Infected and can't get cleaned!


28 replies to this topic

#1 Gunner5176

Posted 29 December 2009 - 03:11 PM

Hello, I have a Dell XPS with a Microsoft Windows XP operating system. On Sunday Dec 27 there was a trojan program that infected my computer and has ever since slowed down the startup and running of my computer. I have tried running Windows Defender numerous times. Each time Defender is run it stalls at the wscui.cpl file. I downloaded McAfee Monday the 28th and it stalled several times as well. I finally got McAfee to run Monday night and it found 14 infections and quarantined, removed, and repaired the infected files. Tuesday morning the computer was back to having the same symptoms of slow startup and running, and there seems to be a program running in the background as well. I tried running McAfee again and it once again stalled. I am at a loss and the virus seems pissed that I'm trying to eradicate it. I've never experienced a bug so determined. What should I do? Please help. Kevin


#2 boopme

Posted 29 December 2009 - 03:28 PM

Hello and welcome, please run these next. If you have Spybot installed, temporarily disable it.
Next run ATF:
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM, please rename it to zztoy.exe, then save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Gunner5176

Posted 29 December 2009 - 04:56 PM

The son of a gun got smart for a minute and wouldn't let me connect to the internet to download your recommended software. I downloaded both the ATF and Malwarebytes and ran both as you said. The Malwarebytes ended up stalling during the quarantining and removal process. It stated there were 103 infections. I had to restart the computer and run the Malwarebytes again. It is currently rescanning. Do you have any suggestions if it stalls Malwarebytes again? I will post the results if Malwarebytes is able to complete its process. Thanks, Kevin

#4 boopme

Posted 29 December 2009 - 06:41 PM

Run RKill, then as quickly as you can start MBAM.

Please download Rkill by Grinler and save it to your desktop.
Alternate downloads: Link 2, Link 3, Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
You will need to run the application again if rebooting the computer occurs along the way.

#5 Gunner5176

Posted 30 December 2009 - 01:08 AM

I performed everything as you have stated and it still stalls out the MalwareBytes and the computer. I am having to use another computer to talk to you on because it kills the internet connection a few minutes after start up. I have never had so much trouble out of a damn bug or group of 'em. Is there anything else I can do to get rid of this thing? Here is the file it stalls the MalwareBytes on: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InternetExplorer\LowRights\RunDll32Policy\f3SCtr.dll. Here are the MalwareBytes scan results before I try to quarantine and remove. Any help is greatly appreciated. If you guys can't fix it I have to pay DELL $130 to fix it. Thanks, Kevin

Malwarebytes' Anti-Malware 1.42
Database version: 3452
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/29/2009 10:54:11 PM
mbam-log-2009-12-29 (22-53-56).txt

Scan type: Quick Scan
Objects scanned: 152551
Time elapsed: 6 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 29
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 25
Files Infected: 56

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/popcaploader.dll (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\ErrorFix (Rogue.ErrorFix) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\ErrorFix (Rogue.ErrorFix) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Documents and Settings\HelpAssistant\Application Data\ErrorFix (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant\Application Data\ErrorFix\Logs (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant\Application Data\ErrorFix\QuarantineW (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant\Application Data\ErrorFix\QuarantineW\2009-04-01 12-15-090 (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant\Application Data\ErrorFix\QuarantineW\2009-04-01 12-15-090 (Rogue.ErrorFix) -> Files: 1600 -> No action taken.
C:\Documents and Settings\HelpAssistant\Application Data\ErrorFix\Results (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL\Application Data\ErrorFix (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL\Application Data\ErrorFix\Logs (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL\Application Data\ErrorFix\QuarantineW (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL\Application Data\ErrorFix\QuarantineW\2009-04-01 12-15-090 (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL\Application Data\ErrorFix\QuarantineW\2009-04-01 12-15-090 (Rogue.ErrorFix) -> Files: 1600 -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL\Application Data\ErrorFix\Results (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL.000\Application Data\ErrorFix (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL.000\Application Data\ErrorFix\Logs (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL.000\Application Data\ErrorFix\QuarantineW (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL.000\Application Data\ErrorFix\QuarantineW\2009-04-01 12-15-090 (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL.000\Application Data\ErrorFix\QuarantineW\2009-04-01 12-15-090 (Rogue.ErrorFix) -> Files: 1600 -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL.000\Application Data\ErrorFix\Results (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\Pearl Jones\Application Data\ErrorFix (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\Pearl Jones\Application Data\ErrorFix\Logs (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\Pearl Jones\Application Data\ErrorFix\QuarantineW (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\Pearl Jones\Application Data\ErrorFix\QuarantineW\2009-04-01 12-15-090 (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\Pearl Jones\Application Data\ErrorFix\QuarantineW\2009-04-01 12-15-090 (Rogue.ErrorFix) -> Files: 1600 -> No action taken.
C:\Documents and Settings\Pearl Jones\Application Data\ErrorFix\Results (Rogue.ErrorFix) -> No action taken.
C:\Program Files\ErrorFix (Rogue.ErrorFix) -> No action taken.

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> No action taken.
C:\Documents and Settings\HelpAssistant\Application Data\ErrorFix\Logs\2009-03-31 14-51-270.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant\Application Data\ErrorFix\Logs\2009-03-31 15-08-570.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant\Application Data\ErrorFix\Logs\2009-03-31 19-13-550.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant\Application Data\ErrorFix\Logs\2009-03-31 19-25-250.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant\Application Data\ErrorFix\Logs\2009-03-31 19-27-010.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant\Application Data\ErrorFix\Logs\2009-03-31 19-35-150.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant\Application Data\ErrorFix\Logs\2009-03-31 19-40-010.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant\Application Data\ErrorFix\Logs\2009-03-31 20-04-240.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant\Application Data\ErrorFix\Logs\2009-04-01 12-00-010.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant\Application Data\ErrorFix\Logs\2009-04-01 12-00-011.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant\Application Data\ErrorFix\Logs\2009-04-01 12-26-230.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant\Application Data\ErrorFix\Results\Junk.db (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant\Application Data\ErrorFix\Results\Update.db (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL\Application Data\ErrorFix\Logs\2009-03-31 14-51-270.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL\Application Data\ErrorFix\Logs\2009-03-31 15-08-570.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL\Application Data\ErrorFix\Logs\2009-03-31 19-13-550.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL\Application Data\ErrorFix\Logs\2009-03-31 19-25-250.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL\Application Data\ErrorFix\Logs\2009-03-31 19-27-010.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL\Application Data\ErrorFix\Logs\2009-03-31 19-35-150.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL\Application Data\ErrorFix\Logs\2009-03-31 19-40-010.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL\Application Data\ErrorFix\Logs\2009-03-31 20-04-240.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL\Application Data\ErrorFix\Logs\2009-04-01 12-00-010.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL\Application Data\ErrorFix\Logs\2009-04-01 12-00-011.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL\Application Data\ErrorFix\Logs\2009-04-01 12-26-230.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL\Application Data\ErrorFix\Results\Junk.db (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL\Application Data\ErrorFix\Results\Update.db (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL.000\Application Data\ErrorFix\Logs\2009-03-31 14-51-270.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL.000\Application Data\ErrorFix\Logs\2009-03-31 15-08-570.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL.000\Application Data\ErrorFix\Logs\2009-03-31 19-13-550.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL.000\Application Data\ErrorFix\Logs\2009-03-31 19-25-250.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL.000\Application Data\ErrorFix\Logs\2009-03-31 19-27-010.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL.000\Application Data\ErrorFix\Logs\2009-03-31 19-35-150.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL.000\Application Data\ErrorFix\Logs\2009-03-31 19-40-010.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL.000\Application Data\ErrorFix\Logs\2009-03-31 20-04-240.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL.000\Application Data\ErrorFix\Logs\2009-04-01 12-00-010.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL.000\Application Data\ErrorFix\Logs\2009-04-01 12-00-011.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL.000\Application Data\ErrorFix\Logs\2009-04-01 12-26-230.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL.000\Application Data\ErrorFix\Results\Junk.db (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\HelpAssistant.PEARL.000\Application Data\ErrorFix\Results\Update.db (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\Pearl Jones\Application Data\ErrorFix\Logs\2009-03-31 14-51-270.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\Pearl Jones\Application Data\ErrorFix\Logs\2009-03-31 15-08-570.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\Pearl Jones\Application Data\ErrorFix\Logs\2009-03-31 19-13-550.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\Pearl Jones\Application Data\ErrorFix\Logs\2009-03-31 19-25-250.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\Pearl Jones\Application Data\ErrorFix\Logs\2009-03-31 19-27-010.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\Pearl Jones\Application Data\ErrorFix\Logs\2009-03-31 19-35-150.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\Pearl Jones\Application Data\ErrorFix\Logs\2009-03-31 19-40-010.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\Pearl Jones\Application Data\ErrorFix\Logs\2009-03-31 20-04-240.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\Pearl Jones\Application Data\ErrorFix\Logs\2009-04-01 12-00-010.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\Pearl Jones\Application Data\ErrorFix\Logs\2009-04-01 12-00-011.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\Pearl Jones\Application Data\ErrorFix\Logs\2009-04-01 12-26-230.log (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\Pearl Jones\Application Data\ErrorFix\Results\Evidence.db (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\Pearl Jones\Application Data\ErrorFix\Results\Junk.db (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\Pearl Jones\Application Data\ErrorFix\Results\Registry.db (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\Pearl Jones\Application Data\ErrorFix\Results\Update.db (Rogue.ErrorFix) -> No action taken.
C:\WINDOWS\Tasks\ErrorFix Scan.job (Rogue.ErrorFix) -> No action taken.
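The scan results above follow the Malwarebytes' Anti-Malware 1.x text log layout. As an added example that is not from this thread or from Malwarebytes, the Python below parses that layout, checks the summary counts against the itemized entries, and flags the two things a helper looks at first in such a log: whether anything was actually removed, and whether the Security Center notification keys were switched off. The embedded log is a constructed excerpt re-typed from a few of the posted entries with its own counts; the function names are this example's own.

```python
"""Parse and triage a Malwarebytes' Anti-Malware 1.x text log in the layout posted above."""
import re
from collections import Counter

# Constructed excerpt in the layout of the log in post #5: a few of the posted
# entries re-typed, with summary counts that match this excerpt, not the full log.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.42
Database version: 3452
Windows 5.1.2600 Service Pack 3

Memory Processes Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\ErrorFix (Rogue.ErrorFix) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\ErrorFix (Rogue.ErrorFix) -> No action taken.
C:\Documents and Settings\Pearl Jones\Application Data\ErrorFix\QuarantineW\2009-04-01 12-15-090 (Rogue.ErrorFix) -> Files: 1600 -> No action taken.

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> No action taken.
C:\WINDOWS\Tasks\ErrorFix Scan.job (Rogue.ErrorFix) -> No action taken.
"""

# One detection line: "<item> (<detection name>) -> [extra -> ...] <action>"
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")

def parse_mbam_log(text):
    """Return {'header': {...}, 'summary': {section: count}, 'sections': {section: [entries]}}."""
    report = {"header": {}, "summary": {}, "sections": {}}
    current = None  # itemized section we are inside, once the summary block is over
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report["summary"][m.group("section")] = int(m.group("count"))
        elif line.endswith(" Infected:"):
            current = line[:-1]
            report["sections"][current] = []
        elif current is not None:
            e = ENTRY_RE.match(line)
            if e:  # "(No malicious items detected)" does not match and is skipped
                parts = e.group("rest").split(" -> ")
                report["sections"][current].append({
                    "item": e.group("item"),
                    "detection": e.group("detection"),
                    "extras": parts[:-1],  # e.g. "Files: 1600" or "Bad: (1) Good: (0)"
                    "action": parts[-1],   # e.g. "No action taken."
                })
        elif line.startswith("Malwarebytes"):
            report["header"]["product"] = line
        elif line.startswith("Windows "):
            report["header"]["os"] = line
        elif ": " in line:  # "Database version: 3452", "Scan type: Quick Scan", ...
            key, value = line.split(": ", 1)
            report["header"][key] = value
    return report

def triage(report):
    """Checks a helper makes before choosing the next step: counts, removals, Security Center."""
    entries = [e for sec in report["sections"].values() for e in sec]
    mismatches = []  # a truncated paste or a scan cut off mid-removal shows up here
    for section, expected in report["summary"].items():
        actual = len(report["sections"].get(section, []))
        if actual != expected:
            mismatches.append(f"{section}: summary {expected}, listed {actual}")
    return {
        "total": len(entries),
        "count_mismatches": mismatches,
        "untreated": sum(e["action"] == "No action taken." for e in entries),
        "security_center_tampered": [e["item"] for e in entries
                                     if e["detection"] == "Disabled.SecurityCenter"],
        "families": Counter(e["detection"] for e in entries),
    }
```

An "untreated" count equal to "total" means the log is a scan-only report, which is what the poster said he was sending before attempting quarantine.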

#6 boopme

Posted 30 December 2009 - 10:58 AM

Let's see if we can run DrWeb. If Safe Mode fails, use Normal mode, but let me know. This will take a few hours.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)


#7 Gunner5176

Posted 30 December 2009 - 12:26 PM

The computer won't run the program. It keeps rebooting once I push the OK tab to start the scan. It does this in Safe Mode and in Normal Mode.

#8 boopme

Posted 30 December 2009 - 12:29 PM

Arrrcgghhh!!
Try this first, then rerun MBAM, as that is operating.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


#9 Gunner5176

Posted 30 December 2009 - 12:50 PM

I just tried what you said. All extracted files are on the desktop. There are only two: the Notepad and the TDSS Rootkit removing tool. I went to Run and copied the filename to the directory and it says it cannot find the file. What am I doing wrong?

#10 boopme

Posted 30 December 2009 - 12:59 PM

Ok... I am really trying to get us in. Can we run MBAM (quick scan) again on its own?

#11 Gunner5176

Posted 30 December 2009 - 01:02 PM

I'll try. I will say it hasn't blocked internet usage yet after only a few minutes like it has in the past couple of days.

#12 Gunner5176

Posted 30 December 2009 - 01:13 PM

I just ran MBAM and it once again froze during the quarantine process on the same file as before. It also killed the internet connection as well. Any suggestions?

#13 boopme

Posted 30 December 2009 - 02:28 PM

See if this fixes your net issues.

Go to Start ... Run and type in cmd.
A DOS window will appear.
Type in the DOS window: netsh winsock reset
Press the Enter key.

Reboot your system to complete the process.



Open Task Manager (press CTRL+SHIFT+ESC).
With Task Manager open, under the Processes tab, look for suspicious processes (all numbers or something consuming most of the CPU).
Highlight such and click End Process.

Try MBAM again.

#14 Gunner5176

Posted 30 December 2009 - 03:50 PM

There was an aawservice.exe and MsMpEngine.exe that were running high upon startup and I had to continuously end the processes on both; they kept reappearing. I finally got both of them to end after 4 end processes on each one. MBAM is currently scanning.

#15 Gunner5176

Posted 30 December 2009 - 03:52 PM

There are a total of nine servicehost.exe on processes. Should there be that many? None of them are running.



