Admin Virus


Re: Admin Virus
I tried downloading the kaspersky software from around seven third party sites to no avail. The browser continues to work and load like the download window is going to pop up, but nothing ever happens. It eventually times out.

Re: Admin Virus
Let's try the following... If you cannot complete TDSSKiller, move on to aswMBR...

Please download TDSSKiller to your desktop and run it as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


[screenshot: Tdss_1]

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[screenshot: Tdss_2]

------------------------

Click the Start Scan button.

[screenshot: Tdss_3]

-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.


[screenshot: Tdss_4]

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


[screenshot: Tdss_5]


--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip; click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


avast! aswMBR

Please download aswMBR from here


  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below


[screenshot: AswMBR_Scan]

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives


  • Once the scan finishes click Save log to save the log to your Desktop
    [screenshot: AswMBR_SaveLog]

  • Copy and paste the contents of aswMBR.txt back here for review

Re: Admin Virus
TDSSKiller did not load.


aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-09-22 19:15:43
-----------------------------
19:15:43.343 OS Version: Windows 5.1.2600 Service Pack 3
19:15:43.343 Number of processors: 2 586 0x304
19:15:43.343 ComputerName: COMPUTER_1 UserName: owner
19:15:43.734 Initialize success
19:15:56.531 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
19:15:56.531 Disk 0 Vendor: ST340014AS 3.20 Size: 38166MB BusType: 3
19:15:56.562 Disk 0 MBR read successfully
19:15:56.562 Disk 0 MBR scan
19:15:56.562 Disk 0 Windows XP default MBR code
19:15:56.562 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38154 MB offset 63
19:15:56.562 Disk 0 scanning sectors +78140160
19:15:56.640 Disk 0 scanning C:\WINDOWS\system32\drivers
19:16:02.281 Service scanning
19:16:17.875 Modules scanning
19:16:26.296 Disk 0 trace - called modules:
19:16:26.296 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
19:16:26.312 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f4eab8]
19:16:26.312 3 CLASSPNP.SYS[f7556fd7] -> nt!IofCallDriver -> \Device\00000064[0x86f3e3b8]
19:16:26.312 5 ACPI.sys[f74cd620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x86f4fd98]
19:16:26.312 Scan finished successfully
19:16:52.546 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\owner\Desktop\Fix This Computer\MBR.dat"
19:16:52.546 The log file has been saved successfully to "C:\Documents and Settings\owner\Desktop\Fix This Computer\aswMBR.txt"
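An added example, not part of this thread and not aswMBR's own code, of reading an aswMBR log offline the way the reviewer above does: it parses the timestamped lines, pulls out the OS, the MBR code verdict, the active partition and the disk trace, and collects the entries that should not be acted on until someone has looked at them. The clean sample is the log posted above with the progress lines trimmed; the second sample is constructed to show the flags firing. The marker words other than **Rootkit**, the expected end of the disk trace, and the "unknown MBR code" wording are assumptions, not strings taken from aswMBR.

```python
"""Offline triage of an aswMBR log (added example, not aswMBR's or the thread's code)."""
import re

# aswMBR writes one "HH:MM:SS.mmm message" line per event; banner lines have no timestamp.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
# Disk-trace hops look like "3 CLASSPNP.SYS[f7556fd7] -> nt!IofCallDriver -> \Device\...[0x...]".
HOP_RE = re.compile(r"^\d+ .* -> (.*)$")
# Markers worth a second look (assumption; **Rootkit** is the one the thread mentions).
FLAG_WORDS = ("**Rootkit**", "SUSPICIOUS", "malicious", "**LOCKED**")
# Where the trace bottoms out on a clean XP box with an IDE/SATA or SCSI disk (assumption).
EXPECTED_TRACE_END = ("\\Device\\Ide\\", "\\Device\\Scsi\\")

# Clean sample: the log posted in the thread, scan-progress lines trimmed.
CLEAN_LOG = r"""aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-09-22 19:15:43
-----------------------------
19:15:43.343 OS Version: Windows 5.1.2600 Service Pack 3
19:15:56.562 Disk 0 MBR read successfully
19:15:56.562 Disk 0 MBR scan
19:15:56.562 Disk 0 Windows XP default MBR code
19:15:56.562 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38154 MB offset 63
19:16:26.296 Disk 0 trace - called modules:
19:16:26.296 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
19:16:26.312 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f4eab8]
19:16:26.312 3 CLASSPNP.SYS[f7556fd7] -> nt!IofCallDriver -> \Device\00000064[0x86f3e3b8]
19:16:26.312 5 ACPI.sys[f74cd620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x86f4fd98]
19:16:26.312 Scan finished successfully
"""

# Constructed sample (not a real log): non-default MBR code, a marked service, and a trace
# whose last hop lands on an unnamed device object instead of the IDE device.
SUSPECT_LOG = r"""19:20:01.000 OS Version: Windows 5.1.2600 Service Pack 3
19:20:02.000 Disk 0 MBR read successfully
19:20:02.000 Disk 0 unknown MBR code
19:20:02.000 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38154 MB offset 63
19:20:06.000 Service exampledrv C:\WINDOWS\system32\drivers\exampledrv.sys **Rootkit**
19:20:07.000 Disk 0 trace - called modules:
19:20:07.000 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys
19:20:07.000 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f4eab8]
19:20:07.000 3 CLASSPNP.SYS[f7556fd7] -> nt!IofCallDriver -> [0x86f3e3b8]
19:20:07.000 Scan finished successfully
"""


def parse_aswmbr(text):
    """Return (timestamp, message) pairs for the timestamped lines; banner lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append((m.group(1), m.group(2)))
    return events


def triage(text):
    """Summarise one log and collect the entries a reviewer should look at before acting."""
    report = {"os": None, "mbr_code": None, "boot_partition": None, "trace_modules": [],
              "trace_end": None, "finished": False, "flags": []}
    want_modules = False
    for _, msg in parse_aswmbr(text):
        if want_modules:                       # the line right after "trace - called modules:"
            report["trace_modules"] = msg.split()
            want_modules = False
            continue
        hop = HOP_RE.match(msg)
        if msg.startswith("OS Version:"):
            report["os"] = msg.split(":", 1)[1].strip()
        elif re.match(r"Disk \d+ .*MBR code", msg):
            report["mbr_code"] = msg
            if "default MBR code" not in msg:
                report["flags"].append("MBR code is not the Windows default: " + msg)
        elif re.match(r"Disk \d+ Partition \d+ 80 \(A\)", msg):
            report["boot_partition"] = msg
        elif msg.endswith("trace - called modules:"):
            want_modules = True
        elif hop:
            # keep the target of the last hop, minus the trailing [0x...] object address
            report["trace_end"] = re.sub(r"\[0x[0-9a-fA-F]+\]$", "", hop.group(1).strip())
        elif msg == "Scan finished successfully":
            report["finished"] = True
        if any(word in msg for word in FLAG_WORDS):
            report["flags"].append("marked entry: " + msg)
    end = report["trace_end"]
    if end is not None and not end.startswith(EXPECTED_TRACE_END):
        report["flags"].append("disk trace does not end at a named IDE/SCSI device: %r" % end)
    if not report["finished"]:
        report["flags"].append("no 'Scan finished successfully' line; the scan may have been interrupted")
    return report


if __name__ == "__main__":
    for name, log in (("thread log", CLEAN_LOG), ("constructed log", SUSPECT_LOG)):
        r = triage(log)
        print(name, "->", "no flags" if not r["flags"] else "\n  " + "\n  ".join(r["flags"]))
```

Run it as-is and the thread's own log comes back with no flags, which matches the reviewer's reading of it; the constructed log shows the three kinds of flag a reviewer would want surfaced before anyone clicks Fix in aswMBR.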

Re: Admin Virus
Please reboot to Safe Mode (tap the F8 key before Windows begins to load and select the Safe Mode option from the menu). Then, try again please.

Re: Admin Virus
Booting into safe mode was unsuccessful. It said windows did not load properly and suggested I start windows normally with the last known working configuration.

Re: Admin Virus
Scan for malware

Please download Malwarebytes Anti-Malware from HERE.


Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Copy and paste the entire report in your next reply.



Please download OTL to your Desktop. (If you already have it downloaded, then just follow the instructions below).

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    CreateRestorePoint
    %AppData%\Roaming\Mozilla\Firefox\Profiles\*.default\extensions\ /s /md5
    %AppData%\Local\
    %systemroot%\system32\sysprep
    *.xpi /md5
    %systemroot%\Downloaded Program Files\
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.exe /md5
    "%WinDir%\$NtUninstallKB*$." /30
    %systemdrive%\Program Files\Common Files\ComObjects\*.* /s
    %systemroot%\*. /mp /s
    %systemroot%\*. /rp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\Installer\ /s
    %systemroot%\system32\Cache\ /s
    %systemroot%\system32\config\systemprofile\Application Data /s
    %PROGRAMFILES%\*.
    %appdata%\*.*
    /md5start
    volsnap.sys
    services.exe
    userinit.exe
    afd.sys
    tcpip.sys
    netbt.sys
    ipsec.sys
    dnsrslvr.dll
    ipnathlp.dll
    netman.dll
    WMIsvc.dll
    srsvc.dll
    sr.sys
    wscsvc.dll
    wuauserv.dll
    qmgr.dll
    es.dll
    cryptsvc.dll
    svchost.exe
    rpcss.dll
    tdx.sys
    wininit.exe
    winlogon.exe
    atapi.sys
    explorer.exe
    /md5stop

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) and paste (Edit->Paste) the contents of these files, one at a time


Note: in the event that OTL fails to run, please use alternate download links to try again:

http://oldtimer.geekstogo.com/OTL.com
http://oldtimer.geekstogo.com/OTL.scr
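An added example, not OTL's code and not part of this thread, of what the /md5start ... /md5stop block above is for: hash a fixed list of system binaries, compare against a manifest taken from a known-good machine, and report anything that changed, went missing or appeared. The file names are the ones in the block above; the directory, file contents and baseline hashes are constructed in a temp folder so the demo runs offline. A real baseline has to come from a clean install at the same service pack level, otherwise every legitimate update shows up as a change.

```python
"""Baseline check of the system files OTL hashes between /md5start and /md5stop
(added example; not OTL's code). Hash each file, compare with a known-good manifest,
and report changed, missing and unexpected files."""
import hashlib
import os
import tempfile

# The names from the thread's /md5start ... /md5stop block.
OTL_MD5_LIST = [
    "volsnap.sys", "services.exe", "userinit.exe", "afd.sys", "tcpip.sys", "netbt.sys",
    "ipsec.sys", "dnsrslvr.dll", "ipnathlp.dll", "netman.dll", "WMIsvc.dll", "srsvc.dll",
    "sr.sys", "wscsvc.dll", "wuauserv.dll", "qmgr.dll", "es.dll", "cryptsvc.dll",
    "svchost.exe", "rpcss.dll", "tdx.sys", "wininit.exe", "winlogon.exe", "atapi.sys",
    "explorer.exe",
]


def md5_of(path):
    """MD5 to match what OTL prints. Enough to spot a changed file against a baseline
    you trust; not a defence against an attacker who engineers a collision."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, names):
    """Hash every listed file under root; files that are not there map to None."""
    manifest = {}
    for name in names:
        path = os.path.join(root, name)
        manifest[name] = md5_of(path) if os.path.isfile(path) else None
    return manifest


def compare(baseline, current):
    """Diff two manifests: changed hashes, files gone since the baseline, files that appeared."""
    changed = [n for n, h in baseline.items() if h and current.get(n) and current[n] != h]
    missing = [n for n, h in baseline.items() if h and not current.get(n)]
    new = [n for n, h in current.items() if h and not baseline.get(n)]
    return {"changed": changed, "missing": missing, "new": new}


def demo():
    """Constructed system32: baseline three files, then 'patch' a driver, delete a service
    binary and drop a file that was not there before."""
    root = tempfile.mkdtemp()
    for name in ("atapi.sys", "services.exe", "explorer.exe"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"clean build of " + name.encode())
    baseline = build_manifest(root, OTL_MD5_LIST)
    with open(os.path.join(root, "atapi.sys"), "ab") as f:
        f.write(b"\x90\x90 appended stub")            # constructed tamper, not real malware
    os.remove(os.path.join(root, "services.exe"))
    with open(os.path.join(root, "tdx.sys"), "wb") as f:
        f.write(b"dropped")
    return compare(baseline, build_manifest(root, OTL_MD5_LIST))


if __name__ == "__main__":
    print(demo())
```

OTL itself only prints the hashes; the comparison against a clean machine is the step the person reading the log does in their head, and this is that step written down. Files that hash the same but sit in the wrong place, or extra copies of a name in another directory, are a separate check that this does not cover.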

Re: Admin Virus
Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.28.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
owner :: COMPUTER_1 [administrator]

10/1/2012 2:25:43 PM
mbam-log-2012-10-01 (14-25-43).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 185415
Time elapsed: 5 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{625F420E-A4A9-4B40-BC23-716C1C43893A} (Adware.Adurr) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 5
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\owner\My Documents\Downloads\FreeFileViewer2011Setup.exe (PUP.BundleOffers.IIQ) -> Quarantined and deleted successfully.

(end)
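An added example, not Malwarebytes' code and not part of this thread, that parses the log above into structured findings and turns the "Bad/Good" registry data items into reg.exe commands that restore the Good value, for the case where the repair has to be redone by hand after a reinfection. The log text is the one posted above. It assumes the tampered values are REG_DWORDs, which is true of the policy and Security Center flags reported here; the plain-language descriptions of the PUM families are my wording.

```python
"""Parse a Malwarebytes Anti-Malware 1.x log and turn the registry-data findings into
restore commands (added example; not Malwarebytes' or the thread's code)."""
import re

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<key>|<value> (<detection>) -> Bad: (<bad>) Good: (<good>) -> <action>"
DATA_ITEM_RE = re.compile(
    r"^(?P<key>[^|]+)\|(?P<value>\S+) \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.*)$")
# "<key, value, folder or file> (<detection>) -> <action>"
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^)]+)\) -> (?P<action>.*)$")

# Plain-language meaning of the PUM families in the thread's log (my wording).
PUM_MEANING = {
    "PUM.Hijack.TaskManager": "Task Manager blocked by policy",
    "PUM.Hijack.Regedit": "Registry Editor blocked by policy",
    "PUM.Disabled.SecurityCenter": "Security Center warning suppressed",
}

# The log posted in the thread.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.65.0.1400
Database version: v2012.09.28.07
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{625F420E-A4A9-4B40-BC23-716C1C43893A} (Adware.Adurr) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 5
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\owner\My Documents\Downloads\FreeFileViewer2011Setup.exe (PUP.BundleOffers.IIQ) -> Quarantined and deleted successfully.

(end)
"""


def parse_mbam_log(text):
    """Return one dict per detected object, tagged with the section it was listed under."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or not line or line.startswith("("):
            continue          # header lines, blanks, "(No malicious items detected)", "(end)"
        m = DATA_ITEM_RE.match(line) or ITEM_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d.setdefault("bad", None)
        d.setdefault("good", None)
        d.setdefault("item", d.get("key", "") + "|" + d.get("value", ""))
        d["section"] = section
        findings.append(d)
    return findings


def tampered_values(findings):
    """(item, bad, good, meaning) for every registry data item MBAM repaired."""
    return [(f["item"], f["bad"], f["good"], PUM_MEANING.get(f["detection"], f["detection"]))
            for f in findings if f["good"] is not None]


def repair_commands(findings):
    """reg.exe lines that put each tampered value back to the Good value MBAM reported.
    Assumes REG_DWORD, which holds for the policy and Security Center flags in this log."""
    return ['reg add "%s" /v %s /t REG_DWORD /d %s /f' % (f["key"], f["value"], f["good"])
            for f in findings if f["good"] is not None]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for item, bad, good, meaning in tampered_values(found):
        print("%-75s %s -> %s  (%s)" % (item, bad, good, meaning))
    print("\n".join(repair_commands(found)))
```

The five data items are the interesting part of this log: Task Manager and regedit disabled for the user, and all three Security Center notifications switched off, which is the pattern of something trying to keep its victim from noticing or fighting back. The two quarantined objects (the adware BHO key and the bundled-offer installer in Downloads) do not explain that by themselves, which is why the thread keeps going after this scan.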

Re: Admin Virus
An error occurred during the OTC scan. "Access violation at address CCC0460. Read of address CCCC0460." The program then froze and no reports were produced.

Re: Admin Virus
Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.

Note: please close all other applications running on your system.

Double click GetSystemInfo.exe to open it. It will display an agreement. Click on I Agree to continue.

Click the Settings button.

[screenshot: 2hd457o]

[screenshot: Settingsslider]

Set the slider to Maximum.

[screenshot: Driversports]

IMPORTANT! Then, click Customize - choose Driver / Ports tab and uncheck Scan Ports.


[screenshot: Generaltab]

On the General tab, make sure all of the boxes are checked.


[screenshot: Misce]

On the Misc tab, make sure all the checkboxes are checked.

Then, click OK on the windows that you launched.


[screenshot: 2ekm73m]
Click Create Report to run it.

[screenshot: Beginscanning]
It will begin scanning.

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop.

It should automatically upload it to http://www.getsysteminfo.com. If it does not, then please submit it manually by going to the site and doing the upload process.

It will redirect to a page, where it will provide a sharing URL for specialists. Copy and paste the url of the GSI Parser report in your next reply.

Re: Admin Virus
http://www.getsysteminfo.com/read.php?file=01c09ea4395212df93120289072a4c95

Re: Admin Virus
Purge old temporary files

Download CCleaner Slim and save it to your Desktop. Alternate download link: http://www.majorgeeks.com/CCleaner_Slim_No_Toolbar_d4191.html

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.
* Under Cookies to Delete, highlight any cookies you would like to retain permanently
* Click the right arrow > to move them to the Cookies to Keep window.
* Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:


  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death

Re: Admin Virus
Should I uncheck programs that I do not want deleted? For example I have Office loaded on the machine but no original discs or product keys to load it back on the machine if it gets deleted permanently.

Re: Admin Virus
If you're in the Cleaner tab, then no programs will be deleted whatsoever. CCleaner does not delete programs without your permission. However, it chooses to clean up temporary files saved by Microsoft Office, among other products, to help boost the speed of your computer and programs overall.

Only in the Tools tab do you have the ability to remove programs, and you have to be the one to activate it.

Re: Admin Virus
Alright, thank you for clearing that up for me. However, even after running CCleaner, both problems still exist.

Re: Admin Virus
Please try the Kaspersky Virus Removal Tool noted here: http://www.GeekPolice.net/t29097p15-admin-virus#202393
