Jump to content

Recurrent Malware Issue? Involuntary Backups?

Recommended Posts

It didn't create the report. This is what the text box said when it was finished running:


Scanning threads...     completed

Scanning processes...   completed

Fixing registry...           completed


Monitoring thread started


Sality Reg Cure: Restoring General Registry Keys

Sality Reg Cure: Fixing system ini

Scanning Drives...

Scanning c:\...

Scanning D:\...

Monitoring thread stopped



Infected files: 0

Infected processes: 0

Infected threads: 0

Cured files: 0

Will be cured on reboot: 0

Executed registry scripts: 1

Link to post
Share on other sites
  • Replies 220
  • Created
  • Last Reply

Top Posters In This Topic

  • Root Admin

Well that's good news that you don't have Sality on the system.
Let's try one more tool before possibly calling it quits and rebuilding the computer.

1.Please download HitmanPro.

  • For 32-bit Operating System - dEMD6.gif.
  • This is the mirror - dEMD6.gif
  • For 64-bit Operating System - dEMD6.gif
  • This is the mirror - dEMD6.gif

2.Launch the program by double clicking on the 5vo5F.jpg icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).

Note: If the program won't run please then open the program while holding down the left CTRL key until the program is loaded.

3.Click on the next button. You must agree with the terms of EULA. (if asked)

4.Check the box beside "No, I only want to perform a one-time scan to check this computer".

5.Click on the next button.

6.The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7.When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!

8.Click on the next button.

9.Click on the "Save Log" button.

10.Save that file to your desktop and post the content of that file in your next reply.

Link to post
Share on other sites
HitmanPro   Computer name . . . . : FREEBIRD-PC   Windows . . . . . . . :   User name . . . . . . : FreeBird-PC\Free Bird   UAC . . . . . . . . . : Enabled   License . . . . . . . : Free   Scan date . . . . . . : 2013-09-24 20:37:31   Scan mode . . . . . . : Normal   Scan duration . . . . : 3m 54s   Disk access mode  . . : Direct disk access (SRB)   Cloud . . . . . . . . : Internet   Reboot  . . . . . . . : No   Threats . . . . . . . : 0   Traces  . . . . . . . : 888   Objects scanned . . . : 1,816,574   Files scanned . . . . : 29,118   Remnants scanned  . . : 503,778 files / 1,283,678 keysCookies _____________________________________________________________________   C:\Users\Free Bird\AppData\Roaming\Microsoft\Windows\Cookies\EL4P9GG0.txt   C:\Users\Free Bird\AppData\Roaming\Microsoft\Windows\Cookies\V65P4KQB.txt   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:247realmedia.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:2o7.net   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:a1.interclick.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:ad.360yield.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:ad.auditude.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:ad.doubleclick.net   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:ad.e-kolay.net   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:ad.mlnadvertising.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:ad.yabuka.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:ad.yieldmanager.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:adinterax.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:adlegend.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:ads.dnainfo.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:ads.p161.net   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:ads.pointroll.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:ads.pubmatic.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:ads.undertone.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:adserver.adtechus.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:adtech.de   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:adtechus.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:advertising.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:apmebf.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:ar.atwola.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:at.atwola.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:atdmt.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:atwola.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:bs.serving-sys.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:burstnet.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:c.atdmt.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:c1.atdmt.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:casalemedia.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:cbsdigitalmedia.112.2o7.net   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:collective-media.net   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:doubleclick.net   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:emjcd.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:eset.122.2o7.net   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:fastclick.net   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:getclicky.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:gntbcstglobal.112.2o7.net   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:in.getclicky.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:interclick.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:interland.122.2o7.net   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:invitemedia.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:kaspersky.122.2o7.net   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:kontera.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:leeenterprises.112.2o7.net   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:medhelpinternational.112.2o7.net   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:media6degrees.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:mediaplex.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:network.realmedia.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:oracle.112.2o7.net   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:overture.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:pointroll.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:pool-eu-ie.creative-serving.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:questionmarket.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:realmedia.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:revsci.net   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:rotator.adjuggler.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:ru4.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:server.cpmstar.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:serving-sys.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:specificclick.net   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:stat.dealtime.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:statcounter.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:stats.paypal.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:statse.webtrendslive.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:tacoda.at.atwola.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:track.adform.net   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:tribalfusion.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:wileypublishing.112.2o7.net   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:www.googleadservices.com   C:\Users\Free Bird\AppData\Roaming\Mozilla\Firefox\Profiles\eciapt2f.default\cookies.sqlite:zedo.com
Link to post
Share on other sites
  • Root Admin

Wow, that was a let down.  I was hoping it could find and fix at least some settings or something besides useless cookie stuff.

Okay, let's start over and take it step by step otherwise you're going to end up having to rebuild the computer if we don't get it cleaned correctly.


Please look for any of the following software and uninstall it if you find it from the Control Panel, Programs applet.

ARO 2013
AVG SafeGuard toolbar
Google anything
(save any bookmarks you may need but otherwise uninstall ALL Google software)

Let's start back from scratch and get a basic log of what's going on with the system now.

Please run the following scanner and send back the logs.

Download DDS from one of the locations below and save to your Desktop

Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded you can disconnect from the Internet and disable your Ant-Virus temporarily if needed.
Then double click dds.scr or dds.com to run the tool.
Click the Run button if prompted with an Open File - Security Warning dialog box.
A black DOS console should open and run for a moment.

  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please include the following logs in your next reply as an attachment: DDS.txt and Attach.txt
  • You can ignore the note about zipping the Attach.txt file and just post it or attach it.


Please create an mbam-check log:

  • Download mbam-check.exe from here and save it to your desktop
  • Double-click on mbam-check.exe to run it, it should then open a log file
  • Please do not copy and paste the entire contents of the log into your next post, instead please attach the log CheckResults.txt file which should now be located on your desktop to your next post
Link to post
Share on other sites

Its not looking good.


I uninstalled Aro 2013 (stinks, because I paid for that)


I uninstalled Google Chrome


I thought I was following your directions, and I uninstalled Real Player, rather than Real Downloader (oops) - but I don't think I have Real Downloader


I tried to uninstall AVG toolbar, but it just didn't respond at all to uninstalling. Still there.


Tried to uninstall Zipeg - but I can't do that until I install Java - which I think I can't do - because fragments of Java still remain.


Couldn't uninstall Google Earth - got this message: "Error 1711 An error occured while writing installation information to disk. Check to make sure enough disk space is available, click Retry or Cancel to end installation."


So... Rebuilding is going to be pretty terrible? I don't have SO much to lose, if I back up my files, right? It will be a big learning experience for me. (One I don't really have time for right now).


Oh forgot - also -  don't think I have any anti-virus or the like running in my computer. Is there a way to find out if I do? I have Malwarebytes - but I don't think I have the deluxe version. So when I read the link about disabling security and anti-virus, I don't do anything because I don't think I have any of the listed programs running.

Link to post
Share on other sites
  • Root Admin

No I'm pretty sure you don't have an antivirus running which is what I noticed today as I had overlooked it.


Don't lose hope yet, we can probably fix a lot of this.  Don't worry too much about it for now, but do make sure you have your files backed up because not only malware can damage you can have hardware failure out of the blue too which could cause bad data loss.


Please run the DDS scan and post back those logs and we'll use Combofix or FRST to help us remove anything we want to manually if needed.


Once that is done then please install avast antivirus and update it and do a Full System scan and let me know what it finds.



Link to post
Share on other sites

OK, for a couple of days, I have a project to finish, so I'm going to hold off on scanning until I get it done.


I think I have most all of my computer protections down right now. Should I put them back up for these next couple of days while I'm working, or just leave it all as is, and basically stay off the internet, except for gmail? I'm just using Scribus.


Really, all of my programs work, except for the ones with Java - which is only iTunes and Zipeg. I can live without iTunes. It's just a shame that the computer can't ever finish updating, and stays stuck on trying to update all the time. Its a waste of energy. Probably not good for the computer, running hot all the time. I have to keep it propped up so it doesn't overheat itself on the desk.


I'll be back in a couple of days to follow your steps.


Thanks so much for all of your help, Mr. Ron.

Link to post
Share on other sites

Hi Ron,


I didn't see your message about Avira until now. I've tried to install it - I got this message:


"Installation of the Microsoft Runtime Redistributable Kit has failed. The probable cause is a Windows update running in parallel. Please check whether Windows update is in progress and run Avira Free Anti Virus set up again a little later. If the installation fails again, please contact Avira support."


Anyhow, I'm back to follow your instructions.

Link to post
Share on other sites
  • Root Admin

Since we're having trouble running these other tools we'll probably need to do the following.  Please download the following tool from Kaspersky and burn it to CD from a clean working computer and then boot from it on the affected computer.


Make sure you watch this video which describes how to create the CD to use it.


How to create the Kaspersky Rescue Disk 10 CD



Please visit the Kaspersky site and review the information and then download and burn the ISO image to CD to use on the affected computer.

Make sure you update the definitions for Kaspersky before doing the actual scan.  Make sure to also write down what it finds or does as some users have trouble saving and accessing the log afterwards.

Link to post
Share on other sites
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

OK - I'm trying to do this on my husband's computer. I'm following along with your "How to Burn Image to Disk" video - but when I am in the Burn ISO program, and I select the Kaspersky Rescue Disk 10 from Downloads - I get this error message:


"Invalid or unsupported image file format!

Reason: First image file part is less than 2048 bytes in size."


So then I wondered: "Is it because I didn't properly install Kaspersky Rescue Disk 10?"

So I went to the link to download it again, and saved it again - ended up having the same problem.


I restarted, and went to the link a third time. Rather than saving Kaspersky Rescue 10, I selected the "open with Power-To-Go" and now have the option to let this other program burn the image to disk. Should I go ahead and let Power To Go burn the image to disk, or should I do something else?

Link to post
Share on other sites
  • Root Admin

Please try using Active@ ISO Burner.  I'm not sure if Power To Go will burn the ISO image or if it will burn it as a regular file.

This tool is designed specifically to burn an ISO image.




Then extract the zip file and run the application.

Select the file to burn and burn the disk.

Link to post
Share on other sites

OK,  on my husband's computer, I dragged the Kapersky 10 image from the downloads folder into the running Active ISO program, burnt the disk, put it into my computer, turned my computer on, and didn't get the boot options that the "How to Use the Kapersky Rescue Disk" instructions talk about.


I didn't get a "Press any key to enter the menu" Option. I only got choice to start in Safe Mode or Start Normally. I tried it a second time - it just started normally into Windows...

Link to post
Share on other sites
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.