappear (it will return on reboot), & your recycle bin will be emptied.
    • Double click OTM.exe to run it.
    • Highlight & copy all the following code inside the codebox below. Do not include the word Code:
      :Commands
      [CreateRestorePoint]
      
      :reg
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
      "EnableFirewall"=dword:00000001
      
      :services
      RapportMgmtServicestisvc
      
      :Files
      c:\windows\system32\2107949594.dat
      c:\windows\system32\Packet.dll
      c:\windows\system32\pthreadVC.dll
      c:\windows\system32\SETB.tmp
      c:\windows\system32\WanPacket.dll
      c:\windows\system32\wpcap.dll
      
      :Commands
      [CreateRestorePoint]
      [EMPTYTEMP]
      
    • Return to OTM, right click in the Paste instructions for Items to be Moved window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • Click OK to the prompt
    • OTM may ask to reboot the machine. Please allow it to do so if asked.
    • The report should appear in Notepad after the reboot. Copy/paste the contents of that report back here in your next reply.
  • DCodd
    DCodd Posts: 8,187 Forumite
    Part of the Furniture Combo Breaker
    All processes killed
    ========== COMMANDS ==========
    Restore point Set: OTM Restore Point
    ========== REGISTRY ==========
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\"EnableFirewall"|dword:00000001 /E : value set successfully!
    ========== SERVICES/DRIVERS ==========
    Service RapportMgmtServicestisvc stopped successfully!
    Service RapportMgmtServicestisvc deleted successfully!
    ========== FILES ==========
    c:\windows\system32\2107949594.dat moved successfully.
    DllUnregisterServer procedure not found in c:\windows\system32\packet.dll
    c:\windows\system32\packet.dll moved successfully.
    DllUnregisterServer procedure not found in c:\windows\system32\pthreadVC.dll
    c:\windows\system32\pthreadVC.dll moved successfully.
    c:\windows\system32\SETB.tmp moved successfully.
    DllUnregisterServer procedure not found in c:\windows\system32\WanPacket.dll
    c:\windows\system32\WanPacket.dll moved successfully.
    LoadLibrary failed for c:\windows\system32\wpcap.dll
    c:\windows\system32\wpcap.dll moved successfully.
    ========== COMMANDS ==========
    Restore point Set: OTM Restore Point

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Admins
    ->Temp folder emptied: 1109727 bytes
    ->Temporary Internet Files folder emptied: 9994374 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 3467599 bytes
    ->Google Chrome cache emptied: 16874370 bytes
    ->Flash cache emptied: 1887711 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 507904 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 242898 bytes
    ->Flash cache emptied: 13571 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 102569 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 130533184 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 86274427 bytes
    RecycleBin emptied: 913408 bytes

    Total Files Cleaned = 240.00 mb


    OTM by OldTimer - Version 3.1.21.0 log created on 09062013_231054

    Files moved on Reboot...
    File C:\WINDOWS\temp\_avast_\Webshlock.txt not found!
    C:\WINDOWS\temp\T30DebugLogFile.txt moved successfully.

    Registry entries deleted on Reboot...



    Thanks waddler_8
    Always get a Qualified opinion - My qualifications are that I am OLD and GRUMPY:p:p
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Once again it all looks very good - Any improvement?

    Try re-installing Malwarebytes from here:

    http://downloads.malwarebytes.org/mbam-download.php

    Can you run a quick scan?