#11
Sure, I built the fix script using information from the FRST.txt file.
Instead of me explaining it, I'll post it with instructions. You can look at it and see what it will fix.
The fix is to remove the files in the script. The two World Painter exe files are at the top. If you don't want FRST to remove them, delete those two lines, but ONLY those two lines after you paste the script into a local text file.
The start and end must be there or the script won't work:
start
..
..
end
The rest of the files are in your TEMP folder, so you can feel comfortable fixing those.
The instructions and the script are below:
Please open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the Farbar script between the lines (but not the lines) below
Save it to your Desktop, and name it: fixlist.txt
start
C:\Users\Andrew\worldpainter_64_1.2.1.exe
C:\Users\Andrew\worldpainter_64_1.6.4.exe
C:\Users\Andrew\AppData\Local\Temp\DivXSetup.exe
C:\Users\Andrew\AppData\Local\Temp\jansi-32-git-Bukkit-1.6.4-R2.0-1-g988f599-b2919jnks.dll
C:\Users\Andrew\AppData\Local\Temp\jansi-64-git-Bukkit-1.6.4-R2.0-1-g988f599-b2919jnks.dll
C:\Users\Andrew\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Andrew\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\Andrew\AppData\Local\Temp\log4net.dll
C:\Users\Andrew\AppData\Local\Temp\Quarantine.exe
C:\Users\Andrew\AppData\Local\Temp\RSPUpgradeInstaller.exe
C:\Users\Andrew\AppData\Local\Temp\SyncRestarter.exe
C:\Users\Andrew\AppData\Local\Temp\sync_upgrader.exe
end
Once again, run FRST64 as you did before.
When the tool opens click Yes to disclaimer.
Now, press the Fix button, only once, and wait.
When done, FRST produces Fixlog.txt on your Desktop.
Please provide the content of Fixlog.txt in your reply.
Thanks!
Here is fixlog.txt Fixlog.zip
Ok, I take it that you moved the World Painter exe files and TEMP\Quarantine?
If you told me that, I wouldn't have to ask :)
No problem if you did, it's your machine.
However, I don't know what's in Quarantine and I don't want it to come back on you. 99.99% of the time, you can delete anything in your temp folder - that's only temporary storage for things you're working on or installing.
What's the .01% - it's work in progress - a document, spreadsheet, or install. In that case you would wait to remove the file.
I'm cautious too, it's a good trait. But when I deal with Malware, I don't trust it - it is very clever at making itself look important, so that people do not remove it.
Anyway, should I wonder why the FRST fix threw up an error on TEMP\Quarantine? Is a nasty bug preventing FRST from doing its job?
The next thing after you bring me up to date is another Mbam scan.
Close all applications before beginning the scan.
Make sure you check for updates and have the scan settings optimized.
edit: If anything is found by the scan you'll have to look at the list and place a checkmark in the box for it to be removed, otherwise, it's only listed per the settings.
Here's what I run on my machine for Mbam
Not a problem, you can delete your own posts.
Click on the orange asterisk on the quoted text above - that takes you back to the original post.
On the post you want to delete, click Edit, then click Delete.
That expands the delete options.
Click the radio button "Delete this msg".
Add some explanation in the reason box,
and click the "Delete this message" button.
The oops msg should be gone.
Just make sure you're deleting the correct msg. I've oopsed that, and well, oops, it's gone.
Ok, don't sweat Quarantine. As I said, TEMP is temporary storage; whatever created it might have cleaned up after itself. Some apps aren't real good at housekeeping.
edit: Ok waiting on Mbam scan results.
Okay, MBAM completed and returned absolutely nothing, which I guess is good! Or potentially really bad...
Also, I ran CurrPorts on another P.C. on my network (rarely used P.C., WIN7 Ultimate) and it had AppleMobileDeviceService with the remote host being 127.0.0.1, yet the remote host name was [P.C NAME].
As I'm pretty sure my P.C. name is NOT 007guard(dot)com, I'm left a bit confused here. Oh, the other P.C. also had an identical Hosts file to me.
P.S. There's no delete button for me.
EDIT: Sorry, was tired when typing that, my P.C name is just the generic [username-pc]
Last edited by oddblob; 25 Jan 2014 at 18:37.
I need to refresh my memory by reading the thread again.
The hosts file is a means to redirect IP traffic to some address.
127.0.0.1 is the loopback address of every machine. What that means is when a domain name needs to be translated to the IP address, the protocol says look in hosts first, then the DNS.
If a domain is defined in the hosts file, the protocol uses that IP address; otherwise it has to call on the DNS server to resolve the name to an IP address.
A standard hosts file contains two entries, one for IPv4 and one for IPv6:
127.0.0.1 localhost
::1 localhost #[IPv6]
If there are other entries in the hosts file, then either you put them there or they are part of a defense mechanism of an AV program (Spybot S&D? or RUBotted?). I run Avast! and more scanners than I've suggested here, so it's not those.
Anyway, if the entries are 127.0.0.1 it's not an issue because it loops back to your machine - it doesn't go anywhere.
All of the domain names and addresses I've seen in this thread go into that loop; again, that's ok.
127.0.0.1 AppleMobileDeviceService simply means that anything trying to reach AppleMobileDeviceService using IP will not go anywhere. Same for anything else:
127.0.0.1 joes.com
127.0.0.1 joes.net
127.0.0.1 tomandjoes.org
Putting any of those addresses in your browser won't see the light of day if they are defined in the hosts file as shown above.
Right click on Computer and select Properties - your computer name is on that window a little past the 1/2 mark.
"No delete button" refers to deleting a post on this thread?
It has to be your post:
edit, delete, delete radio, delete this msg button
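Added example, not part of the original thread: a small model of how a resolver consults the hosts file, to show the two points in the post above (loopback entries are sinkholes that go nowhere; anything that is not loopback is a real redirect) and one consequence of them that is relevant to the CurrPorts question. The resolver also uses the hosts file for reverse lookups, and the first name listed for an address wins. On Windows 7 the default hosts file ships with its two localhost lines commented out (the resolver handles localhost internally), so once a Spybot S&D immunization block is inserted, the first name mapped to 127.0.0.1 is the first entry of that block, and a tool that reverse-resolves 127.0.0.1 will display that domain rather than the machine name. The sample hosts file, the helper names and the 203.0.113.5 redirect line (documentation range) are constructed for this example; the Spybot-style lines mimic the style of that block and are not copied from any real file.

```python
"""Model of hosts-file resolution (added example, constructed sample data)."""
import ipaddress

# Constructed sample: mimics a Windows 7 default (localhost lines commented out)
# followed by lines in the style of a Spybot S&D immunization block, plus one
# deliberately bad redirect to a non-loopback address.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
# Start of entries inserted by Spybot - Search & Destroy (constructed sample)
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 joes.com
127.0.0.1 joes.net
127.0.0.1 tomandjoes.org
# Constructed malicious line: sends a real site to an attacker-chosen address
203.0.113.5 www.bank.example
"""


def parse_hosts(text):
    """Return (address, hostname) pairs from hosts-file text, in file order.

    '#' starts a comment, blank lines are skipped, one address may be
    followed by several names, and names are case-insensitive.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address; the real resolver ignores the line too
        for name in fields[1:]:
            entries.append((str(addr), name.lower()))
    return entries


def resolve(entries, hostname):
    """Forward lookup: first matching name wins; None means 'fall back to DNS'."""
    hostname = hostname.lower()
    for addr, name in entries:
        if name == hostname:
            return addr
    return None


def reverse_resolve(entries, address):
    """Reverse lookup: the first name mapped to the address wins."""
    address = str(ipaddress.ip_address(address))
    for addr, name in entries:
        if addr == address:
            return name
    return None


def sinkholes(entries):
    """Entries pointing at a loopback address: traffic to them goes nowhere."""
    return [(a, n) for a, n in entries if ipaddress.ip_address(a).is_loopback]


def redirects(entries):
    """Entries pointing anywhere else: these actually move traffic and need a look."""
    return [(a, n) for a, n in entries if not ipaddress.ip_address(a).is_loopback]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("joes.com ->", resolve(hosts, "joes.com"))          # 127.0.0.1 (sinkhole)
    print("example.org ->", resolve(hosts, "example.org"))    # None (ask DNS)
    print("127.0.0.1 reverse ->", reverse_resolve(hosts, "127.0.0.1"))
    print("sinkhole entries:", len(sinkholes(hosts)))
    for addr, name in redirects(hosts):
        print("REDIRECT, investigate:", name, "->", addr)
```

To see the same effect on a live Windows machine, `socket.gethostbyaddr("127.0.0.1")` returns the first hosts-file name for 127.0.0.1; the example models the lookup offline instead of touching the real file. The practical check for a hosts file is the `redirects` list: loopback entries, however many, only block, while any non-loopback entry for a site you use is the kind of thing malware adds.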
Spybot S&D has added all the 1000+ entries to my hosts file, but I still don't get why some programs' remote host name is 007guard(dot)com in CurrPorts.
I should also add my P.C. name is NOT 007guard(dot)com as I said earlier; that was a pretty bad typo by me there... Very sorry! It's just [{myName}-PC], just the standard. Which still leaves me confused as to why the remote host names are 007guard(dot)com, as you've helped me search for malware, and it doesn't seem to be that :S
Also, to do with deleting posts, not sure if it's linked to me being a new user or something, but there's only 'Save', 'Go Advanced' and 'Cancel'. Odd :S