Hello
Please can you help me. A virus has got onto my computer and a program called System Check is telling me there are multiple Critical Errors and that I need to pay to fix the hard drive. Presumably this is a virus.
The desktop has gone black and I’ve lost all the icons. It also blocked Task Manager. I’ve downloaded and run all the software that you suggested (MBAM, OTL, aswMBR and RogueKiller). I’ll post the logs below.
I’ve got some icons back but the desktop is still black and there is still a shortcut icon for System Check. Also the computer seems slow.
Please can you help?
Thanks
It doesn’t allow me to attach the logs. I’ve tried many times now and keep getting an error.
It tells me the uploader is full…
Hi,
If you have the logs already you can upload them to http://www.mediafire.com/ and, once the files are uploaded, post the link that mediafire creates; we can get the logs that you created from there.
Thank you
Here is the link with the logs:
Also update and run Malwarebytes, and post the log.
I ran Malwarebytes last night. I think it quarantined some files, but I don’t remember a log. I’m running it again now.
Here is the Malwarebytes log that I just ran (I think).
http://www.mediafire.com/?65s977g8qrugu94
I do remember the log from last night now, but can’t seem to find it…
If you open the program, then click the Logs button and find the one with the correct date on; the last date is at the bottom.
Note: if you have MBAM Pro you will find two types of logs; the protection logs are listed at the bottom.
Then it is just a matter of waiting for jeffce to arrive; he is on US time.
That was a protection log, not a scan log.
Sorry, here are the logs (including the one from last night).
Just some info: your scan date is from today, but your database is from yesterday.
Always click the update button before you start a scan; there are already 2 new updates today.
Are you aware that there are proxy settings that are active and being used on your system?
Sorry, what does that mean? I’m not the most computer literate.
I am able to link with a work network. Is that what you mean?
If you are not aware of it, you probably didn’t create the settings. A proxy server basically allows a person to access the internet from another point other than their router and surf the internet anonymously. I imagine we need to remove this.
Print out these instructions as we may need to close every window that is open later in the fix.
It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 5 different versions. If one of them won’t run then download and try to run the other one.
Vista and Win7 users need to right-click and choose Run as Admin.
You only need to get one of them to run, not all of them.
[*]rkill.exe
[*]rkill.com
[*]rkill.scr
[*]WiNlOgOn.exe
[*]uSeRiNiT.exe
Do not reboot your computer after running rkill as the malware programs will start again.
Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember, if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.
Run OTL.exe
[*]Copy/paste the following text, written inside of the code box, into the Custom Scans/Fixes box located at the bottom of OTL:
:Services
:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-21-1540525505-852103074-1961489307-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-1540525505-852103074-1961489307-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-1540525505-852103074-1961489307-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1540525505-852103074-1961489307-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-1540525505-852103074-1961489307-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http://wwwcache.bris.ac.uk:8080
IE - HKU\S-1-5-21-1540525505-852103074-1961489307-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://wwwcache.bris.ac.uk/cgi-bin/proxy-version3only.pl
FF - prefs.js..network.proxy.autoconfig_url: "http://wwwcache.bris.ac.uk/autoconfig"
FF - prefs.js..network.proxy.type: 2
FF - prefs.js..network.proxy.autoconfig_url: "http://wwwcache.bris.ac.uk/cgi-bin/proxy-version3only.pl"
FF - prefs.js..network.proxy.type: 2
[2012/03/20 22:10:22 | 000,000,264 | -H-- | M] () -- C:\ProgramData\~s8nyO3p8wiRvHU
[2012/03/20 22:10:21 | 000,000,176 | -H-- | M] () -- C:\ProgramData\~s8nyO3p8wiRvHUr
[2012/03/20 22:10:18 | 000,000,629 | ---- | M] () -- C:\Users\Agnieszka\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/03/20 22:05:36 | 000,000,440 | ---- | M] () -- C:\ProgramData\s8nyO3p8wiRvHU
[2012/03/20 22:02:03 | 000,000,605 | ---- | M] () -- C:\Users\Agnieszka\Desktop\System Check.lnk
[2011/08/30 12:18:42 | 000,003,584 | -H-- | C] () -- C:\Users\Agnieszka\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
:Files
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered; reboot when it is done.
[*]Then run a new scan and post a new OTL log (don’t check the boxes beside LOP Check or Purity this time).
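The OTL fix above removes the WinINet "ProxyServer" and "AutoConfigURL" values and the Firefox "network.proxy.*" preferences. As an added check, not part of this thread and not code from OTL, rkill or Malwarebytes, the following PowerShell script reads those same settings so they can be recorded before the fix and confirmed gone afterwards. It only reports and removes nothing. The Firefox profile location (the default under %APPDATA%) and the allow-list host passed at the bottom are assumptions; substitute the proxy host your workplace or university told you to use. If the reported host is that one, the proxy is expected and will need putting back after the cleanup.

```powershell
# Added example: report the proxy settings that OTL lists under
# "Internet Settings" and "prefs.js". Not from the original thread or tools.

function Get-WinInetProxy {
    # Per-user WinINet settings (HKCU); Internet Explorer and most
    # Windows programs honour these values.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable      # 1 = manual proxy in use
        ProxyServer   = $p.ProxyServer      # e.g. host:8080
        AutoConfigURL = $p.AutoConfigURL    # PAC script URL
        ProxyOverride = $p.ProxyOverride    # bypass list
    }
}

function Get-FirefoxProxy {
    # Firefox keeps its own proxy settings in each profile's prefs.js.
    # Assumption: profiles live in the default place under %APPDATA%.
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profiles)) { return @() }
    Get-ChildItem -Path $profiles -Filter prefs.js -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            Select-String -Path $file -Pattern '^user_pref\("network\.proxy\.' |
                ForEach-Object {
                    [pscustomobject]@{ Profile = $file; Pref = $_.Line.Trim() }
                }
        }
}

function Get-ProxyHost {
    param([string]$Value)
    # Strip a scheme ("http://") or protocol prefix ("http=") and anything
    # after the host: port, path, or the ";" separating per-protocol entries.
    ($Value -replace '^[a-z]+(://|=)', '') -replace '[:/;].*$', ''
}

function Test-ProxyUnexpected {
    param([string[]]$AllowedHosts)
    # Flags any configured proxy or PAC URL whose host is not in the
    # allow list (for example an employer's or university's cache).
    $w = Get-WinInetProxy
    $findings = @()
    foreach ($v in @($w.ProxyServer, $w.AutoConfigURL)) {
        if ([string]::IsNullOrWhiteSpace($v)) { continue }
        $hostName = Get-ProxyHost $v
        if ($AllowedHosts -notcontains $hostName) { $findings += "WinINet: $v" }
    }
    foreach ($f in Get-FirefoxProxy) {
        if ($f.Pref -match 'autoconfig_url",\s*"([^"]+)"') {
            $hostName = Get-ProxyHost $Matches[1]
            if ($AllowedHosts -notcontains $hostName) { $findings += "Firefox: $($f.Pref)" }
        }
    }
    $findings
}

Get-WinInetProxy | Format-List
Get-FirefoxProxy | Format-Table -AutoSize
# Assumed allow list: replace with the proxy host you were actually given.
Test-ProxyUnexpected -AllowedHosts @('wwwcache.bris.ac.uk')
```

Run it once before the OTL fix and once after the reboot; the second run should show empty ProxyServer and AutoConfigURL values and no Firefox "network.proxy" lines, which is the state the helper's fix script is aiming for. A proxy configured by someone you trust should then be re-entered by hand.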
Yes that is what I meant?
Ok thanks
I will print your instructions and follow the advice now.
If you are able to link, we need to change one thing prior, or you can just reset it later to be sure.