I BELIEVE I HAVE AN RAI

Re: I BELIEVE I HAVE AN RAI

Post by p_huero » December 15th, 2013, 12:25 pm

I do have a recovery partition, on drive D:, which I've never used. I was able to back up my files...but that will mean a lot of hassle. I don't use online banking or any of those other services on this machine anyway, as it's mostly used for internet forums, Craigslist, and Facebook. It also seems that since this is a trojan with an encrypted file system, there's really no way to know if it's been eliminated without repaving. If I ask you to help me target this one, it could just come right back anyway. I'll repost in an hour...I just need to think about how I can go about it, since I can't spend any money on this. I could download those free AV programs to an SD card, though, then reinstall them...so hmmm....

Re: I BELIEVE I HAVE AN RAI

Post by p_huero » December 15th, 2013, 2:04 pm

OK. I can always repave later. On the assumption that I am planning to do so in the future, is there a way to contain/neutralize this threat for now? I'd rather wait until I can get the fundage together to buy a WIN7 OS and do the repave correctly. I don't trust the recovery partition enough to try it...

Re: I BELIEVE I HAVE AN RAI

Post by nunped » December 15th, 2013, 2:26 pm

Hi p_huero,

OK, let's try to clean as best as possible.

Fix with FRST
  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
    • Copy and paste the following script into Notepad. Do not include the words "Code: Select all".
    • (Click the "Select all" button next to "Code:" to select the entire script.)
    Code: Select all
    C:\Users\SYSAD\AppData\Roaming\desktop.ini
    C:\ProgramData\PKP_DLdu.DAT
    C:\ProgramData\PKP_DLdw.DAT
    
  • Save it to your USB flashdrive as fixlist.txt.

Boot into Recovery Environment
  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt on your USB flashdrive.
  • Exit out of Recovery Environment and post the log.

Re: I BELIEVE I HAVE AN RAI

Post by p_huero » December 15th, 2013, 9:19 pm

I can't seem to download frst64 anymore. McAfee blocks the site, then deletes it as soon as I try to move it onto the flashdrive. I'm really stuck, it seems. FRST it has no problem with; but I've tried frst64 five times now and I'm really quite frustrated...

Re: I BELIEVE I HAVE AN RAI

Post by nunped » December 16th, 2013, 11:50 am

Hi p_huero,

We could try to temporarily disable McAfee, but let's see if OTL can deal with these files in Normal mode:

Step 1 - Fix with OTL
  • Right click OTL.exe and select "Run as Administrator" to launch the program.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Do not include the words "Code: Select all". Press "Select all" to automatically select all the text in the box.
Code: Select all
:commands
[createrestorepoint]

:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKU\S-1-5-21-3637950117-3411936004-4287588756-1004\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O15 - HKLM\..Trusted Domains: //about.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Exclude.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //FWEvent.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //LanguageSelection.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Message.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyAgttryCmd.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyAgttryNag.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyNotification.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //NOCLessUpdate.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //quarantine.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //ScanNow.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //strings.vbs/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Template.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Update.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //VirFound.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafee.com ([*] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafee.com ([*] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] https in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-3637950117-3411936004-4287588756-1002\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-3637950117-3411936004-4287588756-1002\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3637950117-3411936004-4287588756-1002\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinsta ... s-i586.cab (Java Plug-in 10.45.2)
O16 - DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinsta ... s-i586.cab (Java Plug-in 1.7.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinsta ... s-i586.cab (Java Plug-in 10.45.2)

:files
ipconfig /flushdns /c
C:\Users\SYSAD\AppData\Roaming\desktop.ini
C:\ProgramData\PKP_DLdu.DAT
C:\ProgramData\PKP_DLdw.DAT

:commands
[emptytemp]

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.

Step 2 - AdwCleaner Download and Run

Click on this link to download: AdwCleaner
Click on the Download Now button and save it to your desktop.

NOTE: If using Internet Explorer and you get an alert that stops the program downloading click on Tools > Smartscreen Filter > Turn off Smartscreen Filter then click on OK in the box that opens. Then click on the link again.

Close your browser and double click on this icon on your desktop:

[AdwCleaner desktop icon]

You will then see the screen below. Click on the Scan button (as indicated), accept any prompts that appear and allow it to run.
It may take several minutes to complete. When it is done click on the Clean button, accept any prompts that appear and allow the system to reboot.
You will then be presented with the report. Copy & Paste it into your next post.

[Screenshot: AdwCleaner window with the Scan and Clean buttons]

Re: I BELIEVE I HAVE AN RAI

Post by p_huero » December 16th, 2013, 12:11 pm

McAfee deleted the AdwCleaner file too. I think it's SiteAdvisor--it blocks the site, I DL the file anyway, then as soon as it's done, I get the "File deleted" box with no settings or ways to disable it.

Re: I BELIEVE I HAVE AN RAI

Post by nunped » December 16th, 2013, 12:49 pm

I don't personally use McAfee, but see if this helps:

  • Double-click the taskbar icon to open SecurityCenter
  • Click Advanced Menu (bottom)
  • Click Configure (left)
  • Click Computer & Files (top left)
  • You can disable VirusScan and tell it for how long over at the right.
  • If you click the Advanced button at the right you can then go to Active Protection on the left and uncheck it. Don't forget to click Apply and OK.

Re: I BELIEVE I HAVE AN RAI

Post by p_huero » December 16th, 2013, 1:43 pm

I have Security-as-a-service. My menus are quite different. I tried to use the "restore quarantined files" option but it immediately deleted them. I'm starting to think repaving is the only way. Can these trojans corrupt your antivirus systems to the point of making them impossible to remove?

Re: I BELIEVE I HAVE AN RAI

Post by nunped » December 17th, 2013, 8:00 am

Hi p_huero,

p_huero wrote: "Can these trojans corrupt your antivirus systems to the point of making them impossible to remove?"

They can corrupt quite a lot and in very unpredictable ways, but the problems you are facing are related to the normal behavior of McAfee towards the programs we use to clean computers.

Is your computer used for any kind of business activity?

Re: I BELIEVE I HAVE AN RAI

Post by p_huero » December 19th, 2013, 1:38 am

No, it's strictly private. It's my only way to get online and look for work, and I don't have the money to spend buying software to replace what I already have. If I could just go buy Win 7 (ha ha) I'd just bin the lot, and have done with it. I'd hate to find out that after backing up all my files, they can't be restored because I went to a UNIX OS which doesn't recognize them. Also I'd have to buy an antivirus that actually works, since McAfee clearly didn't in this case. So I must admit, I'm a bit stumped.
My version of McAfee doesn't have the menus or options you describe. Also the SiteAdvisor seems to be the reason these programs are being deleted. However, I believe the dates for AVG and SiteAdvisor are the same, leading me to believe I might have clicked on a fake screen "from" McAfee which I still see about once a week. Sods...as for AVG, I never wanted it, and now it's got me locked in a death spiral. McAfee warns me that "You have more than one anti-virus product installed"...but I can't seem to figure out how to remove it...that is, without your help of course! I never use online banking, and this is a good reason why--they'd have my info by now I'm sure, but at least I can contain the damage for now...

Re: I BELIEVE I HAVE AN RAI

Post by nunped » December 19th, 2013, 12:28 pm

Hi p_huero,

I couldn't find a good way of deactivating your version of McAfee...

So, please run the OTL fix as instructed before and then:

ESET NOD32 Online Scan
Note: If using Mozilla Firefox you will need to download "esetsmartinstaller_enu.exe" when prompted... then right click on it and select "run as administrator" to install.
Please temporarily disable your Anti-virus real-time protection. If active, it could impact the online scan.
Do NOT use the computer while the scan is running... make sure all other programs and windows are closed!

Please go to ESET Online Scanner to run an online scan.
  • Click the [Run ESET Online Scanner] button.
  • Read the End User License Agreement and check the box: [Yes, I accept the terms of use].
  • Click the green [Start] button.
  • Accept any security warnings from your browser and allow the download/installation of any required files.
    If your browser blocks or halts a download, please allow it to download any required files.
  • Under scan settings:
    • Check "Scan archives"
    • Make sure "Remove found threats" is UNCHECKED
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click the [Start] button.
    ESET will install itself, download virus signature database updates and begin scanning your computer.
    The scan will take a while so please be patient. Do NOT use the computer while the scan is running.
  • When the scan completes, press the text shown here: [button image]
  • Press the text shown here: [button image] ... then save the file to your desktop as ESETScan.txt.
  • Press the [Back] button, then press the [Finish] button.
  • Copy and paste the contents of ESETScan.txt in your next reply.
    Note: If no threats are found, there is no option to create a log. Just report back to me there was nothing found.

Remember to enable your Anti-virus protection before continuing!

Re: I BELIEVE I HAVE AN RAI

Post by p_huero » December 19th, 2013, 3:36 pm

Right, OTL fix results:

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry value HKEY_USERS\S-1-5-21-3637950117-3411936004-4287588756-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//about.htm/\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//Exclude.htm/\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//FWEvent.htm/\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//LanguageSelection.htm/\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//Message.htm/\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//MyAgttryCmd.htm/\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//MyAgttryNag.htm/\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//MyNotification.htm/\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//NOCLessUpdate.htm/\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//quarantine.htm/\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//ScanNow.htm/\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//strings.vbs/\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//Template.htm/\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//Update.htm/\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//VirFound.htm/\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafee.com\*\ deleted successfully.
Invalid CLSID key: *
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafee.com\*\ not found.
Invalid CLSID key: *
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafeeasap.com\betavscan\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafeeasap.com\betavscan\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafeeasap.com\vs\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafeeasap.com\vs\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafeeasap.com\www\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafeeasap.com\www\ not found.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\internet\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafee.com\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafee.com\ not found.
Registry key HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\internet\ not found.
Registry key HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafee.com\ not found.
Registry key HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafee.com\ not found.
Registry key HKEY_USERS\S-1-5-21-3637950117-3411936004-4287588756-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\internet\ not found.
Registry key HKEY_USERS\S-1-5-21-3637950117-3411936004-4287588756-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafee.com\ not found.
Registry key HKEY_USERS\S-1-5-21-3637950117-3411936004-4287588756-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafee.com\ not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\D-QUAD\Downloads\cmd.bat deleted successfully.
C:\Users\D-QUAD\Downloads\cmd.txt deleted successfully.
C:\Users\SYSAD\AppData\Roaming\desktop.ini moved successfully.
C:\ProgramData\PKP_DLdu.DAT moved successfully.
C:\ProgramData\PKP_DLdw.DAT moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: D-QUAD
->Temp folder emptied: 77706502 bytes
->Temporary Internet Files folder emptied: 142462869 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 17799194 bytes
->Flash cache emptied: 598 bytes

User: Default
->Temp folder emptied: 16768131 bytes
->Temporary Internet Files folder emptied: 101433 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NAB
->Temp folder emptied: 24259907 bytes
->Temporary Internet Files folder emptied: 8435092 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 28369078 bytes
->Flash cache emptied: 11546 bytes

User: Public

User: SYSAD
->Temp folder emptied: 259285918 bytes
->Temporary Internet Files folder emptied: 1001500 bytes
->Java cache emptied: 48094 bytes
->FireFox cache emptied: 104452387 bytes
->Flash cache emptied: 3555 bytes

User: TEMP
->Temp folder emptied: 33533 bytes
->Temporary Internet Files folder emptied: 101433 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 324926470 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 1925783 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 25855 bytes

Total Files Cleaned = 961.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 12192013_112216

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\avg_secure_search.log scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

****
Quite comforting, that. I'm working on the eset scan now...
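Added example, not from this thread or from OTL's author: a small Python script that reconciles an OTL fix script with the fixlog it produced, reporting for each target whether the log says it was deleted, moved, not found, scheduled for reboot, or never mentioned (the last case is the one worth re-checking). The fix-script and log excerpts are constructed subsets of the ones posted above; the path made_up_example.tmp is invented to show the unmentioned case.

```python
import re

# Constructed subset of the fix script nunped posted: one BHO CLSID, one ActiveX (DPF)
# CLSID and the :files section, plus one invented path that the log never mentions.
FIX_SCRIPT = r""":OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinsta ... s-i586.cab (Java Plug-in 10.45.2)
:files
ipconfig /flushdns /c
C:\Users\SYSAD\AppData\Roaming\desktop.ini
C:\ProgramData\PKP_DLdu.DAT
C:\ProgramData\PKP_DLdw.DAT
C:\Users\SYSAD\Downloads\made_up_example.tmp
"""

# Constructed subset of the fixlog p_huero posted back (lines copied as-is).
FIX_LOG = r"""Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
C:\Users\SYSAD\AppData\Roaming\desktop.ini moved successfully.
C:\ProgramData\PKP_DLdu.DAT moved successfully.
C:\ProgramData\PKP_DLdw.DAT moved successfully.
->Temp folder emptied: 259285918 bytes
->Java cache emptied: 48094 bytes
File move failed. C:\Windows\temp\avg_secure_search.log scheduled to be moved on reboot.
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
REG_RE = re.compile(r"^Registry (?:key|value) (.+?) (deleted successfully|not found)\.$")
FILE_RE = re.compile(r"^([A-Za-z]:\\.+?) (moved|deleted) successfully\.$")
REBOOT_RE = re.compile(r"^File move failed\. (.+?) scheduled to be moved on reboot\.$")
BYTES_RE = re.compile(r"^->.+ emptied: (\d+) bytes$")


def fix_targets(script):
    """Return (clsids, paths) named in the :OTL and :files sections of a fix script."""
    clsids, paths, section = set(), set(), None
    for line in script.splitlines():
        line = line.strip()
        if line.startswith(":"):
            section = line.lower()
        elif section == ":otl":
            clsids.update(m.upper() for m in CLSID_RE.findall(line))
        elif section == ":files" and DRIVE_RE.match(line):
            paths.add(line.lower())  # :files lines without a drive letter are commands
    return clsids, paths


def parse_fixlog(log):
    """Collect registry outcomes, per-file outcomes and bytes freed by [emptytemp]."""
    registry, files, freed = [], {}, 0
    for line in log.splitlines():
        line = line.strip()
        if m := REG_RE.match(line):
            registry.append((m.group(1).upper(), m.group(2)))
        elif m := FILE_RE.match(line):
            files[m.group(1).lower()] = m.group(2)
        elif m := REBOOT_RE.match(line):
            files[m.group(1).lower()] = "pending reboot"
        elif m := BYTES_RE.match(line):
            freed += int(m.group(1))
    return registry, files, freed


def reconcile(script, log):
    """Map every fix target to what the log reports for it; 'unmentioned' means re-check."""
    clsids, paths = fix_targets(script)
    registry, files, freed = parse_fixlog(log)
    outcome = {}
    for clsid in clsids:
        hits = {status for key, status in registry if clsid in key}
        outcome[clsid] = ("deleted" if "deleted successfully" in hits
                          else "not found" if hits else "unmentioned")
    for path in paths:
        outcome[path] = files.get(path, "unmentioned")
    return outcome, freed


if __name__ == "__main__":
    result, freed_bytes = reconcile(FIX_SCRIPT, FIX_LOG)
    for target, status in sorted(result.items()):
        print(f"{status:>15}  {target}")
    print(f"[emptytemp] freed {freed_bytes / 1e6:.1f} MB")
```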

Re: I BELIEVE I HAVE AN RAI

Post by p_huero » December 19th, 2013, 5:57 pm

OK, and now for the eset results:

C:\Program Files\Common Files\DVDVideoSoft\TB\DVDVideoSoftTB.exe a variant of Win32/Toolbar.Conduit.B application
C:\Program Files\MarineAquarium3Free_57EI\Installr\1.bin\57EIPlug.dll Win32/Toolbar.MyWebSearch application
C:\Program Files\MarineAquarium3Free_57EI\Installr\1.bin\57EZSETP.dll Win32/Toolbar.MyWebSearch.Q application
C:\Program Files\MarineAquarium3Free_57EI\Installr\1.bin\NP57EISb.dll Win32/Toolbar.MyWebSearch application
C:\Users\SYSAD\AppData\Roaming\0D0S1L2Z1P1B\Codec Package Packages\uninstaller.exe Win32/InstallCore.AZ application
C:\Users\SYSAD\AppData\Roaming\DigitalSite\UpdateProc\UpdateTask.exe a variant of Win32/DealPly.H application
C:\Users\SYSAD\Downloads\CodecPackage.exe a variant of Win32/InstallCore.CW application
C:\Users\SYSAD\Downloads\finalmediaplayer_732.exe a variant of Win32/InstallIQ.A application
C:\Users\SYSAD\Downloads\FinalVideoDownloaderSetup.exe a variant of Win32/InstallCore.CU application
C:\Users\SYSAD\Downloads\freefileconverter2_1422.exe a variant of Win32/InstallIQ.A application
D:\RCA\rcaDVM_setup.exe multiple threats

The RCA program is for a digital recording device. I might have to download it again but it's expendable.
I sure wish I could have had eset delete all that stuff...but I realize these steps have to be done in order...

Re: I BELIEVE I HAVE AN RAI

Post by p_huero » December 19th, 2013, 6:00 pm

I should also add, that USER=TEMP is not known to me. I never created that account, nor does it show on my login screen. Would it help to re-enable User Account Control? I wonder if I'd have seen this happening if it was on at the time.

Re: I BELIEVE I HAVE AN RAI

Post by nunped » December 19th, 2013, 6:44 pm

Hi p_huero,

ESET sometimes flags legit files, so I prefer to check them first.
Don't worry about the "User: TEMP" line. It shows in every OTL fix.

So, to check the files found by ESET:
Online Multi Antivirus file scan
Please go to VirusTotal and upload (only one file per scan) the following files for scanning:
C:\Program Files\Common Files\DVDVideoSoft\TB\DVDVideoSoftTB.exe
C:\Program Files\MarineAquarium3Free_57EI\Installr\1.bin\57EIPlug.dll
C:\Program Files\MarineAquarium3Free_57EI\Installr\1.bin\57EZSETP.dll
C:\Program Files\MarineAquarium3Free_57EI\Installr\1.bin\NP57EISb.dll
C:\Users\SYSAD\AppData\Roaming\0D0S1L2Z1P1B\Codec Package Packages\uninstaller.exe
C:\Users\SYSAD\AppData\Roaming\DigitalSite\UpdateProc\UpdateTask.exe
C:\Users\SYSAD\Downloads\CodecPackage.exe
C:\Users\SYSAD\Downloads\finalmediaplayer_732.exe
C:\Users\SYSAD\Downloads\FinalVideoDownloaderSetup.exe
C:\Users\SYSAD\Downloads\freefileconverter2_1422.exe
D:\RCA\rcaDVM_setup.exe
  • Press the Browse button and navigate to one of the files in the list.
  • Double click the located file name. The file name should now appear in the online scanner's text entry box.
  • Click on Send File button.
  • The file will be queued, uploaded and scanned by various antivirus scanners. This may take a few minutes.
      If you receive the message: File has already been analysed:
      Please press the Reanalyse file now button, so your file will be scanned.
  • When all scans have completed the results page is displayed
  • Please highlight and copy the page web address link from your browser window.
    Example of web address :
    [image of an example VirusTotal results web address]
  • Please repeat this procedure for each file listed above.
  • Paste the Web address link(s) for the scan results in your next reply.