Access Denied when installing Malwarebytes


  • This topic is locked
8 replies to this topic

#1 RobClark

Posted 18 June 2011 - 09:54 AM

I've removed the volsnap rootkit. I've restored the missing start menu folders and shortcuts out of the smtmp folder in the temp directory. But now it appears that whatever version of this fraud virus was on here has changed the permissions on some of the folders so that I can't install Malwarebytes and/or update the version that is already on the computer. When I try to run the Malwarebytes update, it says it's already up to date, which I know is incorrect, and the date is blank under the current database information section.
When I try to reinstall mbam-setup.exe, the install makes it to the part where it says "Saving uninstall information...", and Windows pops up a Setup window, "Access is denied". I hit OK and another window pops up, "Error", "Setup was not completed. Please correct the problem and run Setup again". I hit OK, and the computer rolls back the installation.
How can I fix the permissions? And I fear I probably need to fix the permissions on more than one folder....

Here are the contents of the dds.txt file.

.
DDS (Ver_2011-06-12.02) - NTFSx86 NETWORK
Internet Explorer: 8.0.7600.16385
Run by ROB at 10:29:45 on 2011-06-18
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3061.2229 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\ctfmon.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\explorer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Installer\wlstartup.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Citrix\GoToAssist Express Customer\290\g2ax_service.exe
C:\Program Files\Citrix\GoToAssist Express Customer\290\g2ax_comm_customer.exe
C:\Program Files\Citrix\GoToAssist Express Customer\290\g2ax_system_customer.exe
C:\Program Files\Citrix\GoToAssist Express Customer\290\g2ax_user_customer.exe
C:\Program Files\Citrix\GoToAssist Express Customer\290\g2ax_host.exe
C:\Program Files\Windows Live\Installer\wlarp.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\cleanddm.lnk - c:\users\rob\appdata\local\cleanddm.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.87.64.150 68.87.75.198
TCP: Interfaces\{9796C22C-B8A2-4AB4-A56A-9CF1E1C04B50} : DhcpNameServer = 68.87.64.150 68.87.75.198
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: GoToAssist Express Customer - c:\program files\citrix\gotoassist express customer\290\g2ax_winlogon.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\citrix\gotoassist express customer\290\g2ax_service.exe [2011-6-14 161144]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2010-1-8 273448]
S2 APCPBEAgent;APC PBE Agent;c:\program files\apc\powerchute business edition\agent\pbeagent.exe [2010-1-20 28672]
S2 APCPBEServer;APC PBE Server;c:\program files\apc\powerchute business edition\server\pbeserver.exe [2010-1-20 45134]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-11-28 1962136]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 SavRoam;SavRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-11-28 122008]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-11 1343400]
.
=============== Created Last 30 ================
.
2011-06-18 14:03:33 110456 ----a-w- c:\users\rob\g2ax_customer_downloadhelper_win32_x86.exe
2011-06-18 13:52:58 -------- d-sh--w- C:\$RECYCLE.BIN
2011-06-18 13:52:57 -------- d-----w- c:\users\rob\appdata\local\temp
2011-06-18 13:47:17 98816 ----a-w- c:\windows\sed.exe
2011-06-18 13:47:17 518144 ----a-w- c:\windows\SWREG.exe
2011-06-18 13:47:17 256512 ----a-w- c:\windows\PEV.exe
2011-06-18 13:47:17 208896 ----a-w- c:\windows\MBR.exe
2011-06-18 13:10:04 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-17 09:57:51 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{371f9d5d-469b-4d3f-b170-855aad5b4def}\mpengine.dll
2011-06-14 11:31:47 -------- d-----w- c:\users\rob\appdata\local\Symantec
2011-05-24 23:17:35 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys
.
==================== Find3M ====================
.
2011-06-18 13:09:06 245328 ----a-w- c:\windows\system32\drivers\volsnap.sys
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-09 06:13:06 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-04-09 06:13:06 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-04-09 05:56:38 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-03-25 03:06:46 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2011-03-25 03:06:25 284160 ----a-w- c:\windows\system32\drivers\usbport.sys
2011-03-25 03:06:23 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-03-25 03:06:12 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
2011-03-25 03:06:11 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
2011-03-25 03:06:10 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2011-03-25 03:06:06 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
.
============= FINISH: 10:29:54.70 ===============

And the gmer.log
GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-06-18 11:11:09
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD800AAJS-75M0A0 rev.02.03E02
Running: gmer.exe; Driver: C:\Users\ROB\AppData\Local\Temp\kxloqpog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 81C7E569 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81CA3092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? system32\drivers\75241289.sys The system cannot find the path specified. !
? system32\drivers\tsk8FFF.tmp The system cannot find the path specified. !
? C:\Users\ROB\AppData\Local\Temp\catchme.sys The system cannot find the file specified. !
? C:\Users\ROB\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1460] USER32.dll!UnhookWindowsHookEx 7600CC7B 5 Bytes JMP 6EA083A2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1460] USER32.dll!CallNextHookEx 7600CC8F 5 Bytes JMP 6E9E9D94 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1460] USER32.dll!CreateWindowExW 76010E51 5 Bytes JMP 6E9F8197 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1460] USER32.dll!SetWindowsHookExW 7601210A 5 Bytes JMP 6E9A463B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1460] USER32.dll!DialogBoxIndirectParamW 76034AA7 5 Bytes JMP 6EB1FED8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1460] USER32.dll!DialogBoxParamW 7603564A 5 Bytes JMP 6E914BA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1460] USER32.dll!DialogBoxParamA 7604CF6A 5 Bytes JMP 6EB1FE75 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1460] USER32.dll!DialogBoxIndirectParamA 7604D29C 5 Bytes JMP 6EB1FF3B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1460] USER32.dll!MessageBoxIndirectA 7605E8C9 5 Bytes JMP 6EB1FE0A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1460] USER32.dll!MessageBoxIndirectW 7605E9C3 5 Bytes JMP 6EB1FD9F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1460] USER32.dll!MessageBoxExA 7605EA29 5 Bytes JMP 6EB1FD3D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1460] USER32.dll!MessageBoxExW 7605EA4D 5 Bytes JMP 6EB1FCDB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1460] ole32.dll!OleLoadFromStream 77405BF6 5 Bytes JMP 6EB2022B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1460] ole32.dll!CoCreateInstance 7745590C 5 Bytes JMP 6E9F8C85 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] USER32.dll!CreateWindowExW 76010E51 5 Bytes JMP 6E9F8197 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] USER32.dll!DialogBoxIndirectParamW 76034AA7 5 Bytes JMP 6EB1FED8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] USER32.dll!DialogBoxParamW 7603564A 5 Bytes JMP 6E914BA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] USER32.dll!DialogBoxParamA 7604CF6A 5 Bytes JMP 6EB1FE75 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] USER32.dll!DialogBoxIndirectParamA 7604D29C 5 Bytes JMP 6EB1FF3B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] USER32.dll!MessageBoxIndirectA 7605E8C9 5 Bytes JMP 6EB1FE0A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] USER32.dll!MessageBoxIndirectW 7605E9C3 5 Bytes JMP 6EB1FD9F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] USER32.dll!MessageBoxExA 7605EA29 5 Bytes JMP 6EB1FD3D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] USER32.dll!MessageBoxExW 7605EA4D 5 Bytes JMP 6EB1FCDB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\volsnap \Device\HarddiskVolumeShadowCopy1 tsk8FFF.tmp
Device \Driver\volsnap \Device\HarddiskVolumeShadowCopy2 tsk8FFF.tmp
Device \Driver\volsnap \Device\HarddiskVolumeShadowCopy3 tsk8FFF.tmp

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 tsk8FFF.tmp
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 tsk8FFF.tmp
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 tsk8FFF.tmp

Device \Driver\ACPI_HAL \Device\0000004c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \FileSystem\fastfat \Fat 8A7CB130

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Merged 3 posts. ~ OB


Edited by Orange Blossom, 18 June 2011 - 07:46 PM.
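A scripted version of the permission repair asked about in the post above, added here as an example; it is not from the thread, from Malwarebytes or from any of the tools the helpers hand out. It assumes the 32-bit Windows 7 folder names that Malwarebytes 1.x used (Program Files\Malwarebytes' Anti-Malware and ProgramData\Malwarebytes) and an elevated PowerShell prompt. It first lists explicit Deny ACEs under those trees, then takes ownership and resets each tree to the ACLs inherited from its parent, and finally checks the Uninstall registry key, because "Saving uninstall information..." is the step at which the installer writes there as well as into the program folder.

```powershell
# Added example (not from the thread): find explicit Deny ACEs on the folders the
# Malwarebytes 1.x installer writes to, then reset those trees to the inherited defaults.
# Folder names are assumptions for a 32-bit Windows 7 install; adjust for your box.
# Run from an elevated PowerShell prompt (right-click > Run as Administrator).

$targets = @(
    "$env:ProgramFiles\Malwarebytes' Anti-Malware",
    "$env:ProgramData\Malwarebytes",
    "$env:APPDATA\Malwarebytes"
)

function Find-DenyAces {
    # Returns one object per explicit (non-inherited) Deny ACE found under the given roots.
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $items = @(Get-Item -LiteralPath $root) +
                 @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            $acl = Get-Acl -Path $item.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }   # ACL unreadable: the reset below still covers it
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Deny' -and -not $ace.IsInherited) {
                    New-Object PSObject -Property @{
                        Path      = $item.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
    }
}

function Reset-TreeAcl {
    # Takes ownership of the tree, then replaces every ACL in it with the defaults
    # inherited from the parent folder, which removes stray Deny ACEs in one pass.
    param([string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    takeown.exe /F $Root /R /D Y | Out-Null
    icacls.exe $Root /reset /T /C | Out-Null
}

$before = @(Find-DenyAces -Roots $targets)
"Explicit Deny ACEs before reset:"
$before | Format-Table Path, Principal, Rights -AutoSize

foreach ($t in $targets) { Reset-TreeAcl -Root $t }

$after = @(Find-DenyAces -Roots $targets)
"Deny ACEs before: $($before.Count), after: $($after.Count)"

# The installer's "Saving uninstall information" step also writes under this key;
# a Deny ACE here gives the same "Access is denied" even when the folder ACLs are clean.
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
"Deny ACEs on $uninst (empty is good):"
(Get-Acl -Path $uninst).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize
```

Read the "before" table before trusting the reset: a Deny for Everyone or for the user's own account on the program folder is enough to explain the installer failure. If the folders come back clean but the Uninstall key shows a Deny, that key's permissions are what need fixing (regedit, right-click the key, Permissions), and the same check can be pointed at the Malwarebytes keys under HKLM\SOFTWARE. Run the reset only against the application trees listed, never against Program Files or ProgramData themselves.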

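A triage helper for the GMER report posted above, added as an example of how to read such a log rather than anything GMER itself provides. GMER suffixes the modules it can identify with "(file description/company)" taken from the file's version information, so Device and AttachedDevice entries without that suffix, and "? <driver> ... cannot find" entries for drivers that are not a scanner's own temporary driver, are the lines that deserve a second look. The sample lines are copied from the report in the post above; the list of scanner drivers to ignore is my assumption.

```powershell
# Added example (my triage heuristics, not a GMER feature): pull out of a GMER text
# report the entries worth examining. Sample lines are copied from the report above.

$sampleReport = @'
? system32\drivers\75241289.sys The system cannot find the path specified. !
? system32\drivers\tsk8FFF.tmp The system cannot find the path specified. !
? C:\Users\ROB\AppData\Local\Temp\catchme.sys The system cannot find the file specified. !
? C:\Users\ROB\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
Device \Driver\volsnap \Device\HarddiskVolumeShadowCopy1 tsk8FFF.tmp
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 tsk8FFF.tmp
Device \Driver\ACPI_HAL \Device\0000004c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
'@

# Temp drivers the scanners themselves load (GMER's catchme, the mbr tool). Their
# "cannot find" lines are expected once the tool has exited. Assumed list, extend as needed.
$scannerDrivers = @('catchme.sys', 'mbr.sys')

function Get-GmerFindings {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\?\s+(\S+)\s+The system cannot find') {
            # A driver GMER saw referenced but could not open on disk
            $file = Split-Path -Path $Matches[1] -Leaf
            if ($scannerDrivers -notcontains $file) {
                New-Object PSObject -Property @{ Kind = 'MissingDriverFile'; Module = $file; Line = $line }
            }
        }
        elseif ($line -match '^(Device|AttachedDevice)\s+(\S+)\s+(\S+)\s+(\S+)\s*(\(.*\))?$') {
            # Group 5 is the "(description/company)" suffix; absent means GMER could not identify it
            if (-not $Matches[5]) {
                New-Object PSObject -Property @{ Kind = 'UnidentifiedModule'; Module = $Matches[4]; Line = $line }
            }
        }
    }
}

$lines = $sampleReport -split "`r?`n"
# $lines = Get-Content -Path "$env:USERPROFILE\Desktop\gmer.log"   # for a real report
Get-GmerFindings -Lines $lines |
    Sort-Object Kind, Module, Line -Unique |
    Format-Table Kind, Module, Line -AutoSize
```

On the sample this reports 75241289.sys and tsk8FFF.tmp as missing driver files and tsk8FFF.tmp as an unidentified module attached to the volume stack; the annotated Microsoft drivers are not listed. A hit is a starting point for a look at the file, its registry service entry and its load order, not a verdict on its own: unsigned third-party drivers and hex-address-only entries show up the same way.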


#2 SweetTech

Posted 25 June 2011 - 05:36 PM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, has resulted in the delayed response to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Rootkit UnHooker (RkU)
Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
If you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth Code, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



NEXT:


Running OTL

We need to create a FULL OTL Report
  • Please download OTL from here:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

NEXT:


Please provide an update on how things are running in your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 SweetTech

Posted 27 June 2011 - 10:11 AM

Hi!

It's been several days since I last posted instructions for you to complete. Do you still require assistance in getting your computer cleaned up?

Please Note: Unless notified in advance, threads with no response in 3 days get closed.

If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.


Thanks,
SweetTech.



#4 RobClark (Topic Starter)

Posted 27 June 2011 - 11:01 AM

I've tried to reply, not sure why nothing happened. I was dealing with this issue last week and have left it at the client whereby I believe I've removed the virus, but the user has no shortcuts or anything that shows up in his start menu. All the applications seem to work when you browse to the installed locations and he is surviving because he had copied all the shortcuts that he normally uses to his desktop. I would like to fix the shortcuts on the start menu, but I am not onsite, nor will I be for two more days. If you can hold off for that time I will gladly proceed.

#5 SweetTech

Posted 27 June 2011 - 11:06 AM

Yep.

You should be able to restore the shortcuts by doing this;

Please download UnHide.exe by Grinler.

It will unhide folders/files that were set to be hidden by the infection you had.



NEXT:



If the above does not work, then you can restore the defaults for the Start Menu and Administrative Tools as follows:
For any other missing program shortcuts you will probably need to reinstall the application or manually create new shortcuts.

To manually recreate "All Programs" entries, follow these steps...

  • Download App Paths
  • Double click on AppPaths.exe to run the program.
  • Keep the program open.

In this example I'll recreate an entry for Avast antivirus program.
  • Go Start>All Programs.
  • Right click on Avast entry, click "Properties".

NOTE. Make sure, you right click on Avast program, NOT on Avast folder.

  • You'll see the Properties window.

Due to the damage caused by the infection, you'll find "Target" box empty.

  • Go back to AppPaths window and find Avast entry.
  • Right click on Avast line, click "Edit".
  • A pop-up window will open.

  • Highlight everything in "Path" box, right click on it, click "Copy"
  • Go back to Avast "Properties" window, right click inside "Target" box, click "Paste".
  • IMPORTANT! Add quotation marks at the beginning of the path and at the end
  • Click OK and you're done.



In case the program's link shows as (empty):

  • Open Windows Explorer, navigate to the Avast folder in Program Files
  • Right click on the Avast ".exe" file, click "Create shortcut".

  • Copy that shortcut, go back to Start menu.
  • Right click on avast!Free Antivirus, click "Paste".
  • You'll see Avast shortcut recreated replacing (empty) entry.

Alternatively, you can paste that shortcut in:
(XP) - C:\Documents and Settings\All Users\Start Menu\Programs\Avast
(Vista/7) - C:\Program Data\Start Menu\Programs\Avast



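The App Paths procedure in the post above, scripted, as an added example rather than one of the thread's tools (it is neither UnHide.exe nor AppPaths.exe). It lists the Start Menu shortcuts whose target has been blanked, then rebuilds a shortcut from the executable's App Paths registry entry, which is the same data the AppPaths tool shows in its "Path" box. Assumptions: an elevated prompt, since the all-users Programs folder lives under ProgramData and needs administrator rights to write, and the placeholder names in the usage line ('mbam.exe' and the Malwarebytes folder), which you would replace with the program being repaired. On Windows 7 the CommonPrograms folder the script writes to resolves to C:\ProgramData\Microsoft\Windows\Start Menu\Programs.

```powershell
# Added example (not UnHide.exe or AppPaths.exe): list Start Menu shortcuts that lost
# their target, and rebuild one from the executable's "App Paths" registry entry.
# 'mbam.exe' and the folder/shortcut names in the usage line are placeholders.
# Run from an elevated PowerShell prompt when repairing the all-users Start Menu.

$shell = New-Object -ComObject WScript.Shell

function Find-EmptyShortcuts {
    # .lnk files under the all-users and the current user's Programs folders whose
    # target is blank, i.e. what the "Target" box in Properties shows as empty.
    foreach ($folder in 'CommonPrograms', 'Programs') {
        $base = [Environment]::GetFolderPath($folder)
        Get-ChildItem -Path $base -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $shell.CreateShortcut($_.FullName).TargetPath } |
            ForEach-Object { $_.FullName }
    }
}

function Get-AppPath {
    # Resolves an executable name through HKLM\...\App Paths, the registry data the
    # AppPaths tool displays. Returns $null when there is no entry.
    param([string]$ExeName)
    $key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\$ExeName"
    if (-not (Test-Path -Path $key)) { return $null }
    $raw = (Get-ItemProperty -Path $key).'(default)'
    if (-not $raw) { return $null }
    [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
}

function New-StartMenuShortcut {
    param(
        [string]$ExeName,        # e.g. 'mbam.exe' (placeholder)
        [string]$ShortcutName,   # display name of the .lnk, without extension
        [string]$Folder,         # subfolder under Programs; '' for the Programs root
        [switch]$CurrentUserOnly # write to the user's Start Menu instead of all users
    )
    $target = Get-AppPath -ExeName $ExeName
    if (-not $target) { throw "No App Paths entry for $ExeName; create the shortcut by hand." }
    if (-not (Test-Path -LiteralPath $target)) { throw "App Paths points at a missing file: $target" }

    $root = if ($CurrentUserOnly) { 'Programs' } else { 'CommonPrograms' }
    $base = [Environment]::GetFolderPath($root)
    $dir  = if ($Folder) { Join-Path -Path $base -ChildPath $Folder } else { $base }
    if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    $lnkPath = Join-Path -Path $dir -ChildPath "$ShortcutName.lnk"
    $lnk = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath = $target                 # the shortcut object quotes the path itself
    $lnk.WorkingDirectory = Split-Path -Path $target -Parent
    $lnk.Save()
    $lnkPath
}

"Shortcuts with an empty target:"
Find-EmptyShortcuts

# Example repair with placeholder names:
# New-StartMenuShortcut -ExeName 'mbam.exe' -ShortcutName "Malwarebytes' Anti-Malware" -Folder "Malwarebytes' Anti-Malware"
```

Because the shortcut object writes the target path with whatever quoting it needs, the manual "add quotation marks" step from the post is not needed here. Programs with no App Paths entry (the script throws for those) fall back to the post's second method: create the shortcut from the .exe in Program Files and paste it into the right Programs subfolder.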

#6 RobClark (Topic Starter)

Posted 27 June 2011 - 11:10 AM

I will give that a shot. Would love to know how to read the OTL file. You've got some neat tools.

#7 SweetTech

Posted 27 June 2011 - 11:15 AM

You can read more about OTL here: http://www.geekstogo.com/forum/topic/277391-otl-tutorial-how-to-use-oldtimer-listit/



#8 SweetTech

Posted 30 June 2011 - 11:36 AM

Are you still with me?



#9 SweetTech

Posted 03 July 2011 - 11:10 AM

Due to lack of feedback this thread will now be closed. If you still require assistance, and would like to have your thread re-opened, please feel free to send me a Private Message (PM) being sure to include a link to your topic, and I'd be happy to re-open it.






