
Should I run rogue remover? Will backup spread my virus?


  • This topic is locked
8 replies to this topic

#1 richardinct

  • Members
  • 14 posts
  • Gender:Male

Posted 11 October 2011 - 08:31 PM

I was instructed in the "Am I infected?" forum to post my problem here but I have 2 questions in order to get through the Preparation Guide:

1) About the 'Virus, Spyware and Malware Removal Guides':

I had one of these - I believe it was System Restore, and as far as I can tell, doing a (real) System Restore removed it. The rogue doesn't show up any more, though I have other malware-related symptoms, just not the bogus System Restore popups.

So I just want to check: do I need to follow the removal instructions?

2) About backups:

How do I know my backed-up files won't include the virus/malware/trojan?



#2 richardinct
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Male

Posted 12 October 2011 - 11:49 PM

I was told in the "Am I Infected?" forum to post here. Link to that thread:

http://www.bleepingcomputer.com/forums/topic423064.html/page__p__2438636#entry2438636



My system: Windows XP Pro, Symantec Anti-Virus, MalwareBytes free version, Spybot Search & Destroy free version.

The problems I have now are:

1) Search Hijacking:

In Firefox, some, but not all, Google search results are hijacked. When I click on a search result, a strange URL appears for about one second in the address bar, and then I am taken to a website advertising something. One of the URLs that flashed by was: “domain-example.com” [that’s the actual URL, not an example], and another was something like “wsc.us” (can't remember this one exactly).

This happens irregularly. I can't detect any pattern of which search result clicks get hijacked.

So far (24+ hours), no hijacking has occurred in Opera.

I never, ever use IE so I can’t say if it has the same hijacking problem.

2) IE popups:

Internet Explorer ads pop up every 10 or 20 minutes, although IE is not open. (btw I never use IE – strictly Opera and Firefox. Probably been years since IE's been opened.)

3) All my desktop icons are greyed out. But if I right-click then uncheck 'Hidden', the icon becomes un-greyed out. Either way, they all seem to function properly.

4) Problems in running GMER. Screengrabs attached for both.

4a) On starting GMER, window pops up saying:

LoadDriver (“C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ufrdauow.sys”) error 0xC000010E: Cannot create a stable subkey under a volatile parent key

4b) All the checkboxes in the main GMER window are greyed out *except* for: Services, Registry, Files, and ADS

5) DNS Cache can't be cleared:

Under normal conditions I frequently need to repair my wireless connection by going to Network Connections > right-click Wireless Connection > Repair. (It's been like this since the computer and USB wireless adapter were brand new.) The problem that began yesterday along with #1 - 4 was the following message:

“Windows could not finish repairing the problem because the following action cannot be completed:
Clearing the DNS cache.
For assistance, contact the person who manages your network”

However - the wireless connection *was* being properly restored, despite that message.

And today I haven't gotten the error message.


The following problems started at the same time, but were all solved by a System Restore – at least, these symptoms are gone:

6) A bogus 'System Scan':

Window popped up, almost identical to the one here:

http://bit.ly/rtTULO (link goes to a picture in the Bleeping Computer thread "Unhide.exe - A introduction as to what this program does")

- except mine was about scanning the computer for viruses or something, rather than a 'main' interface like in the picture.

7) Sudden cascade of about 20 identical error message boxes, saying “delayed write failed. Failed to save all the components for the file \System32\0000390c. The file is corrupted or unreadable. This error may be caused by a PC hardware problem”

8) Balloons in the Quick Launch popping up with message about my hard disk failing; at risk of losing all my data, etc. (Were these fake? The wording and punctuation were odd but sometimes Microsoft's like that)



STEPS I TOOK:

1) Held down power button to shut off computer
2) Re-started in Safe Mode
3) Ran System Restore.
4) Ran full MalwareBytes scan. Found 2 items both called “Trojan.Fake.Alert”. Removed them.
5) Ran full Symantec scan. Nothing found.
6) Ran full Spybot Search & Destroy scan. Found 4 or so tracking cookies from places like Doubleclick. Deleted them.

RESULT:

Problems 6 – 8 are apparently gone; problems 1 – 4 are still here. Otherwise computer appears to be fine.


Many thanks!

========================================
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Run by Administrator at 23:38:34 on 2011-10-12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2037.981 [GMT -4:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\Pmxmiced.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\FreePOPs\freepopsservice.exe
C:\Program Files\FreePOPs\freepopsd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\xplorer2\xplorer2_UC.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080126
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080126
uInternet Settings,ProxyOverride = *.local
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\snagit10\SnagitBHO.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\snagit10\SnagitIEAddin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [PMX Daemon] ICO.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [BuildBU] c:\dell\bldbubg.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/55.16/uploader2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1289578601156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: DhcpNameServer = 10.0.1.1
TCP: Interfaces\{BAD0D135-712D-4BF9-B06E-B8125B6A1610} : DhcpNameServer = 10.0.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\z99lkom5.default\
FF - prefs.js: browser.search.selectedEngine - Scroogle SSL
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.50106.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPinfotl.dll
FF - plugin: c:\program files\opera\program\plugins\nppdf32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\esri\license\arcgis9x\lmgrd.exe [2009-6-30 467968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-30 105592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20111009.009\naveng.sys [2011-10-10 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20111009.009\navex15.sys [2011-10-10 1576312]
R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2008-1-31 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2008-1-31 14336]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2011-8-16 272128]
S3 cpuz134;cpuz134;c:\program files\pc wizard 2010\pcwiz_x32.sys [2011-1-29 20328]
S3 MADFU003;MADFU003;c:\windows\system32\drivers\MADFU003.sys [2011-1-28 75912]
S3 MAUSBAP;Service for M-Audio Audiophile (WDM);c:\windows\system32\drivers\mausbap.sys [2011-1-29 143624]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
S3 USBNP4X4;M-Audio Audiophile USB Midi;c:\windows\system32\drivers\USBNP4X4.SYS [2011-1-29 29000]
.
=============== Created Last 30 ================
.
2011-10-13 03:05:11 -------- d-----w- C:\! TO BE FILED
2011-10-11 03:07:15 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-10-11 03:07:12 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-10-11 03:07:12 773080 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-10-11 03:07:12 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-10-11 03:07:12 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-10-11 03:07:12 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-10-11 03:07:12 1833944 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-10-11 03:07:12 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-10-10 17:01:45 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-10-10 17:01:45 -------- d-----w- c:\windows\system32\wbem\Repository
2011-10-10 15:27:35 -------- d-----w- c:\program files\Browny02
2011-10-10 14:11:36 77824 ----a-w- c:\windows\system32\BRLMW03A.DLL
2011-10-10 14:11:30 45056 ----a-w- c:\windows\system32\BRTCPCON.DLL
2011-10-10 13:50:30 -------- d-----w- c:\documents and settings\all users\application data\Brother
2011-09-22 02:43:32 -------- d-----w- c:\program files\CANOCO
2011-09-21 13:42:48 -------- d-----w- C:\canoco
2011-09-21 03:53:23 6688 ----a-w- c:\windows\movexe.exe
2011-09-19 18:07:17 -------- d-----w- c:\program files\PC-Ord
2011-09-19 18:07:07 -------- d-----w- c:\program files\New Folder
2011-09-15 22:37:34 -------- d-----w- c:\program files\Microsoft ActiveSync
.
==================== Find3M ====================
.
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-25 17:12:53 1249951 ----a-w- c:\program files\unins000.exe
2010-09-07 21:07:14 15923712 ----a-w- c:\program files\mpciconlib.dll
2010-09-07 21:07:08 9139200 ----a-w- c:\program files\mpc-hc.exe
2010-01-22 05:28:47 176118 ----a-w- c:\program files\Switch Off - timer for shutting down computer.exe
2009-05-19 16:07:59 726348 ----a-w- c:\program files\Lion setup - integrates DictLeo in all Windows.exe
2008-02-20 01:34:27 1139254 ----a-w- c:\program files\wintwins23.exe
2007-09-09 21:40:12 7871283 ----a-w- c:\program files\LMSetup.exe
2007-09-09 11:16:35 494 ----a-w- c:\program files\ESRIFloat.reg
2006-03-20 20:37:00 5689344 ----a-w- c:\program files\mplayerc.exe
.
============= FINISH: 23:45:11.17 ===============



Edited by Orange Blossom, 13 October 2011 - 10:32 AM.
Merged topics. ~ OB


#3 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 16 October 2011 - 05:41 AM

Welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.sys /90
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\*
    %USERPROFILE%\..|smtmp;true;true;true /FP
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT
  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#4 richardinct
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Male

Posted 18 October 2011 - 09:55 PM

Thanks so much for the reply.

This is just to let you know that GMER is running as I write this and I already ran OTL and saved the output. I have to get to bed now; tomorrow (Wednesday) I will post all the requested information.

#5 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 19 October 2011 - 05:11 AM

OK, thanks for the update. I'll look for the logs.




#6 richardinct
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Male

Posted 19 October 2011 - 02:50 PM

One quick question before I post the logs -

Could the information in them compromise my computer's security?

I realize people do it all the time but it seems like a lot to be posting publicly.

thanks

#7 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 19 October 2011 - 04:53 PM

Unless your full name is in there, there's not much anyone can do with any of the information. File names in the file section can sometimes be interesting as well. Your IP address isn't posted (but every website you visit knows what it is), nor any personal details short of programs installed and some hardware information.


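The DDS "Pseudo HJT Report" posted in reply #2 and the exchange just above about what such a log reveals are the subject of this added example. It is not part of DDS, OTL or anything the responders here use; it is a small offline triage script written for this thread. It assumes only the line shapes visible in the log above (`BHO:`/`TB:`/`EB:` browser hooks, `uRun:`/`mRun:` autostart entries and `Hosts:` overrides), ignores every other line, attaches review flags to the entries a responder would look at first, and replaces the account name in Windows XP profile paths with a `<user>` placeholder so a log can be posted without the Windows user name. The flag rules and the `<user>` placeholder are my own choices, not DDS conventions; the sample lines are a subset copied from the log in reply #2.

```python
"""Offline triage of a DDS 'Pseudo HJT Report' section.

Added example for this thread, not DDS/OTL code. Assumes the line shapes
seen in the posted log; anything else is skipped.
"""
import re
from dataclasses import dataclass, field

# Sample input: a few lines copied from the DDS log in reply #2 (a constructed
# subset, not the full report). The first line is unparsed on purpose.
SAMPLE_LOG = [
    r"uStart Page = about:blank",
    r"BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\snagit10\SnagitBHO.dll",
    r"TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File",
    r'uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c',
    r"mRun: [PMX Daemon] ICO.EXE",
    r'mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"',
    r"Hosts: 127.0.0.1 www.spywareinfo.com",
]

RUN_RE = re.compile(r"^(?P<scope>[um])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HOOK_RE = re.compile(r"^(?P<kind>BHO|TB|EB): (?:(?P<name>.*?): )?\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
# Account-name segment of an XP profile path (long or 8.3 form), for redaction.
USER_RE = re.compile(r"(documents and settings\\|docume~1\\)([^\\]+)", re.IGNORECASE)


@dataclass
class Entry:
    kind: str           # "Run", "BHO", "TB", "EB" or "Hosts"
    name: str
    target: str         # command line, DLL path, or "ip host"
    flags: list = field(default_factory=list)


def _executable(cmd: str) -> str:
    """First token of a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_line(line: str):
    """Return an Entry for a recognised line, or None for everything else."""
    m = RUN_RE.match(line)
    if m:
        scope = "per-user (HKCU)" if m["scope"] == "u" else "machine-wide (HKLM)"
        return Entry("Run", f"{m['name']} [{scope}]", m["cmd"])
    m = HOOK_RE.match(line)
    if m:
        return Entry(m["kind"], m["name"] or m["clsid"], m["target"])
    m = HOSTS_RE.match(line)
    if m:
        return Entry("Hosts", m["host"], f"{m['ip']} {m['host']}")
    return None


def triage(entry: Entry) -> Entry:
    """Attach review flags. Each rule is a prompt to check, not a verdict."""
    if entry.kind == "Hosts":
        entry.flags.append("hosts file override: confirm it was added on purpose")
        return entry
    if entry.target == "No File":
        entry.flags.append("orphaned entry: registry points at a missing file")
        return entry
    exe = _executable(entry.target) if entry.kind == "Run" else entry.target
    if "\\" not in exe and "%" not in exe:
        entry.flags.append("unqualified path: locate the file and check its publisher")
    if USER_RE.search(exe):
        entry.flags.append("runs from a user profile directory (writable without admin rights)")
    return entry


def redact_username(text: str) -> str:
    """Replace the account name in XP profile paths with <user> before posting."""
    return USER_RE.sub(lambda m: m.group(1) + "<user>", text)


def triage_log(lines):
    """Parse, flag and redact; returns the recognised entries in log order."""
    results = []
    for raw in lines:
        entry = parse_line(raw.strip())
        if entry is None:
            continue
        entry = triage(entry)
        entry.target = redact_username(entry.target)
        results.append(entry)
    return results


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.kind:5} {e.name}: {e.target}")
        for flag in e.flags:
            print(f"      -> {flag}")
```

Run it against a saved DDS log by reading the file into `triage_log`. In the sample above, the orphaned `TB:` entry, the `uRun:` entry living under the user profile and the bare `ICO.EXE` command each get a flag, while the fully qualified Symantec entry gets none; a flag only says where to look first, and the redaction is what makes the log safe to paste without the account name that the responder's answer above refers to.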
 


#8 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 22 October 2011 - 05:58 AM

Still with me?




#9 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 03 November 2011 - 05:39 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

