Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

XP Deluxe Protector-can it stop me using the internet?


  • This topic is locked This topic is locked
15 replies to this topic

#1 andy_r

andy_r

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:01:41 PM

Posted 01 August 2009 - 05:43 PM

I have a Windows XP system.

I started getting these pop-ups about 10 weeks ago:

1 'XP Deluxe Protector
Full PC Scan
. . . . Warning XP Deluxe has found 24 useless and UNWANTED files on your computer

Activate Now'

2 'Firewall Warning
Hidden file transfer to remote host was detected

Blocking is recommended'

3 'Trojan detected

A piece of malicious code wasfound in your system. It can replicate itself if no action is taken. Click here to have your system cleaned by XP Deluxe Protector'

4 'Update available.
XP Deluxe Protector has detected that a new threat database is available.'

5 There is also a phoney Windows security alert

'Click here to get your XP Deluxe Protector licence.'

I scanned and quarantined, using Superantispyware, Malwarebytes free downloads and bought a PC tools package, which between them found several files to quarantine, but the problem remained. I came on Bleeping Computer and identifed several of the pop-ups in the guide you have posted on XP Deluxe Protector. I tried again the remedy that was suggested.

Still pop-ups.

I prepared to send in a HTL log and discovered I cannot get connected to the internet on that computer, which I had stopped using by then, so I am sending this to you from another computer.

Earlier in the year I had a problem with an unwanted file BG SVCGEN.EXE, which appeared in none of my program lists. MY computer was passed as clean but this programme was not uninstalled. Could this be the root of the problem?

Most all what should I do now?

Would a system restore work?

I will be grateful for any suggestions/plans of action.

andy_r

BC AdBot (Login to Remove)

 


#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:08:41 AM

Posted 01 August 2009 - 09:42 PM

You can try a system restore
You can also try booting into safe mode w/networking and see if you can connect
Also try to boot into normal mode and open Task Manager
In the Application window,close all running tasks
Then start a new task and type explorer.exe and click OK
That should bring up the Desktop where you can run some scans
The scans I recommend can be downloaded to a flash drive or burnt to a CD
-------------------------------------------------------------

The process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

---------------------------------

Some types of malware will disable Malwarebytes Anti-Malware and other security tools. If MBAM will not install, try renaming it first.
  • Right-click on the mbam-setup.exe file file and rename it to mysetup.exe.
  • Double-click on mysetup.exe to start the installation.
  • If that did not work, then try renaming and changing the file extension. <- click this link if you do not see the file extension
  • Right-click on the mbam-setup.exe file, rename it to mysetup and change the .exe extension to .scr, .com, .pif, or .bat.
  • Then double-click on mysetup.scr (or whatever extension you renamed it) to begin installation.
If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.

Be sure to update MBAM through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install. Then perform a Quick Scan in normal mode and check all items found for removal. Don't forgot to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the report in your next reply.

Note: MBAM uses Inno Setup instead of the Windows Installer Service to install the program. If installation fails in normal mode, try installing in safe mode. Doing this is usually not advised as MBAM is designed to be at full power when running in normal mode and loses some effectiveness for detection & removal when used in safe mode. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Therefore, after completing a scan it is recommended to uninstall MBAM, then reinstall it in normal mode and perform another Quick Scan.
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 andy_r

andy_r
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:01:41 PM

Posted 03 August 2009 - 05:02 PM

Hi Mark,

Thanks a lot for your post. I ended up using the 'explorer exe' route and I am enclosing the MBam log:

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

03/08/2009 01:29:50
mbam-log-2009-08-03 (01-29-50).txt

Scan type: Quick Scan
Objects scanned: 141519
Time elapsed: 35 minute(s), 49 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 7

Memory Processes Infected:
C:\Documents and Settings\Andy\XP Deluxe Protector\xpdeluxe.exe (Rogue.DeluxeProtector) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XP Deluxe Protector (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xpprotect (Rogue.DeluxeProtector) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Andy\XP Deluxe Protector (Rogue.DeluxeProtector) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysloc (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Andy\XP Deluxe Protector\xpdeluxe.exe (Rogue.DeluxeProtector) -> Quarantined and deleted successfully.
c:\documents and settings\Andy\local settings\temporary internet files\Content.IE5\2DE7BKEO\iehostcx32[1].dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Andy\local settings\temporary internet files\Content.IE5\DDB9OL4K\xpdeluxe[1].exe (Rogue.DeluxeProtector) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\sysloc\sysloc.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andy\Start Menu\XP Deluxe Protector.LNK (Rogue.DeluxeProtector) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andy\Desktop\XP Deluxe Protector.LNK (Rogue.DeluxeProtector) -> Quarantined and deleted successfully.
c:\487656.bat (Malware.Trace) -> Quarantined and deleted successfully.

. . . . . . . . . . . . . .

The pop-ups have gone and the XP Deluxe Protector has been uninstalled! I don't know if it was because of the updates to the Malwarebytes programme, as I had previously done the same scan. Anyway, I am very relieved, so thank you very much.

One loose end is I still can't get on the internet (due to changes made by the malware?) Can you advise me how I change the settings back?

andy_r

#4 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:08:41 AM

Posted 03 August 2009 - 08:05 PM

One loose end is I still can't get on the internet (due to changes made by the malware?) Can you advise me how I change the settings back?


We still might have some issues

Update mbam and run a FULL scan
Please post the results

Then run ATF and SAS


ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

------------------------------------

SAS,may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
---------------------------

Finish scanning with Dr Web

Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#5 andy_r

andy_r
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:01:41 PM

Posted 07 August 2009 - 04:44 AM

Hi Mark,

Sorry for the delay. The results are for the MBAM:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

06/08/2009 13:08:56
mbam-log-2009-08-06 (13-08-56).txt

Scan type: Full Scan (A:\|C:\|)
Objects scanned: 307214
Time elapsed: 2 hour(s), 46 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

. . . . . . .

The next one is the SuperAntiSpyware:

#6 andy_r

andy_r
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:01:41 PM

Posted 07 August 2009 - 07:11 AM

Hi Mark,

Sorry about the interruption.

Firstly I used the ATF Cleaner and it removed nearly 2GB of temp files! Then I used the SAS and the log is:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/06/2009 at 07:26 PM

Application Version : 4.27.1000

Core Rules Database Version : 4023
Trace Rules Database Version: 1963

Scan type : Complete Scan
Total Scan Time : 02:49:22

Memory items scanned : 290
Memory threats detected : 0
Registry items scanned : 6094
Registry threats detected : 0
File items scanned : 175086
File threats detected : 2

Trojan.Agent/Gen-FakeAlert-XPDPO
C:\DOCUMENTS AND SETTINGS\ANDY\LOCAL SETTINGS\TEMP\C.EXE
C:\DOCUMENTS AND SETTINGS\ANDY\LOCAL SETTINGS\TEMP\DEFENDER.EXE

. . . . . . . .

I then did the DrWeb CureIt scan with no results. I can't copy and paste the report but it took 7. 39. 24 hrs and scanned 367,214 objects and found 0 infected.

I still can't get on the Internet but can I change the Settings to sort this out? Also, I have the free SAS loaded on my computer. Should I reverse the changes we made to the Start-up and scanning options for my future use?

Andy

#7 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:08:41 AM

Posted 07 August 2009 - 08:07 PM

Should I reverse the changes we made to the Start-up and scanning options for my future use?


What changes did I have you make to the Startup items?

C:\DOCUMENTS AND SETTINGS\ANDY\LOCAL SETTINGS\TEMP\C.EXE
C:\DOCUMENTS AND SETTINGS\ANDY\LOCAL SETTINGS\TEMP\DEFENDER.EXE


We still have to deal with these
-----------------------------------

Please download Sysclean Package and the latest Virus Pattern Files - (Pattern files are usually named lptxxx.zip, where xxx is the pattern file number) and save them to your desktop.
  • Be sure to print out and follow the instructions provided in the How to Use System Cleaner for performing a scan.
  • If you get a message that "required files are missing", click Ok and wait for sysclean.com to unpack them.
  • This tool generates a log file (sysclean.log) in the same folder where you ran it - C:\Sysclean.
-- When using Sysclean its best to use the Administrator's account or an account with Administrative rights otherwise you will not have access rights to scan some locations. You can Use the "Run As" Command to Start a Program as an Administrator. Even when doing that, the scanning process may result in "Access Denied" messages for some files. This is normal because these files are protected by the system.

-- Some anti-virus programs will alert you of a virus attack when running sysclean so it's best to disable them before performing a scan.

Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#8 andy_r

andy_r
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:01:41 PM

Posted 08 August 2009 - 08:18 PM

Hi Mark,

These were the changes I made to SAS.

Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

I have had problems with the SYSCLEAN scan. The downloading of the SYSCLEAN.COM and the latest pattern file to a C:\ folder went oK but when I tried to run it I got the Missing pattern file for 2 files and haven't been able to download.

Andy

#9 andy_r

andy_r
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:01:41 PM

Posted 09 August 2009 - 06:10 AM

Hi Mark,

I thought this was going too well!?

I've tried again this morning to run the Sysclean package.

I have downloaded it and saved it to a new temp folder in C:|| drive on our laptop (Windows Vista, no viruses and with the working internet connection). I have then dowloaded and saved the Official Pattern Release for Viruses from trend.micro. I highlighted the Zip folder and clicked on a tab at the top to unpack. This seemed to work. (I had also downloaded an evaluation copy of Winzip121 and saved it to this folder-did this help?)

I then opened Explorer and put the C:\sysclean address into the the address bar and opened it, double clicked on the MSDos Application file. It attempted to run but two error messages come up telling me 2 required files need downloading from trend.micro, namely ssapiptn.da5 and lpt$vpn* . I managed to locate these files at trend micro and downloaded the files, unzipping them too. However, when I tried again, the messages came up again asking for these files to be downloaded.

I am now a bit stumped. I am also wondering if I am finally able to run this on our laptop, which has an internet connection, will I be able to copy it over to the PC that has the virus and run it there, as it has no internet connection?

Any thoughts . . ?

Andy

#10 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:08:41 AM

Posted 09 August 2009 - 07:42 PM

Go ahead and uninstall Sysclean

will I be able to copy it over to the PC that has the virus and run it there, as it has no internet connection?


You have me slightly confused. I thought we were just working on one computer?
Download Root Repeal and run it on the infected computer



We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Edited by garmanma, 09 August 2009 - 07:44 PM.

Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#11 andy_r

andy_r
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:01:41 PM

Posted 10 August 2009 - 04:09 AM

Hi Mark,

To clarify the computer system. I am using an uninfected laptop that can go online to e-mail bleeping computer and to download software. I am then transferring the downloads to my infected and currently offline computer.

I am going on a short break this week to visit family and do some hill-walking in the north of England, so I will try the root kits, when I return. Thanks for all your help so far. I hope you will still be around when I get back!

Kind regards,
Andy

#12 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:08:41 AM

Posted 10 August 2009 - 08:02 PM

No problem
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#13 andy_r

andy_r
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:01:41 PM

Posted 20 August 2009 - 06:30 PM

Hi Mark,

Back home now and have tried sysclean again and managed to run it, following all instructions and got this report:

175872 files have been read.
175872 files have been checked.
175800 files have been scanned.
362050 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.

. . . . . . . . . . . . . .

Not helpful. The scan did not include a spyware check as i couldn't get the right file for this to download but was otherwise exactly as shown in the guide.
. . . . . . . . . . . .
I tried the root repeal downloads. I followed the instructions ( although I was a bit unsure here). I downloaded the zip files for the Primary mirror, Secondary mirror and Secondary mirror and saved them to a folder naming them rootrepeal1 . .2 . .3. I then extracted the files from these three and then using a memory stick copied them over to the infected computer and double clicked on the RootRepeal.exe. from the Primary mirror file. All the steps up to Step 9 went fine as in your guide and then a message said 'Please wait. Initializing the scan' but then the computer froze and when I returned later had logged me out. This happened three times.

Andy

#14 andy_r

andy_r
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:01:41 PM

Posted 26 August 2009 - 04:58 PM

Hi Mark,

Know you must be busy but I wondered if you could continue with the advice, which has been very helpful so far. Or should I start a new topic, as I have been away? Any advice about how to proceed would be helpful..

Thanks,

Andy

#15 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:08:41 AM

Posted 28 August 2009 - 09:05 AM

C.EXE
DEFENDER.EXE


While you were gone, I managed to do some more reading plus we've had a change in policy
You have a very persistent rootkit. The newer strain is impossible to get rid of with the tools allowed in this forum
You need to submit a DDS / HJT log. following these instructions
If you cannot run the DDS scan, post back and I will give you another option to try

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

The HJT team is very busy and it will take awhile to get to your post
Please be patient and good luck

Edited by garmanma, 28 August 2009 - 09:08 AM.

Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users