
Computer issues


This topic is locked
26 replies to this topic

#1 EvaEva (Members, 27 posts)

Posted 06 February 2017 - 06:16 AM

Hello, I would like to have checked my computer. It is the one I downloaded a virus from Skype to and a few days ago someone was using the computer by attaching a removable disk to it.

Attached Files



#2 nasdaq (Malware Response Team, 39,206 posts, Montreal, QC. Canada)

Posted 06 February 2017 - 08:43 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Run the RogueKiller tool and delete this.
¤¤¤ Registry : 1 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ugdirkob (\??\C:\Users\uzivatel\AppData\Local\Temp\ugdirkob.sys) -> Found



Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3982991693-611816459-160826111-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [No File]
CHR Extension: (Platby Internetového obchodu Chrome) - C:\Users\uzivatel\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-19]
CHR Extension: (Chrome Media Router) - C:\Users\uzivatel\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-16]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx <not found>
S3 FXDrv32; \??\D:\FXDrv64.sys [X]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

p.s.
Include also the Addition.txt file that was created by the Farbar tool.
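The two findings in this post, the RogueKiller hit on a service whose driver image sits in a user's Temp folder and the FRST line for a driver whose file on D: no longer exists, are the kind of service entries a responder wants flagged automatically rather than spotted by eye. The Python below is an added example written for this page, not a tool from the thread or from the RogueKiller or FRST authors: it parses lines in the two formats quoted above and lists why each image path deserves attention. The system drive, the list of expected driver directories and the third (clean) sample line are assumptions.

```python
import re

# Prefix Windows uses for NT object paths in service ImagePath values, e.g. \??\C:\...
NT_PREFIX = "\\??\\"
SYSTEM_DRIVE = "c:"  # assumed; the logs in the thread show Windows on C:
# Directories where legitimately installed kernel drivers normally live (lower-case for comparison).
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Locations any local user can write to; a kernel driver image here is a strong rootkit indicator.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")

# RogueKiller "Registry" finding, in the format quoted in the thread.
ROGUEKILLER_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+\((?P<arch>\w+)\)\s+(?P<key>\S+)\s+\((?P<path>[^)]+)\)\s+->\s+(?P<status>\w+)$"
)
# FRST service/driver line, e.g. "S3 FXDrv32; \??\D:\FXDrv64.sys [X]" ([X] = image file not found).
FRST_SERVICE_RE = re.compile(r"^(?P<start>[SRU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)(?:\s+\[(?P<flag>X)\])?$")

# Constructed sample: the two real findings from the thread plus one hypothetical clean driver line.
SAMPLE_LINES = [
    r"[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ugdirkob (\??\C:\Users\uzivatel\AppData\Local\Temp\ugdirkob.sys) -> Found",
    r"S3 FXDrv32; \??\D:\FXDrv64.sys [X]",
    r"S3 exampledrv; C:\Windows\System32\drivers\exampledrv.sys",  # hypothetical, not from the thread
]


def normalize_image_path(path):
    """Strip the \\??\\ NT prefix so the path can be compared as a plain drive path."""
    path = path.strip()
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path


def assess_driver_path(path, file_missing=False):
    """Return the reasons a service's image path deserves a closer look (empty list = nothing odd)."""
    reasons = []
    p = normalize_image_path(path).lower()
    if file_missing:
        reasons.append("image file missing (orphaned service entry)")
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        reasons.append("image in user-writable directory")
    drive = p[:2] if re.match(r"^[a-z]:", p) else ""
    if drive and drive != SYSTEM_DRIVE:
        reasons.append("image on non-system volume %s" % drive.upper())
    elif drive == SYSTEM_DRIVE and not p.startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("image outside the usual driver directories")
    return reasons


def parse_line(line):
    """Parse one RogueKiller or FRST line into {name, path, file_missing}, or None if it is neither."""
    m = ROGUEKILLER_RE.match(line)
    if m:
        # The service name is the last component of the registry key.
        return {"name": m.group("key").rsplit("\\", 1)[-1], "path": m.group("path"), "file_missing": False}
    m = FRST_SERVICE_RE.match(line)
    if m:
        return {"name": m.group("name"), "path": m.group("path"), "file_missing": m.group("flag") == "X"}
    return None


def triage(lines):
    """Return one record per parsable line, with the reasons it was flagged."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        entry["reasons"] = assess_driver_path(entry["path"], entry["file_missing"])
        results.append(entry)
    return results


if __name__ == "__main__":
    for rec in triage(SAMPLE_LINES):
        print(rec["name"], "->", rec["reasons"] or ["no findings"])
```

On the thread's own lines this flags ugdirkob for living in a user-writable Temp directory outside any driver directory, and FXDrv32 both for its missing image file and for pointing at a non-system volume, which is consistent with the removable disk mentioned in the first post.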

#3 EvaEva (Topic Starter, Members, 27 posts)

Posted 06 February 2017 - 10:46 AM

Asked files are attached.

Attached Files



#4 nasdaq (Malware Response Team, 39,206 posts, Montreal, QC. Canada)

Posted 06 February 2017 - 11:22 AM

Nothing suspicious was found in your Addition.txt log.

#5 EvaEva (Topic Starter, Members, 27 posts)

Posted 07 February 2017 - 01:04 AM

Today my computer is very slow; I ran a GMER scan. Is the scan ok?

Attached Files



#6 nasdaq (Malware Response Team, 39,206 posts, Montreal, QC. Canada)

Posted 07 February 2017 - 08:40 AM


GMER is no longer being supported.

===

We will check your BIOS and Master boot record.

Read carefully and follow these steps.
TDSS
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
  • There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Wait for further instructions.

==

p.s.
If you use a CD emulator, disable it before running these tools.

Disable the CD emulators....

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed. Or when this computer is clean.

HOW TO: Enable the CD Emulators... < restore only when we are finished.

To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.
===



#7 EvaEva (Topic Starter, Members, 27 posts)

Posted 07 February 2017 - 02:23 PM

Thank you, I am attaching 2 files. In the MBR zipped folder were all my private files and family pictures that I have in the computer.

 

I'd like to mention the message that I saw when I turned on the computer today: "You have been logged on with temporary profile. Contact your system administrator. You can not access your files and files created in this profile will be deleted when you log off."

Attached Files



#8 nasdaq (Malware Response Team, 39,206 posts, Montreal, QC. Canada)

Posted 08 February 2017 - 09:48 AM


You have been logged on with temporary profile

Do you remember the profile you used?

You may have used a profile that was previously deleted.

Check this article.

http://ccm.net/faq/34674-windows-error-message-you-have-been-logged-in-with-a-temporary-profile

Investigate the profiles that are listed in the Registry keys.

Delete the .bak profile if you are sure that the referenced profile was removed.

p.s.
Your last logs submitted are clean.

#9 EvaEva (Topic Starter, Members, 27 posts)

Posted 09 February 2017 - 07:07 AM

I am sorry, I have no idea what to do, could not find profile ending with the .bak extension in REGEDIT.



#10 nasdaq (Malware Response Team, 39,206 posts, Montreal, QC. Canada)

Posted 09 February 2017 - 08:56 AM


Let's check further.

SystemLook.exe
SystemLook_x64.exe
  • Double-click SystemLook.exe/SystemLook_x64.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :reg
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList /sub
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===



#11 EvaEva (Topic Starter, Members, 27 posts)

Posted 10 February 2017 - 08:44 AM

the log is attached

Attached Files



#12 nasdaq (Malware Response Team, 39,206 posts, Montreal, QC. Canada)

Posted 10 February 2017 - 10:18 AM


Quoted from your Addition.txt log.

==================== Accounts: =============================

Administrator (S-1-5-21-3982991693-611816459-160826111-500 - Administrator - Disabled) => C:\Users\Administrator
Guest (S-1-5-21-3982991693-611816459-160826111-501 - Limited - Disabled)
uzivatel (S-1-5-21-3982991693-611816459-160826111-1000 - Administrator - Enabled) => C:\Users\uzivatel


Report for the scan.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3982991693-611816459-160826111-1000]
"ProfileImagePath"="C:\Users\uzivatel"
"Flags"= 0x0000000000 (0)
"State"= 0x0000000100 (256)
"Sid"=01 05 00 00 00 00 00 05 15 00 00 00 4d a1 67 ed 0b 94 77 24 ff 02 96 09 e8 03 00 00 (REG_BINARY)
"ProfileLoadTimeLow"= 0x0000000000 (0)
"ProfileLoadTimeHigh"= 0x0000000000 (0)
"RefCount"= 0x0000000001 (1)
"RunLogonScriptSync"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3982991693-611816459-160826111-500]
"ProfileImagePath"="C:\Users\Administrator"
"Flags"= 0x0000000000 (0)
"State"= 0x0000000304 (772)
"Sid"=01 05 00 00 00 00 00 05 15 00 00 00 4d a1 67 ed 0b 94 77 24 ff 02 96 09 f4 01 00 00 (REG_BINARY)
"ProfileLoadTimeLow"= 0x0000000000 (0)
"ProfileLoadTimeHigh"= 0x0000000000 (0)
"RefCount"= 0x0000000000 (0)
"RunLogonScriptSync"= 0x0000000000 (0)


You were logged in as UserName: uzivatel when you got the error message.

Just forget about it unless you get the message again.
If you do, try to remember which profile you are using at the time.

Any remaining issues?
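The ProfileList check in posts #8 to #12 comes down to three questions: is there a key ending in .bak, does any key carry the temporary-profile bit in its State value, and does each key's Sid value decode to the SID in the key name? The Python below is an added example, not code from the thread or from SystemLook, that parses the SystemLook :reg output quoted above and answers those questions. The two real keys from this post are followed by a constructed .bak/temporary pair for a SID ending in -1001 that does not exist on the machine in the thread; the flag names are shorthand for the bit meanings Microsoft documents for the ProfileList State value, with 0x0800 marking a temporary profile.

```python
import re

# ProfileList "State" bits as documented by Microsoft; the names are this example's shorthand.
STATE_FLAGS = [
    (0x0001, "MANDATORY"),
    (0x0002, "UPDATE_LOCAL_CACHE"),
    (0x0004, "NEW_LOCAL"),
    (0x0008, "NEW_CENTRAL"),
    (0x0010, "UPDATE_CENTRAL"),
    (0x0020, "DELETE_CACHE"),
    (0x0040, "UPGRADE"),
    (0x0080, "GUEST"),
    (0x0100, "ADMINISTRATOR"),
    (0x0200, "DEFAULT_NET_READY"),
    (0x0400, "SLOW_LINK"),
    (0x0800, "TEMPORARY"),
]
TEMPORARY = 0x0800

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<rest>.*)$')
DWORD_RE = re.compile(r"^0x[0-9a-fA-F]+\s*\((?P<dec>\d+)\)$")

# Sample dump: the two keys quoted in the thread, then a constructed pair (SID -1001, not on the
# real machine) showing what a temporary-profile logon leaves behind: the original key renamed
# to .bak and a fresh key for the same SID pointing at C:\Users\TEMP with the TEMPORARY bit set.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3982991693-611816459-160826111-1000]
"ProfileImagePath"="C:\Users\uzivatel"
"Flags"= 0x0000000000 (0)
"State"= 0x0000000100 (256)
"Sid"=01 05 00 00 00 00 00 05 15 00 00 00 4d a1 67 ed 0b 94 77 24 ff 02 96 09 e8 03 00 00 (REG_BINARY)
"RefCount"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3982991693-611816459-160826111-500]
"ProfileImagePath"="C:\Users\Administrator"
"State"= 0x0000000304 (772)
"Sid"=01 05 00 00 00 00 00 05 15 00 00 00 4d a1 67 ed 0b 94 77 24 ff 02 96 09 f4 01 00 00 (REG_BINARY)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3982991693-611816459-160826111-1001.bak]
"ProfileImagePath"="C:\Users\someuser"
"State"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3982991693-611816459-160826111-1001]
"ProfileImagePath"="C:\Users\TEMP"
"State"= 0x0000000800 (2048)
"""


def parse_value(rest):
    """Turn the right-hand side of a SystemLook value line into str, int or bytes."""
    rest = rest.strip()
    if rest.startswith('"') and rest.endswith('"'):
        return rest[1:-1]
    m = DWORD_RE.match(rest)
    if m:
        return int(m.group("dec"))
    if rest.endswith("(REG_BINARY)"):
        return bytes.fromhex(rest[: -len("(REG_BINARY)")].strip())
    return rest


def parse_systemlook_reg(text):
    """Map each ProfileList subkey name (the SID, possibly with .bak) to its values."""
    profiles, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key").rsplit("\\", 1)[-1]
            profiles[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            profiles[current][vm.group("name")] = parse_value(vm.group("rest"))
    return profiles


def sid_bytes_to_string(blob):
    """Decode a binary SID: revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = [int.from_bytes(blob[8 + 4 * i: 12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def decode_state(state):
    """Names of the State bits that are set, lowest bit first."""
    return [name for bit, name in STATE_FLAGS if state & bit]


def find_temporary_profiles(profiles):
    """Flag .bak keys, keys with the TEMPORARY bit, and keys whose Sid value disagrees with the key name."""
    findings = []
    for key, values in profiles.items():
        is_bak = key.lower().endswith(".bak")
        base_sid = key[:-4] if is_bak else key
        if is_bak:
            findings.append("%s: backup key present, original profile for %s was set aside" % (key, base_sid))
        state = values.get("State", 0)
        if isinstance(state, int) and state & TEMPORARY:
            findings.append("%s: TEMPORARY state bit set, profile path %s" % (key, values.get("ProfileImagePath")))
        sid = values.get("Sid")
        if isinstance(sid, bytes) and sid_bytes_to_string(sid) != base_sid:
            findings.append("%s: Sid value decodes to %s, which does not match the key name" % (key, sid_bytes_to_string(sid)))
    return findings


if __name__ == "__main__":
    profiles = parse_systemlook_reg(SAMPLE_DUMP)
    for key, values in profiles.items():
        print(key, values.get("ProfileImagePath"), decode_state(values.get("State", 0)))
    for finding in find_temporary_profiles(profiles):
        print("FINDING:", finding)
```

Run against the two real keys only, it reports nothing, which matches the helper's conclusion: uzivatel's State of 256 is just the ADMINISTRATOR bit, the Administrator account's 772 adds NEW_LOCAL and DEFAULT_NET_READY, and both binary Sid values decode to the SIDs in their key names. The constructed pair is what the dump would have looked like had the temporary-profile logon left a trace.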

#13 EvaEva (Topic Starter, Members, 27 posts)

Posted 11 February 2017 - 10:23 AM

Ok, thanks a lot. When I turn on the computer, the time always shows year 2007; I have to change it every time manually. How would I fix it? Also the volume and sound do not work lately.



#14 nasdaq (Malware Response Team, 39,206 posts, Montreal, QC. Canada)

Posted 12 February 2017 - 08:57 AM

When I turn on the computer, the time always shows year 2007, I have to change it everytime manually

The Cadmium battery on the mother board is dead.
http://www.hardwaresecrets.com/replacing-the-motherboard-battery/

Until you replace it, create or edit the Autoexec.bat file if one exists.

The file should be in the root folder i.e. C:\

Add the following 2 lines
If you do not have one, create a file with Notepad and name it Autoexec.bat.

DATE
TIME


Save the file. Make sure the extension is .bat

Restart the computer normally.
You will then be prompted to change the Date and Time each time you start the computer.

Read about it.
https://en.wikipedia.org/wiki/AUTOEXEC.BAT

---

Also the volume, sound do not work lately.

Right click on the sound icon on the TaskBar click the Sound option.
Make sure the Windows Default is set.
Click the Apply button.

There is also a Troubleshooting option that you should try.

If the problem is not solved, let's check your PATH Environment.

Navigate to this page.
http://www.computerhope.com/issues/ch000549.htm

Refer to this section.
Setting the path and variables in Windows Vista and Windows 7

In the PATH details the minimum you should have is this.

Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;

There could be more.

Before you do any change to the PATH please post the current settings for my review.

Edited by nasdaq, 12 February 2017 - 08:58 AM.


#15 EvaEva (Topic Starter, Members, 27 posts)

Posted 13 February 2017 - 12:52 AM

I have not done any changes to the Path yet. This is what I have in the PATH now:

%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0;C:\Program Files\RogueKiller;
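The PATH review the helper asked for in #14 can be done mechanically. The Python below is an added example, not something from the thread: it expands %SystemRoot% (assumed here to be C:\Windows), confirms that the three minimum entries from #14 are present, flags entries that are relative or sit in user-writable directories (the ones that let a planted executable shadow a system command of the same name), and lists any non-Windows entry for manual review. The value posted in #15 is used as-is; the second PATH is constructed to show the other outcomes.

```python
import re

# Assumed value of %SystemRoot% on the machine in the thread (Windows 7 on C:).
DEFAULT_ENV = {"SYSTEMROOT": "C:\\Windows"}

# The minimum entries listed in #14, compared case-insensitively without trailing backslashes.
REQUIRED_ENTRIES = ("C:\\Windows\\system32", "C:\\Windows", "C:\\Windows\\System32\\Wbem")
# Directories any user on the machine can write into; a PATH entry there is a hijack risk.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Entries under these prefixes are taken as part of Windows; everything else is listed for review.
SYSTEM_PREFIXES = ("c:\\windows",)

ENV_VAR_RE = re.compile(r"%([^%]+)%")

# The PATH value posted in #15, and a constructed bad value for comparison.
POSTED_PATH = r"%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0;C:\Program Files\RogueKiller;"
BAD_PATH = r"C:\Users\uzivatel\AppData\Local\Temp;.;%SystemRoot%"


def expand_entries(value, env=DEFAULT_ENV):
    """Split PATH on ';', expand %VAR% references case-insensitively, and drop empty elements."""
    def sub(m):
        return env.get(m.group(1).upper(), m.group(0))  # unknown variables are left as typed
    entries = []
    for raw in value.split(";"):
        raw = raw.strip()
        if raw:
            entries.append(ENV_VAR_RE.sub(sub, raw))
    return entries


def _norm(entry):
    """Normalise an entry for comparison: lower-case, no trailing backslash."""
    return entry.lower().rstrip("\\")


def check_path(value, env=DEFAULT_ENV):
    """Report missing required entries, risky entries, and entries that merit manual review."""
    entries = expand_entries(value, env)
    present = {_norm(e) for e in entries}
    report = {"entries": entries, "missing": [], "warnings": [], "review": []}
    for req in REQUIRED_ENTRIES:
        if _norm(req) not in present:
            report["missing"].append(req)
    for e in entries:
        n = _norm(e)
        if not re.match(r"^[a-z]:\\", n):
            report["warnings"].append("relative or unexpanded entry: %s" % e)
        elif any(marker in n + "\\" for marker in USER_WRITABLE_MARKERS):
            report["warnings"].append("user-writable directory on PATH: %s" % e)
        elif not n.startswith(SYSTEM_PREFIXES):
            report["review"].append(e)
    return report


if __name__ == "__main__":
    for label, value in (("posted", POSTED_PATH), ("constructed bad", BAD_PATH)):
        rep = check_path(value)
        print(label, "missing:", rep["missing"])
        print(label, "warnings:", rep["warnings"])
        print(label, "review:", rep["review"])
```

For the posted value the result is nothing missing, no warnings, and only C:\Program Files\RogueKiller listed for review, which is the extra entry the helper anticipated with "There could be more"; the constructed value shows two of the three minimum entries missing plus warnings for the Temp directory and the relative "." entry.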





