Logs from Windows XP Malware Removal/Cleaning Procedure

Discussion in 'Malware Help (A Specialist Will Reply)' started by rhisiart, Sep 17, 2013.

  1. rhisiart

    rhisiart Private E-2

    I had the FBI virus and it was deleted or disabled by a friend.

    Now however, I have an "Encryption" virus that is encrypting some of my files and telling me to download a fix. I have not done this of course.

    Also, before I started your procedure, I tried to run Restore but found that all restore points were deleted except for the current day.

    I have followed all of the steps and instructions on your Windows XP Malware Removal/Cleaning Procedure.

    My logs are attached.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Can you attach the log from running Hitman please?

    By the way, I cannot open your MGlogs.zip, it appears to be corrupted.
    Can you run MGTools.exe again and attach the new log please?
     
  3. rhisiart

    rhisiart Private E-2

    Thank you. Yes, I will follow your requests. How do I reply with the info?
     
  4. rhisiart

    rhisiart Private E-2

    Ok, I am attaching the Hitman Pro log (which, by the way, is detecting a trojan in MGtools.exe).

    I did not attach the rerun of MGtools.exe because I got a recurring error message all through the process: "zip error : Could not create output file (C:\MGlogs.zip)". This happened the first time as well, which may be the reason that the zip file I sent you is corrupt, you think?
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re-run Hitman and have it delete Potentially Unwanted Programs.

    Now try to run MGTools in safe mode please.
     
  6. rhisiart

    rhisiart Private E-2

    Ok. I ran Hitman Pro again, told it to delete "unwanted programs", rebooted in safe mode, and ran MGTools again with the same result.
    Attached is the new Hitman Pro log. MG.exe still won't open, so I copied the on-screen log to a Word file and am attaching that.
    I really appreciate your patience and help.

    Richard Jones
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Vista and Windows 7 users: right-click OTL and choose Run as Administrator.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  8. rhisiart

    rhisiart Private E-2

    Here are the OTL logs that you requested.
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    We need to run an OTL Fix

    • Right-click OTL.exe and select "Run as administrator" to run it. If Windows UAC prompts you, please allow it.
    • Copy and Paste the following code into the textbox. Do not include the word Code

    Code:
    :otl
    @Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    @Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29
    
    :files
    DRV - (1452D9) -- globalroot\C:\WINDOWS\system32\drivers\1452D9.sys File not found
    IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2455}: "URL" = http://search.fantastigames.com/web?src=ieb&appid=103&systemid=455&sr=0&q={searchTerms}
    IE - HKCU\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2455}: "URL" = http://search.fantastigames.com/web?src=ieb&appid=103&systemid=455&sr=0&q={searchTerms}
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(9).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(8).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(7).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(6).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(56).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(55).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(54).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(53).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(52).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(51).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(50).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(5).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(49).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(48).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(47).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(46).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(45).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(44).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(43).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(42).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(41).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(40).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(4).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(39).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(38).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(37).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(36).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(35).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(34).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(33).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(32).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(31).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(30).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(3).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(29).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(28).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(27).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(26).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(25).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(24).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(23).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(22).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(21).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(20).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(2).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(19).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(18).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(17).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(16).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(15).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(14).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(13).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(12).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(11).dll
    [2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(10).dll

    :commands
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    • Then click the Run Fix button at the top.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. ATTACH that report in your next reply.


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    • Re-run OTL (just a scan) and attach the log.
    • Now explain how things are running.
     
  10. rhisiart

    rhisiart Private E-2

    The download of OTL is version 3.2.69.0. I cannot find any selection for "Run as administrator". I'm going ahead and pasting your text into the box and running it anyway. Ok?
     
    Last edited by a moderator: Sep 22, 2013
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes please go ahead and run it anyway. My instructions are out of date.
     
  12. rhisiart

    rhisiart Private E-2

    I am having some trouble running the OTL fix. After clicking the Fix button, almost everything is frozen, including restart. At the bottom of the OTL window, there is a message: "Killing processes. Do not interrupt". So I haven't interrupted for about 3 hours now, and I can't see that anything is happening.

    Suggestions?
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Can you end OTL with Task Manager and then re-run the instructions in safe mode please? Then carry on with any further instructions beyond that in normal mode. :) Let me know how you get on.
     
  14. rhisiart

    rhisiart Private E-2

    I won't go into the convolutions I went through to get these logs, but finally I stumbled through to them. Here are the logs that you requested.

    I noticed that there was a window in OTL that says "File Age" which shows 30 days. My problems with these viruses started before that. Is that a problem? Also, I looked at some graphic files in CompuPic and found many still encrypted.
     

    Attached Files:

  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What kind of files are encrypted exactly? What kind of extension do the files have? Are they just graphic/picture files or are there more?

    All these files still need deleting:
    The original file that should remain untouched is: C:\WINDOWS\System32\iegd3dg3.dll

    So can you delete all those copies with extra numbers in brackets?
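
The `:files` section of the OTL fix earlier in the thread and the rule stated in this post (delete every iegd3dg3(N).dll copy, leave C:\WINDOWS\System32\iegd3dg3.dll untouched) describe a mechanical filter that is easy to get wrong by hand. The script below is an added example, not part of the thread and not OTL's own code: it parses OTL entries of the three shapes quoted on this page (file, Alternate Data Stream, DRV), builds the delete list from the numbered copies only, and refuses to touch the inferred original. The regexes are inferred from the quoted lines rather than from any OTL specification, and the sample entry for the un-numbered iegd3dg3.dll is constructed (the real fix deliberately omits it).

```python
import re
from collections import defaultdict

# Sample OTL output. The ADS, DRV and "iegd3dg3(N).dll" lines are copied from the
# fix script posted in this thread; the entry for the un-numbered iegd3dg3.dll is
# CONSTRUCTED here so the filter has an original to protect.
SAMPLE_OTL = r"""
@Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
DRV - (1452D9) -- globalroot\C:\WINDOWS\system32\drivers\1452D9.sys File not found
[2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(9).dll
[2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(56).dll
[2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3(10).dll
[2013/01/13 10:30:31 | 000,401,792 | ---- | C] () -- C:\WINDOWS\System32\iegd3dg3.dll
"""

# Line shapes inferred from the OTL output quoted on this page (not an official grammar).
FILE_RE = re.compile(r"^\[(?P<stamp>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*\(\)\s*--\s*(?P<path>.+?)\s*$")
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<target>.+?)\s*$")
DRV_RE = re.compile(r"^DRV - \((?P<name>\w+)\) -- (?P<path>.+?)(?P<missing> File not found)?\s*$")
# Explorer-style duplicate "name(N).ext"; its original is "name.ext".
COPY_RE = re.compile(r"^(?P<stem>.+)\((?P<n>\d+)\)(?P<ext>\.[^.\\]+)$")


def parse_otl(text):
    """Turn raw OTL lines into typed records; anything unrecognised is kept as 'other'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := FILE_RE.match(line):
            records.append({"kind": "file", "path": m["path"],
                            "size": int(m["size"].replace(",", ""))})
        elif m := ADS_RE.match(line):
            host, _, stream = m["target"].rpartition(":")   # "...\TEMP:DFC5A2B2" -> host file, stream name
            records.append({"kind": "ads", "host": host, "stream": stream, "size": int(m["size"])})
        elif m := DRV_RE.match(line):
            records.append({"kind": "driver", "name": m["name"], "path": m["path"],
                            "missing": m["missing"] is not None})
        else:
            records.append({"kind": "other", "raw": line})
    return records


def plan_cleanup(records):
    """Split numbered copies from the single original they were cloned from.

    Copies go on the delete list; the inferred original is protected even when the
    listing contains it, which is the 'leave iegd3dg3.dll untouched' rule from the thread.
    """
    files = [r for r in records if r["kind"] == "file"]
    copies_of = defaultdict(list)                      # original path -> [(n, copy path, size)]
    for r in files:
        folder, _, base = r["path"].rpartition("\\")
        if m := COPY_RE.match(base):
            original = f"{folder}\\{m['stem']}{m['ext']}"
            copies_of[original].append((int(m["n"]), r["path"], r["size"]))

    protected = sorted(copies_of, key=str.lower)
    protected_lower = {p.lower() for p in protected}
    delete, summary = [], {}
    for original in protected:
        copies = sorted(copies_of[original])           # by copy number: (9), (10), (56), ...
        delete.extend(path for _, path, _ in copies)
        summary[original] = {"copies": len(copies),
                             # identical sizes are what you expect of straight clones
                             "identical_size": len({s for _, _, s in copies}) == 1}

    # Safety check: nothing on the delete list may be a protected original.
    clash = [p for p in delete if p.lower() in protected_lower]
    if clash:
        raise RuntimeError(f"refusing to delete protected original(s): {clash}")

    return {
        "delete": delete,
        "protected": protected,
        # originals OTL actually listed, so you know the keeper is still on disk
        "originals_seen": [r["path"] for r in files if r["path"].lower() in protected_lower],
        "summary": summary,
        "ads": [(r["host"], r["stream"], r["size"]) for r in records if r["kind"] == "ads"],
        "missing_drivers": [r["path"] for r in records
                            if r["kind"] == "driver" and r["missing"]],
    }


if __name__ == "__main__":
    plan = plan_cleanup(parse_otl(SAMPLE_OTL))
    for path in plan["delete"]:
        print("DELETE ", path)
    for path in plan["protected"]:
        print("KEEP   ", path, "(seen)" if path in plan["originals_seen"] else "(not listed)")
    print("ADS    ", plan["ads"])
    print("MISSING", plan["missing_drivers"])
```

Run against the full fix script above, the delete list is the 55 numbered copies and nothing else; the `missing_drivers` entry is the orphaned 1452D9.sys service pointing at a driver file that no longer exists, which is why the fix removes the registration rather than a file.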
     
  16. rhisiart

    rhisiart Private E-2

    This is a sample. I can't tell what they are. Here are samples. Their extension was .jpg, but I had to rename the extensions to .png to upload them.
     

    Attached Files:

  17. rhisiart

    rhisiart Private E-2

    I am having trouble attaching these encrypted files. First Windows Explorer said I had to change the extension from .jpg to .png. I did that but three wouldn't attach. I will try to send one.
     

    Attached Files:
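
Kestrel13! asks above what exactly is encrypted and what extension the files have, and rhisiart then has trouble even attaching them because the .jpg files had to be renamed to .png. Below is an added example, not code from the thread or from any tool named in it, of how a responder would triage such files offline: check the file signature against the claimed extension first, and fall back to byte entropy only when no signature is found, because the body of an intact JPEG is itself compressed and high-entropy. The sample files are constructed inside the script (seeded pseudo-random bytes stand in for ciphertext); nothing is read from disk.

```python
import math
import random
from collections import Counter

# File signatures for the format in question (JPEG) plus a few common ones.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
}
ALIASES = {"jpeg": "jpg"}


def shannon_entropy(data):
    """Bits per byte. Ciphertext sits near 8.0; text, zero-fill and headers sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_format(header):
    """Return the extension whose signature the header carries, or None."""
    for ext, sigs in MAGIC.items():
        if any(header.startswith(s) for s in sigs):
            return ext
    return None


def triage(name, data, sample=4096):
    """Classify one file from its name and leading bytes.

    The header check comes first on purpose: an intact JPEG body is high-entropy too,
    so entropy alone cannot tell a good picture from an encrypted one.
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = ALIASES.get(ext, ext)
    head = data[:sample]
    found = detect_format(head)
    ent = shannon_entropy(head)
    if found is not None and found == ext:
        verdict = "intact"
    elif found is not None:
        verdict = f"renamed ({found} content)"     # e.g. a .jpg renamed .png to get past an upload filter
    elif ent > 7.5:
        verdict = "likely encrypted"                # no recognisable header, near-random bytes
    else:
        verdict = "damaged or unknown"
    return {"name": name, "claimed": ext, "detected": found,
            "entropy": round(ent, 2), "verdict": verdict}


def constructed_samples():
    """CONSTRUCTED test data, not the poster's files; a fixed seed keeps it reproducible."""
    rng = random.Random(20130917)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + noise   # JFIF header on a high-entropy body
    return {
        "photo.jpg": jpeg,
        "photo.png": jpeg,              # intact JPEG renamed to .png
        "encrypted.jpg": noise,         # overwritten with ciphertext, header gone
        "encrypted.png": noise,         # the same file after renaming
        "blank.jpg": b"\x00" * 4096,    # zero-filled: damaged, not encrypted
    }


def triage_all(files):
    return {name: triage(name, data)["verdict"] for name, data in files.items()}


if __name__ == "__main__":
    for name, data in constructed_samples().items():
        r = triage(name, data)
        print(f"{r['name']:14} claimed={r['claimed']:4} detected={str(r['detected']):4} "
              f"entropy={r['entropy']:.2f}  -> {r['verdict']}")
```

To use it on real evidence, replace `constructed_samples()` with a loop that reads the first 4 KiB of each file; reading only the head is deliberate, since a file that has been overwritten by ransomware keeps none of its original header and the verdict does not improve by reading more.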

  18. rhisiart

    rhisiart Private E-2

    I neglected to mention that I deleted all of the .dll files that you identified.
     
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

