
Win32.Polip.A (B) Re-occurring


7 replies to this topic

#1 UZI - SUICIDE (Members, 4 posts)

Posted 22 July 2013 - 08:58 PM

I had removed this once, and since it took a bunch of Windows files I reinstalled Windows yesterday; today I am infected again. I ran the Emergency Kit scanner but took no action and posted here instead.

Attached File: dds.txt (14.57 KB)
Attached File: attach.txt (2.36 KB)

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 6.0.2900.5512  BrowserJavaVersion: 10.25.2
Run by UZI - SUICIDE at 18:38:30 on 2013-07-22
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: iSkysoft Video Converter Ultimate: {C7C3BC26-4F2B-4997-A3CB-163337FE975B} - c:\program files\iskysoft\video converter ultimate\SVRIEPlugin.dll
BHO: Free Download Manager: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
EB: Real.com: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe"  -lang 1033
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Download all with Free Download Manager - c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - c:\program files\free download manager\dlfvideo.htm
IE: Download web site with Free Download Manager - c:\program files\free download manager\dlpage.htm
IE: Download with Free Download Manager - c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - <orphaned>
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{8D975FA3-024B-4940-A15F-37456907B11E} : DHCPNameServer = 192.168.14.1 64.13.115.12 75.94.255.12
TCP: Interfaces\{8E761127-9922-4573-B6E8-45E03A23F1D8} : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{C11722A3-891E-46ED-9490-F30C8BE02463} : DHCPNameServer = 75.75.75.75 75.75.76.76
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\belarcadvisor\system\BAVoilaX.dll
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\uzi - suicide\application data\mozilla\firefox\profiles\ficxhjkl.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/lists/2443966381813
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\uzi - suicide\local settings\application data\facebook\messenger\2.1.4814.0\npFbDesktopPlugin.dll
FF - plugin: c:\documents and settings\uzi - suicide\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_202.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2013-05-24 04:11; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\uzi - suicide\application data\mozilla\firefox\profiles\ficxhjkl.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-05-24 04:48; {b9db16a4-6edc-47ec-a1f4-b86292ed211d}; c:\documents and settings\uzi - suicide\application data\mozilla\firefox\profiles\ficxhjkl.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - ExtSQL: 2013-05-24 07:16; fdm_ffext@freedownloadmanager.org; c:\program files\free download manager\firefox\Extension
FF - ExtSQL: 2013-06-03 01:33; {023e9ca0-63f3-47b1-bcb2-9badf9d9ef28}; c:\documents and settings\uzi - suicide\application data\mozilla\firefox\profiles\ficxhjkl.default\extensions\{023e9ca0-63f3-47b1-bcb2-9badf9d9ef28}.xpi
FF - ExtSQL: 2013-06-03 01:44; {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}; c:\documents and settings\uzi - suicide\application data\mozilla\firefox\profiles\ficxhjkl.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}.xpi
FF - ExtSQL: 2013-06-03 01:44; client@anonymox.net; c:\documents and settings\uzi - suicide\application data\mozilla\firefox\profiles\ficxhjkl.default\extensions\client@anonymox.net.xpi
FF - ExtSQL: 2013-06-24 03:13; {c36177c0-224a-11da-8cd6-0800200c9a91}; c:\documents and settings\uzi - suicide\application data\mozilla\firefox\profiles\ficxhjkl.default\extensions\{c36177c0-224a-11da-8cd6-0800200c9a91}.xpi
FF - ExtSQL: 2013-06-24 03:13; smarterwiki@wikiatic.com; c:\documents and settings\uzi - suicide\application data\mozilla\firefox\profiles\ficxhjkl.default\extensions\smarterwiki@wikiatic.com.xpi
FF - ExtSQL: 2013-07-02 21:11; FFSodaPDF5Converter@sodapdf.com; c:\program files\soda pdf 5\FFSoda5Ext
FF - ExtSQL: 2013-07-18 23:36; {845257EF-A892-484e-8EB0-47F563D75939}; c:\program files\iskysoft\video converter ultimate\SVRFirefoxExt
.
============= SERVICES / DRIVERS ===============
.
R? androidusb;Google Device Driver
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? mbamchameleon;mbamchameleon
R? MBAMProtector;MBAMProtector
R? MBAMScheduler;MBAMScheduler
R? MBAMService;MBAMService
R? RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter
R? SkypeUpdate;Skype Updater
R? Soda PDF 5 Helper Service;Soda PDF 5 Helper Service
R? Soda PDF 5 Service;Soda PDF 5 Service
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? anvsnddrv;AnvSoft Virtual Sound Device
S? cleanhlp;cleanhlp
S? scrcap;scrcap
S? st3wolf;st3wolf
S? stwlfbus;stwlfbus
S? tdudf;TOSHIBA UDF File System Driver
S? WDC_SAM;WD SCSI Pass Thru driver
.
=============== File Associations ===============
.
FileExt: .txt: Applications\WORDPAD.EXE="c:\program files\windows nt\accessories\WORDPAD.EXE" "%1" [UserChoice]
FileExt: .ini: Applications\wordpad.exe="c:\program files\windows nt\accessories\WORDPAD.EXE" "%1" [UserChoice]
ShellExec: Soda PDF 5.exe: open="c:\program files\soda pdf 5\Soda PDF 5.exe""%1"
.
=============== Created Last 30 ================
.
2013-07-22 01:31:58    --------    d-----w-    c:\windows\system32\PreInstall
2013-07-22 00:47:42    --------    d-----w-    c:\windows\system32\SoftwareDistribution
2013-07-21 10:41:01    35144    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-07-21 10:27:59    7680    -c--a-w-    c:\windows\system32\dllcache\pwsdata.dll
2013-07-21 10:26:59    43520    -c--a-w-    c:\windows\system32\dllcache\EXCH_fcachdll.dll
2013-07-21 10:23:47    380416    -c--a-w-    c:\windows\system32\dllcache\rstrui.exe
2013-07-21 10:23:47    111104    -c--a-w-    c:\windows\system32\dllcache\wuauclt.exe
2013-07-21 10:22:03    202752    ----a-w-    c:\windows\system32\sndvol32.exe
2013-07-21 10:22:03    138752    -c--a-w-    c:\windows\system32\dllcache\sndvol32.exe
2013-07-21 10:09:42    24661    -c--a-w-    c:\windows\system32\dllcache\spxcoins.dll
2013-07-21 10:09:42    24661    ----a-w-    c:\windows\system32\spxcoins.dll
2013-07-21 10:09:42    13312    -c--a-w-    c:\windows\system32\dllcache\irclass.dll
2013-07-21 10:09:42    13312    ----a-w-    c:\windows\system32\irclass.dll
2013-07-21 09:58:59    78336    -c--a-w-    c:\windows\system32\dllcache\browsewm.dll
2013-07-21 09:44:26    3387976    ----a-w-    C:\advisorinstaller.exe
2013-07-21 08:28:40    16384    -c--a-w-    c:\windows\system32\dllcache\isignup.exe
2013-07-21 08:28:40    16384    ----a-w-    c:\program files\internet explorer\connection wizard\isignup.exe
2013-07-21 08:28:32    73728    -c--a-w-    c:\windows\system32\dllcache\wmplayer.exe
2013-07-21 08:28:32    131072    ----a-w-    c:\program files\windows media player\wmplayer.exe
2013-07-21 08:27:56    46080    -c--a-w-    c:\windows\system32\dllcache\wab.exe
2013-07-21 08:27:56    109056    ----a-w-    c:\program files\outlook express\wab.exe
2013-07-21 08:27:55    60416    -c--a-w-    c:\windows\system32\dllcache\msimn.exe
2013-07-21 08:27:55    120832    ----a-w-    c:\program files\outlook express\msimn.exe
2013-07-21 08:27:52    86016    -c--a-w-    c:\windows\system32\dllcache\icwconn2.exe
2013-07-21 08:27:52    273920    ----a-w-    c:\program files\internet explorer\connection wizard\icwconn1.exe
2013-07-21 08:27:52    214528    -c--a-w-    c:\windows\system32\dllcache\icwconn1.exe
2013-07-21 08:27:52    143360    ----a-w-    c:\program files\internet explorer\connection wizard\icwconn2.exe
2013-07-21 08:27:51    93184    -c--a-w-    c:\windows\system32\dllcache\iexplore.exe
2013-07-21 08:27:51    153600    ----a-w-    c:\program files\internet explorer\IEXPLORE.EXE
2013-07-21 08:26:29    1695232    ----a-w-    c:\program files\messenger\msmsgs.exe
2013-07-21 08:26:28    33792    ----a-w-    c:\program files\messenger\custsat.dll
2013-07-21 08:25:28    340480    ----a-w-    c:\program files\windows nt\pinball\PINBALL.EXE
2013-07-21 08:25:28    281088    -c--a-w-    c:\windows\system32\dllcache\pinball.exe
2013-07-21 01:07:57    --------    d-----w-    C:\WINDOWS.0
2013-07-21 00:08:35    497664    ----a-w-    c:\windows\system32\ac3filter.acm
2013-07-21 00:08:34    --------    d-----w-    c:\program files\AC3Filter
2013-07-21 00:08:00    --------    d-----w-    c:\program files\AviSynth 2.5
2013-07-21 00:07:22    --------    d-----w-    c:\program files\Avi2Dvd
2013-07-20 21:53:16    130    ----a-w-    c:\windows\DeleteOnReboot.bat
2013-07-20 21:28:50    --------    d-----w-    c:\program files\Shotcut
2013-07-20 18:41:00    --------    d-----w-    c:\program files\ePub Reader
2013-07-20 18:40:23    --------    d-----w-    c:\documents and settings\uzi - suicide\AppData
2013-07-20 18:40:18    632656    ----a-w-    c:\windows\system32\msvcr80.dll
2013-07-20 18:40:18    554832    ----a-w-    c:\windows\system32\msvcp80.dll
2013-07-20 18:40:18    479232    ----a-w-    c:\windows\system32\msvcm80.dll
2013-07-20 18:40:18    27136    ----a-w-    c:\windows\system32\ImHttpComm.dll
2013-07-20 18:40:18    1341744    ----a-w-    c:\windows\system32\dmwu.exe
2013-07-20 08:48:34    --------    d-----w-    c:\documents and settings\uzi - suicide\.thumb
2013-07-20 08:48:15    --------    d-----w-    c:\program files\DVDStyler
2013-07-19 06:40:12    --------    d-----w-    c:\documents and settings\all users\application data\xml_param
2013-07-19 06:39:05    --------    d-----w-    c:\documents and settings\uzi - suicide\Videos
2013-07-19 06:37:55    --------    d-----w-    c:\documents and settings\uzi - suicide\application data\{950EB46C-6AC7-4ACC-AB36-9A6A77C08B6A}
2013-07-19 06:37:02    --------    d-----w-    c:\documents and settings\uzi - suicide\local settings\application data\iSkysoft
2013-07-19 06:37:00    --------    d-----w-    c:\program files\common files\iSkysoft
2013-07-19 06:36:48    721917    ----a-w-    c:\windows\system32\ISCM64.dll
2013-07-19 06:36:48    153088    ----a-w-    c:\windows\system32\ISCM32.dll
2013-07-19 06:36:37    --------    d-----w-    c:\documents and settings\all users\application data\iSkysoft Video Converter Ultimate
2013-07-19 06:36:30    --------    d-----w-    c:\program files\iSkysoft
2013-07-19 06:08:36    32896    ----a-w-    c:\windows\system32\drivers\anvsnddrv.sys
2013-07-18 10:06:16    --------    d-----w-    C:\_OTL
2013-07-18 10:00:32    --------    d-----w-    c:\documents and settings\uzi - suicide\local settings\application data\Sun
2013-07-18 09:59:27    867240    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-07-18 09:59:27    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-07-18 09:59:27    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-07-18 09:59:22    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-07-14 21:34:05    --------    d-----w-    c:\program files\Super_DVD_Creator_9.8
2013-07-14 14:22:52    --------    d-----w-    c:\documents and settings\uzi - suicide\local settings\application data\WSHelper
2013-07-13 17:50:05    --------    d-----w-    c:\program files\Resource Hacker
2013-07-13 17:41:40    --------    d-----w-    C:\EEK
2013-07-13 17:25:53    --------    d-----w-    c:\windows\ERUNT
2013-07-03 04:38:50    --------    d-----w-    c:\windows\system32\wbem\repository\FS
2013-07-03 04:38:50    --------    d-----w-    c:\windows\system32\wbem\Repository
2013-07-03 04:25:52    --------    d-----w-    c:\documents and settings\uzi - suicide\local settings\application data\Temp
2013-07-03 04:25:13    --------    d-----w-    c:\program files\common files\Jasc Software Inc
2013-07-03 04:10:37    --------    d-----w-    c:\documents and settings\all users\application data\Elcomsoft Password Recovery
2013-07-03 04:01:05    --------    d-----w-    c:\program files\Western Digital
2013-06-23 16:47:19    --------    d-----w-    c:\documents and settings\uzi - suicide\local settings\application data\Facebook
.
==================== Find3M  ====================
.
2013-07-19 23:46:01    0    --sh--w-    c:\windows\S5215F761.tmp
2013-06-02 00:41:50    34216    ----a-w-    c:\windows\system32\drivers\wsadb.sys
2013-06-02 00:41:50    1112288    ----a-w-    c:\windows\system32\WdfCoInstaller01007.dll
2013-05-24 13:55:31    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-24 13:55:31    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-05-24 10:52:42    21035    ----a-w-    c:\windows\system32\drivers\AegisP.sys
2013-05-01 10:59:12    94208    ----a-w-    c:\windows\system32\QuickTimeVR.qtx
2013-05-01 10:59:12    69632    ----a-w-    c:\windows\system32\QuickTime.qts
.
============= FINISH: 18:39:29.46 ===============
 


Edited by Noviciate, 24 July 2013 - 02:41 PM.
Added log from attachment.
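Added here as a worked example, not code from the thread or from the DDS tool: the log above already contains the pattern that explains a reinfection. Several executables were written in the same second as their Windows File Protection twins under system32\dllcache, yet the live copy is consistently 57 to 64 KB larger (sndvol32.exe 202752 vs 138752, iexplore.exe 153600 vs 93184, wab.exe 109056 vs 46080, wmplayer.exe 131072 vs 73728). That is the footprint of a file infector that appends itself to every program it touches, and Win32/Polip is such an infector. The C:\WINDOWS.0 directory shows the reinstall went next to the old installation rather than onto a wiped disk, so the infected binaries were never gone. The Python below pulls those signals out of a DDS log; the section and line layouts it assumes are my reading of the log above, and the sample input is a few lines copied from it.

```python
"""Triage helper for a DDS log like the one posted above (added example, not a DDS or
BleepingComputer tool). Format assumptions are mine: section headers are a title padded
with '=' signs, file lines are '<date> <time> <size> <attrs> <path>' with dashes as the
size of a directory, and service lines are 'R? name;description' / 'S? name;description'."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")
SERVICE_RE = re.compile(r"^[RS]\?\s+([^;]+);(.*)$")

# Constructed sample: lines copied from the DDS log in the first post.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
R? mbamchameleon;mbamchameleon
S? cleanhlp;cleanhlp
S? st3wolf;st3wolf
S? tdudf;TOSHIBA UDF File System Driver
.
=============== Created Last 30 ================
2013-07-21 10:22:03    202752    ----a-w-    c:\windows\system32\sndvol32.exe
2013-07-21 10:22:03    138752    -c--a-w-    c:\windows\system32\dllcache\sndvol32.exe
2013-07-21 08:28:40    16384    -c--a-w-    c:\windows\system32\dllcache\isignup.exe
2013-07-21 08:28:40    16384    ----a-w-    c:\program files\internet explorer\connection wizard\isignup.exe
2013-07-21 08:27:56    46080    -c--a-w-    c:\windows\system32\dllcache\wab.exe
2013-07-21 08:27:56    109056    ----a-w-    c:\program files\outlook express\wab.exe
2013-07-21 01:07:57    --------    d-----w-    C:\WINDOWS.0
.
==================== Find3M  ====================
2013-07-19 23:46:01    0    --sh--w-    c:\windows\S5215F761.tmp
============= FINISH: 18:39:29.46 ===============
"""

FileEntry = Tuple[str, int, str, str]  # (timestamp, size, attrs, lower-cased path)


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split the log into {section title: [lines]}, dropping DDS's '.' spacer lines."""
    sections: Dict[str, List[str]] = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current is not None:
            sections[current].append(line)
    return sections


def file_entries(lines: List[str]) -> List[FileEntry]:
    """Parse file lines; directories (size shown as dashes) are skipped."""
    out: List[FileEntry] = []
    for line in lines:
        m = FILE_RE.match(line)
        if m and m.group(2).isdigit():
            out.append((m.group(1), int(m.group(2)), m.group(3), m.group(4).lower()))
    return out


def dllcache_size_mismatches(sections: Dict[str, List[str]]) -> List[Tuple[str, int, int, int]]:
    """Pair each live file with the pristine copy Windows File Protection keeps under
    system32\\dllcache; return (live path, live size, cache size, delta) where they differ.
    An appending file infector leaves the live copy larger; equal sizes prove nothing."""
    cache: Dict[str, int] = {}
    live: Dict[str, Tuple[int, str]] = {}
    for _stamp, size, _attrs, path in file_entries(sections.get("Created Last 30", [])):
        name = path.rsplit("\\", 1)[-1]
        if "\\dllcache\\" in path:
            cache[name] = size
        else:
            live[name] = (size, path)
    return sorted((path, size, cache[name], size - cache[name])
                  for name, (size, path) in live.items()
                  if name in cache and cache[name] != size)


def hidden_system_files(sections: Dict[str, List[str]]) -> List[Tuple[str, int]]:
    """Files with both hidden (h) and system (s) attributes, invisible in a default Explorer view."""
    return [(path, size)
            for section in ("Created Last 30", "Find3M")
            for _stamp, size, attrs, path in file_entries(sections.get(section, []))
            if "h" in attrs and "s" in attrs]


def undescribed_services(sections: Dict[str, List[str]]) -> List[str]:
    """Drivers/services whose description is just their own name. Not proof of anything
    (mbamchameleon is Malwarebytes, cleanhlp ships with Emsisoft Emergency Kit), but each one
    needs a lookup rather than a guess."""
    matches = (SERVICE_RE.match(line) for line in sections.get("SERVICES / DRIVERS", []))
    return [m.group(1).strip() for m in matches
            if m and m.group(1).strip().lower() == m.group(2).strip().lower()]


def report(text: str) -> str:
    sections = parse_sections(text)
    lines = [f"SIZE MISMATCH {p}: live {live} B vs dllcache {cached} B ({delta:+d} B)"
             for p, live, cached, delta in dllcache_size_mismatches(sections)]
    lines += [f"HIDDEN+SYSTEM {p} ({size} B)" for p, size in hidden_system_files(sections)]
    lines += [f"LOOK UP       {name}: no vendor description" for name in undescribed_services(sections)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DDS))
```

To use it on a real log, read dds.txt into report(). A live executable that outgrows its dllcache twin is the same event post #6 describes from the other side: files that were clean when downloaded and were flagged seconds later had been rewritten on disk, which no amount of reinstalling beside the old Windows directory will cure.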



#2 nasdaq (Malware Response Team, 38,769 posts, Montreal, QC, Canada)

Posted 27 July 2013 - 10:49 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
 

It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected, and the consequences could be even worse next time. All of the following are excellent free versions of commercial antiviruses. Be sure to install only one.
AVG.
If you install AVG it will install Chrome unless you deny it.
avast!.
Avast will install Google Chrome if it is not already installed. If you do not want to keep it, just remove it using the Add/Remove Programs list.
AntiVir

===

Search for and delete the adware and PUPs (Potentially Unwanted Programs) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue.
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get the error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of an infection.

Please restart the computer before running this security check.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Please paste the logs in your next reply; DO NOT ATTACH THEM.
Let me know what problem persists.

#3 UZI - SUICIDE (Topic Starter, Members, 4 posts)

Posted 28 July 2013 - 11:10 AM

Thank you..
Yes, I had downloaded the free version of Zone Alarm Antivirus after I posted this, but when it installed it automatically removed all the virus along with some important stuff and my machine wouldn't boot, so I went into safe mode and used Restore to get it back up.
I was waiting for these instructions, and I should probably back it up too.
After I follow these instructions to get the virus out I will immediately re-install Zone Alarm Antivirus and/or one of your recommended antivirus programs.



#4 nasdaq (Malware Response Team, 38,769 posts, Montreal, QC, Canada)

Posted 28 July 2013 - 12:54 PM


"After I follow these instructions to get the virus out I will immediately re-install Zone Alarm Antivirus"


If you have to go online with this computer to get the tools, I suggest you install Zone Alarm Antivirus and the firewall if it comes with the package.
Then download the tools and run them.

#5 nasdaq (Malware Response Team, 38,769 posts, Montreal, QC, Canada)

Posted 03 August 2013 - 08:23 AM

Are you still with me?

#6 UZI - SUICIDE (Topic Starter, Members, 4 posts)

Posted 04 August 2013 - 08:25 PM

Sorry for bailing out and not following through with this. I can find the reports if need be, but immediately after following the instructions almost to the letter (I did not reinstall the virus scanner/firewall until after, because it was not until then that I saw that advice, and I did not do the very last report thing because I could not get the software to run after redownloading and many attempts; other than that I followed the instructions to the teeth)...
After ZA and failed attempts at the last of the instructions, I played on Facebook a few minutes but everything was so slow my computer was unusable. Restart. Toshiba BIOS screen. Multi GUI screen, modified, but with a 3 sec. delay I couldn't make it out. Windows boot screen, maybe a full second. Flash of a BSOD. Auto restart x3. So I catch the multi GUI screen. It says: 1. MS Repair Console; 2. DO NOT CHOOSE THIS "debugging" (can't remember exactly, but that's the gist); 4. Regular MS option (WINDOWS1) <default>; 5. Regular MS option (Windows2). Sorry, I should have had my info straight before I did this, but I am sure you know what this means.
I was going to go to safe mode and roll back a day or two, but instead I used the "LAST KNOWN GOOD" option and it booted. ZA detected the very same virus here and there immediately, and everything was very slow at best and completely unusable at worst. So I ran ZA through a virus check and quarantined everything, which is mainly files from the /system32/ folder and Notepad; Notepad is always the first to go. So after I let ZA run its course I ran MBAM, just because the OS freezes and I hard restart to a BSOD as before. I choose the "LAST KNOWN" option and boot up again. I run ZA and quarantine everything (if applicable; can't remember for sure if it got anything that time). I go to the official MS XP SP3 download update and run it. Within seconds, starting with Notepad and followed by 15 others, ZA started logging the same virus. I had ZA on manual and I ignored all; they were fresh from MS, the file was scanned upon download, and the files were fresh from that download and immediately flagged. Sorry so long, but that's where I am at.



#7 UZI - SUICIDE (Topic Starter, Members, 4 posts)

Posted 04 August 2013 - 08:29 PM

Awaiting instructions, I am gathering all docs that apply to this, because smart people like you tend to like things that make sense as compared to large paragraphs of mindless babble. Heavy lies the crown, I guess. I don't know, because I am not very bright; I just got lucky that way, I guess.



#8 nasdaq (Malware Response Team, 38,769 posts, Montreal, QC, Canada)

Posted 05 August 2013 - 08:10 AM

For now just run this tool.

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller.




