Friend's laptop infected


Post by dapits on 25th June 2011, 2:37 pm

Hello, I'm trying to help a friend with their laptop. The laptop doesn't want to boot up, and when it does it begins the repair process. You have to wait for the process to finish, then AVG will pop up with several Trojan-infected files. However, you cannot delete or heal the files, as it says they do not exist or are inaccessible. We also cannot get OTL to download. Here is the MBAM log:
Malwarebytes' Anti-Malware 1.51.0.1200

Database version: 6946

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19088

6/25/2011 10:31:35 AM
mbam-log-2011-06-25 (10-31-35).txt

Scan type: Quick scan
Objects scanned: 198660
Time elapsed: 21 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Nikki\AppData\Local\Temp\C005.tmp (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\Users\Nikki\AppData\Local\Temp\tmpF104.tmp (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\Users\Nikki\0.8987253525529151.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Nikki\msiexec.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\02000000c534b9211270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\02000000c534b9211270o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\02000000c534b9211270p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\02000000c534b9211270s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000c534b9211270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000c534b9211270o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000c534b9211270p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000c534b9211270s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

Also, Internet Explorer will shut down frequently, stating there is a problem with it. And once it starts up, there is a box in the lower right corner that says Windows has blocked several programs that require permission.
Any suggestions??

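As an added example (not from this thread, and not Malwarebytes' own code), here is a small Python parser for the log layout posted above. It pulls out the summary counts and the per-section detection entries, then flags any section whose listed entries disagree with its summary count and any entry whose recorded action was not a successful quarantine-and-delete, which is the kind of sanity check a helper does before deciding what still needs attention. The embedded log is a constructed excerpt in that layout, not the full log from the post.

```python
import re
from collections import defaultdict

# Constructed excerpt in the Malwarebytes 1.5x log layout (not the thread's full log);
# the "Files Infected: 3" summary deliberately disagrees with the 2 entries listed.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.0.1200
Scan type: Quick scan

Registry Keys Infected: 1
Files Infected: 3

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\user\AppData\Local\Temp\C005.tmp (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\Users\user\msiexec.exe (Trojan.Agent) -> No action taken.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")

def parse_mbam_log(text):
    """Return (summary counts by section, {section: [entry dicts]})."""
    summary, items, current = {}, defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := SUMMARY_RE.match(line):
            summary[m["section"]] = int(m["count"])
        elif m := SECTION_RE.match(line):
            current = m["section"]
            items[current]  # register the section even if it lists nothing
        elif current and (m := ITEM_RE.match(line)):
            items[current].append(m.groupdict())
    return summary, dict(items)

def triage(summary, items):
    """Sections whose entry count disagrees with the summary, and entries
    whose action was not a successful quarantine-and-delete."""
    mismatched = sorted(s for s, n in summary.items() if n != len(items.get(s, [])))
    unresolved = [e for entries in items.values() for e in entries
                  if not e["action"].startswith("Quarantined and deleted successfully")]
    return mismatched, unresolved
```

On the constructed sample, triage reports "Files Infected" as mismatched and the msiexec.exe entry as unresolved.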
Re: Friend's laptop infected

Post by Pancake on 25th June 2011, 11:07 pm

Download OTL to your desktop: http://oldtimer.geekstogo.com/OTL.exe

Double-click on the icon to run it. Make sure all other windows are closed, and let it run uninterrupted.
When the window appears, underneath Output at the top, change it to Minimal Output.

Check the boxes beside LOP Check and Purity Check.
Under Custom Scan, copy and paste the text from the code box.

Code:

netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%systemroot%\System32\antiwpa.dll
%systemroot%\SYSTEM32\wpa.dll
%systemroot%\setup\scripts\biestart.exe
%systemroot%\system32\drivers\royal.sys
%systemroot%\system32\oobe\AntiWPA_Crypt.dll
%TEMP%\antiwpa_crypt.dll
%TEMP%\antiwpa.dll /s
%PROGRAMFILES%\antiwpa.dll /s
%systemroot%\system32\crypt.dll
%TEMP%\crypt.dll
%SYSTEMDRIVE%\*.
%SYSTEMDRIVE%\*.*
%PROGRAMFILES%\*.

Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two Notepad windows, OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy the contents of these files and post them with your next reply. If the text is too big, zip it up or post it in two or three parts.



============================

Download Combofix from [link] or [link] and place it on your Desktop.

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. ComboFix may be slow to start and appear to be doing nothing before it starts scanning. Just leave it; it will start.

You can get help on disabling your protection programs here: [link]

Please include the C:\ComboFix.txt in your next reply for further review.

Caution.....
Never use this program to remove files. Only use it with help from an experienced user. Wrongful use can damage your computer. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a qualified helper.
Re: Friend's laptop infected

Post by dapits on 26th June 2011, 2:00 am

OK, we will try again, but the last 5 or 6 attempts to download OTL, even in safe mode, have been unsuccessful :(

Re: Friend's laptop infected

Post by Pancake on 26th June 2011, 2:45 am

OK. You could try to put them on a flash drive from another computer and then run them.
Re: Friend's laptop infected

Post by dapits on 26th June 2011, 5:22 pm

One question: is it possible to have OTL scan specific drives? It seems the only way to get this machine to run is to remove the hard drive and hook it up to another laptop via USB. So is it possible to install OTL on the host laptop and scan the hard drive that seems to be infected?

Re: Friend's laptop infected

Post by Pancake on 26th June 2011, 10:53 pm

Bypass OTL for the time being and see if you can run MBAM and ComboFix. Run them in safe mode if you have to.