Potential Otorun1 Malware, can't run HiJackThis, SSPyAdware, Malwarebytes, etc

Discussion in 'Malware Help (A Specialist Will Reply)' started by ShizzMoney, May 21, 2009.

  1. ShizzMoney

    ShizzMoney Private E-2

    Running Win XP, everything updated, etc.

    Trying to get rid of some malware and a potential trojan virus that affects my browsing experience on FireFox (I cannot access the malwarebytes website, for example, except for clicking the "cached" page option in the google browser. I also get redirected to websites without clicking anything).

    I can't run HiJackThis, ComboFix, or Malwarebytes. I know this is a key part of the process. Yes, I've tried it in safe mode, and no, they won't work there either.

    I ran Avira anti-virus and quarantined/deleted the 22 files it found, some were adware/spybots and I found one trojan, 152336.

    I also ran HouseCall via the Trend Micro site, and it found malware called OTO_RUN1. I was able to run an older version of HiJackThis; the logs (as well as logs from OTListIt) are below.

    I still am having problems with my pc being slow, and the fact I can't run the programs above makes me believe something is on this machine.

    Please help, I have no idea what is on this cpu. I've attached a log file from OTListIt2, and one from OTListIt3 is below.

    THERE IS a $5 REWARD via PokerStars if anyone can help me by this week.

    ty

    ========== PROCESSES ==========
    Process explorer.exe killed successfully.
    ========== REGISTRY ==========
    Registry key HKLM\SOFTWARE\TDSS\\ not found.
    Registry key HKLM\SOFTWARE\TDSS#build\\ not found.
    Registry key HKLM\SOFTWARE\TDSS#type\\ not found.
    Registry key HKLM\SOFTWARE\TDSS#affid\\ not found.
    Registry key HKLM\SOFTWARE\TDSS#subid\\ not found.
    Registry key HKLM\SOFTWARE\TDSS#cmddelay\\ not found.
    Registry key HKLM\SOFTWARE\TDSS#serversdown\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\connections\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\connections#87214514\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\connections#8f214514\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#trsetup.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#ViewpointService.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#ViewMgr.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#SpySweeper.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#SUPERAntiSpyware.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#SpySub.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#SpywareTerminatorShield.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#SpyHunter3.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#XoftSpy.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#SpyEraser.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#combofix.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#otscanit.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#mbam.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#mbam-setup.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#flash_disinfector.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#otmoveit2.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#smitfraudfix.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#prevxcsifree.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#download_mbam-setup.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#cbo_setup.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#spywareblastersetup.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#rminstall.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#sdsetup.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#vundofixsvc.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#daft.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#gmer.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#catchme.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#mcpr.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#sdfix.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#hjtinstall.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#fixpolicies.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#emergencyutil.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#techweb.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#GoogleUpdate.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#windowsdefender.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\disallowed#spybotsd.exe\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\injector\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\injector#*\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\versions\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\versions#/tdss/crcmds/init\\ not found.
    Registry key HKLM\SOFTWARE\TDSS\versions#/tdss2/crcmds/init\\ not found.
    Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata\\ not found.
    Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#affid\\ not found.
    Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#subid\\ not found.
    Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#control\\ not found.
    Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#prov\\ not found.
    Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#googleadserver\\ not found.
    Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#flagged\\ not found.
    ========== FILES ==========
    File/Folder C:\Windows\System32\drivers\gxvxcqcxiqudhrxfpyvcppixxipitrwhekywu.sys not found.
    File/Folder C:\Windows\System32\gxvxcdvipfuseggevbxvtpiirxnqkecdjweny.dll not found.
    File/Folder gxvxcdvipfuseggevbxvtpiirxnqkecdjweny.dll not found.
    ========== COMMANDS ==========
    File delete failed. C:\DOCUME~1\Shizz\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\SP0VSBOZ\flashHeader[1]. scheduled to be deleted on reboot.
    File delete failed. C:\DOCUME~1\Shizz\LOCALS~1\Temp\hsperfdata_Shizz\3756 scheduled to be deleted on reboot.
    File delete failed. C:\DOCUME~1\Shizz\LOCALS~1\Temp\autobahn.log scheduled to be deleted on reboot.
    File delete failed. C:\DOCUME~1\Shizz\LOCALS~1\Temp\etilqs_DB92FCwbMiblbA2v2YSB scheduled to be deleted on reboot.
    File delete failed. C:\DOCUME~1\Shizz\LOCALS~1\Temp\Perflib_Perfdata_eac.dat scheduled to be deleted on reboot.
    File delete failed. C:\DOCUME~1\Shizz\LOCALS~1\Temp\WCESLog.log scheduled to be deleted on reboot.
    User's Temp folder emptied.
    User's Internet Explorer cache folder emptied.
    File delete failed. C:\Documents and Settings\Shizz\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    User's Temporary Internet Files folder emptied.
    Local Service Temp folder emptied.
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    Local Service Temporary Internet Files folder emptied.
    Network Service Temp folder emptied.
    Network Service Temporary Internet Files folder emptied.
    Windows Temp folder emptied.
    Java cache emptied.
    File delete failed. C:\Documents and Settings\Shizz\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzguibpg.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\Shizz\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzguibpg.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\Shizz\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzguibpg.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\Shizz\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzguibpg.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\Shizz\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzguibpg.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\Shizz\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzguibpg.default\XUL.mfl scheduled to be deleted on reboot.
    FireFox cache emptied.
    Temp folders emptied.
    Explorer started successfully

    OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05212009_184908
     

    Attached Files:

    Last edited: May 21, 2009
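    The log above is the standard OTMoveIt "not found" / "scheduled to be deleted on reboot" format. The following is an added example (not the poster's tool and not OldTimer's code) of a small triage parser for that format: it separates the checked artifacts that were absent from any that were actually present, pulls out TDSS `disallowed` entries that name security-tool executables, and lists deletions deferred to the next reboot. The sample input is a constructed excerpt in the same format as the posted log; the two "deleted successfully" lines are an assumed wording for an item that did exist, since the posted log only contains "not found" results.

```python
"""Triage helper for an OTMoveIt-style log (added example; not the poster's
tool or OldTimer's code). It separates checked artifacts that were absent
from ones that were actually present, pulls out the TDSS 'disallowed'
entries that name security tools, and lists deletions deferred to reboot."""
import re
from collections import Counter

# Constructed excerpt in the format of the posted log. The two
# "deleted successfully" lines are an assumed wording for an item that
# did exist; the posted log only contains "not found" results.
SAMPLE_LOG = r"""
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== REGISTRY ==========
Registry key HKLM\SOFTWARE\TDSS\\ not found.
Registry key HKLM\SOFTWARE\TDSS\disallowed#mbam.exe\\ not found.
Registry key HKLM\SOFTWARE\TDSS\disallowed#combofix.exe\\ deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata\\ not found.
========== FILES ==========
File/Folder C:\Windows\System32\drivers\gxvxcqcxiqudhrxfpyvcppixxipitrwhekywu.sys not found.
File/Folder C:\Windows\System32\gxvxcdvipfuseggevbxvtpiirxnqkecdjweny.dll deleted successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Shizz\LOCALS~1\Temp\autobahn.log scheduled to be deleted on reboot.
User's Temp folder emptied.
Explorer started successfully
"""

SECTION_RE = re.compile(r"^=+ (?P<name>[A-Z ]+?) =+$")
ITEM_RE = re.compile(
    r"^(?P<kind>Registry key|File/Folder) (?P<path>.+?) "
    r"(?P<status>not found|deleted successfully)\.$"
)
DEFERRED_RE = re.compile(
    r"^File delete failed\. (?P<path>.+?) scheduled to be deleted on reboot\.$"
)
# TDSS keeps a 'disallowed' list keyed by executable name; the entries
# OTMoveIt checks are security-tool binaries, so any that are present
# explain why those tools refuse to start.
DISALLOWED_RE = re.compile(r"\\TDSS\\disallowed#(?P<exe>[^\\]+)\\")


def parse_log(text):
    """Return absent/present artifact lists and deferred deletions."""
    section = None
    absent, present, deferred = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ITEM_RE.match(line)
        if m:
            entry = (section, m.group("kind"), m.group("path"))
            if m.group("status") == "not found":
                absent.append(entry)
            else:
                present.append(entry)
            continue
        m = DEFERRED_RE.match(line)
        if m:
            deferred.append(m.group("path"))
        # other lines (folder emptied, explorer restarted) carry no artifact
    return {"absent": absent, "present": present, "deferred": deferred}


def blocked_tools(report):
    """Executables whose TDSS disallowed entry was present, not just checked."""
    names = []
    for _section, _kind, path in report["present"]:
        m = DISALLOWED_RE.search(path)
        if m:
            names.append(m.group("exe"))
    return names


def summarize(text):
    """Condense a parsed log into the numbers a helper wants at a glance."""
    report = parse_log(text)
    absent_by_section = Counter(sec for sec, _k, _p in report["absent"])
    return {
        "absent_by_section": dict(absent_by_section),
        "present": [path for _s, _k, path in report["present"]],
        "blocked_tools": blocked_tools(report),
        "deferred": report["deferred"],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the posted log, every checked item lands in `absent`, so a reader can see at a glance that this OTMoveIt run found no TDSS registry keys or `gxvxc*` driver files; the deferred deletions are only locked temp and browser-cache files, which is expected while the programs that hold them are running.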
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.
    • If you have problems where no tools seem to run, please try following the steps given below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First. If TDSSserv is not found, just continue on with the READ & RUN ME.
    READ & RUN ME FIRST. Malware Removal Guide
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread