Support Forums
Rogue Antivirus - Printable Version



RE: Rogue Antivirus - Deltron - 04-23-2011

Blue Screen View


RE: Rogue Antivirus - Quintus - 04-23-2011

Oh. Now I see. Omg The log, please.


RE: Rogue Antivirus - Deltron - 04-23-2011

It said the scan wouldn't take long. It's taking long.


RE: Rogue Antivirus - Deltron - 04-23-2011

I have my log. It's giving me the "connection was reset" whenever I try to submit through Pastebin or post a reply here. I'm going to get on my brother's laptop. Just a moment.


RE: Rogue Antivirus - Quintus - 04-23-2011

Roflmao It is because I added extra areas. BTW, your BSOD is not caused by the infection. I remember noticing you recently updated using Windows Update. Let's fix that issue.
  1. Go here and click "View and request hotfix downloads".
  2. Provide your real E-mail. Once you receive it, it will include a link to the hotfix as well as the "password".
  3. By default, it'll go to C:\. Create a folder if you wish.
  4. Execute it. You'll need to restart your computer.



RE: Rogue Antivirus - Deltron - 04-23-2011

OTL Log

My computer froze. Pinch

Let me restart, install, and restart again. Just a moment. Thumbsup
All done.


RE: Rogue Antivirus - Quintus - 04-24-2011

Disable System Restore. After the steps below, perform a full scan with Avira and choose a firewall.
  • Step 30

    Please download the OldTimer's Move-It (OTM) from 'here'.
    • Save it to your desktop.
    • Please double-click OTM.exe to run it.
    • Copy the lines inside the Code box below to the Clipboard by highlighting all of the content and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Files
      ipconfig /flushdns /c

      :Commands
      [purity]
      [resethosts]
      [emptytemp]
      [CREATERESTOREPOINT]
      [EMPTYFLASH]
      [Reboot]
    • Return to OTM, right-click in the Paste Instructions for Items to be Moved window and choose Paste.
    • Click the red MoveIt! button.
    • Copy everything in the Results window to the Clipboard by highlighting all of the content and by pressing CTRL + C (or, after highlighting, right-click and choose Copy).
    • Paste it in your next reply.
    • Close OTM.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the moving process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start > All Programs > Accessories > Notepad) and click File > Open. In the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest log file present. Copy and paste the contents of that document back here in your next post.
  • Step 31

    Please download GooredFix from one of the locations below and save it to your desktop.

    'Link 1'
    'Link 2'
    • Ensure all Firefox windows are closed.
    • To run the tool, double-click it (Windows XP), or right-click and select Run As Administrator (Windows Vista & Windows 7).
    • Select Yes when prompted.
    • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
  • Step 32

    Download TDSSKiller from 'here' and save it to your desktop.
    • Make sure all other windows are closed and to let it run uninterrupted.
    • Run the file. Windows Vista and Windows 7 users should run it as an administrator.
    • Then select Start Scan.
      • If an infected file is detected, the default action will be Cure, click on Continue.
      • If a suspicious file is detected, the default action will be Skip, click on Continue.
      • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • Once done, simply click Close.
    • Click the Report button and copy and paste the contents of the log into your next reply. A log file will be created in the C:\ directory as well.
  • Step 33

    Run OTL.exe.
    • Copy and paste the following text written inside of the code box into the Custom Scans & Fixes box located at the bottom of OTL.

      Code:
      :OTL
      PRC - C:\Windows\Temp\Lbd.exe ()
      DRV - (catchme) -- C:\Users\Tyler\AppData\Local\Temp\catchme.sys File not found
      O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
      O13 - gopher Prefix: missing
      O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
      O32 - HKLM CDRom: AutoRun - 1
      O35 - HKLM\..exefile [open] -- "C:\Windows\system32\config\systemprofile\AppData\Local\xnf.exe" -a "%1" %* File not found
      O37 - HKLM\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\xnf.exe" -a "%1" %* File not found
      MsConfig - StartUpReg: [b]Google Update[/b] - hkey= - key= - C:\Users\Tyler\AppData\Local\Google\Update\GoogleUpdate.exe File not found
      MsConfig - StartUpReg: [b]SunJavaUpdateSched[/b] - hkey= - key= - C:\Program Files\Common Files\Java\Java Update\jusched.exe File not found
      [2011/04/23 21:13:25 | 000,000,000 | ---D | C] -- C:\Users\Tyler\AppData\Local\{80B887DD-089F-4648-A2CC-ACD1A32615E1}
      [2011/04/23 23:18:02 | 000,020,512 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
      [2011/04/23 23:18:02 | 000,020,512 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
      [2011/04/23 21:48:16 | 000,000,120 | ---- | M] () -- C:\Users\Tyler\AppData\Local\Txorakezako.dat
      [2011/04/23 21:48:16 | 000,000,000 | ---- | M] () -- C:\Users\Tyler\AppData\Local\Amava.bin
      [1 C:\Users\Tyler\Desktop\*.tmp files -> C:\Users\Tyler\Desktop\*.tmp -> ]
      [2011/04/23 23:08:22 | 000,032,584 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
      [2011/04/23 23:13:42 | 000,000,252 | -H-- | M] () -- C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job

      :Files
      C:\Windows\Temp\Lbd.exe
      C:\Windows\system32\config\systemprofile\AppData\Local\xnf.exe
      C:\Users\Tyler\AppData\Local\{80B887DD-089F-4648-A2CC-ACD1A32615E1}
      C:\Windows\tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
      C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

      :Commands
      [purity]
      [emptytemp]
    • Then click the Run Fix button at the top.
    • Let the program run unhindered; it will reboot when it is done. If it does not, please reboot your system.
    • You will need to post two logs:
      • The log that you will see upon rebooting your system.
      • A new OTL log (don't check the boxes beside LOP Check or Purity this time).
  • In your next post, please provide the following:
    • Doesn't Do Squat (DDS) Logs
      • DDS.txt
      • Attach.txt
    • GooredFix Log
    • OTL Log
    • OTM Log
    • TDSSKiller Log
  • Format of Response

    Code:
    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Link To Requested Logs: [/b]
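Added example, not from this thread or from the OTL tool's author: a small Python triage helper for the two OTL line formats that appear in Step 33 above, the `O35`/`O37` .exe association entries and the timestamped file entries. It flags a non-default .exe open handler (anything other than the stock `"%1" %*`, which is what the `xnf.exe -a "%1" %*` entries above look like), hidden files, and newly created GUID-named folders under AppData\Local. The sample lines, paths and GUID are constructed placeholders, not values from the log.

```python
import re
from typing import List, Tuple

# Constructed sample input in the line formats OTL uses (file-entry lines and O35/O37
# .exe association lines). Paths and GUID are placeholders, not from a real log.
SAMPLE_LINES = [
    r'O35 - HKLM\..exefile [open] -- "C:\Users\user\AppData\Local\fake.exe" -a "%1" %* File not found',
    r'O37 - HKLM\...exe [@ = exefile] -- "%1" %*',
    r'[2011/04/23 21:13:25 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{0000-GUID-PLACEHOLDER}',
    r'[2011/04/23 23:18:02 | 000,020,512 | -H-- | M] () -- C:\Windows\System32\hidden-placeholder.dat',
    r'[2011/04/23 23:08:22 | 000,032,584 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT',
]

# [date time | size | attrs | C/M] (optional "()") -- path
FILE_RE = re.compile(
    r'^\[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]'
    r' (?:\(\) )?-- (?P<path>.+)$'
)
# O35/O37 - <registry key> [<verb>] -- <command line>
ASSOC_RE = re.compile(r'^O3[57] - (?P<key>\S+) \[(?P<verb>[^\]]+)\] -- (?P<cmd>.+)$')
DEFAULT_OPEN = '"%1" %*'  # stock handler: run the clicked .exe with its own arguments

def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (reason, item) pairs for lines a responder should look at first."""
    findings = []
    for line in lines:
        m = ASSOC_RE.match(line)
        if m:
            cmd = m.group('cmd')
            missing = cmd.endswith(' File not found')
            cmd = cmd[:-len(' File not found')] if missing else cmd
            if cmd.strip() != DEFAULT_OPEN:
                # Every .exe launch is routed through a foreign handler; if that handler
                # is gone too, programs may no longer start at all until the key is reset.
                why = 'exe association hijacked' + (' (handler missing)' if missing else '')
                findings.append((why, cmd.strip()))
            continue
        m = FILE_RE.match(line)
        if not m:
            continue
        path, attrs, kind = m.group('path'), m.group('attrs'), m.group('kind')
        if 'H' in attrs:
            findings.append(('hidden file', path))
        elif kind == 'C' and '\\AppData\\Local\\{' in path:
            # Freshly created GUID-named folder in the profile: worth checking by hand.
            findings.append(('new GUID folder in profile', path))
    return findings
```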



RE: Rogue Antivirus - Deltron - 04-24-2011

Running the fixes right now. Just to note, I recall us removing Lbd.exe through HijackThis; this is still a running process.


RE: Rogue Antivirus - Quintus - 04-24-2011

I will be away for three or more hours. If the scans finish, post the results. In addition, run this. Remember to do them one at a time and with the Internet connection disabled. Best turn off the modem or router.
  • Step 34

    Please download GMER from one of the following locations and save it to your desktop:

    'Link 1'
    • This links to a randomly named GMER copy. (Recommended)
    'Link 2'
    • This links to GMER in a ZIP file which you'll need to extract to a folder.
      • Disconnect from the Internet and close all running programs. Make sure you disable your security programs as well, as they may interfere with the program.
      • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
      • GMER will open to the Rootkit and Malware tab and perform an automatic quick scan when first run. Do not use the computer while the scan is in progress.
      • If you receive a warning about rootkit activity and are asked to fully scan your system, click No.
      • Now click the Scan button. If you see a rootkit warning window, click OK.
      • When the scan is finished, click the Save button to save the scan results to your desktop. Save the file as gmer.log.
      • Click the Copy button and paste the results into your next reply.
      • Exit GMER and re-enable your security programs when done.



RE: Rogue Antivirus - Deltron - 04-24-2011


Got a BSOD while posting the links. Then I had to verify my Windows key because it said my copy wasn't genuine. All is fine now. Omg

Likewise. I will be away for about ten hours.