2 replies to this topic

#1 Beach Plum

Beach Plum

  • Members
  • 32 posts
  • Local time:05:49 AM

Posted 11 July 2012 - 11:27 AM

I am running Windows 7 Professional SP1 on a privately built computer. This machine is not fully updated because of a previously unknown and well researched fatal conflict that makes rebooting to a stable environment tricky. (The fatal crash has been explored by myself and a professional to no conclusion. So, my computer is always on and rarely current.)

And last night I foolishly installed a program with a virus.

I have Norton Security, which gave a 'good' rating to the viral program. On execution of the program it began showing much more activity than I thought it should. I found and uninstalled new entries in the program list. Then I ran about using 'the chicken with its head cut off approach to security' like internal snooping and running CCleaner at some registry keys that just seemed odd. I did end up at different reputable security sites and Microsoft fixed a couple things like better DEP for me. Coming to grips, I installed Malwarebytes and that found and fixed PUP.wxDfast.

I really had no desire to keep whatever was in registry at this point and restored an earlier version. The restore hung on boot and startup repair restored to a viral registry (restore point created by the virus). I tried to restore backwards again and however succeeded. I was then unable to use the web because Norton blocked intrusion from 75.75.75 or something. I rebooted again.

I reinstalled Malwarebytes and removed the virus again with two registry keys:

HKCR\scrfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and repaired successfully.
HKCR\regfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and repaired successfully.

A couple hours ago, I opened the task manager and found it corrupted, followed MS direction for fixing that.

In the last 45 minutes I have had two 'task completed' sounds. I don't know why.

Any advice would be super.

Malwarebytes scanner is up now and shows all clear.

editing: Forgot, the virus hijacked my homepages and added a search engine to the lists, which was why I knew to look for a problem. Did not get a repeat of that.
editing: Also, there was a point where I randomly chose to go to a Firefox link rather than a homepage, found the YouTube interface broken, so reinstalled Flash, QuickTime, and Firefox, just in case. Seems OK now.

Edited by Beach Plum, 11 July 2012 - 12:09 PM.
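
The two Malwarebytes log lines quoted in the post above record both the hijacked and the restored open-command handler for each key. As an added example (not part of the original thread and not Malwarebytes code), the Python below parses those lines into a baseline and reports any handler that has drifted from it again. All function names are hypothetical, the `observed` values are constructed, and the live read via `winreg` works only on Windows.

```python
import re

# The two log lines quoted in the post, copied verbatim.
LOG = r'''HKCR\scrfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and repaired successfully.
HKCR\regfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and repaired successfully.'''

# Layout: key| (detection) -> Bad: (...) Good: (...) -> action
LINE = re.compile(
    r'^(?P<key>HK[A-Z]+\\[^|]+)\|\s*\((?P<detection>[^)]+)\) -> '
    r'Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$')

def parse_log(text):
    """Return one dict per repaired-registry line; other lines are ignored."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def norm(cmd):
    """Compare commands case-insensitively with whitespace collapsed."""
    return ' '.join(cmd.split()).lower()

def baseline(entries):
    """Map each key to the handler the scanner restored (the 'Good' value)."""
    return {e['key']: e['good'] for e in entries}

def drift(expected, observed):
    """List (key, expected, actual) where a handler is missing or changed."""
    return [(k, good, observed.get(k))
            for k, good in expected.items()
            if observed.get(k) is None or norm(observed[k]) != norm(good)]

def read_default(key):
    """Read a key's default value from the live registry (Windows only)."""
    import winreg  # imported here so the parser still runs on other systems
    hive, _, sub = key.partition('\\')
    if hive != 'HKCR':
        raise ValueError('only HKCR is handled in this example')
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, sub) as k:
        return winreg.QueryValueEx(k, '')[0]

if __name__ == '__main__':
    expected = baseline(parse_log(LOG))
    # Constructed observation: one handler hijacked again, one intact.
    observed = {r'HKCR\scrfile\shell\open\command': 'NOTEPAD.EXE %1',
                r'HKCR\regfile\shell\open\command': 'REGEDIT.EXE "%1"'}
    for key, good, actual in drift(expected, observed):
        print(f'{key}: expected {good!r}, found {actual!r}')
```

On the affected machine, replace the constructed `observed` dictionary with `{k: read_default(k) for k in expected}` to compare against the live registry.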



#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,561 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:04:49 AM

Posted 11 July 2012 - 07:46 PM

Hello, I suspect a Boot and/or Root kit at play.

Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click on Change Parameters
  • Put a check in the box of Detect TDLFS file system
  • Click Start scan.
  • When it is finished the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue
  • Let it reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder. The Log has a name like: TDSSKiller.Version_Date_Time_log.txt.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#3 Beach Plum

Beach Plum
  • Topic Starter

  • Members
  • 32 posts
  • Local time:05:49 AM

Posted 12 July 2012 - 05:39 PM

Thank you for the programs but neither found anything malicious. I also thought something deep and ugly got in. I'll do a C:\ scan with aswMBR now and post if I have any notable results. (The default of aswMBR was quickscan, though lengthy)
