04-10-2011, 08:45 AM
Greetings,
In return for this service, I propose to you two conditions:
Thank you.
Genuinely yours,
Quintus
Whilst I am in the process of scrutinizing your complete set of provided logs for any possible infections or problems, I ask for your forbearance. Understand that the process of analysis requires time and careful examination hence the need for a cautious response. Accuracy is of the essence. Once I come across infections, I shall present the finest methods of removal for your convenience.
In return for this service, I propose to you two conditions:
- You are not to create any new threads regarding the similar topic as it will waste another helper's time.
- You are not to install any new software in your system, as it may hinder our process thus making this futile.
- You are not to modify the logs in any way. Failure to do so will instantly deprive you of this service.
- You are to paste each log separately at PasteBin as it is. That is correct, no syntax highlighting, no editing - just the log purely. Post back the links for each log. You shall not hide them under spoiler codes.
- You are to provide the complete set of requested logs.
- You are to respond to every step I ask you to do using the format provided at the end of my post.
- You agree that I have the right to discontinue the analysis at any time, upon a violation of a single rule.
Thank you.
Genuinely yours,
Quintus
- Pre-Step
Click 'here' to download Temp File Cleaner by OldTimer. Save it to your Desktop.
- Close any open windows.
- Double-click TFC.exe and select 'Run' when prompted to execute the program. It will close all open programs itself in order to run.
- Click the Start button to begin the cleaning process.
- Please let the program run uninterruptedly.
- Once the cleaning has been done, your computer should automatically reboot. Otherwise, please do so when it does not.
- Close any open windows.
- Prerequisite
If you are having a problem running HijackThis as Administrator, please follow the steps below.
- Go to My Computer and navigate to your default disc drive (C: is the most common).
- Go to Program Files > Trend Micro > HijackThis.
- Right-click HiJackThis.exe and run it as Administrator.
- Go to My Computer and navigate to your default disc drive (C: is the most common).
- Step 1
Please run HijackThis as Administrator. Click 'Do a system scan only' and place a check next to the following line(s) if present:
F2 - REG
ystem.ini: Shell=Explorer.exe "C:\Users\Zay\AppData\Roaming\smss.exe"
F2 - REGystem.ini: UserInit=userinit.exe
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing)
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing)
O4 - HKLM\..\Run: [Advance adf Bot.exe] C:\Users\Zay\Downloads\Advance adf Bot.exe
O4 - HKLM\..\Run: [TJFAXKBT38DW9] C:\Users\Zay\AppData\Roaming\QZW7PO92F.exe
O4 - HKLM\..\Run: [MSWUpdate] "C:\Users\Zay\AppData\Roaming\smss.exe"
O4 - HKLM\..\Run: [HKLM] C:\install\server.exe
O4 - HKLM\..\Run: [System Restore] C:\Users\Zay\AppData\Roaming\Explorer.exe
O4 - HKLM\..\Run: [Updator] C:\Users\Zay\AppData\Roaming\IwHsh54WE.exe
O4 - HKLM\..\Run: [Windows System] C:\Users\Zay\AppData\Roaming\NL2AH7GTSQ.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files (x86)\BitTorrent\BitTorrent.exe"
O4 - HKCU\..\Run: [TJFAXKBT38DW9] C:\Users\Zay\AppData\Roaming\QZW7PO92F.exe
O4 - HKCU\..\Run: [Testing] C:\Users\Zay\Desktop\Svg64.exe
O4 - HKCU\..\Run: [Windows Update] C:\Users\Zay\AppData\Local\Microsoft\svchost.exe
O4 - HKCU\..\Run: [Q7NZMT7RLB] C:\Users\Zay\AppData\Local\Temp\Rzf.exe
O4 - HKCU\..\Run: [MSWUpdate] "C:\Users\Zay\AppData\Roaming\smss.exe"
O4 - HKCU\..\Run: [HKCU] C:\install\server.exe
O4 - HKCU\..\Run: [winupdater] C:\Windupdt\winupdate.exe
O4 - HKCU\..\Run: [Form1] C:\Users\Zay\AppData\Roaming\binary.exe
O4 - HKCU\..\Run: [Microsoft] C:\Users\Zay\AppData\Roaming
O4 - HKCU\..\Run: [Java] C:\Users\Zay\AppData\Roaming\@off@\csrss.exe
O4 - HKCU\..\Run: [System Restore] C:\Users\Zay\AppData\Roaming\Explorer.exe
O4 - HKCU\..\Run: [Updator] C:\Users\Zay\AppData\Roaming\IwHsh54WE.exe
O4 - HKCU\..\Run: [Windows System] C:\Users\Zay\AppData\Roaming\NL2AH7GTSQ.exe
O4 - HKLM\..\Policies\Explorer\Run: [TJFAXKBT38DW9] C:\Users\Zay\AppData\Roaming\QZW7PO92F.exe
O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\install\server.exe
O4 - HKLM\..\Policies\Explorer\Run: [System Restore] C:\Users\Zay\AppData\Roaming\Explorer.exe
O4 - HKLM\..\Policies\Explorer\Run: [Windows System] C:\Users\Zay\AppData\Roaming\NL2AH7GTSQ.exe
O4 - HKCU\..\Policies\Explorer\Run: [TJFAXKBT38DW9] C:\Users\Zay\AppData\Roaming\QZW7PO92F.exe
O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\install\server.exe
Then, close all other open windows and click 'Fix Checked'. You are to reboot your system afterwards.
- Step 2
Please download the OTM File Mover from 'here'.- Save it to your Desktop.
- Please double-click OTM.exe to run it.
- Copy the lines inside the Code box below to the Clipboard by highlighting all of the content and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code::Processes
explorer.exe
:Files
C:\Users\Zay\AppData\Roaming\smss.exe
C:\Users\Zay\Downloads\Advance adf Bot.exe
C:\Users\Zay\AppData\Roaming\QZW7PO92F.exe
C:\install\server.exe
C:\Users\Zay\AppData\Roaming\Explorer.exe
C:\Users\Zay\AppData\Roaming\IwHsh54WE.exe
C:\Users\Zay\AppData\Roaming\NL2AH7GTSQ.exe
C:\Users\Zay\Desktop\Svg64.exe
C:\Users\Zay\AppData\Local\Microsoft\svchost.exe
C:\Users\Zay\AppData\Local\Temp\Rzf.exe
C:\Windupdt\winupdate.exe
C:\Users\Zay\AppData\Roaming\binary.exe
C:\Users\Zay\AppData\Roaming\@off@\csrss.exe
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
- Save it to your Desktop.
- Return to OTM, right-click in the Paste Instructions for Items to be Moved window and choose Paste.
- Click the red MoveIt! button.
- Copy everything in the Results window to the Clipboard by highlighting all of the content and by pressing CTRL + C (or, after highlighting, right-click and choose Copy).
- Paste it in your next reply.
- Close OTM.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the moving process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start > All Programs > Accessories > Notepad) and click File > Open. In the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present. Copy and paste the contents of that document back here in your next post.- Return to OTM, right-click in the Paste Instructions for Items to be Moved window and choose Paste.
- Step 3
Please run a free online scan with ESET Online Scanner by downloading ESET Smart Installer 'here'. Save it to your Desktop.
- Double-click esetsmartinstaller_enu.exe to execute the program.
- Tick 'YES, I accept the Terms of Use'.
- Click 'Start'.
- If this is your first time installing the scanner, allow the 'ActiveX Control' to install.
- Database download may take some time.
- When done, make sure that the option 'Remove found threats' is ticked. Under the and 'Advanced Settings', please put a check on the following options:
- Scan for potentially unwanted applications
- Enable Anti-Stealth Technology
- Scan for potentially unwanted applications
- Click 'Start'.
- Wait for the scan to finish.
- Once it is finished, use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt.
- Copy and paste that log as a reply to this topic.
- Double-click esetsmartinstaller_enu.exe to execute the program.
- Step 4
- Please download Malwarebytes' Anti-Malware 'here'.
- Double-click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to 'Malwarebytes' Anti-Malware' and 'Launch Malwarebytes' Anti-Malware', then click 'Finish'.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select 'Perform Full Scan', then click 'Scan'. The scan may take some time to finish, so please be patient.
- When the scan is complete, click 'OK', then 'Show Results' to view the results.
- Make sure that everything is checked, and click 'Remove Selected'.
- When disinfection is completed, a log will open in Notepad and you may be prompted to restart. Restart if it tells you to.
- The log is automatically saved by Malwarebytes' Anti-Malware and can be viewed by clicking the 'Logs' tab in the interface.
- Copy and paste the entire report in your next reply.
- Please download Malwarebytes' Anti-Malware 'here'.
- Step 5
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
Link 1
Link 2- Double-Click on dds.scr and a command window will appear. This is normal
- Shortly after two logs will appear, DDS.txt & Attach.txt
- A window will open instructing you save & post the logs.
- Save the logs to a convenient place such as your desktop.
- Copy the contents of both logs & post in your next reply.
- Double-Click on dds.scr and a command window will appear. This is normal
- In your next post, please provide the following:
- A Fresh HijackThis (HJT) Log
- Deckard's System Scanner (DDS) Logs
- DDS.txt
- Attach.txt
- DDS.txt
- A Fresh HijackThis (HJT) Log
- ESET Scan Log
- Malwarebytes' Anti-Malware Scan Log
- OTM Scan Log
- Format of Response
As part of my service terms, you are to fill this up every time you respond to your log. Copy and paste the content inside the code box and write directly after the closing tags. Do not add spaces as they are already provided. An exception applies to the numbers, as they are to be written after the # sign.
Step #1: Change the number accordingly.
Problems Encountered: Put N/A if the operation went smoothly.
Link To Requested Logs: Post the links to the logs I have asked you to produce.
Example: (Click to View)
- Code:
[color=#00BFFF][b]Step #[/b][/color]
[color=#FFD700][b]Problems Encountered:[/b][/color]
[color=#00BFFF][b]Step #[/b][/color]
[color=#FFD700][b]Problems Encountered:[/b][/color]
[color=#00BFFF][b]Step #[/b][/color]
[color=#FFD700][b]Problems Encountered:[/b][/color]
[color=#00BFFF][b]Link To Requested Logs:[/b][/color]