schrauber

Members
  • Posts

    39
About schrauber

  • Birthday 07/17/1981

Tech Info

  • Experience
    very_experienced
  • System: windows_vista_home

  1. Hi,
     Please go here and have a look at how you can disable your security software.
     Download Combofix from any of the links below but rename it to <schrauber> before saving it to your desktop.
     Link 1
     Link 2
     --------------------------------------------------------------------
     Double click on the renamed Combofix.exe & follow the prompts. When finished, it will produce a report for you.
     As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
     Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
     **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
     http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
     Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
     http://img.photobucket.com/albums/v706/ried7/whatnext.png
     Click on Yes, to continue scanning for malware.
     When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
     This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper.
     If you need help, see this link: A guide and tutorial on using ComboFix
  2. Please follow the rest of the instructions above. Also please do this:
     Download MBRCheck.exe to your desktop
     • XP users > double click on MBRCheck.exe to run it
     • Vista and Windows 7 users > right click on MBRCheck.exe and select Run as Administrator
     • It will show a black screen with some data on it
     • Click on the black C:\ in the upper left hand corner of the black screen
     • Choose Edit > Select All > Press Enter to copy the data to your clipboard
     • Press Enter again to close MBRCheck
     • Now open up notepad or wordpad and paste the data in (press Control+V)
     • Post the results in your reply
  3. Hi,
     Please uninstall Ashampoo Antimalware. Do you use a router?
     Please download this file http://download.bleepingcomputer.com/bats/routeexp.bat to your desktop and run it with a double-click. A logfile will open, please post the content here in the thread.
  4. Hi,
     Remove them all, then do this please:
     Please run a BitDefender Online Scan
     • Click I Agree to agree to the EULA.
     • Allow the ActiveX control to install when prompted.
     • Click Click here to scan to begin the scan.
     Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
     • When the scan is finished, click on Click here to export the scan results.
     • Save the report to your desktop so you can post it in your next reply.
     Also please reopen OTL, set the extra registry tab to use safe list and hit the run scan button, post back with the 2 logfiles.
  5. Hi,
     Please download Malwarebytes' Anti-Malware from Here.
     • Double Click mbam-setup.exe to install the application.
     • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
     • If an update is found, it will download and install the latest version.
     • Once the program has loaded, select "Perform Quick Scan", then click Scan.
     • The scan may take some time to finish, so please be patient.
     • When the scan is complete, click OK, then Show Results to view the results.
     • Make sure that everything is checked, and click Remove Selected.
     • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
     • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
     • Copy&Paste the entire report in your next reply.
     Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
     Please run a free online scan with the ESET Online Scanner
     Note: You will need to use Internet Explorer for this scan
     • Tick the box next to YES, I accept the Terms of Use
     • Click Start
     • When asked, allow the ActiveX control to install
     • Click Start
     • Make sure that the option Remove found threats and the option Scan unwanted applications are checked
     • Click Scan (This scan can take several hours, so please be patient)
     • Once the scan is completed, you may close the window
     • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
     • Copy and paste that log as a reply to this topic
  6. Hello, seedy21
     Welcome to the FreePcHelp Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.
     Please take note of some guidelines for this fix:
     • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
     • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
     • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
     • Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
     Please set your system to show all files.
     • Click Start, open My Computer, select the Tools menu and click Folder Options.
     • Select the View Tab.
     • Under the Hidden files and folders heading, select Show hidden files and folders.
     • Uncheck: Hide file extensions for known file types
     • Uncheck the Hide protected operating system files (recommended) option.
     • Click Yes to confirm.
     Please download OTL from one of the following mirrors: This is THE Mirror
     • Save it to your desktop.
     • Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/OTL/otlDesktopIcon.png icon on your desktop.
     • Under the Custom Scan box paste this in
       netsvcs %SYSTEMDRIVE%\*.exe /md5start eventlog.dll scecli.dll netlogon.dll cngaudit.dll sceclt.dll ntelogon.dll logevent.dll iaStor.sys nvstor.sys atapi.sys IdeChnDr.sys viasraid.sys AGP440.sys vaxscsi.sys nvatabus.sys viamraid.sys nvata.sys nvgts.sys iastorv.sys ViPrt.sys eNetHook.dll ahcix86.sys KR10N.sys /md5stop %systemroot%\*. /mp /s CREATERESTOREPOINT
     • Push the Quick Scan button.
     • Two reports will open, copy and paste them in a reply here:
       OTL.txt <-- Will be opened
       Extra.txt <-- Will be minimized
     Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.
     • Disconnect from the Internet and close all running programs.
     • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
     • Click on this link to see a list of programs that should be disabled.
     • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
     • Allow the driver to load if asked.
     • You may be prompted to scan immediately if it detects rootkit activity.
     • If you are prompted to scan your system click "No", save the log and post back the results.
     • If not prompted, click the "Rootkit/Malware" tab.
     • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
     • Select all drives that are connected to your system to be scanned.
     • Click the Scan button to begin. (Please be patient as it can take some time to complete)
     • When the scan is finished, click Save to save the scan results to your Desktop.
     • Save the file as Results.log and copy/paste the contents in your next reply.
     • Exit the program and re-enable all active protection when done.
     Download MBRCheck.exe to your desktop
     • XP users > double click on MBRCheck.exe to run it
     • Vista and Windows 7 users > right click on MBRCheck.exe and select Run as Administrator
     • It will show a black screen with some data on it
     • Click on the black C:\ in the upper left hand corner of the black screen
     • Choose Edit > Select All > Press Enter to copy the data to your clipboard
     • Press Enter again to close MBRCheck
     • Now open up notepad or wordpad and paste the data in (press Control+V)
     • Post the results in your reply
  7. OTL has only a few MB. Please go to start >> system control panel >> folder options. There you can change the settings.
  8. Hello, carolineseed
     Welcome to the FreePcHelp Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.
     Please take note of some guidelines for this fix:
     • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
     • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
     • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
     • Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
     Please set your system to show all files.
     • Click Start, open My Computer, select the Tools menu and click Folder Options.
     • Select the View Tab.
     • Under the Hidden files and folders heading, select Show hidden files and folders.
     • Uncheck: Hide file extensions for known file types
     • Uncheck the Hide protected operating system files (recommended) option.
     • Click Yes to confirm.
     Please download OTL from one of the following mirrors: This is THE Mirror
     • Save it to your desktop.
     • Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/OTL/otlDesktopIcon.png icon on your desktop.
     • Under the Custom Scan box paste this in
       netsvcs %SYSTEMDRIVE%\*.exe /md5start eventlog.dll scecli.dll netlogon.dll cngaudit.dll sceclt.dll ntelogon.dll logevent.dll iaStor.sys nvstor.sys atapi.sys IdeChnDr.sys viasraid.sys AGP440.sys vaxscsi.sys nvatabus.sys viamraid.sys nvata.sys nvgts.sys iastorv.sys ViPrt.sys eNetHook.dll ahcix86.sys KR10N.sys /md5stop %systemroot%\*. /mp /s CREATERESTOREPOINT
     • Push the Quick Scan button.
     • Two reports will open, copy and paste them in a reply here:
       OTL.txt <-- Will be opened
       Extra.txt <-- Will be minimized
  9. Hi, Thanks for letting me know, and you're welcome. A little hint: her :D
  10. Malware has locked me out of everything. Please help! - MajorGeeks Support Forums
     As Kestrel mentioned, please choose one board and notify the other one to close the thread. 2 persons working at the same system is a waste of time and can bring your system into nirvana.
  11. Nope, still some work :)
     1. Close any open browsers.
     2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
     3. Open notepad and copy/paste the text in the quotebox below into it:
     Save this as CFScript.txt, in the same location as ComboFix.exe
     http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
     Referring to the picture above, drag CFScript into ComboFix.exe
     When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
     Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.
     • Disconnect from the Internet and close all running programs.
     • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
     • Click on this link to see a list of programs that should be disabled.
     • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
     • Allow the driver to load if asked.
     • You may be prompted to scan immediately if it detects rootkit activity.
     • If you are prompted to scan your system click "No", save the log and post back the results.
     • If not prompted, click the "Rootkit/Malware" tab.
     • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
     • Select all drives that are connected to your system to be scanned.
     • Click the Scan button to begin. (Please be patient as it can take some time to complete)
     • When the scan is finished, click Save to save the scan results to your Desktop.
     • Save the file as Results.log and copy/paste the contents in your next reply.
     • Exit the program and re-enable all active protection when done.
     Please download OTL from one of the following mirrors: This is THE Mirror
     • Save it to your desktop.
     • Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/OTL/otlDesktopIcon.png icon on your desktop.
     • Under the Custom Scan box paste this in
       netsvcs %SYSTEMDRIVE%\*.exe /md5start eventlog.dll scecli.dll netlogon.dll cngaudit.dll sceclt.dll ntelogon.dll logevent.dll iaStor.sys nvstor.sys atapi.sys IdeChnDr.sys viasraid.sys AGP440.sys vaxscsi.sys nvatabus.sys viamraid.sys nvata.sys nvgts.sys iastorv.sys ViPrt.sys eNetHook.dll ahcix86.sys KR10N.sys nvstor32.sys ahcix86s.sys nvrd32.sys symmpi.sys adp3132.sys mv61xx.sys /md5stop %systemroot%\*. /mp /s CREATERESTOREPOINT %systemroot%\system32\*.dll /lockedfiles %systemroot%\Tasks\*.job /lockedfiles %systemroot%\system32\drivers\*.sys /lockedfiles %systemroot%\System32\config\*.sav %systemdrive%\*.sys /90 /md5
     • Push the Quick Scan button.
     • Two reports will open, copy and paste them in a reply here:
       OTL.txt <-- Will be opened
       Extra.txt <-- Will be minimized
  12. Yea, still some work :)
     Please download exeHelper to your desktop.
     • Double-click on exeHelper.com to run the fix.
     • A black window should pop up, press any key to close once the fix is completed.
     • Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
     Download SREng
     • Extract it to Desktop and double click SREngLdr.EXE to run it
     • Select System Repair from the left pane.
     • Click on File Association
     • Select all entries that have an Error status
     • Click [Repair]
     • Refer to this image for an example: http://img.photobucket.com/albums/v666/sUBs/SystemRepair_FileAssocs.gif
     • Close SREng now.
     Please go here and have a look at how you can disable your security software.
     Download Combofix from any of the links below but rename it to <schrauber> before saving it to your desktop.
     Link 1
     Link 2
     --------------------------------------------------------------------
     Double click on the renamed Combofix.exe & follow the prompts. When finished, it will produce a report for you.
     As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
     Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
     **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
     http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
     Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
     http://img.photobucket.com/albums/v706/ried7/whatnext.png
     Click on Yes, to continue scanning for malware.
     When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
     This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper.
     If you need help, see this link: A guide and tutorial on using ComboFix
  13. Please download the fix.txt from here File-Upload.net - fix.txt and save it to your USB stick.
     Boot with OTLPE cd, run OTLPE. Open the stick with the Explorer and drag and drop the fix.txt into the custom scan box from OTLPE. Click the run fix button.
     Please try to boot your system normally.
  14. Hi,
     Run OTLPE
     Under the Custom Scans/Fixes box at the bottom, paste in the following
       :OTL
       SRV - File not found [Disabled] -- -- (KService)
       O20 - HKLM Winlogon: Shell - ( ) - (Registry key not found)
       O20 - HKLM Winlogon: UserInit - ( ) - (Registry key not found)
       O34 - HKLM BootExecute: (autocheck autochk *) - File not found
       O37 - HKLM\...com [@ = Reg Error: Key error.] -- Reg Error: Key error. File not found
       O37 - HKLM\...exe [@ = Reg Error: Key error.] -- Reg Error: Key error. File not found
       [2010/05/20 07:55:48 | 000,169,472 | ---- | C] (Ryddcf) -- C:\Windows\System32\regedit.exe
       [2010/05/20 16:04:42 | 000,823,808 | ---- | M] () -- C:\Windows\System32\drivers\sjaeilvj.sys
       [2010/05/20 10:54:44 | 000,023,040 | ---- | M] () -- C:\lsass.exe
       [2010/05/20 07:59:35 | 000,002,544 | ---- | M] () -- C:\Windows\ozotequw.dll
       [2010/05/20 07:57:46 | 000,057,344 | ---- | M] () -- C:\Windows\System32\****
       [2010/05/20 07:57:37 | 000,030,000 | ---- | M] () -- C:\Windows\System32\****4
       [2010/05/20 07:57:18 | 000,081,408 | ---- | M] () -- C:\Windows\System32\drivers\zgrhurxf5.sys
       [2010/05/20 07:56:45 | 000,006,789 | ---- | M] () -- C:\Windows\ppi2.exe
       [2010/05/20 07:56:02 | 000,030,000 | ---- | M] () -- C:\Windows\System32\****3
       [2010/05/20 07:56:00 | 000,042,496 | ---- | M] () -- C:\Windows\System32\****2
       [2010/05/20 07:55:59 | 000,006,771 | -HS- | M] () -- C:\Windows\E88D4.exe
       [2010/05/20 09:08:36 | 000,023,040 | ---- | C] () -- C:\lsass.exe
       [2010/05/20 07:59:35 | 000,002,544 | ---- | C] () -- C:\Windows\ozotequw.dll
       [2010/05/20 07:57:45 | 000,057,344 | ---- | C] () -- C:\Windows\System32\****
       [2010/05/20 07:57:37 | 000,030,000 | ---- | C] () -- C:\Windows\System32\****4
       [2010/05/20 07:56:18 | 000,823,808 | ---- | C] () -- C:\Windows\System32\drivers\sjaeilvj.sys
       [2010/05/20 07:56:02 | 000,030,000 | ---- | C] () -- C:\Windows\System32\****3
       [2010/05/20 07:56:00 | 000,042,496 | ---- | C] () -- C:\Windows\System32\****2
       [2010/05/20 07:55:53 | 000,081,408 | ---- | C] () -- C:\Windows\System32\drivers\zgrhurxf5.sys
       [2010/05/20 07:55:45 | 000,006,789 | ---- | C] () -- C:\Windows\ppi2.exe
       [2010/05/20 07:55:20 | 000,006,771 | -HS- | C] () -- C:\Windows\E88D4.exe
       :Commands
       [emptytemp]
       [emptyflash]
       [resethosts]
     Then click the Run Fix button at the top
     Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
     Please post that log in your next reply.
     Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
     Please open OTL again, set all boxes to use safe list. Under the custom scan box, paste in:
       /md5start explorer.exe userinit.exe winlogon.exe ndis.sys /md5stop
     and hit the run scan button, post back with the logfiles.