
Malware nightmare

Discussion in 'Virus and Malware Removal' started by tstadt, Dec 22, 2012.

  1. tstadt Newcomer, in training Posts: 37

    Oh, I'm not complaining, I appreciate all of your help. I'm just getting very frustrated.
    I was able to download ESET in Normal Mode but it won't let me run it. I cannot boot into Safe Mode with Networking to run it either. Can you help me boot into Safe Mode?
  2. tstadt Newcomer, in training Posts: 37

    ESET gives me a "Cannot get update, is proxy configured" message. I am logged into Safe Mode with Networking but there is no internet connection.
    BTW, I am posting this from a different computer.
  3. tstadt Newcomer, in training Posts: 37

    I enabled all services in msconfig and I now have internet in safe mode and ESET is now running
  4. tstadt Newcomer, in training Posts: 37

    ESET scan completed with no threats found. I did not see a log file.
    In Normal Mode all original problems continue to exist. If I try to run any programs such as Malwarebytes, RogueKiller, TuneUp Utilities etc. it comes back with program not found. I also now have that MRI-DISABLED window opening when it boots up. It displays two shortcut files in the Windows\Start Menu\Startup\MRI_DISABLED folder.
  5. tstadt Newcomer, in training Posts: 37

    That must have been a fluke. I'm back to being unable to boot into Safe Mode again.
  6. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please download OTL to your Desktop. (If you already have it downloaded, then just follow the instructions below).
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Copy the code below in the quotebox, go back to OTL and paste it in the Custom Scans/Fixes box:

    • Click the Run Scan button. The scan will not take long.
      • When the scan completes, it usually opens two notepad windows. OTL.Txt (Displayed on screen) and Extras.Txt (minimized). These are saved in the same location as OTL.
      • Please copy (Edit->Select All, Edit->Copy) and paste (Edit->Paste) the contents of OTL.txt and paste it to your next reply. I will let you know if I need the Extras.txt.

    Note: in the event that OTL fails to run, please use alternate download links to try again:

    http://oldtimer.geekstogo.com/OTL.com
    http://oldtimer.geekstogo.com/OTL.scr
  7. tstadt Newcomer, in training Posts: 37

    Merry Christmas!
    There was no Extras.txt. OTL.txt was too big to paste and post so I have attached it.

    Attached Files: OTL.Txt (108.3 KB)
  8. Jay Pfoutz Malware Helper Posts: 4,286   +49

    OTL Fix

    Please run OTL
    • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    • Then click the Run Fix button at the top.
    • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
    • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
      Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)

    Once done, tell me how it went. :)
  9. tstadt Newcomer, in training Posts: 37

    The fix took about 2 seconds to run and I rebooted as requested (log posted below). It doesn't seem to have fixed anything however. Same as before, if I try to run any programs such as Malwarebytes, RogueKiller, TuneUp Utilities etc. it comes back with program not found. I also still have that MRI-DISABLED window opening when it boots up.

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}\ not found.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
    C:\Windows\System32\mfevtps.exe.fcbe.deleteme moved successfully.
    C:\found.003\dir0001.chk folder moved successfully.
    C:\found.003\dir0000.chk folder moved successfully.
    C:\found.003 folder moved successfully.
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Users\AdministratorTB\Desktop\cmd.bat deleted successfully.
    C:\Users\AdministratorTB\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: AdministratorTB

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: User

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 216312 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 12262012_181751

    Files\Folders moved on Reboot...

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
  10. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Let me know if the problem resolves after this:

    Download Windows Repair (all in one) from this site

    Install the program then run it.

    Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:

    [IMG]



    Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:

    [IMG]


    Go to Step 4 and under "System Restore" click on Create button:

    [IMG]


    Go to Start Repairs tab and click Start button.

    [IMG]


    Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

    [IMG]

    Click on box next to the Restart System when Finished. Then click on Start.
  11. tstadt Newcomer, in training Posts: 37

    I downloaded and ran Step 2 from Safe Mode. Message stated that it may not totally work from Safe Mode but it won't run at all from normal mode. The system rebooted and I'm not sure Step 2 even completed. After numerous attempts I finally was able to log back into Safe Mode. I ran Step 3 and it stopped before completing. The log file is attached. The file was there but now is missing.
  12. tstadt Newcomer, in training Posts: 37

    Here is the log file

    Attached Files: CBS.zip (54.1 KB)
  13. Jay Pfoutz Malware Helper Posts: 4,286   +49

    SystemLook x86 scan

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  14. tstadt Newcomer, in training Posts: 37

    SystemLook 30.07.11 by jpshortstuff
    Log created at 12:22 on 28/12/2012 by AdministratorTB
    Administrator - Elevation successful

    ========== regfind ==========

    Searching for "mri-disabled"
    No data found.

    -= EOF =-
  15. tstadt Newcomer, in training Posts: 37

    I changed the search for MRI only and got these results:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 12:24 on 28/12/2012 by AdministratorTB
    Administrator - Elevation successful

    ========== regfind ==========

    Searching for "mri"
    [HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-font-truetype-miriam_31bf3856ad364e35_none_963f1bbe72a27c80\f256!mriam.ttf]
    [HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-font-truetype-miriam_31bf3856ad364e35_none_963f1bbe72a27c80\f256!mriamc.ttf]
    [HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_en-us_d1ba072ce8bde1da\f256!mrinfo.exe.mui]
    [HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_none_e2e61401d5327d4f\f256!mrinfo.exe]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{56E2294F-69ED-4629-A869-AEA72C0DCC2C}]
    @="IWMPCdromRip"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\MRI_DISABLED]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\0F78997E43E0CC248BFFC668A0EE2BA6\Features]
    "tt_1033"="6OI'^MRns9O*$8Wg2DTc)-ZBx+fN0?EE2IHD?MWiZqwwimQlp?HN2q!&[=1&S2kjNxDxG=?@g(`}X`)T9LI4Uul?2AL&6[[42rqMD+fo,}~-AAG2'18Fo,*D?Wi.*drxi9($HA-yUPM2Z]^TZiGZu@?W=P4ifJxFyAbMgMQsI@j{K?)qMD*?gh13I!.Vm=N^qF`jB~+7{6ai'qL15?J_x3meV0gYocUrF._y2@U!0I=Pptq*Xs+5YPe{,@ZLz3+D&18ah74f??N6G90(,xdjkNYFYk!K0v,]$?I}J$N_}*7slh2'bYeOT9pn!p@}(UM`kme$Y,O?p8oQ(IpwSB'UWJkWI}t_N?Qf(zmB^AWt@^!Rp$HC1?mDSzuhaNFmZMDSV6U=t?lUt*H5e4.FufIvl0n0L?3T1_]9XoYnA!i5ptQ}J=thAtQWy}HKX*xl2(?ZNAZg{X,Tqs!=}PkI*@C*8=X'P2)Eq01_eq$~^}eoZ9,A)[areGTY,i7]5ckW8@rmG`O$9@7^QXZQCl&H'=o~tIv{KdM_CB2}?,[y~9Su7*@`I$']b$ALX%PRc@=T@hi}LDq3]7*~YfPDw?sFZt*X(P^d_+9C%%N`h?W]!o[~uASC]C(w(iykT=GH&e$']03LvL}XL@p'c8ml_}Kaw@a5-?~Qoeq9U=F!(cI_^F0T^jRia~5P{=?5JEb~q?]*Ra~nxkP)@=T&siC?fu)$=y-s1Ndya9!y0-,i5At-L=@uq[.3K?8fx`LXU14R[EOOv7O]g8l~*`Yu8DkrzHYBp3Z9Y?qB]hSvfk&z8Y6DW$F_P9Vz^7il-E57sf*_[F--?==8$,[_7x_sg~Ecaqou@Aq?[uEDf!0f(c{=$`$jM?
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\20441E9C136328143B77B6D0BFC13093\Features]
    "QuickTimeEssentials"="TD_.UDBXu9BWe%xw`*tdY(M'Oa8YX?JlP@zA]?dPU'[}?D]p_8aFZU26(O)[hD8f.KZhu?&dw?G7u'fPzfo.6e(KeAg$b)n.g0eYg!k!9TzPM@)}t+*JIz1i4z2ey8W`a?D]ELG3@5.sz{wUL^qGU9+V'pFBY167$8!_Ybs}-?.O0CEPt)N@kFEf,EBz29xq[ai?&N^9*wdErlmYS9+*yq?_IkZ!fx]&I`tLc?e@(-c[U,Tp3xCRE$sf??9s4rg{{amE9@pQtORFU9&N5+$Z7WNRdA*0[DkQS9~j=6,?!GhQr&yS?)jd2=s4qL'&K&]DA[hddxHdg=T$[77]0RY(Pq8G!DDJ+?XUH52f{V.h@=UBE4J}W@((MkkP8^GfMqkwbm~Rq8%Xk!`%M'$Y?s]I^Eh$4=V0~{Irc5!(LSq@vvIH(?E=5m3sDcoY`5uXN,k-}?yq[nA^NJK*OU-WKewhJAW+cnwVo8~Gi?iObgW!Y@Kt%dM.{HTu4Zi4U$vly9[eA(A3zHmm$jm8[TD!C?ZGQvISNfy^e$h)4K2}]@PnN.ONtwG320p4YymJ+=^jfLO9!NbRWfNVY4!3cA-F6n2-atXtQ[[w?O[Ft?I+]O!&C?toqHQLl~S?P?&zn*j^s![%s$WU*D`[R=W%PnUfuFIs}RG*ZF5,)@O@9N@378'mg2O@l!Y!b9!DZ[LuVLHI9iRW^FgfN@4PdUWvj+jb~%VFt.4f%=$tPK_sK!J!)4b`kql0s953rb(Db`8OoWoeg,hav9vN@0AONU9qqoSpK4E[+?cvk'J6O0`zY[Ek*[Q1T=w^kOYi_KixF9C=MOE939a_]$1p?@xuaVPlpCF1E@Nn+UsCq{
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-font-truetype-miriam_31bf3856ad364e35_none_963f1bbe72a27c80\f256!mriam.ttf]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-font-truetype-miriam_31bf3856ad364e35_none_963f1bbe72a27c80\f256!mriamc.ttf]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_en-us_d1ba072ce8bde1da\f256!mrinfo.exe.mui]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_none_e2e61401d5327d4f\f256!mrinfo.exe]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
    "Miriam (TrueType)"="mriam.ttf"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
    "Miriam Fixed (TrueType)"="mriamc.ttf"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTP\Defaults]
    "BottomRightCornerPlugInID"="SynTP"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTPCpl\Controls\2Tapping\Tap Zones\Bottom right action\Action List]
    "TPZone"="TP_ZoneID_BottomRight"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTPCpl\Pages\Gestures\Bottom Right Action]
    "TPZone"="TP_ZoneID_BottomRight"

    -= EOF =-
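As an added illustration (not part of the thread or of SystemLook itself), a small Python parser for the regfind log layout shown in the post above: key paths in brackets, with a matching value on the following line when the value rather than the key matched. The excerpt is constructed from that layout, and the whole-token filter shows why a bare "mri" search drags in font and mrinfo entries while the `MRI_DISABLED` toolbar key is the only hit where "mri" is a word on its own.

```python
import re

# Constructed excerpt in the layout of the SystemLook ":regfind" log posted above;
# key paths sit in [brackets], matched values follow as "name"="data" lines.
SAMPLE_LOG = r'''SystemLook 30.07.11 by jpshortstuff
Log created at 12:24 on 28/12/2012 by AdministratorTB

========== regfind ==========

Searching for "mri"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Miriam (TrueType)"="mriam.ttf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\MRI_DISABLED]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{56E2294F-69ED-4629-A869-AEA72C0DCC2C}]
@="IWMPCdromRip"

-= EOF =-
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^(?:"([^"]*)"|(@))=(.*)$')


def parse_regfind(log):
    """Return (search_term, hits); each hit is (key, value_name, value_data).
    value_name/value_data are None when the key path itself was the match."""
    term, hits, pending = None, [], None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith('Searching for "'):
            term = line.split('"')[1]
            continue
        key = KEY_RE.match(line)
        if key:
            if pending:                      # previous key had no value line: key-name hit
                hits.append((pending, None, None))
            pending = key.group(1)
            continue
        value = VALUE_RE.match(line)
        if value and pending:                # value line belongs to the key just seen
            name = value.group(1) if value.group(1) is not None else '@'
            hits.append((pending, name, value.group(3).strip('"')))
            pending = None
    if pending:
        hits.append((pending, None, None))
    return term, hits


def token_hits(hits, term):
    """Keep hits where the term is a whole token (split on non-alphanumerics):
    'mri' matches MRI_DISABLED but not mriam.ttf, mrinfo.exe or IWMPCdromRip."""
    term = term.lower()
    has_token = lambda s: term in re.split(r'[^a-z0-9]+', s.lower())
    return [(k, n, d) for k, n, d in hits
            if has_token(k.rsplit('\\', 1)[-1])
            or (n is not None and (has_token(n) or has_token(d)))]
```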
  16. Jay Pfoutz Malware Helper Posts: 4,286   +49

    OTL Fix

    Please run OTL
    • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    • Then click the Run Fix button at the top.
    • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
    • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
      Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)
    Let me know if the message disappears. :)
  17. tstadt Newcomer, in training Posts: 37

    The computer froze up on reboot. Should I do a hard boot?
  18. tstadt Newcomer, in training Posts: 37

    I did the hard boot and the MRI_DISABLED window still came up. Here is the log:
    All processes killed
    ========== REGISTRY ==========
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\MRI_DISABLED\ deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: AdministratorTB

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: User

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 57995 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 12292012_181821

    Files\Folders moved on Reboot...

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
  19. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Next script for SystemLook:

    :regfind
    MRI_DISABLED

    :filefind
    *MRI*
    *DISABLED*
  20. tstadt Newcomer, in training Posts: 37

    Log file attached

    Attached Files: