
Hello, please help me. I can't remove this virus that corrupts my programs, makes them slow, and disables the firewall and Windows Update.

Here is the DDS log:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Owner at 10:42:31 on 2012-09-05

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1221 [GMT 8:00]

.

.

============== Running Processes ===============

.

C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Documents and Settings\All Users\Application Data\DatacardService\DCService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Sun Broadband Wireless\Sun Broadband Wireless.exe

C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

.

============== Pseudo HJT Report ===============

.

mWinlogon: SfcDisable=-99 (0xffffff9d)

BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll

BHO: Advanced SystemCare Browser Protection: {ba0c978d-d909-49b6-afe2-8bde245dc7e6} - c:\progra~1\iobit\advanc~1\brower~1\ASCPLU~1.DLL

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot

uRun: [Advanced SystemCare 6] "c:\program files\iobit\advanced systemcare 6\ASCTray.exe" /AutoStart

mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm

IE: Download with IDM - c:\program files\internet download manager\IEExt.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

TCP: DhcpNameServer = 202.138.128.50 202.138.128.54

TCP: Interfaces\{3D944068-B018-452F-9F38-9157AC010FA8} : DhcpNameServer = 202.138.128.50 202.138.128.54

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SecurityProviders: schannel.dll, credssp.dll, digest.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\m839ur2s.default\

FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.http.pipelining.maxrequests - 8

FF - user.js: network.http.request.max-start-delay - 0

FF - user.js: network.http.max-connections - 48

FF - user.js: network.http.max-connections-per-server - 16

FF - user.js: network.http.max-persistent-connections-per-proxy - 16

FF - user.js: network.http.max-persistent-connections-per-server - 8

FF - user.js: browser.turbo.enabled - true

FF - user.js: browser.display.show_image_placeholders - true

FF - user.js: browser.chrome.favicons - false

FF - user.js: browser.urlbar.autocomplete.enabled - true

FF - user.js: browser.cache.memory.capacity - 65536

FF - user.js: content.notify.ontimer - true

FF - user.js: content.interrupt.parsing - true

FF - user.js: content.max.tokenizing.time - 2250000

FF - user.js: content.switch.threshold - 750000

FF - user.js: plugin.expose_full_path - true

FF - user.js: ui.submenuDelay - 0

.

============= SERVICES / DRIVERS ===============

.

R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [2011-9-16 13616]

R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [2011-9-16 5632]

R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [2011-9-16 13616]

R0 nvlegacy;nvlegacy;c:\windows\system32\drivers\nvlegacy.sys [2011-9-16 100736]

R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2012-8-31 109768]

R2 AdvancedSystemCareService6;Advanced SystemCare Service 6;c:\program files\iobit\advanced systemcare 6\ASCService.exe [2012-9-3 1026432]

R2 DCService.exe;DCService.exe;c:\documents and settings\all users\application data\datacardservice\DCService.exe [2010-5-8 229376]

R2 PfFilter;PfFilter;c:\program files\iobit\protected folder\pffilter.sys [2012-9-4 140976]

R3 amsint32;amsint32;\??\c:\windows\system32\drivers\gesmf.sys --> c:\windows\system32\drivers\gesmf.sys [?]

R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2012-9-2 117504]

R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [2012-9-2 70656]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-9-3 22344]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-9-5 40776]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-9-3 655944]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2012-9-3 1691480]

S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [2012-9-2 101504]

S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-9-3 35144]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-9-3 114144]

S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files\iobit\game booster 3\driver\WinRing0.sys [2012-9-4 14416]

.

=============== Created Last 30 ================

.

2012-09-05 01:41:56 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-09-04 01:58:37 98816 ----a-w- c:\windows\sed.exe

2012-09-04 01:58:37 518144 ----a-w- c:\windows\SWREG.exe

2012-09-04 01:58:37 256000 ----a-w- c:\windows\PEV.exe

2012-09-04 01:58:37 208896 ----a-w- c:\windows\MBR.exe

2012-09-04 01:58:34 -------- d-s---w- C:\ComboFix

2012-09-04 00:51:05 85504 ----a-w- c:\windows\system32\ff_vfw.dll

2012-09-04 00:51:03 -------- d-----w- c:\program files\ffdshow

2012-09-03 09:45:25 -------- d-----w- c:\documents and settings\owner\application data\IObit

2012-09-03 09:45:25 -------- d-----w- c:\documents and settings\owner\AppData

2012-09-03 09:45:25 -------- d-----w- c:\documents and settings\all users\application data\IObit

2012-09-03 09:45:21 -------- d-----w- c:\program files\IObit

2012-09-03 06:56:07 -------- d-----w- c:\program files\CCleaner

2012-09-03 06:55:52 -------- d-----w- c:\program files\Defraggler

2012-09-03 06:49:55 -------- d-----w- c:\program files\Speccy

2012-09-03 06:18:29 99328 ----a-w- C:\urcff.exe

2012-09-03 05:33:07 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2012-09-03 02:47:18 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes

2012-09-03 02:47:12 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2012-09-03 02:47:11 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-03 02:47:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-09-03 00:49:51 -------- d-----w- c:\windows\system32\appmgmt

2012-09-03 00:31:50 -------- d-----w- c:\windows\system32\Lang

2012-09-03 00:29:55 32768 ----a-w- c:\program files\common files\installshield\professional\runtime\Objectps.dll

2012-09-03 00:29:55 204800 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iuser.dll

2012-09-03 00:29:55 1706640 ----a-r- c:\windows\RtlExUpd.dll

2012-09-03 00:29:54 757760 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iKernel.dll

2012-09-03 00:29:54 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\ctor.dll

2012-09-03 00:29:54 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\DotNetInstaller.exe

2012-09-03 00:29:54 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iscript.dll

2012-09-03 00:29:54 200836 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iGdi.dll

2012-09-03 00:29:53 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\setup.dll

2012-09-03 00:27:02 -------- d-----w- c:\documents and settings\all users\application data\NVIDIA Corporation

2012-09-03 00:26:08 -------- d-----w- c:\windows\system32\ReinstallBackups

2012-09-03 00:26:05 215656 ----a-r- c:\windows\system32\NVCOSMB.DLL

2012-09-03 00:22:35 -------- d-----w- c:\documents and settings\owner\local settings\application data\WinZip

2012-09-02 08:34:07 -------- d--h--w- c:\windows\PIF

2012-09-02 02:44:00 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll

.

==================== Find3M ====================

.

2012-08-02 00:23:14 109768 ----a-w- c:\windows\system32\drivers\idmtdi.sys

2012-06-12 10:10:44 6138512 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys

.

============= FINISH: 10:42:46.75 ===============

The scan log:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.09.03.09

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Owner :: ANONYMOUS [administrator]

Protection: Disabled

9/5/2012 9:42:05 AM

mbam-log-2012-09-05 (10-36-21).txt

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 217333

Time elapsed: 54 minute(s),

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 2

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> No action taken.

HKLM\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> No action taken.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 3

HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\urcff.exe (Trojan.Agent) -> No action taken.

D:\hpkh.pif (Trojan.Agent) -> No action taken.

(end)

I hope someone can help me fix my problem.


Hello and welcome to MalwareBytes forums.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double-click My Computer; from the menu, select Tools, then Folder Options, then the View tab, and look at all of the settings listed.

Check (turn on) Display the contents of system folders.

Under Hidden files and folders, select Show hidden files and folders.

Next, uncheck Hide extensions for known file types.

Next, uncheck Hide protected operating system files.

Step 3

Temporarily turn off your antivirus program, so that it does not interfere.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Save and close any work documents, close any apps that you started.

Start MalwareBytes' Anti-Malware (MBAM).

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

When all done, Copy and Paste the contents of the scan log.

Now, re-enable your antivirus program.


Hey, thanks for the reply and help. Here is the scan log of my computer:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.09.07.06

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Owner :: ANONYMOUS [administrator]

Protection: Enabled

9/7/2012 7:39:31 PM

mbam-log-2012-09-07 (19-48-29).txt

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 191610

Time elapsed: 8 minute(s), 50 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 1

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> No action taken.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 3

HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0

(No malicious items detected)

Files Detected: 5

C:\urcff.exe (Trojan.Agent) -> No action taken.

C:\System Volume Information\_restore{01E4AB69-E7F7-493E-A42E-C6542972D34E}\RP17\A0015529.exe (Trojan.Agent) -> No action taken.

C:\System Volume Information\_restore{01E4AB69-E7F7-493E-A42E-C6542972D34E}\RP17\A0015638.exe (Trojan.Agent) -> No action taken.

C:\System Volume Information\_restore{01E4AB69-E7F7-493E-A42E-C6542972D34E}\RP17\A0015791.exe (Trojan.Agent) -> No action taken.

D:\hpkh.pif (Trojan.Agent) -> No action taken.

(end)


Why did you not select all those items to be removed? You shoulda' done that.

Redo a new run of MBAM.

When it shows the tagged items,

Make sure that everything is checked, and click Remove Selected.

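Both MBAM logs above list the same Sality artifacts, and every line ends in "No action taken", which is the point the helper makes. As an added example (not part of the thread and not Malwarebytes' own code), here is a small Python parser for this MBAM 1.62 log format: it separates items left in place from items quarantined, lists the Security Center values flagged as PUM.Disabled.SecurityCenter (the notifications the infection switched off, matching the "firewall and windows update disabled" complaint), and cross-checks each section's declared count against the lines actually present. The sample log is a constructed excerpt in the same format, with one header deliberately disagreeing with its lines.

```python
import re

# Constructed excerpt in the format of the Malwarebytes Anti-Malware 1.62 logs posted in the
# thread (item names taken from those logs). The "Registry Data Items" header deliberately
# claims 3 entries while only 2 are listed, to exercise the truncated-paste check below.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org
Database version: v2012.09.07.06
Scan type: Full scan (C:\|D:\|)

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> No action taken.

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Files Detected: 2
C:\urcff.exe (Trojan.Agent) -> No action taken.
D:\hpkh.pif (Trojan.Agent) -> Quarantined and deleted successfully.

(end)
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<item> (<family>) -> <action>" or, for registry data, "... -> Bad: (x) Good: (y) -> <action>"
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
BADGOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")

# Family MBAM assigns to the Security Center values that were flipped to 1, so the user is
# no longer warned that antivirus, firewall or Windows Update is off.
TAMPERING_FAMILY = "PUM.Disabled.SecurityCenter"


def classify_action(action):
    """Map MBAM's trailing action text to a coarse status."""
    a = action.lower()
    if a.startswith("no action taken"):
        return "left_in_place"
    if a.startswith("quarantined"):
        return "remediated"
    return "other"


def parse_mbam_log(text):
    """Return (findings, declared_counts).

    findings: one dict per detection line, tagged with the section it appeared under.
    declared_counts: the per-section totals announced by the "... Detected: N" headers.
    """
    findings, declared, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            declared[section] = int(header.group("count"))
            continue
        hit = ITEM_RE.match(line)
        if not hit or section is None:
            continue  # banner, "(No malicious items detected)", blank line, "(end)"
        rest = hit.group("rest")
        badgood = BADGOOD_RE.search(rest)
        action = rest.split("->")[-1].strip()
        findings.append({
            "section": section,
            "item": hit.group("item"),
            "family": hit.group("family"),
            "action": action,
            "status": classify_action(action),
            "bad": badgood.group("bad") if badgood else None,
            "good": badgood.group("good") if badgood else None,
        })
    return findings, declared


def summarize(findings):
    """Group items by what MBAM did with them and list the tampered Security Center values."""
    summary = {"left_in_place": [], "remediated": [], "other": [], "tampering": []}
    for f in findings:
        summary[f["status"]].append(f["item"])
        if f["family"] == TAMPERING_FAMILY:
            # Registry data items are written as "<key>|<value name>"; keep the value name.
            summary["tampering"].append(f["item"].rsplit("|", 1)[-1])
    return summary


def check_counts(findings, declared):
    """Flag sections whose header total differs from the lines present (truncated paste)."""
    problems = []
    for section, expected in declared.items():
        actual = sum(1 for f in findings if f["section"] == section)
        if actual != expected:
            problems.append(f"{section}: header reports {expected} item(s), log lists {actual}")
    return problems


if __name__ == "__main__":
    found, declared = parse_mbam_log(SAMPLE_LOG)
    report = summarize(found)
    print("Left in place (rerun the scan and choose Remove Selected):")
    for item in report["left_in_place"]:
        print("  ", item)
    print("Remediated:", len(report["remediated"]))
    print("Security Center notifications tampered with:", ", ".join(report["tampering"]))
    for problem in check_counts(found, declared):
        print("WARNING:", problem)
```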

Ohh, sorry, sorry, okay, here:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.09.07.06

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Owner :: ANONYMOUS [administrator]

Protection: Enabled

9/7/2012 7:57:37 PM

mbam-log-2012-09-07 (19-57-37).txt

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 192139

Time elapsed: 10 minute(s), 47 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 1

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> Quarantined and deleted successfully.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 3

HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 5

C:\urcff.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{01E4AB69-E7F7-493E-A42E-C6542972D34E}\RP17\A0015529.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{01E4AB69-E7F7-493E-A42E-C6542972D34E}\RP17\A0015638.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{01E4AB69-E7F7-493E-A42E-C6542972D34E}\RP17\A0015791.exe (Trojan.Agent) -> Quarantined and deleted successfully.

D:\hpkh.pif (Trojan.Agent) -> Quarantined and deleted successfully.

(end)


OK. You did good there.

Why do I not see an antivirus program shown in your earlier DDS log ?

How long has this system been without an antivirus program ?

Download and Save McAfee Stinger to your Desktop

http://www.mcafee.com/us/downloads/free-tools/stinger.aspx

Close all browsers before starting. Disable your antivirus program and anti-malware, if any.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

On Windows 7 & Vista systems, right-click the Stinger icon and select Run as Administrator.

On XP, double-click to start it.

The GUI interface will look like this (screenshot: stinger2.png).

The C drive is the default for scanning.

Press the Preferences button. In the top right block "On virus detection", click Rename.

In the bottom block "Heuristic network check for suspicious files" select High

Click the Scan Now button.

When done, use the File menu and select Save report to file

Stinger.txt is the log report and will be saved to your Desktop. I will need a copy of that log.

RE-Enable your anti-virus program.

Stinger is a standalone utility used to detect and remove specific malware. It is not a full scan for all types of malware or viruses.

It is not intended as virus protection.

Step 2

Download Dr.Web CureIt to the desktop.

  • Turn OFF your antivirus program.
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Double-click the drweb-cureit.exe file, then on Start, and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow (drweb.jpg) at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the following icon (check.gif) next to the files found.
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image (move.gif).
  • This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

Re-Enable your antivirus program when all done.


When I try to download an antivirus, the virus always removes it and doesn't let it install.

I can't load or download McAfee Stinger and Dr.Web CureIt. I don't know why.


We will return to those 2 tools in a bit.

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".

NEXT,

Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall.

Please download Rkill by Grinler and save it to your desktop.

  • Link 2
  • Link 3
  • Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • If your antivirus program gives a prompt message, respond positively to allow RKILL to run.
  • If a malware rogue gives a message regarding RKILL, proceed forward to running RKILL.

IF you still have a problem running RKILL, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

AFTER you have completed these 2 tools, go back and do the STINGER step.

After that is done, do the Dr.Web CureIt step.


I have to ask, How long has your computer been without an installed antivirus program?

How long have you had this computer?

Do you by any chance have access to a clean computer? (obviously, one different from this one)

Do you have a new, unused USB flash (thumb) drive?

What browser are you using? Explain in painful detail how you cannot download.

Do you get to the site? yes/no

Do you get to Save? yes/no

As this system has been without an antivirus program, I believe we will eventually get to the conclusion that you should wipe the system clean and start over from scratch.

What brand is this computer?

Do you have the Windows XP CD?

Do you have a recent backup of this system (offline, on an external drive or CD or DVD) from before this infection??

(which, by the way, it looks like you have had for a few months!!)


I have to ask, how long has your computer been without an installed antivirus program? Since Windows XP was installed.

How long have you had this computer? 2009.

Do you by any chance have access to a clean computer? (obviously, one different from this one) No, sorry.

Do you have a new, unused USB flash (thumb) drive? Yes, I have.

What browser are you using? Explain in painful detail how you cannot download. I use Chrome. I can download Avast, but when I try to install it, it always crashes my PC and then restarts it; after that the Avast installer is gone.

Do you get to the site? yes/no: I can't go to McAfee and Dr.Web CureIt.

Do you get to Save? yes/no: I can save Dr.Web CureIt, but it won't start downloading; it is always at 0.00%.

As this system has been without an antivirus program, I believe we will eventually get to the conclusion that you should wipe the system clean and start over from scratch.

What brand is this computer? I don't know what brand my computer is (noob here >.<).

Do you have the Windows XP CD? I don't have it.

Do you have a recent backup of this system (offline, on an external drive or CD or DVD) from before this infection?? I don't have one :(

(which, by the way, it looks like you have had for a few months!!)


Given it's been 3 & 1/2 years without an antivirus, I have serious doubts this can be fully recovered. Sorry to be blunt, but that is being frank.

Instead of Chrome (which you should close and exit), use Internet Explorer. Select it from the Start menu.

And now try slowly & very carefully to get the 2 tools I asked you to get.


Clearly confirm for me: Did you run RKILL ?

Did you run TFC ?

No, stinger & drWeb Cure-it are only at the sites I listed.

You are not writing clearly. When was this PC reformatted??

Where did you buy this system?

I cannot believe it was sold without an antivirus!


Clearly confirm for me: Did you run RKILL? Yes, I ran it.

Did you run TFC? Yes.

No, stinger & drWeb Cure-it are only at the sites I listed.

You are not writing clearly. When was this PC reformatted??

Where did you buy this system? My brother got it from his friend.

I cannot believe it was sold without an antivirus ~


  • Download & SAVE to your Desktop Tigzy's RogueKiller >> from here << or
    >> from here <<
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Do NOT press any Fix button.
  • Exit/Close RogueKiller


RogueKiller V8.0.2 [08/31/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Owner [Admin rights]

Mode : Scan -- Date : 09/07/2012 22:34:16

¤¤¤ Bad processes : 1 ¤¤¤

[SUSP PATH] DCService.exe -- C:\Documents and Settings\All Users\Application Data\DatacardService\DCService.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 8 ¤¤¤

[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND

[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND

[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD16 00AAJS-00PSA SCSI Disk Device +++++

--- User ---

[MBR] 8fdebe2fca2bc9e07a8f23047a1e5af2

[BSP] b3aad4fe3b9de60b603917d6e42b4d65 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 80003 Mo

1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 163846935 | Size: 72614 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1].txt >>

RKreport[1].txt


  • Please disconnect any USB or external drives from the computer before you run this scan!
  • Right-Click RogueKiller and select Run as Administrator.
  • Wait until Prescan finishes.
  • On the RogueKiller console, click the Registry tab.
  • Then press the Delete button.
  • When done, logoff & Restart the system.
  • The log will be found as RKreport
    Copy & Paste the contents into next reply.


RogueKiller V8.0.2 [08/31/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Owner [Admin rights]

Mode : Remove -- Date : 09/07/2012 23:18:43

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤

[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED

[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)

[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)

[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)

[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)

[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD16 00AAJS-00PSA SCSI Disk Device +++++

--- User ---

[MBR] 8fdebe2fca2bc9e07a8f23047a1e5af2

[BSP] b3aad4fe3b9de60b603917d6e42b4d65 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 80003 Mo

1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 163846935 | Size: 72614 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[4].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt


Please understand that there should be NO websurfing on this system, NO online games, NO online shopping, No banking.

Only go to this forum and the websites I guide you to.

Confirm for me, if this is your pc or if this is owned by someone else.

Look on the computer housing: what is the name-manufacturer of this system ?

Also, why does this system have nLite??

What is the main use of this computer?

Be especially aware, again, the likelihood of having to wipe the system from scratch is very high.

The system should never, ever have been without an antivirus.

Step 1

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Step 2

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Double-Click on TDSSKiller.exe to run the application, then on Start Scan.
    If running Vista or Windows 7, do a RIGHT-Click and select Run as Administrator to start TDSSKILLER.exe.
  • If an infected file is detected, the default action will be Cure, click on Continue.
    TDSSKillerMal-1.png
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    TDSSKillerCompleted.png
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 3

  • Please download CKScanner from >>Here<<
  • Important: Save it to your desktop.
  • Right-click CKScanner.exe & select Run as administrator to start.
  • Then click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved. Please Run the program only once.
  • Copy/paste the contents of CKFiles.txt in your next reply.


Press the More Reply Options button. You can attach log files to a reply.


This thread will be closed if I do not hear back from you before end-of-day 9 SEPT

This topic is now closed to further replies.