I’ve run 5 different virus deletion tools including Avast, Malwarebytes, AVG, and Kaspersky, none of which have fully worked. I’m able to do most everything I could before the virus. The pop-up doesn’t appear anymore, but I still get random sound ads playing from nowhere, my background is still pure black (I have used a hidden file finder and got everything but that back), I’m unable to open a few programs, getting critical errors on them, and I’m getting random script messages (every 3 or so minutes) asking me if I want to stop running the script. I’ve been doing this for nearly 15 hours with minimal progress. I thought I would look for a professional to help me. I saw a post before this, but I was unable to reply on the topic. It contained information from Essexboy (I am also unable to send PMs, but I believe this is on the forum’s end). He said to download RogueKiller and OTS, so I did just that and posted my reports as he said to do.
Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: Owner [Admin rights]
Mode: Remove – Date : 04/22/2011 18:17:11
The OTS log was frankly way too long to post with the 10,000 character limit. If it’s absolutely needed I’ll post it, but I don’t want to fill this post with spam >.<
I’m hoping that you can help me out. I’m not much of a pro with computer issues, but this is the first virus that’s given me such a hard time. Also, I was having a problem posting this, so I had to reboot and run in safe mode with networking; when I did, it ran a disk check and I got 2 “Desktop.ini” files on my desktop. I’m not quite sure what these are or if they offer any help in solving my problem, so I’ll post them with some hope.
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183
[LocalizedFileNames]
Windows Movie Maker.lnk=@%ProgramFiles%\Movie Maker\MovieMk.dll,-61403
You can attach the file (Additional Options in the Reply window), which is easier for anyone familiar with analysing it, and you don’t have to split it over lots of posts.
Hopefully someone who can analyse it can run with it. Unfortunately essexboy, who would normally do this, will be tucked up in bed; it is a little after 4am in the UK right now, so hopefully he will be back later today.
Hi there, this will take several long minutes to run as your temp files are very full.
Start OTS. Copy/paste the information in the quote box below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > ->
YN -> HKEY_USERS\.DEFAULT\: "ProxyServer" -> http=127.0.0.1:5577
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > ->
YN -> HKEY_USERS\S-1-5-18\: "ProxyServer" -> http=127.0.0.1:5577
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-2039977163-748715940-2778053649-1000\] > ->
YN -> HKEY_USERS\S-1-5-21-2039977163-748715940-2778053649-1000\: Main\\"Secondary Start Pages" -> http://www.tinierme.com/tinierme/top.do [binary data]
YN -> HKEY_USERS\S-1-5-21-2039977163-748715940-2778053649-1000\: URLSearchHooks\\"{472734EA-242A-422b-ADF8-83D1E48CC825}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> HKEY_USERS\S-1-5-21-2039977163-748715940-2778053649-1000\: URLSearchHooks\\"{A3BC75A2-1F87-4686-AA43-5347D756017C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2039977163-748715940-2778053649-1000\] > -> HKEY_USERS\S-1-5-21-2039977163-748715940-2778053649-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{0FEF2D2C-CDA6-45E4-B2ED-9DF7C50C95FF}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{472734EA-242A-422B-ADF8-83D1E48CC825}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Adobe ARM" -> ["C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"]
[Files/Folders - Created Within 30 Days]
NY -> WindowsUpdate -> C:\Users\Owner\AppData\Local\WindowsUpdate
[Files/Folders - Modified Within 30 Days]
NY -> ~43114248 -> C:\ProgramData\~43114248
NY -> ~43114248r -> C:\ProgramData\~43114248r
NY -> 43114248 -> C:\ProgramData\43114248
[Files - No Company Name]
NY -> ~43114248 -> C:\ProgramData\~43114248
NY -> ~43114248r -> C:\ProgramData\~43114248r
NY -> 43114248 -> C:\ProgramData\43114248
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of the actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
- Double-click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
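The OTS fix above clears an Internet Explorer ProxyServer entry of http=127.0.0.1:5577 from several user hives and lists numeric-named folders under C:\ProgramData. This is an added triage script, not part of the thread or any of the tools it mentions; it is read-only and assumes Windows PowerShell 2.0 or later with read access to HKEY_USERS.

```powershell
# Added example (not from the thread): report the two artefacts the OTS fix targets,
# a browser proxy forced to a localhost port in any user hive, and "~NNNNNNNN"-style
# folders under ProgramData. Nothing is changed or deleted.

$findings = @()

# 1. Per-user IE proxy settings. A ProxyServer pointing at 127.0.0.1 that the user never
#    configured means a local process is sitting between the browser and the network
#    (the fix above removes http=127.0.0.1:5577 from .DEFAULT, S-1-5-18 and the user SID).
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue | ForEach-Object {
    $sid = $_.PSChildName
    $key = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.ProxyServer -match '127\.0\.0\.1|localhost') {
        $findings += New-Object PSObject -Property @{
            Kind    = 'IE proxy points at localhost'
            Where   = "$sid ProxyServer"
            Value   = $props.ProxyServer
            Enabled = $props.ProxyEnable
        }
    }
}

# 2. ProgramData entries whose name is only digits, optionally prefixed with "~" and
#    suffixed with "r", matching ~43114248, ~43114248r and 43114248 in the fix above.
Get-ChildItem -Path $env:ProgramData -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^~?\d{6,}r?$' } |
    ForEach-Object {
        $findings += New-Object PSObject -Property @{
            Kind    = 'Numeric-named ProgramData entry'
            Where   = $_.FullName
            Value   = $_.LastWriteTime
            Enabled = $null
        }
    }

if ($findings.Count -eq 0) {
    'No localhost proxy or numeric ProgramData entries found.'
} else {
    $findings | Format-Table Kind, Where, Value, Enabled -AutoSize
}
```

Run it from an elevated PowerShell prompt so every loaded user hive under HKEY_USERS is readable; a hit in the first section is worth checking against whatever is listening on that local port.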
Currently running the quick scan on the infected computer. All the issues are the same as before: the random sound ads that can’t be seen, my background is still pure black, and the same programs won’t run. Attached are 2 screenshots of error messages that I got just while typing this post out. (Edit): I just got a third error message, with more sound ads while scanning.
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
- Double-click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
I’ve just been looking at one of these I finished yesterday - it was a new variant of TDL4 that neither TDSSKiller nor aswMBR caught - I am waiting for an MBR dump on that. CF killed it.
None of the previous pop-ups since ComboFix was completed. Though now when I attempt to open ANY program, including ComboFix or even something as simple as Paint. Attached is the ComboFix log. Also, this is the error message I’m getting:
No problem, I’ll get working on those right now for you and post as soon as the scan is done. (Edit): Also, because just about everything is coming up with that error, does that mean I would have to uninstall everything on my computer pretty much?
No, just Adobe - once it is uninstalled all should be back to normal - funnily enough I had one similar to this a few weeks ago and it took two days to figure out ;D