Computer ravaged with viruses - windows cookie pop up

Discussion in 'Malware Help (A Specialist Will Reply)' started by masta1, Aug 13, 2012.

  1. masta1

    masta1 Private E-2

    Hello. Computer is just running really badly and has been for quite some time.
    Examples are programs like Photoshop just closing, and also a new thing where a pop up for cookies being deleted will appear out of nowhere - it hasn't popped up since running the help on here, but hoping someone can help.

    Windows XP 32 bit.

    Cheers
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Still need the log from running C:\MGTools.exe ---C:\MGLogs.zip.
     
  3. masta1

    masta1 Private E-2

    I have tried everything to get that running.

    It says Windows cannot access the specified device, path, or file.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please click Start, All Programs, Accessories and you will see (among other things) a Command Prompt entry.

    • Right click the Command Prompt entry and select Run As Administrator.
      • It is critical that you run it this way.

    • If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.
    • Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple/brown is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    ShowNew <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
     
  5. masta1

    masta1 Private E-2

    I get to where I have selected Run As and my username is selected. I click the box below to run as administrator, however the password field is blank and I cannot select it! I have no idea why I am not admin; there are no other users.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download OTL to your desktop.


    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • (Vista and Windows 7 users: right-click OTL and choose Run as Administrator.)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.


    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  7. masta1

    masta1 Private E-2

    Thank you, here we go.
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click OTL.exe to start the program.

    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

    Code:
    :processes
    :killallprocesses
    :files
    @Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6DFF1A8A
    @Alternate Data Stream - 368 bytes -> C:\Documents and Settings\Mastacraft\Local Settings\Application Data\desktop.ini:722b2b1c349a06abf0e866180e5a7e63
    @Alternate Data Stream - 226 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F4CA4D70
    @Alternate Data Stream - 1382 bytes -> C:\Program Files\Outlook Express:1JcZTTrJXFFer0vxJWEHvkVnt1
    @Alternate Data Stream - 1375 bytes -> C:\Program Files\Common Files\Microsoft Shared:rV4SeGxErGdtLwKH9pq
    @Alternate Data Stream - 1297 bytes -> C:\Program Files\Outlook Express:YjbAiDeNCzwYTEX1DwysF
    @Alternate Data Stream - 1295 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:9aVFdYTm5hHS1Hypo
    @Alternate Data Stream - 1283 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:0zzfhzPDKoHo1hlwlCCSULoV4s9C
    @Alternate Data Stream - 1261 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:zES2DArpLekmcm6Ec4kUTztn
    @Alternate Data Stream - 1252 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:PF59dxAhhzypbJkSRixiE
    @Alternate Data Stream - 1251 bytes -> C:\Program Files\Common Files\System:GcmPtmB7RtP0jiVaRR62De
    @Alternate Data Stream - 1238 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:i5zEawDoVPVexXM0PA
    @Alternate Data Stream - 1234 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:NRuT9ylcSmsYjCETqL9Ibaw7
    @Alternate Data Stream - 1216 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:cXd65eod1keBv2w7yGtCrn7
    @Alternate Data Stream - 1191 bytes -> C:\Documents and Settings\Mastacraft\Local Settings\Application Data\qX3Yztoyw9ju:SAMRPvftZqxx2VaWUgkTg
    @Alternate Data Stream - 1181 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:tPCdFBy6veo3KvjM8feqjJx
    @Alternate Data Stream - 1147 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:LNmMZ7SBWyCnN3D9CZmGkIditz24
    @Alternate Data Stream - 1137 bytes -> C:\Program Files\Common Files\Microsoft Shared:SJDKD30sKieIvH7nDELXR0l1cmt
    @Alternate Data Stream - 1105 bytes -> C:\Program Files\Common Files\Microsoft Shared:nXCVZpYYQTUGz3W5Whl1DpFLsRm
    @Alternate Data Stream - 1083 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:K4yEPAxVzSAJXdvCbDRH
    @Alternate Data Stream - 1072 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:bVZSrszebiYEQqn7jK48sLFy
    @Alternate Data Stream - 1060 bytes -> C:\Program Files\WindowsUpdate:POZvJnrJEQgGtuWZmFO1rhB
    @Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0CE7F3C9
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.


    Tell me how things are running now.
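Added illustration (not part of the thread and not OTL's own code): the `@Alternate Data Stream` lines in the fix script above are the interesting part of that OTL log, because an NTFS alternate data stream hanging off a directory such as `C:\Program Files\Outlook Express` with a random-looking name is not something Windows or ordinary software creates. The Python below parses lines in exactly that OTL format, then applies three assumed triage heuristics (stream attached to a directory, random-looking stream name by Shannon entropy, stream over a size threshold) and separates them from stream names Windows itself writes, such as `Zone.Identifier`. The sample lines are constructed from the shape of the post's script plus one ordinary Mark-of-the-Web stream for contrast; the thresholds are assumptions chosen for illustration.

```python
import math
import ntpath
import re
from collections import Counter

# OTL line format as quoted in the post above:
#   @Alternate Data Stream - <size> bytes -> <host path>:<stream name>
# The greedy (.+) keeps the drive-letter colon inside the host path; only the
# final colon separates host from stream name.
ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+):([^\\:]+)$")

# Stream names Windows itself creates; not a reason for alarm on their own.
KNOWN_BENIGN_STREAMS = {"Zone.Identifier", "encryptable"}

# Constructed sample (not a real log): two lines shaped like the post's script,
# plus one normal Mark-of-the-Web stream on a downloaded installer.
SAMPLE_OTL_ADS = r"""
@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6DFF1A8A
@Alternate Data Stream - 1382 bytes -> C:\Program Files\Outlook Express:1JcZTTrJXFFer0vxJWEHvkVnt1
@Alternate Data Stream - 26 bytes -> C:\Documents and Settings\Mastacraft\My Documents\setup.exe:Zone.Identifier
"""


def shannon_entropy(s):
    """Bits per character; random-looking identifiers score high, plain words low."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_ads_line(line):
    """Return {size, host, stream} for one OTL ADS line, or None if it is not one."""
    m = ADS_RE.match(line.strip())
    if not m:
        return None
    return {"size": int(m.group(1)), "host": m.group(2), "stream": m.group(3)}


def assess(rec, size_threshold=1000):
    """Return (verdict, reasons). Thresholds are assumptions chosen for illustration."""
    if rec["stream"] in KNOWN_BENIGN_STREAMS:
        return "benign", []
    reasons = []
    # ntpath handles Windows separators regardless of the OS this runs on.
    if not ntpath.splitext(rec["host"])[1]:
        reasons.append("stream hangs off a directory (no file extension on host)")
    if len(rec["stream"]) >= 16 and shannon_entropy(rec["stream"]) > 3.0:
        reasons.append("random-looking stream name")
    if rec["size"] > size_threshold:
        reasons.append(f"{rec['size']} bytes, larger than {size_threshold}")
    return ("suspicious", reasons) if reasons else ("review", reasons)


def triage_ads(text):
    """Parse every ADS line in an OTL log excerpt and attach a verdict to each."""
    out = []
    for line in text.splitlines():
        rec = parse_ads_line(line)
        if rec:
            rec["verdict"], rec["reasons"] = assess(rec)
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in triage_ads(SAMPLE_OTL_ADS):
        print(f"{rec['verdict']:10} {rec['host']}:{rec['stream']}  {'; '.join(rec['reasons'])}")
```

The directory check is the one that matters most here: a file can legitimately carry a `Zone.Identifier` stream, but the OTL script above is removing streams attached to `Program Files` and `Application Data` folders, which is the pattern a defender should be looking for in the rest of the log as well.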
     
  9. masta1

    masta1 Private E-2

    Tim, every time I run OTL.exe and put everything in correctly, my computer freezes while it says DO NOT INTERRUPT THIS PROCESS. It stays like that for ages until I have to manually shut the PC down.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re-run RogueKiller. When it opens, press the Scan button
    Now click the Processes tab and locate these detections:


    • [ZeroAccess] n -- c:\windows\system32\n -> UNLOADED
      [SUSP PATH] xsecva.exe -- C:\Documents and Settings\Mastacraft\Application Data\xsecva\xsecva.exe -> KILLED [TermProc]
      [SUSP PATH] pinhn.dll -- C:\Documents and Settings\Mastacraft\Application Data\pinhn.dll -> KILLED [TermProc]
      [SUSP PATH] ClickClean.exe -- C:\Documents and Settings\Mastacraft\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ghgabhipcejejjmhhchfonmamedcbeod\7.9_0\plugin\ClickClean.exe -> KILLED [TermProc]
      [SVCHOST] svchost.exe -- C:\WINDOWS\System32\svchost.exe -> KILLED [TermProc]
      [ZeroAccess] n -- c:\windows\system32\n -> UNLOADED

      Now click the Registry tab and locate these detections:
      [BLACKLIST DLL] HKLM\[...]\Run : ondet (rundll32.exe "C:\Documents and Settings\Mastacraft\Application Data\ondet.dll",PszEscapeMenuStringA) -> FOUND
      [BLACKLIST DLL] HKLM\[...]\Run : pinhn ("C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Mastacraft\Application Data\pinhn.dll",vSetParentWindow) -> FOUND
      [SUSP PATH] HKLM\[...]\Policies\Explorer\Run : XSECVA ("C:\Documents and Settings\Mastacraft\Application Data\xsecva\xsecva.exe" -s) -> FOUND
      [SUSP PATH] HKLM\[...]\Winlogon : Userinit (C:\WINDOWS\system32\userinit.exe,"C:\Documents and Settings\Mastacraft\Application Data\xsecva\xsecva.exe" -s,) -> FOUND
      [RESIDU] ParetoLogic Registration.job @ : C:\WINDOWS\system32\rundll32.exe -> FOUND
      [ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Documents and Settings\Mastacraft\Local Settings\Application Data\{a909d389-21bf-33bf-7f24-1cbe2b62ae75}\n.) -> FOUND
      [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

      Now click the Files/folders tab and locate these detections:
      [ZeroAccess][FILE] n : c:\documents and settings\mastacraft\local settings\application data\{a909d389-21bf-33bf-7f24-1cbe2b62ae75}\n --> FOUND
      [ZeroAccess][FILE] @ : c:\documents and settings\mastacraft\local settings\application data\{a909d389-21bf-33bf-7f24-1cbe2b62ae75}\@ --> FOUND
      [ZeroAccess][FOLDER] U : c:\documents and settings\mastacraft\local settings\application data\{a909d389-21bf-33bf-7f24-1cbe2b62ae75}\U --> FOUND
      [ZeroAccess][FOLDER] L : c:\documents and settings\mastacraft\local settings\application data\{a909d389-21bf-33bf-7f24-1cbe2b62ae75}\L --> FOUND
      [ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac\desktop.ini --> FOUND

      Click the delete button and when it is finished, there will be a log on your desktop called: RKreport[2].txt
      Attach RKreport[2].txt to your next message. (How to attach)

      Reboot and re-run RogueKiller and attach the new log.
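Added illustration (not part of the thread and not RogueKiller's own code): the detections quoted above follow a regular `[TAG] body -> STATUS` layout, and reading them by hand misses the one that matters most, the Winlogon `Userinit` value that has `xsecva.exe` appended after `userinit.exe`, so the dropper runs at every logon. The Python below parses that layout, pulls out every Windows path, assigns an assumed severity ordering (ZeroAccess and blacklisted DLLs first, then suspicious paths and anything living under a profile's `Application Data`) and checks the `Userinit` line for extra entries. The sample is a constructed subset of the lines quoted in the post.

```python
import re

# Layout of a RogueKiller detection line as quoted in the post above:
#   [TAG]...[TAG] <body> -> STATUS      (Processes and Registry tabs)
#   [TAG][FILE]   <body> --> STATUS     (Files/folders tab)
DETECTION_RE = re.compile(r"^\s*((?:\[[^\]]+\])+)\s*(.*)\s-{1,2}>\s*(.+?)\s*$")
TAG_RE = re.compile(r"\[([^\]]+)\]")
# A Windows path: drive letter, colon, backslash, then anything up to a quote, comma or ')'.
WINPATH_RE = re.compile(r"[A-Za-z]:\\[^\",)]+")

# Assumed triage ordering for this illustration, not RogueKiller's own ranking.
HIGH_TAGS = {"ZeroAccess", "BLACKLIST DLL"}
MEDIUM_TAGS = {"SUSP PATH", "HJ", "RESIDU"}

# Constructed sample: a subset of the detections quoted in the post.
SAMPLE_ROGUEKILLER = r"""
[ZeroAccess] n -- c:\windows\system32\n -> UNLOADED
[SUSP PATH] xsecva.exe -- C:\Documents and Settings\Mastacraft\Application Data\xsecva\xsecva.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\WINDOWS\System32\svchost.exe -> KILLED [TermProc]
[BLACKLIST DLL] HKLM\[...]\Run : ondet (rundll32.exe "C:\Documents and Settings\Mastacraft\Application Data\ondet.dll",PszEscapeMenuStringA) -> FOUND
[SUSP PATH] HKLM\[...]\Winlogon : Userinit (C:\WINDOWS\system32\userinit.exe,"C:\Documents and Settings\Mastacraft\Application Data\xsecva\xsecva.exe" -s,) -> FOUND
[ZeroAccess][FILE] n : c:\documents and settings\mastacraft\local settings\application data\{a909d389-21bf-33bf-7f24-1cbe2b62ae75}\n --> FOUND
"""


def parse_detection(line):
    """Split one detection line into tags, body, status and the paths the body names."""
    m = DETECTION_RE.match(line)
    if not m:
        return None
    body = m.group(2)
    return {
        "tags": TAG_RE.findall(m.group(1)),
        "body": body,
        "status": m.group(3),
        "paths": [p.strip() for p in WINPATH_RE.findall(body)],
    }


def is_user_profile_path(path):
    """XP keeps per-user and All Users data under '...\\Application Data'; code there is unusual."""
    p = path.lower()
    return "\\application data\\" in p and not p.startswith("c:\\windows")


def severity(det):
    tags = set(det["tags"])
    if tags & HIGH_TAGS:
        return "high"
    if tags & MEDIUM_TAGS or any(is_user_profile_path(p) for p in det["paths"]):
        return "medium"
    return "info"


def userinit_extras(det):
    """Userinit should name only userinit.exe; any other path appended runs at every logon."""
    if "Winlogon : Userinit" not in det["body"]:
        return []
    return [p for p in det["paths"] if not p.lower().endswith("\\userinit.exe")]


def triage(text):
    """Parse a RogueKiller excerpt and summarise what a responder should act on first."""
    dets = [d for d in (parse_detection(l) for l in text.splitlines()) if d]
    by_severity = {}
    for d in dets:
        d["severity"] = severity(d)
        by_severity.setdefault(d["severity"], []).append(d)
    extras = [p for d in dets for p in userinit_extras(d)]
    profile_paths = sorted({p for d in dets for p in d["paths"] if is_user_profile_path(p)})
    return {
        "detections": dets,
        "by_severity": by_severity,
        "userinit_extra": extras,
        "user_profile_paths": profile_paths,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_ROGUEKILLER)
    for level in ("high", "medium", "info"):
        for d in report["by_severity"].get(level, []):
            print(f"{level:6} {'/'.join(d['tags']):18} {d['status']:18} {d['body']}")
    print("Userinit extras:", report["userinit_extra"])
    print("Code under profile dirs:", *report["user_profile_paths"], sep="\n  ")
```

Two things the summary makes obvious that the raw list does not: the same `xsecva.exe` appears both as a running process and as the `Userinit` extra, which is why killing the process alone does not help, and every non-Windows path in the log sits under `Application Data`, which is where a cleanup and any later file-system check should concentrate.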
     
  11. masta1

    masta1 Private E-2

    I couldn't find anything in processes or these in the tabs.

    I have re-attached the file.

    My PC is running very slow now, should I defrag? Also the folders freeze a lot.
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Since you are having difficulties running various scans, can you do a system restore to before this occurred?
     
  13. masta1

    masta1 Private E-2

    It only lets me go back 3 weeks which isn't far enough :(
    Appreciate the time here Tim.
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Take it back three weeks and then see if you can run the scans in the Read and Run first sticky.
     
  15. masta1

    masta1 Private E-2

    I can still run those scans even in this one.

    Basically the PC is really slow, and Explorer is really glitchy as well (not IE, but the PC's Explorer). Sometimes open folders will freeze; I'll have to Ctrl-Alt-Del, terminate it and then I can re-open My Computer.
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you can run the scans, do so and attach the logs.
     
