Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....


Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by MBanks on Mon 09 May 2011, 2:57 pm

Windows sometimes loads now, but it will then show the blue screen of death with some text which disappears too quickly to read, then reboots. Sometimes it will not even reboot; the screen just turns off and on on my laptop.

When the laptop does decide to load properly I can't load up in safe mode to even get the MBAM log to post here!!

Does anyone have any suggestions on what I can do? This has put me in a very bad situation!

Any help is greatly appreciated.
Thanks,
Martin

MBanks

Rookie Surfer

Posts : 92
Joined : 2010-09-15
Operating System : Windows XP Home Edition SP3

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by Gabethebabe on Mon 09 May 2011, 8:26 pm

Hi there Martin!

I am Gabethebabe and I will be helping you with this issue. Before we start some general remarks/rules:
  • Whilst I'm helping you, please follow my instructions carefully and do not experiment on your own or accept help from other persons.
  • Feel free to ask questions! Especially if my instructions are not clear. I'm here to help, not confuse you.
  • I will try and respond quickly, but please understand I do have a real life (job, wife, 3 kids, kinky hobbies).
  • Stick with me till the end. If your computer starts running better, that doesn't mean it is clean yet!

====================

A couple of questions:
1) You are on Windows XP, right? Do you have a Windows XP setup disk (or can you get one from anywhere)?
2) What parts of the boot process go well, which startup screens do you see and where exactly does it fail?

Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by Gabethebabe on Thu 12 May 2011, 5:07 pm

Any update on this? Do you still require my assistance?

Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by MBanks on Wed 18 May 2011, 10:20 am

Sorry, I still require your assistance!! When I used this forum before I got an email when someone had replied to a post and that didn't happen this time, guess I didn't click in some tick box!

OK, so now I'm back I'll be checking the site to see if you've replied. I'm at work now so I'll do my best to answer those questions...

1) I am on Win XP, and I don't have a start-up CD or a CD drive. The laptop with the problem is an EeePC netbook which came with Windows installed and doesn't have a CD drive.

2) The booting-up process either:

a) lets Windows start up, I enter my password, Windows loads and then after a while the computer comes up with the blue screen error message which is too quick to read, then reboots. Sometimes this reboot will do the same thing, get to Windows and then blue screen again.....or.....it will power off, try to restart and then the laptop screen will just turn on and off in a loop without the computer restarting. The typing cursor shows up in the top left corner showing that it's trying to turn on.

Any help to get this problem fixed would be a HUGE bonus as there is still important data on there that I need to retrieve!! And also having my computer working again would be more than beneficial!

I hope you can help,
Regards,
Martin.


MBanks

Rookie Surfer

Posts : 92
Joined : 2010-09-15
Operating System : Windows XP Home Edition SP3

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by MBanks on Wed 18 May 2011, 10:21 am

P.S. I just found the watch this topic button so I shouldn't be slow at replying anymore!


MBanks

Rookie Surfer

Posts : 92
Joined : 2010-09-15
Operating System : Windows XP Home Edition SP3

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by Gabethebabe on Wed 18 May 2011, 5:37 pm

OK, I'm going to fire off some questions here.

  • Have you tried to boot to Last Known Good Configuration?
  • It appears that pressing F9 during the boot process will provide you with EeePC recovery options that are built into the EeePC. Is that correct? Watch out: if it does, the restore to factory settings will erase all your data. What options do you find for your computer?
  • Since you don't have a CD, I suppose you are able to boot from a USB stick. Can you verify that? I've found some info that you need to press F2 to enter BIOS, and in BIOS you can change the boot device sequence. I suppose removable drive is one of them?

Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by MBanks on Wed 18 May 2011, 9:34 pm

I tried to reboot to Last Known Configuration, however when I select the shut down button it gives me no other options as the link suggests, it just shuts down, or restarts.

I tried pressing F9 and also tried to start in safe mode, however I've had no luck with these. At the moment it hardly even loads up, it just gets stuck and the screen turns on and off.

I managed to get it to open BIOS just now, and the boot options I have are:
ATAPI CD-ROM
HDD: PM-ST980811AS
Removable Dev.

I'm guessing that the removable device is the USB stick.

I managed to snap a quick photo of the blue screen before it restarted and this is what it says:

A problem has been detected and Windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again follow these steps:

Check to make sure you have adequate disk space. If a driver is identified in the stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

Check with your hardware vendor for any BIOS updates. Disable any BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Start Up Options, and then select Safe Mode.

Technical Information:

*** STOP: 0x0000008E (0xC0000005,0xF73F571D,0xA95CA570,0x00000000)

*** atapi.sys - Address F73F571D base at F73EB000, DateStamp 4802539d

Beginning of dump of physical memory
Physical memory dump complete
Contact your system administrator or tech support group for further assistance.


And that's the end of the message on the blue screen. I haven't done anything that it suggests as I will wait for your next suggestion to see if this blue screen message sheds any light on the problem for you.

Thanks,
Martin.


MBanks

Rookie Surfer

Posts : 92
Joined : 2010-09-15
Operating System : Windows XP Home Edition SP3
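As an added example (not from this thread and not from any tool mentioned in it), here is a small Python routine that decodes the two "Technical Information" lines of the screen photographed above. Microsoft documents STOP 0x8E as KERNEL_MODE_EXCEPTION_NOT_HANDLED: its first parameter is the exception code (0xC0000005 is STATUS_ACCESS_VIOLATION), its second is the address of the instruction that raised it, and the following line names the driver image whose address range contains that address. Subtracting the reported base gives the offset inside the file, and the DateStamp is the PE link timestamp in seconds since the Unix epoch. The sample text is copied from the post; the dictionary of code names is this example's own, limited to the two values that appear here.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the two technical lines as transcribed from the
# photographed blue screen in this thread.
SAMPLE_BSOD_TEXT = """
*** STOP: 0x0000008E (0xC0000005,0xF73F571D,0xA95CA570,0x00000000)

*** atapi.sys - Address F73F571D base at F73EB000, DateStamp 4802539d
"""

# Only the names needed for this screen (example's own table, not exhaustive).
BUGCHECK_NAMES = {0x0000008E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED"}
NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION"}

STOP_RE = re.compile(
    r"\*\*\*\s*STOP:\s*0x([0-9A-Fa-f]+)\s*\(\s*0x([0-9A-Fa-f]+)\s*,\s*0x([0-9A-Fa-f]+)"
    r"\s*,\s*0x([0-9A-Fa-f]+)\s*,\s*0x([0-9A-Fa-f]+)\s*\)"
)
MODULE_RE = re.compile(
    r"\*\*\*\s*(\S+)\s*-\s*Address\s+([0-9A-Fa-f]+)\s+base at\s+([0-9A-Fa-f]+)"
    r",\s*DateStamp\s+([0-9A-Fa-f]+)"
)


def parse_bugcheck(text):
    """Decode the STOP line and the module line of an XP-era bug-check screen."""
    stop = STOP_RE.search(text)
    if not stop:
        raise ValueError("no STOP line found")
    code = int(stop.group(1), 16)
    params = [int(stop.group(i), 16) for i in range(2, 6)]
    result = {
        "bugcheck": code,
        "bugcheck_name": BUGCHECK_NAMES.get(code, "UNKNOWN"),
        "params": params,
    }
    if code == 0x8E:
        # Documented layout for 0x8E: exception code, faulting address,
        # trap frame address, reserved.
        result["exception_code"] = params[0]
        result["exception_name"] = NTSTATUS_NAMES.get(params[0], "UNKNOWN")
        result["fault_address"] = params[1]

    mod = MODULE_RE.search(text)
    if mod:
        address = int(mod.group(2), 16)
        base = int(mod.group(3), 16)
        stamp = int(mod.group(4), 16)
        result["module"] = mod.group(1)
        result["module_base"] = base
        # Offset of the faulting instruction inside the driver image.
        result["module_offset"] = address - base
        # PE link timestamp: seconds since 1970-01-01 UTC.
        result["module_timestamp"] = datetime.fromtimestamp(
            stamp, tz=timezone.utc
        ).isoformat()
        # Sanity check: the address on the module line should be the
        # second STOP parameter.
        result["address_matches_param"] = address == result.get("fault_address")
    return result


def describe(result):
    """One-line summary of the decoded screen."""
    summary = "STOP 0x%08X %s" % (result["bugcheck"], result["bugcheck_name"])
    if "exception_name" in result:
        summary += ", %s at 0x%08X" % (result["exception_name"], result["fault_address"])
    if "module" in result:
        summary += " in %s+0x%X (image linked %s)" % (
            result["module"], result["module_offset"], result["module_timestamp"]
        )
    return summary


if __name__ == "__main__":
    print(describe(parse_bugcheck(SAMPLE_BSOD_TEXT)))
```

The module name plus offset is the useful part for a helper: it says which file on disk to compare against a known-good copy of the same version, which is exactly why the next reply asks for the MD5 of atapi.sys.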

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by Gabethebabe on Wed 18 May 2011, 10:48 pm

Have you tried to find the EeePC recovery options? Is there a system restore that you can get to?


Can you try and create the OTLPE usb drive, as described here and see if you can boot from it?
If it does, proceed with the following:
  • Finally you should see the REATOGO-X-PE desktop. Find the OTLPE icon and double click it to run OTLPE
  • Answer Yes and OK to all prompts
  • Ensure the option Automatically Load All Remaining Users is checked
  • OTL should now start. Set the option Drivers to Non-Microsoft
  • Copy and paste the following text into the Custom Scans/Fixes field:
    /md5start
    atapi.sys
    iastor.sys
    ndis.sys
    userinit.exe
    winlogon.exe
    /md5stop
  • Click Run Scan to start the scan
  • When finished, a log file C:\OTL.txt will be created
  • Please post the contents of the file in your next reply


Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by MBanks on Thu 19 May 2011, 8:32 am

I can't get into the Eeepc Recovery options. I also disabled the boot booster in BIOS to see if that would help open the Eeepc recovery options, however when it reboots and I hold down F9 nothing happens.

I can't seem to open anything in Windows before the laptop reboots, so I can't open any System Restore.

I will try creating the USB stick to boot from when at work. I can create it on another PC without affecting/damaging that PC before I use the USB to boot from on the broken laptop...is that right? As I will not be able to create the USB stick on the broken laptop as it won't give me long enough to use the computer to create it. I do not want to affect/damage the computer I will create the USB boot drive on either, as I can't afford for that to happen at work and I have no other option.

Thanks for your help, I await your response before creating the USB boot drive.
Martin

MBanks

Rookie Surfer

Posts : 92
Joined : 2010-09-15
Operating System : Windows XP Home Edition SP3

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by Gabethebabe on Thu 19 May 2011, 5:33 pm

Creating the USB boot stick is completely safe and you indeed need to do that on a working computer.

Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by MBanks on Thu 19 May 2011, 9:48 pm

I created the USB boot stick with no problems. I started up in BIOS on the broken laptop and changed the boot disk to the USB key, however when it now boots up it goes to a black screen and says:

Remove disks or other media
Press any key to restart.

If I don't take out the USB and press a key it just boots into windows normally.

If I take the key out and press any key it just starts up into Windows normally.

Where could I be going wrong, or is it the laptop's problem?


MBanks

Rookie Surfer

Posts : 92
Joined : 2010-09-15
Operating System : Windows XP Home Edition SP3

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by Gabethebabe on Thu 19 May 2011, 10:21 pm

Looks like the USB is not bootable ...
Can you try the USB boot disk on another computer?
If it doesn't work on another computer either, probably the USB boot disk was not properly created.

A quick summary to make sure I get it all right:
- You are unable to get to the desktop in normal mode in any of the existing user profiles
- The same as above for Windows safe mode
- If you try Last Known Good Configuration, you cannot boot either.

Both safe mode and Last Known Good Configuration are available in the advanced boot menu; press F8 during startup, before Windows starts to load, to get to the advanced boot menu.


Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by MBanks on Fri 20 May 2011, 12:34 am

I will try the USB boot on another computer when I can. I followed the instructions EXACTLY as they were worded on the website, as I want to get this exactly right so that I can get my laptop working ASAP and so that I don't break anything any further by getting something wrong. But I will get back to you when I've tried it on something else.

I can get to the desktop sometimes on the broken laptop in the only user profile I have on it, however it's not long after loading that the blue screen appears and it restarts.

It won't load into safe mode for some reason; pressing the F8 key for safe mode, or the F9 key for the Eeepc mode, does nothing.

I will try these all again, however I am away tomorrow and will not be able to try until Sunday at the earliest. Thank you so much for all your help so far, I hope we can sort this out!
Martin

MBanks

Rookie Surfer

Posts : 92
Joined : 2010-09-15
Operating System : Windows XP Home Edition SP3

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by Gabethebabe on Fri 20 May 2011, 7:45 pm

You cannot get to safe mode? Make sure you start jamming the F8 key when your computer is booting and still showing BIOS messages. It must be done BEFORE you get the first "Windows loading" screen.

Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by MBanks on Sun 22 May 2011, 8:59 pm

I had some time to try and work with the laptop.

I eventually managed to get it to start up in Safe Mode and I managed to copy off some of my data that I need. However I'd still like to fix the laptop without having to format it if possible.

I tried F9 over and over again to see if I could get it to load into the Eeepc recovery mode but with no luck.

I managed to use F8 to bring up the different options of Safe Mode again and noticed that it had the Last Known Configuration option under it too, so I loaded Windows using that option. It loaded, I left the computer on without doing anything, and like before, within a couple of minutes the blue screen came up with the same message and the laptop tried to restart.

What would you suggest next? Should I try a System Restore in normal safe mode? Or something else entirely?

Thanks,
Martin.

MBanks

Rookie Surfer

Posts : 92
Joined : 2010-09-15
Operating System : Windows XP Home Edition SP3

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by Gabethebabe on Mon 23 May 2011, 3:28 am

The Eeepc recovery mode is probably only accessible if you see some message during bootup, e.g. "Press [KEY] for recovery options". If you do not see such a message, it means that there are no recovery options available.

You have been able to get the computer running in safe mode. That is good news. Let's see if we can get some of our tools running.

Please download OTL by OldTimer from here and save it to your desktop.
  • Close all windows and double click OTL.exe.
  • The Extra Registry setting should be Use Safelist
  • Copy and paste the following text into the Custom Scans/Fixes box:

Code:
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\system32\*.exe /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\system32\drivers\*.sys
%systemroot%\system32\drivers\*.dll
%systemroot%\system32\drivers\*.ini
%systemroot%\system32\drivers\*.exe
%SYSTEMDRIVE%\*.*
%PROGRAMFILES%\*.
/md5start
atapi.sys
explorer.exe
iastor.sys
userinit.exe
winlogon.exe
/md5stop
  • Click the Run Scan button and allow it to run.
  • It will produce two logs for you, OTL.txt and Extras.txt. Please post both logs in this thread.
  • You may need multiple posts to get it all.


You will probably need to download otl.exe from a clean computer and copy it to the problem computer's desktop with a USB drive.

Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by MBanks on Mon 23 May 2011, 7:45 pm

OK, so I ran OTL and here are the logs....

OTL Log:

OTL logfile created on: 5/23/2011 6:00:00 PM - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\Intel\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.05 Mb Total Physical Memory | 836.39 Mb Available Physical Memory | 82.40% Memory free
2.39 Gb Paging File | 2.32 Gb Available in Paging File | 97.27% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 39.99 Gb Total Space | 6.03 Gb Free Space | 15.07% Space Free | Partition Type: NTFS
Drive D: | 34.49 Gb Total Space | 1.60 Gb Free Space | 4.65% Space Free | Partition Type: NTFS

Computer Name: EPC | User Name: Intel | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/23 07:23:00 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Intel\Desktop\OTL.exe
PRC - [2008/07/03 21:38:24 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/05/23 07:23:00 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Intel\Desktop\OTL.exe
MOD - [2008/04/14 06:12:52 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (Ialaervnwlrx)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2010/12/20 18:38:58 | 000,363,344 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2010/11/15 15:50:58 | 000,211,968 | ---- | M] (Mediafour Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Mediafour\iPod\M4iPodWPDService.exe -- (M4iPodWPDService)
SRV - [2010/01/15 22:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2008/11/10 06:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/05/03 18:12:40 | 000,364,629 | ---- | M] (Atheros) [Auto | Stopped] -- C:\WINDOWS\system32\acs.exe -- (ACS)


========== Driver Services (SafeList) ==========

DRV - [2010/12/20 18:38:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2010/11/15 15:50:56 | 000,145,504 | ---- | M] (EldoS Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\cbfs.sys -- (CbFs)
DRV - [2009/09/28 13:02:18 | 000,259,176 | ---- | M] (Mediafour Corporation) [File_System | Boot | Stopped] -- C:\WINDOWS\System32\drivers\MDFSYSNT.SYS -- (MDFSYSNT)
DRV - [2008/08/12 11:00:54 | 000,007,680 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\massfilter.sys -- (massfilter)
DRV - [2008/06/14 01:41:16 | 004,754,944 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/19 06:35:22 | 000,103,936 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbser6k.sys -- (ZTEusbser6k)
DRV - [2008/04/19 06:35:22 | 000,103,936 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbnmea.sys -- (ZTEusbnmea)
DRV - [2008/04/19 06:35:22 | 000,103,936 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)
DRV - [2008/04/08 16:29:28 | 000,010,752 | ---- | M] (ASUSTeK Computer Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASUSACPI.SYS -- (AsusACPI)
DRV - [2008/03/12 04:07:00 | 000,036,864 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\l1e51x86.sys -- (L1e)
DRV - [2007/05/02 19:30:58 | 000,546,976 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2007/03/28 20:22:20 | 000,057,024 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wsimd.sys -- (WSIMD)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.startup.homepage: "[You must be registered and logged in to see this link.]
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.1.20091029021655
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.1.94
FF - prefs.js..extensions.enabledItems: {6904342A-8307-11DF-A508-4AE2DFD72085}:2.1.1.94


FF - HKLM\software\mozilla\Firefox\extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/04/07 23:03:11 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/04/07 23:03:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/30 14:05:14 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/30 14:05:14 | 000,000,000 | ---D | M]

[2010/10/02 16:39:42 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Intel\Application Data\Mozilla\Extensions
[2011/05/06 18:48:07 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Intel\Application Data\Mozilla\Firefox\Profiles\63op53yi.default\extensions
[2010/10/03 10:29:47 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Intel\Application Data\Mozilla\Firefox\Profiles\63op53yi.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/05/06 18:48:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/10/06 17:58:03 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2011/01/29 08:49:01 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/04/07 23:03:11 | 000,000,000 | ---D | M] (DivX Plus Web Player HTML5 <video>) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\HTML5VIDEO
[2011/04/07 23:03:12 | 000,000,000 | ---D | M] (DivX HiQ) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\WPA
[2010/10/02 16:33:32 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/11/12 19:23:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

Hosts file not found
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (DivX Plus Web Player HTML5

MBanks

Rookie Surfer

Posts : 92
Joined : 2010-09-15
Operating System : Windows XP Home Edition SP3
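An added example, not part of this thread and not part of OTL itself: a small Python parser over service and driver lines in the shape of the log above (the sample lines are copied from it), pulling out the fields a helper reads by eye (service name, binary path, vendor, start type, state, whether the binary exists) and flagging the entries that are usually checked first. The triage rules are this example's own choices: a service whose binary is "File not found" (the log only says the file is gone; whether it is a leftover registration from a removal or something else is not decided by the log alone), a driver loaded from outside the drivers directory, and Boot- or System-start drivers, which load before any user-mode scanner.

```python
import re

# Constructed sample: a handful of lines in the shape of the "Win32 Services"
# and "Driver Services" sections of the OTL log posted in this thread.
SAMPLE_OTL_LOG = r"""
========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (Ialaervnwlrx)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2010/12/20 18:38:58 | 000,363,344 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

========== Driver Services (SafeList) ==========

DRV - [2010/12/20 18:38:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2010/11/15 15:50:56 | 000,145,504 | ---- | M] (EldoS Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\cbfs.sys -- (CbFs)
DRV - [2009/09/28 13:02:18 | 000,259,176 | ---- | M] (Mediafour Corporation) [File_System | Boot | Stopped] -- C:\WINDOWS\System32\drivers\MDFSYSNT.SYS -- (MDFSYSNT)
DRV - [2008/06/14 01:41:16 | 004,754,944 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/08 16:29:28 | 000,010,752 | ---- | M] (ASUSTeK Computer Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASUSACPI.SYS -- (AsusACPI)
"""

# One entry line: "<kind> - <meta> -- <path> -- (<service name>)[ description]"
# "File not found" lines have an empty <path>, hence "-- --".
ENTRY_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - (?P<meta>.*?)\s+--\s+(?P<path>.*?)\s*--\s+\((?P<name>[^)]+)\)(?P<desc>.*)$"
)
# Trailing "[<type> | <start> | <state>]" group at the end of <meta>.
STATE_RE = re.compile(r"\[([^\]]*)\]\s*$")
# "(<vendor>)" following the timestamp/size bracket in <meta>.
VENDOR_RE = re.compile(r"\]\s*\(([^)]*)\)")


def parse_otl_services(log_text):
    """Return one dict per SRV/DRV line; every other line is skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        meta = m.group("meta")
        state = STATE_RE.search(meta)
        fields = [f.strip() for f in state.group(1).split("|")] if state else []
        vendor = VENDOR_RE.search(meta)
        entries.append({
            "kind": m.group("kind"),
            "name": m.group("name"),
            "path": m.group("path").strip(),
            "vendor": vendor.group(1) if vendor else "",
            "file_missing": meta.startswith("File not found"),
            "start": fields[-2] if len(fields) >= 2 else "",
            "state": fields[-1] if fields else "",
        })
    return entries


def triage(entries):
    """Flag entries worth a second look. These rules are this example's own."""
    findings = []
    for e in entries:
        if e["file_missing"]:
            findings.append((e["name"], "registered service, but its binary is not on disk"))
        elif e["kind"] == "DRV" and "\\system32\\drivers\\" not in e["path"].lower():
            findings.append((e["name"], "driver loaded from outside the drivers directory"))
        elif e["kind"] == "DRV" and e["start"] in ("Boot", "System"):
            findings.append((e["name"], "%s-start driver: loads before any user-mode scanner" % e["start"]))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_otl_services(SAMPLE_OTL_LOG)):
        print("%-20s %s" % (name, reason))
```

Run against the real OTL.txt the same parser works unchanged; only the sample text above is constructed. The Boot/System-start rule is a review prompt rather than a verdict: both flagged drivers here carry a vendor name, and that is the point at which a helper compares the file on disk with a known-good copy rather than trusting the name.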

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by MBanks on Mon 23 May 2011, 7:54 pm

Sorry if there is any overlap of code. It said I had characters remaining when I pasted it section by section, but it's cut some off, so here is more of it....

O2 - BHO: (DivX Plus Web Player HTML5

MBanks

Rookie Surfer

Posts : 92
Joined : 2010-09-15
Operating System : Windows XP Home Edition SP3

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by MBanks on Mon 23 May 2011, 7:56 pm

I don't know what's going on with this post....I copy and pasted in loads of the code for the last post and it's only put in that tiny bit!!?!?!

MBanks

Rookie Surfer

Posts : 92
Joined : 2010-09-15
Operating System : Windows XP Home Edition SP3

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by Gabethebabe on Mon 23 May 2011, 8:20 pm

MBanks wrote: I don't know what's going on with this post....I copy and pasted in loads of the code for the last post and it's only put in that tiny bit!!?!?!

Some weird forum error. If you click the quote button of your own post, you will see it is all there.

Looking at your logs. bbl

Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Post by MBanks on Mon 23 May 2011, 8:34 pm

Ah, ok, I'll try and post the Extras Log now then:

OTL Extras logfile created on: 5/23/2011 6:00:00 PM - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\Intel\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.05 Mb Total Physical Memory | 836.39 Mb Available Physical Memory | 82.40% Memory free
2.39 Gb Paging File | 2.32 Gb Available in Paging File | 97.27% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 39.99 Gb Total Space | 6.03 Gb Free Space | 15.07% Space Free | Partition Type: NTFS
Drive D: | 34.49 Gb Total Space | 1.60 Gb Free Space | 4.65% Space Free | Partition Type: NTFS

Computer Name: EPC | User Name: Intel | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:TCP" = 1900:TCP:LocalSubNet:Enabled:UDP 1900

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0990B5DF-92C3-4AD6-A18D-BF3ADF311240}" = Super Hybrid Engine
"{19F5658D-92E8-4A08-8657-D38ABB1574B2}" = Asus ACPI Driver
"{1F698102-5739-441E-96F0-74F4EA540F06}" = Atheros Ethernet Utility
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 23
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Client Installation Program
"{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}" = iTunes
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{31851B85-C98E-44DE-8750-9843BCD63963}" = Adobe After Effects 5.5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4539863D-69F5-457B-901A-6A36C46AB2BD}" = XPlay 3
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{587178E7-B1DF-494E-9838-FA4DD36E873C}" = ASUSUpdate for Eee PC
"{5A13987D-55F4-4271-A40E-76AC9B1B38FD}" = OpenOffice.org 3.2
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6E4DAE31-7CF3-441A-B6E5-B014D63C80CD}" = Eee Instant Key
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{85E3CFBC-9B1B-470C-AF72-54EACA0F1322}" = ECAP
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{93D34EE3-99B3-4DB1-8B0A-0A657466F90D}" = Telstra Turbo Connection Manager
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9811A185-3D3D-11D6-9E14-00036D172B00}" = Adobe MPEG Encoder
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.3
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}" = Windows Rights Management Client with Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}" = Apple Mobile Device Support
"{D0B9F312-2CAC-4EB0-AF68-E9D6C88935A7}" = AiGuru U1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{EC905264-BCFE-423B-9C42-C3A106266790}" = Windows Rights Management Client Backwards Compatibility SP2
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"7-Zip" = 7-Zip 9.20
"Ableton Live_is1" = Ableton Live v6.0.3
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Premiere 6.5" = Adobe Premiere 6.5
"ASIO4ALL" = ASIO4ALL
"DivX Setup.divx.com" = DivX Setup
"Elantech" = ETDWare PS/2-x86 7.0.4.3 WHQL
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft Silverlight" = Microsoft Silverlight
"Mozilla Firefox (3.6.17)" = Mozilla Firefox (3.6.17)
"RarZilla Free Unrar" = RarZilla Free Unrar
"RNCompiler 6.0" = Advanced RealMedia Export Plug-in for Premiere 6.0
"ScummVM_is1" = ScummVM 1.2.0
"ST6UNST #1" = Address Book
"Vimeo Video Downloader_is1" = Vimeo Video Downloader 3.17
"VirtualCloneDrive" = VirtualCloneDrive
"VLC media player" = VLC media player 1.1.5
"Windows Rights Management Client" = Windows Rights Management Client with Service Pack 2
"Windows Rights Management Client Backwards" = Windows Rights Management Client Backwards Compatibility SP2
"WinLiveSuite_Wave3" = Windows Live Essentials
"Wudf01009" = Microsoft User-Mode Driver Framework Feature Pack 1.9
"Yahoo! Software Update" = Yahoo! Software Update
"Yahoo!7 Messenger" = Yahoo!7 Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/1/2011 7:08:40 PM | Computer Name = EPC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 2/1/2011 7:08:40 PM | Computer Name = EPC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 3859

Error - 2/1/2011 7:08:40 PM | Computer Name = EPC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 3859

Error - 2/2/2011 5:47:43 AM | Computer Name = EPC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 2/2/2011 5:47:43 AM | Computer Name = EPC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 3172

Error - 2/2/2011 5:47:43 AM | Computer Name = EPC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 3172

Error - 2/2/2011 6:15:45 AM | Computer Name = EPC | Source = Bonjour Service | ID = 100
Description = 248: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 2/3/2011 5:28:23 AM | Computer Name = EPC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 2/3/2011 5:28:23 AM | Computer Name = EPC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 3219

Error - 2/3/2011 5:28:23 AM | Computer Name = EPC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 3219

[ System Events ]
Error - 5/22/2011 3:34:13 AM | Computer Name = EPC | Source = Service Control Manager | ID = 7001
Description = The Bonjour Service service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 5/22/2011 3:34:13 AM | Computer Name = EPC | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 5/22/2011 3:34:13 AM | Computer Name = EPC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD CbFs ElbyCDIO Fips intelppm IPSec MDFSYSNT MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

Error - 5/22/2011 5:13:06 AM | Computer Name = EPC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 5/22/2011 5:13:14 AM | Computer Name = EPC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/22/2011 5:40:29 AM | Computer Name = EPC | Source = Service Control Manager | ID = 7022
Description = The M4iPodWPDService service hung on starting.

Error - 5/23/2011 3:49:35 AM | Computer Name = EPC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/23/2011 3:49:40 AM | Computer Name = EPC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 5/23/2011 3:51:54 AM | Computer Name = EPC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/23/2011 3:52:37 AM | Computer Name = EPC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}


< End of report >



Thanks for taking a look I hope we can sort it!

MBanks

Rookie Surfer

Posts : 92
Joined : 2010-09-15
Operating System : Windows XP Home Edition SP3

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by Gabethebabe on Mon 23 May 2011, 8:35 pm

  • Please run OTL.exe again
  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

Code:

:files
C:\WINDOWS\Tasks\Eqhricgkht.job
C:\WINDOWS\Tasks\Odjkrgccrh.job
C:\WINDOWS\Tasks\Tddcnjakch.job
C:\WINDOWS\System32\rasauto6.dll
C:\WINDOWS\System32\dplayl.dll

:otl
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O33 - MountPoints2\{2440d391-cecd-11df-be11-00235411e6aa}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{2440d391-cecd-11df-be11-00235411e6aa}\Shell\AutoRun\command - "" = G:\DARKAN\\\sharic.exe
O33 - MountPoints2\{2440d391-cecd-11df-be11-00235411e6aa}\Shell\explore\command - "" = G:\DARKAN\\\\sharic.exe
O33 - MountPoints2\{2440d391-cecd-11df-be11-00235411e6aa}\Shell\open\command - "" = G:\DARKAN\\\\sharic.exe
O33 - MountPoints2\{79a2273e-ce24-11df-be0a-00235411e6aa}\Shell\AutoRun\command - "" = F:\goga/sekulac.exe
O33 - MountPoints2\{79a2273e-ce24-11df-be0a-00235411e6aa}\Shell\Explore\command - "" = F:\goga/sekulac.exe
O33 - MountPoints2\{79a2273e-ce24-11df-be0a-00235411e6aa}\Shell\Open\command - "" = F:\goga/sekulac.exe
O33 - MountPoints2\{a3e86527-16d6-11e0-bede-00235411e6aa}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a3e86527-16d6-11e0-bede-00235411e6aa}\Shell\AutoRun\command - "" = G:\danisampopila\\\basdobro.exe
O33 - MountPoints2\{a3e86527-16d6-11e0-bede-00235411e6aa}\Shell\explore\command - "" = G:\danisampopila\\\basdobro.exe
O33 - MountPoints2\{a3e86527-16d6-11e0-bede-00235411e6aa}\Shell\Install\command - "" = G:\danisampopila\\\basdobro.exe
O33 - MountPoints2\{a3e86527-16d6-11e0-bede-00235411e6aa}\Shell\open\command - "" = G:\danisampopila\\\basdobro.exe
O33 - MountPoints2\{ba8067a6-d2d4-11df-be25-00235411e6aa}\Shell\AutoRun\command - "" = F:\
O33 - MountPoints2\{ba8067a6-d2d4-11df-be25-00235411e6aa}\Shell\Explore\command - "" = F:\goga/sekulac.exe
O33 - MountPoints2\{ba8067a6-d2d4-11df-be25-00235411e6aa}\Shell\Open\command - "" = F:\
O33 - MountPoints2\{ccdc789c-2846-11e0-bf18-00235411e6aa}\Shell - "" = AutoRun
O33 - MountPoints2\{ccdc789c-2846-11e0-bf18-00235411e6aa}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ccdc789c-2846-11e0-bf18-00235411e6aa}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
:commands
[resethosts]
[reboot]
  • Then click the Run Fix button at the top.
  • Allow it to run. It may take some time and you may see some things happen to your desktop - this is normal.
  • If it asks to reboot the computer, allow it to reboot.
  • If the program freezes, and the computer fails to reboot - let me know.
  • Finally, post the contents of the log. (Located at C:\_OTL\Moved Files)


Hopefully that went well.

====================

Now that you managed to get OTL running, let's try an even more powerful tool and see if we get lucky!
Time to use ComboFix by sUBs, a powerful tool that you are advised not to run without supervision of a trained malware helper. Please visit this webpage and read the tutorial on using ComboFix very carefully. After that download the tool and save it to your desktop.

Doubleclick ComboFix.exe to run the tool. Please post its log back here.
(if you don´t have www on the problem computer, obviously use the usb flash disk trick again).

Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS
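The fix script in the post above strips O33 MountPoints2 entries whose shell verbs launch an executable from a removable drive, which is how autorun.inf worms get their payload run when the stick is opened in Explorer. Below is an added triage helper (example code, not part of OTL and not from this thread's helper) that parses O33 lines from an OTL log and explains per volume GUID why an entry looks hijacked. The sample input is the thread's own O33 lines plus one constructed, benign entry (the all-zero GUID) so the harmless "opens the drive root" case is exercised too; the RECYCLER\S-...\jwgkvsq.vmx rule matches the widely documented Conficker autorun.inf pattern that appears in the log.

```python
"""Triage "O33 - MountPoints2" lines from an OTL log (added example, not OTL's own code)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# One O33 line as OTL prints it:
#   O33 - MountPoints2\{<volume guid>}\<subkey> - "<value name>" = <data>
O33_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<guid>[^}]+)\}\\(?P<subkey>\S+) - "(?P<name>[^"]*)" = (?P<data>.*)$'
)
# A verb whose data names a program file runs it, instead of just opening a folder.
EXECUTABLE_RE = re.compile(r'\.(exe|com|scr|bat|cmd|pif|vbs)(?=\s|,|$)')
# "F:\" (optionally without the trailing backslash) is the normal, harmless command.
DRIVE_ROOT_RE = re.compile(r'^[a-z]:\\?$')


@dataclass
class MountPointEntry:
    guid: str    # per-volume GUID Windows assigns under Explorer\MountPoints2
    subkey: str  # e.g. Shell\AutoRun\command
    data: str    # registry data; for *\command subkeys this is the command line


def parse_o33(lines):
    """Return a MountPointEntry for every O33 line; anything else is ignored."""
    entries = []
    for line in lines:
        m = O33_RE.match(line.strip())
        if m:
            entries.append(MountPointEntry(m['guid'].lower(), m['subkey'], m['data']))
    return entries


def command_reasons(entry):
    """Reasons a *\\command value looks like an autorun hijack (empty list = benign)."""
    if not entry.subkey.lower().endswith('\\command'):
        return []  # verb display names such as "Auto&Play" carry no command
    cmd = entry.data.strip()
    low = cmd.lower()
    if DRIVE_ROOT_RE.match(low):
        return []  # opening the drive root is what a clean entry does
    reasons = []
    if EXECUTABLE_RE.search(low):
        reasons.append('verb launches an executable instead of opening the drive')
    if 'rundll32' in low and 'shellexec_rundll' in low:
        reasons.append('rundll32/ShellExec_RunDLL indirection hides the real payload')
    if '\\recycler\\s-' in low:
        reasons.append('payload kept under a fake RECYCLER SID folder')
    if re.search(r'\\{2,}|/', cmd):
        reasons.append('redundant or mixed path separators (autorun.inf obfuscation)')
    return reasons


def triage(lines):
    """Group flagged verbs by volume GUID, with the union of reasons per volume."""
    report = defaultdict(lambda: {'verbs': {}, 'reasons': set()})
    for e in parse_o33(lines):
        why = command_reasons(e)
        if why:
            report[e.guid]['verbs'][e.subkey] = e.data
            report[e.guid]['reasons'].update(why)
    return dict(report)


# Sample input: a constructed benign entry (all-zero GUID) followed by O33 lines
# taken from the OTL log posted in this thread.
SAMPLE_LOG = r"""
O33 - MountPoints2\{00000000-0000-0000-0000-000000000000}\Shell\AutoRun\command - "" = E:\
O33 - MountPoints2\{2440d391-cecd-11df-be11-00235411e6aa}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{2440d391-cecd-11df-be11-00235411e6aa}\Shell\AutoRun\command - "" = G:\DARKAN\\\sharic.exe
O33 - MountPoints2\{79a2273e-ce24-11df-be0a-00235411e6aa}\Shell\Open\command - "" = F:\goga/sekulac.exe
O33 - MountPoints2\{ba8067a6-d2d4-11df-be25-00235411e6aa}\Shell\AutoRun\command - "" = F:\
O33 - MountPoints2\{ba8067a6-d2d4-11df-be25-00235411e6aa}\Shell\Explore\command - "" = F:\goga/sekulac.exe
O33 - MountPoints2\{ccdc789c-2846-11e0-bf18-00235411e6aa}\Shell - "" = AutoRun
O33 - MountPoints2\{ccdc789c-2846-11e0-bf18-00235411e6aa}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
""".strip().splitlines()


def main():
    for guid, info in triage(SAMPLE_LOG).items():
        print(f"volume {{{guid}}}")
        for verb, cmd in info['verbs'].items():
            print(f"  {verb}: {cmd}")
        for reason in sorted(info['reasons']):
            print(f"    - {reason}")


if __name__ == '__main__':
    main()
```

Only `*\command` subkeys are judged, because the sibling values (`Shell`, `Shell\AutoRun`) just name the verb; a command that is nothing but a drive root is treated as clean, which is why the `F:\` AutoRun verb of the ba8067a6 volume is not reported even though its Explore verb is.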

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by MBanks on Mon 23 May 2011, 8:52 pm

I copied and pasted the Fix and ran it, it took no time at all and then tried to reboot. It failed to reboot and just did the screen turning on and off again.

I managed to get it to start in Safe Mode after a couple of tries.

Here are the results of the log:

========== FILES ==========
C:\WINDOWS\Tasks\Eqhricgkht.job moved successfully.
C:\WINDOWS\Tasks\Odjkrgccrh.job moved successfully.
C:\WINDOWS\Tasks\Tddcnjakch.job moved successfully.
C:\WINDOWS\System32\rasauto6.dll moved successfully.
C:\WINDOWS\System32\dplayl.dll moved successfully.
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2440d391-cecd-11df-be11-00235411e6aa}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2440d391-cecd-11df-be11-00235411e6aa}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2440d391-cecd-11df-be11-00235411e6aa}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2440d391-cecd-11df-be11-00235411e6aa}\ not found.
File G:\DARKAN\\\sharic.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2440d391-cecd-11df-be11-00235411e6aa}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2440d391-cecd-11df-be11-00235411e6aa}\ not found.
File G:\DARKAN\\\\sharic.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2440d391-cecd-11df-be11-00235411e6aa}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2440d391-cecd-11df-be11-00235411e6aa}\ not found.
File G:\DARKAN\\\\sharic.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79a2273e-ce24-11df-be0a-00235411e6aa}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79a2273e-ce24-11df-be0a-00235411e6aa}\ not found.
File F:\goga/sekulac.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79a2273e-ce24-11df-be0a-00235411e6aa}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79a2273e-ce24-11df-be0a-00235411e6aa}\ not found.
File F:\goga/sekulac.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79a2273e-ce24-11df-be0a-00235411e6aa}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79a2273e-ce24-11df-be0a-00235411e6aa}\ not found.
File F:\goga/sekulac.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a3e86527-16d6-11e0-bede-00235411e6aa}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a3e86527-16d6-11e0-bede-00235411e6aa}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a3e86527-16d6-11e0-bede-00235411e6aa}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a3e86527-16d6-11e0-bede-00235411e6aa}\ not found.
File G:\danisampopila\\\basdobro.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a3e86527-16d6-11e0-bede-00235411e6aa}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a3e86527-16d6-11e0-bede-00235411e6aa}\ not found.
File G:\danisampopila\\\basdobro.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a3e86527-16d6-11e0-bede-00235411e6aa}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a3e86527-16d6-11e0-bede-00235411e6aa}\ not found.
File G:\danisampopila\\\basdobro.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a3e86527-16d6-11e0-bede-00235411e6aa}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a3e86527-16d6-11e0-bede-00235411e6aa}\ not found.
File G:\danisampopila\\\basdobro.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba8067a6-d2d4-11df-be25-00235411e6aa}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ba8067a6-d2d4-11df-be25-00235411e6aa}\ not found.
Item F:\ is whitelisted and cannot be moved.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba8067a6-d2d4-11df-be25-00235411e6aa}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ba8067a6-d2d4-11df-be25-00235411e6aa}\ not found.
File F:\goga/sekulac.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba8067a6-d2d4-11df-be25-00235411e6aa}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ba8067a6-d2d4-11df-be25-00235411e6aa}\ not found.
Item F:\ is whitelisted and cannot be moved.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ccdc789c-2846-11e0-bf18-00235411e6aa}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ccdc789c-2846-11e0-bf18-00235411e6aa}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ccdc789c-2846-11e0-bf18-00235411e6aa}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ccdc789c-2846-11e0-bf18-00235411e6aa}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ccdc789c-2846-11e0-bf18-00235411e6aa}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ccdc789c-2846-11e0-bf18-00235411e6aa}\ not found.
File C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn not found.
========== COMMANDS ==========
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.23.0 log created on 05232011_194217



Shall I now run ComboFix and post the log?




MBanks

Rookie Surfer

Posts : 92
Joined : 2010-09-15
Operating System : Windows XP Home Edition SP3

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by Gabethebabe on Mon 23 May 2011, 9:41 pm

yes

I don´t suppose you can boot to normal mode yet?

high % probability of glorious blue screens while running combofix on your unstable system, but OK. Install the recovery console when prompted by Combofix - very important.

Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Re: Had a virus, ran MBAM, rebooted to fix the problem and now it's worse....

Post by MBanks on Mon 23 May 2011, 10:48 pm

I installed the recovery console, ran combofix...it said it found something, I think it was a Rootbot or Rootfix (sorry I can't remember exactly) and said it may take longer, it then said it needed to reboot because of the Rootthing. It tried to reboot but got stuck on the black screen with the flashing white line.

I have managed to get it to load up whilst pressing F8, I selected Safe Mode and now the screen has 3 other options:

Microsoft Recovery Console
do not select this [debugger enabled]
Microsoft Windows XP Professional.

Which one should I select? I don't think Combofix finished, as it said it needed restarting. Please let me know further instructions on what to do.
Many thanks,
Martin

MBanks

Rookie Surfer

Posts : 92
Joined : 2010-09-15
Operating System : Windows XP Home Edition SP3
