Avast WEBforum
Other => Viruses and worms => Topic started by: nanajana on April 21, 2012, 07:07:59 AM
-
Not sure if this is related or not, but upon closing Firefox I get a box that states "Warning: Unresponsive Script. A script may be busy or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.
Script: chrome://browser/content/sanitize.js:135". So what happens is I get this message, and before long I get "Welcome to NGINX" instead of my homepage. The address bar shows http:// and my homepage address, but alas it does not go there or anywhere. I believe this is an infection, but it is not being picked up by antivirus. Any ideas how I can get rid of this malware?
Thanks,
-
I believe this is an infection but it is not being picked up by antivirus. Any ideas how I can get rid of this malware.
Thanks,
This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware.
Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.
-
After this post I ran SuperAntiSpyware; see attached log. Since then I have my homepage back, but everything is running slower than usual. I have gotten this message twice now: "A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.
Script: chrome://browser/content/sanitize.js:133", after shutting Firefox. Usually this appears 3 or 4 times before my homepage is hijacked to the WELCOME TO NGINX page. I have been opening and closing Firefox, but so far so good. I do think the infection is still on my machine though. I went to the page you referenced and ran Malwarebytes (I do have it installed on my computer); it says no malicious items found. See attached.
-
I have this problem again! Welcome to nginx blocks my homepage, but I can go to any other site, either through favourites or by typing in the URL. It started this time by first redirecting me to Ad-Aware browsing, at the top of the page, and listing different sites, including my home page site, but if I click on that site it doesn't do anything. So this happened for a day, and then today it brought up the Welcome to nginx page. Nothing else on the page, and this appears at the top. I have run Malwarebytes, SuperAntiSpyware, Ad-Aware and Spybot. All say no threats on my computer, and of course I have Avast running all the time with no threats shown either. I have gotten rid of it by clearing my DNS cache and refreshing the page. Info I have found online: "While Nginx is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server, the Welcome to nginx page does not belong to them. Something must be wrong with your operating system settings, home router setup, or browser configuration if you are trying to access a well known web site and what you get instead is “Welcome to nginx!”. This should NOT happen if your computers and network are clean and safe.
If changing DNS servers to Google Public DNS, flushing the DNS resolver cache, fixing your browser configuration, or cleaning the "hosts" file (when applicable) has helped, it might be that there's malware somewhere on your PC or around it. Find and clean it using your preferred anti-virus and anti-malware tools."
What do I do now?
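An added triage script for the situation described in the post above, not part of this thread or of any tool mentioned in it: a known site name ends up at a host that serves the stock nginx welcome page. It reads the hosts file for entries that map real names to real addresses, lists the DNS servers each active adapter is using (and any statically configured NameServer values), and fetches the home page without following redirects to see whether the body is the nginx default page. The site name and the list of watched domains are assumptions taken from this thread; replace them with your own. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the thread. Triage for a "Welcome to nginx!" page
# appearing in place of a known site: hosts-file overrides, DNS servers in use,
# and what the site actually resolves to and returns right now.

# Assumption: the home page named in the thread; change to the affected site.
$site = 'www.winnipegfreepress.com'
# Assumption: names worth flagging if the hosts file maps them anywhere.
$watchDomains = @('winnipegfreepress.com', 'avast.com', 'microsoft.com', 'google.com')

$hostsPath   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$benignAddrs = @('127.0.0.1', '::1', '0.0.0.0')   # loopback / blackhole, not a redirect

"== hosts entries that point a name at a real address =="
if (Test-Path $hostsPath) {
    Get-Content $hostsPath | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()           # drop comments and blank lines
        if ($line -eq '') { return }
        $parts = $line -split '\s+'
        if ($parts.Length -lt 2) { return }
        $addr = $parts[0]
        if ($benignAddrs -contains $addr) { return }
        foreach ($name in $parts[1..($parts.Length - 1)]) {
            $tag = ''
            foreach ($d in $watchDomains) {
                if ($name -eq $d -or $name.EndsWith(".$d")) { $tag = '   <-- watched domain' }
            }
            "{0,-18} {1}{2}" -f $addr, $name, $tag
        }
    }
} else {
    "hosts file not found at $hostsPath"
}

"== DNS servers per active adapter (compare with what your router/ISP should hand out) =="
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { "{0}: {1}" -f $_.Description, (@($_.DNSServerSearchOrder) -join ', ') }

"== statically configured NameServer values per interface =="
$ifKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
Get-ChildItem $ifKey | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if ($p.NameServer) { "{0}: NameServer={1}" -f $_.PSChildName, $p.NameServer }
}

"== what $site resolves to and returns =="
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($site) | ForEach-Object { $_.IPAddressToString }
    "resolved to: $($addrs -join ', ')"
    $req = [System.Net.WebRequest]::Create("http://$site/")
    $req.AllowAutoRedirect = $false                 # show the first answer, not where it forwards
    $resp = $req.GetResponse()
    "HTTP {0}  Server: {1}" -f [int]$resp.StatusCode, $resp.Headers['Server']
    $body = (New-Object System.IO.StreamReader($resp.GetResponseStream())).ReadToEnd()
    $resp.Close()
    if ($body -match 'Welcome to nginx') {
        "body is the stock nginx page: the name is being answered by a host that is not the real site"
    }
} catch {
    "request failed: $($_.Exception.Message)"
}
```

If the hosts file is clean and the DNS servers are the expected ones but the name still resolves to an unfamiliar address, check the router's DNS settings as well: a changed router setting survives any amount of cleaning on the PC, and `ipconfig /flushdns` only clears the local cache.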
-
What do I do now?
Follow the link Asyn gave you above.
Attach the logs from Malwarebytes / OTL / aswMBR.
Then one of the malware removers will help you when they arrive later today.
-
I did as suggested, but every time I tried to open OTL my computer crashed, so I couldn't do it. I successfully ran aswMBR; see attached. But the first time I ran it, it said "Scan error: Incorrect function"; see attached. Hope you can deal with the "infected file".
-
Forgot to attach mbam log so here it is!
-
Well, aswMBR shows one infection as far as I can see: a trojan sms.send.
Did you update Malwarebytes before the scan?
Have you run a quick scan with Avast?
Anyway, the malware removers will deal with it when they arrive.
-
Hi,
Be sure to run OTL per the instructions on the page given earlier by Asyn and then do the following...
Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
- Extract it to your desktop
- Double click TDSSKiller.exe
- when the window opens, click on Change Parameters
- under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
- click OK
- Press Start Scan
- Only if Malicious objects are found then ensure Cure is selected
- Then click Continue > Reboot now
- Attach the log in your next reply
- A copy of the log will be saved automatically to the root of the drive (typically C:\)
----------
-
I was finally able to run OTL in safe mode. Twice when trying to run it Avast wouldn't allow it; it felt it may be malicious, but did try to run it in the sandbox the second time, but it still would not run. I even tried disabling Avast for 10 minutes, but after that it crashed every time I tried to run it: blue screen with the message "A problem has been detected and Windows has been shut down to protect your computer."
I didn't get an Extras log, only the one log which I have attached. Prior to running a quick scan I inadvertently ran a full scan, which did generate an Extras log. I will send it if you need it, but it was too big a file to send both at this time.
I will now continue with the rest of your instructions, Thanks!!
-
Hi,
I ran TDSSKiller.exe. I got one suspicious event, object sptd (LockedFile.Multi.Generic). I wasn't sure what to do, so I copied it to quarantine; the only other options were skip and delete. The file that was copied is C:\Windows\system32\Drivers\sptd.sys.
I am waiting for further instructions.
Cheers!
-
Hi,
Please download ERUNT (http://www.snapfiles.com/get/erunt.html) (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
IE - HKLM\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2653012
IE - HKLM\..\SearchScopes\{CB6F7A3F-076D-4CC4-B363-249E2C3393CA}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&entrypoint={referrer:source?}&FORM=HVDUS7
IE - HKLM\..\SearchScopes\{FD1AAA9E-C6FA-43E8-B3DD-914CFD0F4B72}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKCU\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2653012
FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.startup.homepage: "http://www.winnipegfreepress.com"
[2012/04/30 14:49:57 | 000,000,000 | ---D | M] (Vuze Remote Community Toolbar) -- C:\Users\Janice\AppData\Roaming\Mozilla\Firefox\Profiles\cys0nb0e.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
[2011/05/05 21:55:31 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Users\Janice\AppData\Roaming\Mozilla\Firefox\Profiles\cys0nb0e.default\extensions\engine@conduit.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Vuze Remote Toolbar) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
O15 - HKCU\..Trusted Domains: internet ([]about in Internet)
O15 - HKCU\..Trusted Domains: umanitoba.ca ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: winnipegfreepress.com ([www] https in Trusted sites)
O33 - MountPoints2\{15421b98-126e-11df-a52a-001d6053f73f}\Shell - "" = AutoRun
O33 - MountPoints2\{15421b98-126e-11df-a52a-001d6053f73f}\Shell\AutoRun\command - "" = N:\LaunchU3.exe -a
O33 - MountPoints2\{a81b2902-5e1a-11df-a963-001d6053f73f}\Shell\AutoRun\command - "" = N:\Start.exe
O33 - MountPoints2\{adb96414-df5c-11dd-a76a-001d6053f73f}\Shell - "" = AutoRun
O33 - MountPoints2\{adb96414-df5c-11dd-a76a-001d6053f73f}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
O33 - MountPoints2\{d465be05-dc37-11dd-b22b-001d6053f73f}\Shell - "" = AutoRun
O33 - MountPoints2\{d465be05-dc37-11dd-b22b-001d6053f73f}\Shell\AutoRun\command - "" = N:\LaunchU3.exe -a
O33 - MountPoints2\{d465be13-dc37-11dd-b22b-001d6053f73f}\Shell - "" = AutoRun
O33 - MountPoints2\{d465be13-dc37-11dd-b22b-001d6053f73f}\Shell\AutoRun\command - "" = N:\LaunchU3.exe -a
O33 - MountPoints2\{f115c707-e461-11e0-815c-001d6053f73f}\Shell - "" = AutoRun
O33 - MountPoints2\{f115c707-e461-11e0-815c-001d6053f73f}\Shell\AutoRun\command - "" = L:\LaunchU3.exe -a
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2012/04/21 20:02:24 | 000,102,400 | ---- | M] () -- C:\Users\Janice\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/03/15 12:11:11 | 000,000,000 | ---D | M] -- C:\Users\Janice\AppData\Roaming\Azureus
[2009/05/05 23:28:59 | 000,000,000 | ---D | M] -- C:\Users\Janice\AppData\Roaming\IObit
[2009/12/28 16:57:59 | 000,000,000 | ---D | M] -- C:\Users\Janice\AppData\Roaming\LimeWire
[2012/04/21 20:31:30 | 000,000,000 | ---D | M] -- C:\Users\Janice\AppData\Roaming\uTorrent
:Files
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered. There will be a log created when it completes that I will need in your next reply. Reboot when it is done.
- Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
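An added example, not code from the thread and not part of OTL: it enumerates the Internet Explorer extension points that the O2 (BHO), O3 (toolbar), URLSearchHook, SearchScopes and O33 (MountPoints2) lines in the fix above were read from, resolves each CLSID to its registered DLL, and flags entries whose CLSID no longer exists (what OTL prints as "No CLSID value found") or whose DLL is missing or unsigned. It reads only; removal stays with the tools the helper prescribed. Assumption: 32-bit Windows or 32-bit IE paths; on 64-bit Windows the Wow6432Node copies of these keys are not covered.

```powershell
# Added example, not code from the thread. Lists IE persistence points the OTL
# O2/O3/URLSearchHook/SearchScopes/O33 lines come from and checks each CLSID.

function Resolve-Clsid([string]$clsid) {
    # Look for the in-process server under the machine and per-user class roots.
    foreach ($root in @('HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes')) {
        $k = Join-Path $root "CLSID\$clsid\InProcServer32"
        if (Test-Path $k) {
            $dll  = (Get-ItemProperty $k).'(default)'
            $name = (Get-ItemProperty (Join-Path $root "CLSID\$clsid") -ErrorAction SilentlyContinue).'(default)'
            return @{ Dll = [Environment]::ExpandEnvironmentVariables("$dll"); Name = $name }
        }
    }
    return $null
}

function Report([string]$kind, [string]$clsid) {
    $r = Resolve-Clsid $clsid
    if ($r -eq $null) { "{0,-14} {1}  NO CLSID (orphaned entry)" -f $kind, $clsid; return }
    $sig = 'dll missing'
    if ($r.Dll -and (Test-Path $r.Dll)) { $sig = (Get-AuthenticodeSignature $r.Dll).Status }
    "{0,-14} {1}  {2}  {3}  [signature: {4}]" -f $kind, $clsid, $r.Name, $r.Dll, $sig
}

$guid = '^\{[0-9A-Fa-f-]{36}\}$'

# O2: Browser Helper Objects (subkeys named by CLSID)
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bho) { Get-ChildItem $bho | ForEach-Object { Report 'BHO' $_.PSChildName } }

# O3: toolbars; machine-wide as values under Toolbar, per-user under Toolbar\WebBrowser
$tb = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
if (Test-Path $tb) {
    (Get-Item $tb).GetValueNames() | Where-Object { $_ -match $guid } | ForEach-Object { Report 'Toolbar' $_ }
}
$wb = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
if (Test-Path $wb) {
    (Get-Item $wb).GetValueNames() | Where-Object { $_ -match $guid } | ForEach-Object { Report 'Toolbar(user)' $_ }
}

# URLSearchHooks: value names are CLSIDs
foreach ($hive in @('HKLM:\SOFTWARE', 'HKCU:\Software')) {
    $ush = Join-Path $hive 'Microsoft\Internet Explorer\URLSearchHooks'
    if (Test-Path $ush) {
        (Get-Item $ush).GetValueNames() | Where-Object { $_ -match $guid } | ForEach-Object { Report 'URLSearchHook' $_ }
    }
}

# SearchScopes: the default provider and each scope's URL template
foreach ($hive in @('HKLM:\SOFTWARE', 'HKCU:\Software')) {
    $ss = Join-Path $hive 'Microsoft\Internet Explorer\SearchScopes'
    if (-not (Test-Path $ss)) { continue }
    $default = (Get-ItemProperty $ss -ErrorAction SilentlyContinue).DefaultScope
    "SearchScopes ($hive) DefaultScope = $default"
    Get-ChildItem $ss | ForEach-Object {
        $url  = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).URL
        $mark = if ($_.PSChildName -eq $default) { '*' } else { ' ' }
        "  {0} {1}  {2}" -f $mark, $_.PSChildName, $url
    }
}

# O33: AutoRun commands Explorer remembered for removable drives
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
if (Test-Path $mp) {
    Get-ChildItem $mp | ForEach-Object {
        $cmdKey = Join-Path $_.PSPath 'Shell\AutoRun\command'
        if (Test-Path $cmdKey) { "MountPoints2   {0}  {1}" -f $_.PSChildName, (Get-ItemProperty $cmdKey).'(default)' }
    }
}
```

Read the output the way the helper read the OTL log: a BHO or toolbar whose CLSID resolves to nothing is a leftover registration worth deleting, a search scope whose URL points at a third-party search redirector is a hijacked default, and a MountPoints2 command is only as trustworthy as the removable drive it was recorded from.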
-
Hi,
I did as instructed but when I ran otl again and after I ran the fix I wasn't able to uncheck LOP & Purity boxes. As soon as I checked all users it automatically checked these boxes. Attached are the two logs generated. Please advise what's next!
Cheers!
-
Hi,
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
O2 - BHO: (no name) - {30F9B915-B755-4826-820B-08FBA6BD249D} - No CLSID value found.
O2 - BHO: (no name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - No CLSID value found.
O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
----------
Malwarebytes
I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
----------
ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan
Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.
As a Vista/Win7 user you will need to right click your browser icon and select "Run as Administrator" in order to run this scan.
- Do not use this instance of your browser for anything besides doing this scan
- When the scan is complete and the results saved, close that instance of your browser
- Open a new one the usual way and post the results in this topic.
- Right-click and Run as Administrator on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
- Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png) button.
- For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
- Click on (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
- Double click on the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png) icon on your desktop.
- Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png)
- Click the Start button.
- Accept any security warnings from your browser.
- Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png)
- Make sure that the option "Remove found threats" is Unchecked
- Push the Start button.
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png)
- Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
- Push the Back button.
- Push Finish
http://www.eset.com/onlinescan/
----------
In your next reply please attach the logs made by OTL, Malwarebytes and ESET online scanner. :)
-
Whew, this is a lot of work, lol! Anyway, I have run OTL again, but what's with this? I try to run it on my computer and Avast terminates the program, but it did run once before crashing my computer. I ran it in safe mode, but it does not allow me to uncheck the LOP or Purity boxes. They are unchecked until I click on Quick Scan, and then it automatically checks the boxes. I updated and ran MBAM, and I have attached the two logs and will continue on with your instructions.
-
Hi,
I am finally done! Attached ESET scan results.
-
Hi,
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:Files
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch21.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch21.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip
C:\Users\Janice\AppData\Roaming\iolo\Installers\SystemMechanic7.exe
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[clearallrestorepoints]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
In your next reply please attach the new OTL logs (don't worry if LOP and Purity is checked) and let me know how your system is running. :)
-
Hi,
I did as requested and holy smokes Firefox opens immediately!!! Thunderbird is opening faster too, don't know if this was part of all of this but hey I'm glad its all working faster!! Thanks sooo much, truly appreciate all your help.
Attached is the final log and by the way I was able to open OTL without having to do it in safe mode each time. I did have to shut Avast down as it still wanted to terminate it as suspicious.
Cheers,
Janice
-
Hi,
What about being sent to NGINX any longer?
When you ran OTL the first time there should have been a log created named Extras.txt. If you have that could you attach that please. :)
-
HI,
It doesn't go to NGINX but I had flushed the DNS resolver cache and after that it stopped going to that page. Then we started down our journey right after that and during all of that it never went to that page.
I have attached the extras page. Is there anything else I should be doing. I think one thing I learned is more is not necessarily better so I am just going to let Avast do its thing and maybe run an online scan from time to time.
Cheers,
Janice
-
It doesn't go to NGINX but I had flushed the DNS resolver cache and after that it stopped going to that page. Then we started down our journey right after that and during all of that it never went to that page.
Perfect. :)
--------------
Is there anything else I should be doing.
Now please do the following so we can get some updates installed on your system:
You have an older version of Adobe Reader. You can download the current version HERE (http://www.adobe.com/products/acrobat/readstep2.html)
You may want to consider Foxit Reader (http://www.foxitsoftware.com/downloads/index.php) instead. It may be a bit lighter on resources.
Visit their support forum
Foxit Forum (http://www.foxitsoftware.com/bbs/forumdisplay.php?f=3)
In either case you should uninstall Adobe Reader 9.5.1 first. Be sure to move any PDF documents to another folder first though.
----------
Please download JavaRa (http://raproducts.org/click/click.php?id=1) to your desktop and unzip it to its own folder.
- Run JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista), pick the language of your choice and click Select. Then click Remove Older Versions.
- Accept any prompts.
- Open JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista) again and select Search For Updates.
- Select Update Using Sun Java's Website, then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
----------
In your next reply let me know if you had any problems with the instructions and once again how your system is running. :)
-
Hi,
Well, hopefully I have done this right. I think I uninstalled Adobe Reader 9.5.1; anyway, I couldn't find it anywhere when I searched for it, and I installed the latest version. I will have a look at Foxit; I checked it briefly. I am the webmaster for an association I belong to and they have supplied me with Adobe Acrobat 9, which I don't find all that user friendly. Does Foxit do the same thing? I also hopefully updated Java. I followed your instructions and then verified that I was downloading the correct JRE update; it is JRE 7ur4, I'm guessing though.
Everything seems fine, Firefox opening to my homepage and no Welcome to NGINX page. Please advise if I need to do anything else.
Cheers,
Janice
-
Hi,
does Foxit do the same thing?
Yes it just is lighter on resources.
----------
Providing there are no other malware related problems...
IT APPEARS THAT YOUR LOGS ARE NOW CLEAN :D SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!! :D
This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.
----------
Clean up with OTL:
- Double-click OTL.exe to start the program.
- Close all other programs apart from OTL as this step will require a reboot
- On the OTL main screen, press the CLEANUP button
- Say Yes to the prompt and then allow the program to reboot your computer.
----------
Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.
Here are some tips to reduce the potential for spyware infection in the future:
1. Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialize and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub-frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
2. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges, as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:
- Open Internet Explorer
- Click on Tools > Internet Options
- Press Security tab
- Select Internet zone then place check next to Enable Protected Mode if not already done
- Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
- Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.
3. Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.
4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here (http://www.bleepingcomputer.com/forums/tutorial60.html). **There are firewalls listed in this tutorial that could be downloaded and used, but I would personally only recommend using one of the following two below:
Online Armor Free (http://download.cnet.com/Online-Armor-Free/3000-10435_4-10426782.html)
Agnitum Outpost Firewall Free (http://download.cnet.com/Agnitum-Outpost-Firewall-Free/3000-10435_4-10913746.html)
5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update (http://v4.windowsupdate.microsoft.com/en/default.asp) regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.
6. WOT (http://www.mywot.com/) (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.
7. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place? (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
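The zone settings from tips 1 and 2, read from the registry instead of clicked through the dialog: an added example, not from the thread or from the author of the tip list. Internet Explorer keeps each zone's options under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone> (the Internet zone is 3), each option as a numbered DWORD where 0 = Enable, 1 = Prompt and 3 = Disable, and Protected Mode as value 2500 (0 = on, 3 = off). The value IDs below are the ones Microsoft documents for those keys. The script reports drift from the list in tip 1 and, with -Apply, writes the wanted values for the Internet zone; the "Installation of desktop items" setting (1800) can be read here even when it is hard to find in the dialog. Caveat: if a domain policy pins these settings under HKLM, the per-user values are ignored and this script's writes will not take effect.

```powershell
# Added example, not code from the thread. Audits (and with -Apply, sets) the
# Internet Explorer zone settings from tip 1 and reports Protected Mode (tip 2).
# Value IDs are Microsoft's documented entries under Internet Settings\Zones.
param([switch]$Apply)

$zonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$label     = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Wanted state for the Internet zone (3), one entry per step in tip 1.
$wanted = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                         Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                       Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                           Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';             Want = 1 }
}

function Get-ZoneValue([int]$zone, [string]$id) {
    $p = Get-ItemProperty -Path (Join-Path $zonesKey $zone) -Name $id -ErrorAction SilentlyContinue
    if ($p -eq $null) { return $null }       # value absent: IE uses the zone template default
    return [int]$p.$id
}

function Describe($v) {
    if ($v -eq $null) { return 'unset' }
    if ($label.ContainsKey($v)) { return $label[$v] }
    return "$v"
}

"== Internet zone (3) =="
foreach ($id in ($wanted.Keys | Sort-Object)) {
    $cur   = Get-ZoneValue 3 $id
    $want  = [int]$wanted[$id].Want
    $state = if ($cur -eq $want) { 'ok' } else { 'CHANGE' }
    "{0}  {1,-60} current={2,-7} wanted={3,-7} {4}" -f $id, $wanted[$id].Name, (Describe $cur), $label[$want], $state
    if ($Apply -and $cur -ne $want) {
        # New-ItemProperty -Force creates or overwrites; DWord is the type IE itself writes.
        New-ItemProperty -Path (Join-Path $zonesKey 3) -Name $id -Value $want -PropertyType DWord -Force | Out-Null
    }
}

"== Protected Mode (value 2500: 0 = on, 3 = off) =="
foreach ($z in 1..4) {
    $cur = Get-ZoneValue $z '2500'
    $txt = if ($cur -eq $null) { 'unset (zone default)' } elseif ($cur -eq 0) { 'On' } else { 'Off' }
    "{0,-16} {1}" -f $zoneNames[$z], $txt
}
```

Run it once without -Apply to see the current state, restart Internet Explorer after applying, and confirm the status bar shows "Protected Mode: On" as tip 2 describes.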
-
Hi,
I ran OTL and clicked on Cleanup. Then I went to Internet Explorer, to the Tools menu and Internet Options. I had everything as you advised already in place, but I couldn't find "Installation of desktop items" here? I already had Protected Mode on; I run SiteAdvisor as well as SpoofStick. I have everything set to automatically send me updates and use CNET downloads and CNET updates for installed downloads. I will install WOT; I think I may have it already, or at least I did at one time. I also installed Outpost Firewall and will turn off Windows Firewall.
I just ran a quick scan with Malwarebytes; it said OK, but then Avast came up with this message: "ROOTKIT FOUND. A suspicious hidden object (rootkit) has been detected on your computer. This may be a sign of a malicious infection. It is recommended to remove the object immediately. File Name: SVC:mbam. Rootkit name: Rootkit." I clicked on Delete; the only other option was Ignore. I am now going to run a boot-time scan as suggested by Avast!! Please advise what's next!!!!
-
Hi,
What else did the warning say? Did it give a file path or can you take a screen shot of the warning?
-
Hi,
No file path, just what I told you, the Avast redbox came up and said to remove it immediately and that was by deleting it. Its gone so I can't take a screen shot. I just finished the boot-time scan which Avast told me to do.
I also get a message about Windows Live Essentials every time I reboot. I don't think this means anything; I went online to check it out and it seems lots of people get this, so I just ignore it. Anyway, here's what happens: a warning box comes up titled "WLStartup.exe - Entry point not found", red circle with an X in it: "The procedure entry point ?GetHeight@CRMImage@@QBEHXZ could not be located in the dynamic link library UXCore.dll." So I close that and get "Windows Live Essentials has stopped working. Check online for a solution, etc., or Close the program", which is what I do.
Cheers, :-[
-
Hi,
I do believe I have resolved the Windows Live Essential problem! It was all about an outdated uxcore.dll. I deleted the old one and replaced it with an updated uxcore.dll. I hope that is the last of that because it is extremely annoying.
-
Hi,
Ok...try the following:
Go into your "c:\program files\windows live\installer" and delete the uxcore.dll. Then go into "c:\program files\windows live\shared" and copy uxcore.dll from this directory. Go back to your installer directory and paste the file.
Should start without an issue...
The error is occurring from an outdated uxcore.dll file that is not being updated in the installer folder.
-
;D You beat me to the punch!!
-
Hi,
Yes that is exactly what I did about Windows Live Essentials! I haven't changed any passwords yet because of Rootkit found? earlier by Avast. So where am I with that? I don't want to change anything until I am sure I'm clean
Cheers,
-
Let's check for the rootkit...
Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
- Extract it to your desktop
- Double click TDSSKiller.exe
- when the window opens, click on Change Parameters
- under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
- click OK
- Press Start Scan
- Only if Malicious objects are found then ensure Cure is selected
- Then click Continue > Reboot now
- Attach the log in your next reply
- A copy of the log will be saved automatically to the root of the drive (typically C:\)
----------
-
Arrgghh, I could scream!! It's that locked file, Service: sptd, suspicious object, medium risk, C:\Windows\system32\Drivers\sptd.sys. I have run TDSSKiller 3 times, quarantined it twice, rebooted once; the options are Skip, Copy all to quarantine, or Delete. Not sure what to do about this third one sitting on my desktop because copying to quarantine does nothing. Please advise. Attached logs of same; apparently not, as the file is too big. Hope this one gets to you. Quarantined anyway.
Cheers,
-
Don't worry about that. It is part of the Daemon programs you have on your system. Daemon programs will sometimes use rootkit technology that is picked up occasionally by antivirus programs. It is a false positive. :)
-
Hi,
Well that is good news! I also ran a new eset last night and it didn't find any malicious threats, or for that matter, threats of any kind. So this should be it, we can put this baby to bed!! I will go ahead now and change my passwords, that is going to be a huge job but a necessary one. :(
Cheers, :)
Janice
-
Hi,
Glad that we could help! :)
-
Hi,
You're very welcome, and I too am glad that you could help. Thanks again!
Cheers
-
Hi,
I was searching out win32 bagle.gen.zip worm which as you know I had on my computer. TrojanDownloader:Win32/Bagle.gen!A creates the following registry subkeys and entries as part of its installation routine:
Adds value: "frstrunn"
With data: "1"
To subkey: HKCU\Software\bisoft
Adds value: "EnableLUA"
With data: "<value>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\Security Center\Svc
where <value> is a certain number.
Adds key: HKCU\Software\Local AppWizard-Generated Applications
and all its associated subkeys.
It may also create the following folders:
%AppData%\drivers
%AppData%\drivers\downld
So while performing regedit, looking for any of this, I come across "Adds key: HKCU\Software\Local AppWizard-Generated Applications". I found it in HKEY_USERS: Software. Tried looking for the rest, but not sure if it's not there or I'm not looking in the right spot. Please advise what now!
Cheers
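An added check for the indicators quoted in the post above, not a tool from this thread. It reads the same registry locations and folders with PowerShell rather than by hand in regedit; HKCU is the logged-on user's branch of HKEY_USERS (the subkey named by that user's SID), which is why the key showed up there. The strong/weak labels are this editor's reading, not part of the quoted description: HKCU\Software\Local AppWizard-Generated Applications is also created by ordinary programs built with the Visual C++ MFC application wizard, so on its own it is weak evidence, while the bisoft value, the Security Center\Svc copy of EnableLUA and a populated %AppData%\drivers\downld folder are the telling ones.

```powershell
# Added example, not code from the thread. Checks the registry and file-system
# indicators quoted above for TrojanDownloader:Win32/Bagle.gen!A. Read-only:
# it reports and removes nothing. Run as the user whose profile is suspect.

function Get-RegValueOrNull([string]$path, [string]$name) {
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$name
}

$findings = @()

# frstrunn = 1 under HKCU\Software\bisoft
$v = Get-RegValueOrNull 'HKCU:\Software\bisoft' 'frstrunn'
if ($v -ne $null) { $findings += "HKCU\Software\bisoft : frstrunn = $v   (strong)" }

# EnableLUA under Security Center\Svc. The genuine UAC switch lives under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, so a copy here is out of place.
$v = Get-RegValueOrNull 'HKLM:\SOFTWARE\Microsoft\Windows\Security Center\Svc' 'EnableLUA'
if ($v -ne $null) { $findings += "HKLM\SOFTWARE\Microsoft\Windows\Security Center\Svc : EnableLUA = $v   (strong)" }

# AppWizard key: list its subkeys so the operator can see which program created each one.
$appwiz = 'HKCU:\Software\Local AppWizard-Generated Applications'
if (Test-Path $appwiz) {
    $subs = Get-ChildItem $appwiz | ForEach-Object { $_.PSChildName }
    $findings += "$appwiz exists; subkeys: $($subs -join ', ')   (weak: MFC programs create this too)"
}

# Folders under %AppData%
foreach ($rel in @('drivers', 'drivers\downld')) {
    $dir = Join-Path $env:APPDATA $rel
    if (Test-Path $dir) {
        $files = Get-ChildItem $dir -Force -ErrorAction SilentlyContinue | ForEach-Object { $_.Name }
        $findings += "$dir exists; contents: $($files -join ', ')   (strong if it holds executables)"
    }
}

if ($findings.Count -eq 0) {
    "none of the listed Bagle.gen!A indicators are present for this user"
} else {
    "indicators present:"
    $findings | ForEach-Object { "  $_" }
}
```

A clean result only says the machine does not match this one description; it does not replace the rootkit and MBR checks the helper is walking through.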
-
Hi,
I ran aswMBR and then OTL, not sure if I should have run OTL first. Attached logs from same.
-
Hi,
Please double click the aswMBR icon to run it.
Vista and Windows 7 users right click the icon and choose "Run as administrator".
- Click the Scan button to start scan.
- When the scan finishes, press the Fix button. Once the Fix is done, press the Save Log button and save the log to your desktop. You need to reboot your computer when it's done before you do anything else, then post the log that will be on your desktop.
(http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRfix-1.png) (http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRfix.png)
-
HI,
I can't get the scan to finish; it's frozen on 13:27 Scanning: C:\Users\Janice\AppData\Local\Microsoft\Windows Live\Installer\catalog\. That's all I can see, so should I click on Fix, or should I exit and start again?
-
Start it over and see if it will finish. If not, boot to Safe Mode and attempt to run the instructions that I provided.
-
Hi
Still trying to run this. I had to go out but left it running in safe mode; it's taking forever, and yesterday when I ran an Avast quick scan it ran for 45 minutes and then said no threats!!! Anyway, I will check it out when I get home, but if you don't hear from me I will be away till Sunday. I'll shut down the computer and try again. If it works I will post the log.
cheers
-
Sounds like a plan. :)
-
It completed but said it would damage the partition if I ran fixmbr. So that's it for now, I need a break!!!! Try again Sunday
Cheers
-
I was having the same problem
I was having the same problem, tried almost everything; in my case when I was deleting the cache through IE's Delete button it didn't fix my problem.
When I manually deleted all the files from
AppData\Local\Microsoft\Windows\Temporary Internet Files
the problem went away. You might want to try deleting your temp files manually.
Same problem, another computer:
Another way I fixed it on my other computer is simply by right-clicking on the tab and refreshing.
-
Hi,
Did aswMBR create a log? If so attach that please. :)
-
HI,
I ran aswMBR, it completed but when I click on fix mbr I get a warning that tells me: Writing a new master boot record to your system partition could damage your partition tables and cause your partitions to become inaccessible.
This application writes standard Windows MBR code?
Are you sure you want to fix the MBR?
So do I? I will leave everything as is til I hear from you,
Cheers
-
Hi,
jeffce needs to see the log and results of your last scan. Only then will he be able to tell you what you need to do.
-
No I asked you to press the Fix button....not FixMBR. Do not do that yet. Is the Fix button not working?
-
Hi,
No I don't get a fix button just the fixMBR button.
-
Hi,
Here's the log from that run.
Cheers,
Janice
-
Hi,
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
- Right-click and Run as Administrator SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
:file
F:\Release\TAPBIND1.SYS
C:\Windows\system32\jureg.exe
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
----------
Please download MBRCheck.exe (http://"http://ad13.geekstogo.com/MBRCheck.exe") to your desktop.
- Be sure to disable your security programs
- Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
- A window will open on your desktop
- if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
- If nothing unusual is found just press Enter
- A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
- Please post the contents of that file.
----------
In your next reply please attach the logs made by SystemLook and MBRCheck.
-
Hi,
I ran SystemLook, see attached file, and tried to run MBRCheck.exe but I get "Server not found, Firefox can't find the server at http" so then I googled MBRCheck but not sure where I should download so will wait to hear from you!
Cheers,
Janice
-
Hi,
I downloaded MBRCheck from geekstogo. See attached file & I await further instructions. I did as you instructed and just exited out for now.
Cheers,
Janice
-
Hi,
Sorry my link was broken earlier. :(
- Run MBRCheck.exe
- Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
- Please push the 'Y' key and then press Enter
- When the program asks you Enter your choice: enter 2 and press the Enter key
- Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
- Enter 6 and press the Enter key.
- The program will show Available MBR codes:, followed by a list of operating systems. Please enter 3 for Windows Vista, and then press Enter.
- The program will prompt for confirmation. Type 'YES' and hit Enter.
- Left click on the title bar (where program name and path is written).
- From the menu choose Edit -> Select All
- Hit the Enter key on your keyboard to copy selected text.
- Paste that text into Notepad, save it to your desktop as "MBRCheck results.txt"
- Important! Restart your PC for the fix to take effect.
- Post the contents of the MBRCheck results log in your next reply
-
HI,
Okay I did all of the above, see attached file.
Cheers,
-
Sorry....I should have asked you to run MBRCheck again and attach the newly made log as well.
-
Okey-dokey will do, also I keep forgetting to tell you and not sure if it means anything but every time I ran aswMBR I also got a file? titled MBR with a filmstrip and musical note over it. I never opened it. Rats, does this ever end!!!! I have attached the second file :(
Cheers
Speaking of cheers, I'm going to be needing a drink soon, lol
-
titled MBR with a filmstrip and musical note over it.
No that is fine. Nothing to worry about with that.
-
Hi,
I am wondering what I should and shouldn't be doing on my computer. I have stopped sending emails, I have stopped working on my website of which I am the webmaster. Basically I am only on to hear from you and to look information from time to time.
Cheers
-
Hi,
Just stick to what you are doing right now. I am getting with a colleague about your system. I will return as quickly as I can. :)
-
okay!
Cheers
-
Hi,
What is your M drive? Are you able to boot from that drive? If so, please run MBRCheck on that drive and then post the log. :)
-
My M drive is an external hard drive where I save some of my files to. I don't think I can boot from there. How would I know?
Cheers
-
Hi,
What about booting from a flash drive? I did check out how to do this but will wait to hear from you although I guess I can do the same thing from my external hard drive. Whatever works!
Janice
-
Hi,
Download Combofix from either of the links below, and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
--------------------------------------------------------------------
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt for further review.
-
Hi,
Holy smokes, that's quite the report! When I opened Firefox it came up with my homepage url in the address bar but problem loading page. I couldn't go anywhere on Firefox, yes my heart dropped!! So then I tried Explorer, same story. I then went off the net and went back on and everything came up correctly. But now I have nothing showing in my right hand taskbar except my internet connection and Safely remove hardware icon. Though Avast just came up and updated so I guess it's still all there!
Cheers
-
Hi,
Make sure the external hard drive you mentioned you had earlier is connected and then do the following:
- Run MBRCheck.exe
- Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
- Please push the 'Y' key and then press Enter
- When the program asks you Enter your choice: enter 2 and press the Enter key
- Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
- Enter 6 and press the Enter key.
- The program will show Available MBR codes:, followed by a list of operating systems. Please enter 3 for Windows Vista, and then press Enter.
- The program will prompt for confirmation. Type 'YES' and hit Enter.
- Left click on the title bar (where program name and path is written).
- From the menu choose Edit -> Select All
- Hit the Enter key on your keyboard to copy selected text.
- Paste that text into Notepad, save it to your desktop as "MBRCheck results.txt"
- Important! Restart your PC for the fix to take effect.
- Run a new scan with MBRCheck.exe
- Attach the contents of both of the MBRCheck results logs in your next reply
-
HI,
Just to confirm, I'm going to change the BIOS order and make my M drive first in the order?
-
Hi,
No not yet. Just run the instructions as posted. :)
-
HI,
Out of memory!Could not read disk!
Please advise next step!!!
Cheers
-
Hi,
I slapped myself and then reread your instructions, don't know where my head was!! Anyway doing this again correctly but when I restart and try to run mbrcheck my computer crashes. So I ran the first scan in safe mode and trying to run it again after restart. I copied the blue screen results in case it means something to you. So will try to run this scan and send it right away.
Cheers
-
Hi,
Okay here is the log from restart.
Cheers
-
HI,
So where are we at? Have the viruses or virus been taken care of and we are now just dealing with the fake mbr on my external hard drive? If that's the case can I not just transfer to a dvd what I need from that drive and then wipe it clean.
Cheers
Janice
-
How is your system running otherwise...
-
Hi,
You know I can't really tell. Sometimes Firefox opens right away and then again it seems really sluggish. Although I should probably check to see if my Avast ball is running when I'm slowed down.
Cheers
Janice
-
Hi,
Give your system a good run around and let me know how it's working in the morning. :)
-
Hi,
I unplugged my M drive and ran MBRCheck, log attached. I then ran aswMBR and looks like we are back to square one! log attached. If the M drive is one problem fake MBR I can deal with that later. I need to get my computer clean first. I can leave my M drive unplugged til the virus is taken care of. Please advise what's next. Truly frustrated.
Janice
-
Hi,
I know this can be frustrating...malware removal can take some time due to how the viruses will change daily. I have been sitting in your shoes and feeling the same as you, but I do appreciate your patience. :)
----------
OTL
- Right-click and Run as Administrator on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select All Users
- When the window appears, underneath Output at the top change it to Minimal Output.
- Check the boxes beside LOP Check and Purity Check.
- Under the Custom Scan box paste this in
netsvcs
%systemroot%\*. /rp /s
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
>C:\commands.txt echo list vol /raw /hide /c
/wait
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
----------
Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
- Extract it to your desktop
- Double click TDSSKiller.exe
- when the window opens, click on Change Parameters
- under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
- click OK
- Press Start Scan
- Only if Malicious objects are found then ensure Cure is selected
- Then click Continue > Reboot now
- Attach the log in your next reply
- A copy of the log will be saved automatically to the root of the drive (typically C:\)
----------
In your next reply please attach the logs made by OTL and TDSSKiller. :)
-
Hi,
Thanks, I needed to hear that this is not all in vain!! Okay I ran OTL but no Extras came up. Not in the OTL folder either. I ran it twice thinking I missed something. Anyway I have attached the log that I did get. In the past the Extras log has always shown up on my desktop. I will run TDSSKiller now. Also I was having problems with SuperAntiSpyware, ever since it picked up the 4 threats, it wouldn't run, had missing files & I couldn't uninstall or reinstall but finally after much perseverance I installed it to my desktop and it runs. Not sure where this fits in or if at all.
Feeling better,
Janice
-
Hi,
Ran TDSSKiller, found the locked file but only options, move to quarantine (which) I did or skip. No cure option offered. See log.
Janice
-
Hi,
Ok let me look these over...as for the Extras.txt you don't need to worry about that. It is normally only made on the first run of OTL. If I need it we can get another copy. :)
-
Hi,
Please download DDS from either of these links
LINK 1 (http://"http://download.bleepingcomputer.com/sUBs/dds.com")
LINK 2 (http://"http://download.bleepingcomputer.com/sUBs/dds.scr")
and save it to your desktop.
- Disable any script blocking protection
- Right-click and Run as Administrator dds to run the tool.
- When done, two DDS.txt's will open.
- Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:
DDS.txt
Attach.txt
----------
-
Hi,
The links were broken so I went to bleepingcomputer to download. Attached logs as requested. Also I couldn't run as admin, had to just open and run.
Cheers
-
Hi,
I am not seeing too much.
I notice that you have several security programs....this could be hindering your performance that you are experiencing. I see remnants of McAfee that we can remove. I also see that you have AdAware antivirus running along with Avast...this will certainly hinder performance.
As a rule of thumb it is best to run 1 antivirus program, 1 firewall and have another antimalware program like Malwarebytes on your system running at once. Any more and there will be problems. Let me know what you would like to keep and I will remove the remaining programs. :)
---------
I need some information on some unidentified files. We will use Virustotal Please submit these files for analysis
To submit a file to virustotal, please click VirusTotal (http://www.virustotal.com)
copy and paste the following into the upload a file box (one at a time if more than one file is listed)
c:\users\janice\appdata\local\temp\Y.exe
c:\users\janice\appdata\local\temp\VFF.exe
scroll down a bit and click "send file", wait for the results and post them in your next reply.
Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
----------
In your next reply please post the link to the results of VirusTotal and let me know which security programs you would like to keep.
-
HI,
I couldn't copy & paste, when it asked for files to scan and when I clicked on it, it went to my desktop looking for file. So I copied your request onto notepad and ran it that way so I don't know if this is correct. I never got a send button so sent same as rest of scans. If these results are incorrect please advise how to do this differently.
Now I see I'm totally paranoid!! That's a lot of virus checkers.....I want to keep Avast & Malwarebytes & Outpost firewall. Some of these I don't have running but do run from time to time and update at that time as well. Anyway get rid of everything else.
Cheers
-
Hi,
You are running everything just fine. :)
----------
- Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
KillAll::
ClearJavaCache::
DDS::
uStart Page = hxxp://www.umanitoba.ca/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
BHO: {ba14329e-9550-4989-b3f2-9732e92d17cc} - No File
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
TB: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File
mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe
mRun: [Ad-Aware Browsing Protection] "c:\programdata\ad-aware browsing protection\adawarebp.exe"
mRun: [Ad-Aware Antivirus] "e:\downloads\adaware\ad-aware antivirus\AdAwareLauncher" --windows-run
Firefox::
FF - ProfilePath - c:\users\janice\appdata\roaming\mozilla\firefox\profiles\cys0nb0e.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://www.winnipegfreepress.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
File::
C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
E:\Downloads\AdAware\Ad-Aware Antivirus\AdAwareService.exe
C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
c:\PROGRA~1\mcafee\SITEAD~1\saui.exe
- Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
(http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif)
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
-
Hi,
I'm not sure what's happening here. I did as you requested, dragged the file to ComboFix, turned off protection but Outpost comes on, asking about ComboFix and whether to allow or block it. I suspend it again after clicking on auto-learn. Then ComboFix keeps coming up with an update so I say no at this time, not sure if it is legit and I just want to get this done. I don't get a report, it doesn't reboot but goes to scan right away and lo and behold Avast comes up to tell me there is a "trojan name Cfiles.dat original location C:\Combofix". What now!!!! I don't know if I should reboot to get the report, if a report ran, actually I did see it running. Prior to all of this my system was running pretty quick (I kept forgetting to tell you) and now it is slowed right down and not connecting right away etc etc etc.
Janice
-
Hi,
Right click on the Outpost icon in the tool tray (bottom right next to clock) >> select Suspend Protection >> choose Until Restart. That should stop Outpost.
Disable Avast by going to the Avast icon in the tool tray (near the clock) >> right click the icon >> avast shield controls >> Disable until computer restarts.
Now run the same set of instructions I provided for ComboFix before and if asked, allow it to update. :)
-
Hi,
Okay ran it, see attached. Now should my homepages have changed on Firefox and Explorer. I believe it changed to default. I changed it back but just want to make sure nothing else is happening here.
Cheers,
-
Hi,
Now should my homepages have changed on Firefox and Explorer. I believe it changed to default.
Yes that would have happened. Let me look this over and see what there is. :)
-
HI,
I have been having a heck of a time since running combofix. My desktop has been unstable, I had to call my ISP provider to reset my internet connection, I have rebooted so many times just trying to get things to work again. I think I finally now have it under control :), here's hoping!!! What do you think this is about? Anyway I think it had to do with SuperAntiSpyware which kept coming up as I rebooted, then windows installer came up and then there went my internet connection. I closed it out put the shortcut in the recycle bin and fingers crossed everything seems to be working as it should. Could this be the cause of all my grief!!!
Cheers
-
HI,
Nope of course it couldn't be that easy. This is what's happening, I click on my shortcut to connect to the internet and it does. When I'm finished doing whatever, I click to disconnect from the internet on the same shortcut (which should work) but Windows installer comes up and then my computer freezes and I have to reboot it again and again and again. The hourglass comes up and I'm toast.
More than frustrated,
Janice
-
HI,
Well I have worked out a different way of disconnecting my computer from the internet that doesn't freeze my computer. But if I right click my shortcut it still freezes up. I can still open word, excel etc but that's about it. Everything in my right hand taskbar is frozen and I have to reboot.
Still smiling though and hope you are too!!
Cheers
-
Hi,
Yes...still smiling.
I am not positive this is a malware problem any longer but possible a software problem caused by the malware that was on your system. We may just be getting the pieces back to working properly. I am speaking with a colleague about what we are seeing and will return as soon as I can. :)
-
Hi,
Okay it seems anything I right click now on my desktop freezes and I have to reboot. I was thinking of doing a system restore but I will leave it in your capable hands. Again, thanks so much for all your help, this too shall pass!
Cheers,
Janice
-
Hi,
I ran aswMBR again see attached. I do have two other external harddrives which I haven't checked out yet. I also have a backup I did 08/17/2011 on one of the two. I think its a full backup (over 219 gigs, it says) but I do get impatient a times and may have stopped it. I'm hoping not.
Cheers,
Janice
-
Hi,
First open an elevated command prompt > Click Start and type cmd in Start Search.
When cmd.exe populates above, right click it and select Run as Administrator to open an elevated command prompt.
Copy the contents of the code box > right click in the command window and select paste
del C:\Windows\system32\jureg.exe
Press Enter
Close the Command Prompt
----------
Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).
- Extract the contents of the zipped file to desktop.
- Right-click and Run as Administrator GMER.exe. If asked to allow gmer.sys driver to load, please consent .
- If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
(http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg) (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
Click the image to enlarge it
- In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop, and attach it in your reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
----------
-
Hi Jeff,
So I tried to run cmd but I can't right click, it freezes then I have to reboot. On the plus side the reboots are faster, so far. I can double click and get cmd but then I guess it's not running as admin. So should I continue with the other scans? At this point I'm waiting on your instructions.
I was thinking what you are telling me that running aswMBR is just going to keep telling me the same thing every time so thanks for that little tidbit
Cheers,
Janice
-
Hi,
Please download OTM (http://oldtimer.geekstogo.com/OTM.exe) by OldTimer.
- Save it to your desktop.
- Please Right-click and Run as Administrator OTM and then click >> run.
- Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:Processes
explorer.exe
:Files
C:\Windows\system32\jureg.exe
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
- Return to OTM, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close OTM
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
----------
Now run the instructions that I provided for GMER in the previous post.
---------
In your next reply please attach the logs made by OTM and GMER. :)
-
Hi Jeff,
I absolutely cannot right click, immediately windows installer comes up and then I'm in the deep freeze, Please advise if there's a way around this or what's next.
Cheers,
Janice
-
Hi,
Please do the following...
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
SRV - (Y) -- C:\Users\Janice\AppData\Local\Temp\Y.exe File not found
SRV - (VFF) -- C:\Users\Janice\AppData\Local\Temp\VFF.exe File not found
SRV - (HIZOGLG) -- C:\Users\Janice\AppData\Local\Temp\HIZOGLG.exe File not found
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {30F9B915-B755-4826-820B-08FBA6BD249D} - No CLSID value found.
O2 - BHO: (no name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - No CLSID value found.
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered. There will be a log created when it completes that I will need in your next reply. Reboot when it is done.
- Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
-
Hi Jeff,
I ran and pasted as you said. I guess I forgot to save the log and just said yes to the reboot. Is there somewhere else it would be. So now opening my browser is really slow but I did wait it out and it did open. Problem now is I can't open my otl to run the second scan. I will keep trying but it seems like it isn't even connecting to problem, ie name doesn't turn blue and hourglass doesn't come up.
Cheers,
Janice
-
Hi Jeff,
YAY! Success running OTL, had to do it in safe mode, see attached files. Clicking on desktop getting better but still the occasional dreaded blue screen crash. Not sure why there's 3 reports but sending them all anyway. Now do you want me to do the rest of the above instructions? Please advise what's next.
Cheers,
Janice
-
Yes...please continue with GMER. :)
-
Hi Jeff,
I have a few issues now, first I still get Windows installer when I try to right click. I'm finding that when I go into safe mode and right click it sorta freezes but when I hit the start button I can then right click and run as admin. So I did this with GMER and it started, nothing said about rootkits so I proceeded, I printed this first but forgot to enlarge the window so I wasn't sure about the ADS button that was checked I think. Anyway it started, ran for a bit then shut down and blue screen. How many times can I keep rebooting without damaging my computer? Also and I can't remember if it was this time or not but pretty sure this was when the screen came up "Windows has shut down unexpectedly etc" the ribbon was defaulted on "Repair your computer" which I don't recall ever seeing before. I didn't do it because I didn't know if I should click on this or not. Could this have to do with the Windows installer that keeps coming up on right click? Next I go back here to enlarge that window so I can know exactly what to do in GMER, then I get "problem loading page" and I then lost my internet connection; fortunately since this has happened a few times as well I now know how to deal with this problem without having to call my ISP.
So now do I leave my C drive checked in Drives/Partition and uncheck D & E and nothing shows in "Show All" so is that how it should be. I will wait to hear back before attempting this again and leave the ADS button checked?
Cheers,
Janice
-
Hi,
I tried running GMER as admin again, had to go to safe mode to do it and again right click then click on start to be able to then right click and run as admin. I was able to get to the box and follow the instructions. I did notice a difference when GMER opened at the top of the box before I ran the scan. The box shows two lines at the top on your gmer scan but my box had 7 lines with the bottom line being the same as the first line you show. My lines start with Device/Driver/atapi etc and gives a value. I don't know if this means anything but if so I can give you what was being scanned. It started scanning then almost immediately it stopped working & I had to reboot (but at least it didn't crash as it usually does) and it also did not ask for gmer system driver. Please advise what's next!
Cheers,
-
The box shows two lines at the top on your gmer scan but my box had 7 lines with the bottom line being the same as the first line you show. My lines start with Device/Driver/atapi etc and gives a value.
This will vary from computer to computer...I have about 15 lines when I start GMER. :)
Ok...Run GMER from Safe Mode again. This time, in addition to the boxes originally asked to be unchecked, be sure to uncheck Libraries and Threads as well this time. Then continue with the instructions. If GMER produces a log attach that please. :)
-
Hi Jeff,
Did as you said, absolutely cannot run GMER, it shuts down once the scan runs for half a minute or so! This is in safe mode. I also understand now that the "Repair your Computer" button comes up when you press F8 to start in safe mode. So what's next?
Cheers,
Janice
-
In the run box type the following
diskmgmt.msc
When disc management opens expand it so that all drives are visible
Take a screenshot and post it here
Are you able to burn a CD on another computer ?
-------------
-
Hi,
I'm not sure where I do this. Is it after all the commands load up, I don't get a cursor there to type this in. I'm assuming this is in GMER or do you mean somewhere else? Please advise, and yes I could burn a CD on another computer.
Cheers
-
lower left corner START > run > diskmgmt.msc hit enter button
expand the box, take screenshot....... save as gif (that makes it small) and attach
-
Sigh, no it does not respond. I hit enter, nothing.
Cheers
-
so you don't see a box like this?...... see screenshot
well, jeffce will be back and guide you ;)
-
Hi Jeff,
I ran this through Control Panel & administrative tools and YAY! success. One small step on the road to recovery!!
See attached,
Cheers
-
Hi Jeff,
Just to let you know I'm not crashing anymore, still have issues but this one seems resolved, fingers & toes crossed!
Cheers,
Janice
-
Hi Jeff,
It just keeps getting better & better, I have my desktop back, I can right click left click and it all works. I did try running GMER again but it still stopped although it has gone further than before. Do you still want me to run command.exe, I can do it but not sure if we are past that now. Actually what happened is I plugged my M drive back in, and I right click on my internet connection, windows installer came up and wanted to install AdAware. It of course couldn't find the files and so I cancelled the installation and voila, windows installer is stopped now, and right click is back, YAY!! So now what's next?
Cheers,
Janice
-
Hi,
Sorry for the delay in responses...I have mandatory training with work this week and the hours are CRAZY!! LOL!!
Ok....the screenshot that you got looks just fine. Since there are things that are running again explain exactly what problems you are still having. :)
@Pondus:
Thanks for looking over this while I have been out. :)
-
Hi,
Well starting this afternoon everything seems to be good. It is quick to load up, browser comes up fast so I think everything is fine. Do you think we are done? Although I still have that file that would be associated with the virus I had namely win32 bagle.gen.zip worm and the file Adds key: HKCU\Software\Local AppWizard-Generated Applications. So what does it mean to still have this if anything. Also I have the false MBR on my M drive don't I?
Cheers,
Janice
-
Hi,
Could you give me the complete file path of the file you are referring to? :)
----------
- Click Start > Run type Notepad click OK.
- This will open an empty Notepad file.
- Copy/Paste the contents of the box below into Notepad.
@echo off
rem Export the key to a text file on the Desktop (regedit /e needs the full root name, not HKCU)
regedit.exe /e "%userprofile%\Desktop\look.txt" "HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications"
rem Open the export; the batch file waits here until Notepad is closed
Notepad.exe "%userprofile%\Desktop\look.txt"
rem Remove the export by its full path, then this batch file
Del "%userprofile%\Desktop\look.txt"
Del "%~f0"
- Click Format and ensure Wordwrap is unchecked.
- Save as RegExp.bat
- Save as file type All Files or it won't work.
- Now double click on RegExp.bat to run it.
- A file look.txt will open on your Desktop, please post the contents in your next reply.
-
Hi Jeff,
Okay did as requested, see attached. Also in one of the scans I did, I think it was aswMBR, it shows a line that says "Unknown MBR code". Does that mean anything? I am going to clean my M drive as soon as I finish downloading a few files to dvd's so hopefully that will take care of that fake MBR on that drive?
Cheers,
Janice
-
Hi,
I decided to run disk management with my M drive plugged in, see attached. I'm assuming it is all good! No need to worry about my M drive?
Cheers,
Janice
-
Hi,
The unknown MBR is showing from the external drive, and since that drive is not used to boot, it is not actually a problem. I am not seeing anything showing in the two screenshots you provided either, so that is good. :)
-
Hi,
Okay that's good. So now here's the thing, I have some registry items that belong to the trojan win32/bagle. They are HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications, under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000 (which I don't have) but under this key there are 6 subkeys and I have one ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1, don't know what any of this means. I noticed I had a locked SPTD on one of the scans and when I researched this I read that this file could be part of Alcohol which was a program I had a few years ago and removed but again not sure about the locked part.
Cheers,
Janice
-
Hi,
Yes the SPTD is related to a CD emulation program like Alcohol or Daemon. That is nothing to worry about. :)
---------
Did you ever follow these instructions so that I can look at that registry key? I asked for this a couple of posts ago?
Click Start > Run type Notepad click OK.
This will open an empty Notepad file.
Copy/Paste the contents of the box below into Notepad.
@echo off
rem Export the key to a text file on the Desktop (regedit /e needs the full root name, not HKCU)
regedit.exe /e "%userprofile%\Desktop\look.txt" "HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications"
rem Open the export; the batch file waits here until Notepad is closed
Notepad.exe "%userprofile%\Desktop\look.txt"
rem Remove the export by its full path, then this batch file
Del "%userprofile%\Desktop\look.txt"
Del "%~f0"
Click Format and ensure Wordwrap is unchecked.
Save as RegExp.bat
Save as file type All Files or it won't work.
Now double click on RegExp.bat to run it.
A file look.txt will open on your Desktop, please post the contents in your next reply.
-
Hi Jeff,
Yes it is the scan at the top of this page. I will do it again. Same answer "Cannot find the file, etc"
Cheers,
Janice
-
Were you sure to save the File Type to All Files?
I see where you registered at WTT. :)
-
Hi Jeff,
Yes, I did it exactly as you said and that's what I got. The cmd.exe comes up and pause and then the box "Cannot find file etc".
My computer is running really fast, reboots fast, internet connection is fast and browser opening fast. So that is all good. Just concerned about the registry entries now.
So you did notice that I registered at WTT. I didn't know if you would or not, seems pretty interesting! :)
Cheers,
Janice
-
Hi,
Those entries...if they are what they might be...seem to just be left over parts and really aren't of any concern. :)
-
Hi,
Okay, should I just leave them there, should I delete them? It seems that everything is finally running as it should. :)
Cheers,
Janice
-
I really think that you will be ok with leaving them alone. :)
Providing there are no other malware related problems...
IT APPEARS THAT YOUR LOGS ARE NOW CLEAN :D SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!! :D
This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.
----------
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run and copy/paste the following text into the Run box as shown and click OK.
Combofix /Uninstall
(Note: There is a space between the ..X and the /U that needs to be there.)
(http://i1224.photobucket.com/albums/ee380/jeffce74/CF.jpg)
----------
Clean up with OTL:
- Right-click and Run as Administrator OTL.exe to start the program.
- Close all other programs apart from OTL as this step will require a reboot
- On the OTL main screen, press the CLEANUP button
- Say Yes to the prompt and then allow the program to reboot your computer.
----------
Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.
Here are some tips to reduce the potential for spyware infection in the future:
1. Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialize and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub-frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
2. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:
- Open Internet Explorer
- Click on Tools > Internet Options
- Press Security tab
- Select Internet zone then place check next to Enable Protected Mode if not already done
- Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
- Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.
3. Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.
4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here (http://www.bleepingcomputer.com/forums/tutorial60.html). **There are firewalls listed in this tutorial that could be downloaded and used but I would personally only recommend using one of the following two below:
Online Armor Free (http://download.cnet.com/Online-Armor-Free/3000-10435_4-10426782.html)
Agnitum Outpost Firewall Free (http://download.cnet.com/Agnitum-Outpost-Firewall-Free/3000-10435_4-10913746.html)
5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update (http://v4.windowsupdate.microsoft.com/en/default.asp) regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.
6. WOT (http://www.mywot.com/) (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.
7. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place? (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
-
HI,
Okay I ran uninstall combofix but it couldn't find it so I guess I must have removed it already. I ran OTL cleanup. So hopefully we are done with this, YAY! :)
Thanks sooooo much, to have a resource such as this is totally invaluable. Pat yourself on the back!
Cheers,
Janice
-
Hi!!
You are more than welcome and glad that I could help. :)
-
HI,
Last night Avast Screensaver scan showed virus Threat: Win32.malware-gen. It showed it as being in C:\Users\Janice\Desktop\OTL.exe. I moved it to the virus chest and then ran a boot time scan and it came up clean. Would this be a false positive or is the win32\bagle\gen still hanging around? Anything I should be running now to check this out? Please advise.
Cheers,
Janice
-
Hi,
When I posted the instructions in this topic on how to remove OTL did you get that completed? If not please do so. Anyway, it will be a false positive and nothing to be concerned about. If after you run the OTL cleanup instructions the icon is still there...just delete it, empty your Recycle Bin and that should fix you up. :)
-
Hi Jeff,
Okay I'll check that out & make sure I remove as per instructions, thanks yet again!!!
Cheers,
Janice
-
:)
-
Hi Jeff,
I have been checking folders in my registry and came across a folder called Binary Noise. So I checked to see what this is and came across this again for Win32/bagle trojan
These are the keys that are suspect:
HKEY_CURRENT_USER\Software\Binary Noise
HKEY_CURRENT_USER\Software\Binary Noise\mPlayer
HKEY_CURRENT_USER\Software\Binary Noise\mPlayer\[filename of the sample #1] under here I have loader_pc_mprojector.exe & webshots_desktop_installer.exe.
Now at one time I did have webshots installed.
So again not exactly sure if these are still active but am sure it shouldn't be there!
Please advise,
Cheers,
Janice
-
Hi Jeff,
I don't seem to be seeing the .exe files though that go with these entries so would that mean that the virus is effectively gone. I am totally freaked out at the moment!!! but hope that is what it means.
Cheers,
Janice
-
Hi,
We can remove that if you wish? I see where you are concerned.
Please download and run ERUNT (http://www.snapfiles.com/get/erunt.html) (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------
Next I would like you to take the following steps:
- Click Start then Run type Notepad and click Ok
- Copy and Paste the contents of the Code box below into Notepad
Windows Registry Editor Version 5.00
; The leading minus deletes the key together with all of its subkeys and values
[-HKEY_CURRENT_USER\Software\Binary Noise]
- Save as regfix.reg to your Desktop
- Make sure to save file type as All Files
- Now right-click regfix.reg and select Merge
Go ahead and check to be sure it is not there any longer and let me know.
-
Hi Jeff,
Did as suggested and it is gone! Why would I have a folder called HKEY_CURRENT_USER with sub folders SOFTWARE subfolder Microsoft subfolder Windows subfolder CurrentVersion subfolder RunOnce within the registry entry called HKEY_CURRENT_USER. I don't recall seeing that before but....
Cheers,
Janice
-
Hi Jeff,
Can we also get rid of HKCU\Software\Local AppWizard-Generated Applications, which is part of the win32/bagle trojan?
Cheers,
Janice
-
- Click Start > Run type Notepad click OK.
- This will open an empty Notepad file.
- Copy/Paste the contents of the box below into Notepad.
@echo off
rem Export the key to a text file on the Desktop (regedit /e needs the full root name, not HKCU)
regedit.exe /e "%userprofile%\Desktop\look.txt" "HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications"
rem Open the export; the batch file waits here until Notepad is closed
Notepad.exe "%userprofile%\Desktop\look.txt"
rem Remove the export by its full path, then this batch file
Del "%userprofile%\Desktop\look.txt"
Del "%~f0"
- Click Format and ensure Wordwrap is unchecked.
- Save as RegExp.bat
- Save as file type All Files or it won't work.
- Now double click on RegExp.bat to run it.
- A file look.txt will open on your Desktop, please post the contents in your next reply.
-
HI Jeff,
Okay did as requested, see attached file.
Cheers,
Janice
-
Registry keys are normally not enough to be infected. Most of them look pretty strange but if you aren't experiencing any problems we should leave them alone. :)
-
Hi Jeff,
By "Most of them look pretty strange" do you mean the entries that I attached in my last post? The only entry there I recognize is Zoombrowser entry which is part of my Canon camera software.
TrojanDownloader:Win32/Bagle.gen!A creates the following registry subkeys and entries as part of its installation routine:
Adds value: "frstrunn"
With data: "1"
To subkey: HKCU\Software\bisoft - I DON'T HAVE THIS ONE
Adds value: "EnableLUA"
With data: "<value>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\Security Center\Svc - I DON'T HAVE THIS ONE
where <value> is a certain number.
Adds key: HKCU\Software\Local AppWizard-Generated Applications
and all its associated subkeys. I JUST HAVE THIS ONE
It may also create the following folders:
%AppData%\drivers
%AppData%\drivers\downld - I DON'T KNOW ABOUT EITHER OF THESE AS I DON'T KNOW WHERE TO LOOK!
Anyway, sorry to be obsessing about this & being such a pest, I just want to be sure I'm free of this virus!
Well okay I will leave this alone. You're the best, thanks soooo much yet again!
Cheers,
Janice
-
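As an added example (not code from this thread or from any of the posters), here is a small Python parser for the look.txt that the RegExp.bat above produces with regedit /e, which then lists any exported keys that fall under the Win32/Bagle-associated registry paths named in the posts above. The key paths are the ones the thread quotes; the sample export embedded below is constructed.

```python
import re

# Keys the thread associates with Win32/Bagle, written with the full root
# names that regedit /e expects (it does not accept HKCU).
BAGLE_KEYS = [
    r"HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications",
    r"HKEY_CURRENT_USER\Software\Binary Noise",
    r"HKEY_CURRENT_USER\Software\bisoft",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center\Svc",
]

# Constructed sample in regedit export syntax (not a real look.txt; a real
# export is UTF-16LE with a BOM, so decode it with "utf-16" first).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications]
[HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\ZoomBrowser]
"Path"="C:\\Program Files\\Canon"
[HKEY_CURRENT_USER\Software\bisoft]
"frstrunn"=dword:00000001
"Blob"=hex:01,02,\
  03,04
[HKEY_CURRENT_USER\Software\Binary Noise\mPlayer]
@="constructed sample"
"""


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; '' is the default value."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        while line.endswith("\\") and i < len(lines):  # hex data continues
            line = line[:-1] + lines[i].strip()
            i += 1
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or current is None:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        raw = m.group(3)
        if raw.startswith('"') and raw.endswith('"'):
            value = _unescape(raw[1:-1])
        elif raw.lower().startswith("dword:"):
            value = int(raw[6:], 16)
        else:  # hex:, hex(2):, hex(7): ... comma-separated bytes
            value = bytes.fromhex(raw.split(":", 1)[1].replace(",", ""))
        keys[current][name] = value
    return keys


def find_bagle_leftovers(keys):
    """Exported keys at or below a BAGLE_KEYS path: leftovers to review, not proof of infection."""
    bagle = [k.lower() for k in BAGLE_KEYS]
    return [(p, v) for p, v in keys.items()
            if any(p.lower() == k or p.lower().startswith(k + "\\") for k in bagle)]
```

A hit only means the key is present in the export; as Jeff notes in the thread, such keys on their own are not enough to say a machine is infected.
-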
I understand your desire to be infection free.
I feel confident that you are and I am glad that I could help. :)
-
Hi Jeff,
If you are confident that I'm virus free then I am confident that I am virus free :) !
Thank you, thank you, thank you!
Cheers,
Janice
-
You are more than welcome. :)
-
HI,
I'm not sure what is going on with my computer, I got the unresponsive script message "Warning: Unresponsive Script" A Script may be busy or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete. Script:chrome//browser/content/sanatize.js:133 but at least I don't get the "Welcome to NGINX" page yet. I do have a few problems though. From time to time I lose my disconnect from the internet button. I look like I'm disconnected, my connection shows that I have to connect to go on the net but I am actually still on the net. I'm not getting the blue screen of death this go round but I do have to reboot fairly often because things are hanging up and I can't get rid of them example: I had deleted something I wanted back so I went to my trash to restore it, it restored but the restore command stayed on my desktop. My clock will be slow by about 1/2 hr on one reboot but when I reboot again it will be correct. My update from Avast (the green box that comes up), hangs up & I can't get rid of it either until I rebooted. Clicking on the "x" does nothing.
I will admit to being totally paranoid and hope the virus isn't back but don't know if I should run the tools again or if this is a different issue altogether!
Cheers,
Janice
-
Hi,
I hopefully have resolved my connection problem. I called my ISP and even though I have to connect and disconnect differently than I did before they checked to make sure no one else was using my username and password so it's a relief to know that I'm all alone on my computer! They couldn't tell me why this is happening though. Upon reboot it was trying to connect to dial-up connection even though I am connected to broadband.
Cheers,
Janice
PS I am going to be away from my computer for a few days. Will check when I get back.
-
HI,
I have been experiencing a very slow computer and the dreaded BSOD at least 6 times in the last week or so. Mostly comes up when I am trying to install a program. I hope nothing is happening as above but I ran all the logs just to make sure. I have attached below.
Cheers,
Janice
-
Hi,
Could you start a new topic for this so that we don't get anything confused while fixing your system? Thanks. :)
-
Yes I will, thanks.