TechSpot

Malware nightmare

Resolved
By tstadt
Dec 22, 2012
Topic Status:
Not open for further replies.
  1. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please download OTL to your Desktop. (If you already have it downloaded, then just follow the instructions below).
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Copy the code below in the quotebox, go back to OTL and paste it in the Custom Scans/Fixes box:

    • Click the Run Scan button. The scan will not take long.
      • When the scan completes, it usually opens two notepad windows. OTL.Txt (Displayed on screen) and Extras.Txt (minimized). These are saved in the same location as OTL.
      • Please copy (Edit->Select All, Edit->Copy) and paste (Edit->Paste) the contents of OTL.txt and paste it to your next reply. I will let you know if I need the Extras.txt.

    Note: in the event that OTL fails to run, please use alternate download links to try again:

    http://oldtimer.geekstogo.com/OTL.com
    http://oldtimer.geekstogo.com/OTL.scr
  2. tstadt

    tstadt Newcomer, in training Topic Starter Posts: 37

    Merry Christmas!
    There was no Extras.txt. OTL.txt was too big to paste and post so I have attached it.

    Attached Files: OTL.Txt (108.3 KB)
  3. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    OTL Fix

    Please run OTL
    • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    • Then click the Run Fix button at the top.
    • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
    • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
      Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)

    Once done, tell me how it went. :)
  4. tstadt

    tstadt Newcomer, in training Topic Starter Posts: 37

    The fix took about 2 seconds to run and I rebooted as requested (log posted below). It doesn't seem to have fixed anything however. Same as before, if I try to run any programs such as Malwarebytes, RogueKiller, TuneUp Utilities etc. it comes back with program not found. I also still have that MRI-DISABLED window opening when it boots up.

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}\ not found.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
    C:\Windows\System32\mfevtps.exe.fcbe.deleteme moved successfully.
    C:\found.003\dir0001.chk folder moved successfully.
    C:\found.003\dir0000.chk folder moved successfully.
    C:\found.003 folder moved successfully.
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Users\AdministratorTB\Desktop\cmd.bat deleted successfully.
    C:\Users\AdministratorTB\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: AdministratorTB

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: User

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 216312 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 12262012_181751

    Files\Folders moved on Reboot...

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Let me know if the problem resolves after this:

    Download Windows Repair (all in one) from this site

    Install the program then run it.

    Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:

    Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:

    Go to Step 4 and under "System Restore" click on Create button:

    Go to Start Repairs tab and click Start button.

    Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

    Click on box next to the Restart System when Finished. Then click on Start.
  6. tstadt

    tstadt Newcomer, in training Topic Starter Posts: 37

    I downloaded and ran Step 2 from Safe Mode. Message stated that it may not totally work from Safe Mode but it won't run at all from normal mode. The system rebooted and I'm not sure Step 2 even completed. After numerous attempts I finally was able to log back into Safe Mode. I ran Step 3 and it stopped before completing. The log file is attached. The file was there but now is missing.
  7. tstadt

    tstadt Newcomer, in training Topic Starter Posts: 37

    Here is the log file

    Attached Files: CBS.zip (54.1 KB)
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    SystemLook x86 scan

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  9. tstadt

    tstadt Newcomer, in training Topic Starter Posts: 37

    SystemLook 30.07.11 by jpshortstuff
    Log created at 12:22 on 28/12/2012 by AdministratorTB
    Administrator - Elevation successful

    ========== regfind ==========

    Searching for "mri-disabled"
    No data found.

    -= EOF =-
  10. tstadt

    tstadt Newcomer, in training Topic Starter Posts: 37

    I changed the search for MRI only and got these results:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 12:24 on 28/12/2012 by AdministratorTB
    Administrator - Elevation successful

    ========== regfind ==========

    Searching for "mri"
    [HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-font-truetype-miriam_31bf3856ad364e35_none_963f1bbe72a27c80\f256!mriam.ttf]
    [HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-font-truetype-miriam_31bf3856ad364e35_none_963f1bbe72a27c80\f256!mriamc.ttf]
    [HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_en-us_d1ba072ce8bde1da\f256!mrinfo.exe.mui]
    [HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_none_e2e61401d5327d4f\f256!mrinfo.exe]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{56E2294F-69ED-4629-A869-AEA72C0DCC2C}]
    @="IWMPCdromRip"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\MRI_DISABLED]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\0F78997E43E0CC248BFFC668A0EE2BA6\Features]
    "tt_1033"="6OI'^MRns9O*$8Wg2DTc)-ZBx+fN0?EE2IHD?MWiZqwwimQlp?HN2q!&[=1&S2kjNxDxG=?@g(`}X`)T9LI4Uul?2AL&6[[42rqMD+fo,}~-AAG2'18Fo,*D?Wi.*drxi9($HA-yUPM2Z]^TZiGZu@?W=P4ifJxFyAbMgMQsI@j{K?)qMD*?gh13I!.Vm=N^qF`jB~+7{6ai'qL15?J_x3meV0gYocUrF._y2@U!0I=Pptq*Xs+5YPe{,@ZLz3+D&18ah74f??N6G90(,xdjkNYFYk!K0v,]$?I}J$N_}*7slh2'bYeOT9pn!p@}(UM`kme$Y,O?p8oQ(IpwSB'UWJkWI}t_N?Qf(zmB^AWt@^!Rp$HC1?mDSzuhaNFmZMDSV6U=t?lUt*H5e4.FufIvl0n0L?3T1_]9XoYnA!i5ptQ}J=thAtQWy}HKX*xl2(?ZNAZg{X,Tqs!=}PkI*@C*8=X'P2)Eq01_eq$~^}eoZ9,A)[areGTY,i7]5ckW8@rmG`O$9@7^QXZQCl&H'=o~tIv{KdM_CB2}?,[y~9Su7*@`I$']b$ALX%PRc@=T@hi}LDq3]7*~YfPDw?sFZt*X(P^d_+9C%%N`h?W]!o[~uASC]C(w(iykT=GH&e$']03LvL}XL@p'c8ml_}Kaw@a5-?~Qoeq9U=F!(cI_^F0T^jRia~5P{=?5JEb~q?]*Ra~nxkP)@=T&siC?fu)$=y-s1Ndya9!y0-,i5At-L=@uq[.3K?8fx`LXU14R[EOOv7O]g8l~*`Yu8DkrzHYBp3Z9Y?qB]hSvfk&z8Y6DW$F_P9Vz^7il-E57sf*_[F--?==8$,[_7x_sg~Ecaqou@Aq?[uEDf!0f(c{=$`$jM?
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\20441E9C136328143B77B6D0BFC13093\Features]
    "QuickTimeEssentials"="TD_.UDBXu9BWe%xw`*tdY(M'Oa8YX?JlP@zA]?dPU'[}?D]p_8aFZU26(O)[hD8f.KZhu?&dw?G7u'fPzfo.6e(KeAg$b)n.g0eYg!k!9TzPM@)}t+*JIz1i4z2ey8W`a?D]ELG3@5.sz{wUL^qGU9+V'pFBY167$8!_Ybs}-?.O0CEPt)N@kFEf,EBz29xq[ai?&N^9*wdErlmYS9+*yq?_IkZ!fx]&I`tLc?e@(-c[U,Tp3xCRE$sf??9s4rg{{amE9@pQtORFU9&N5+$Z7WNRdA*0[DkQS9~j=6,?!GhQr&yS?)jd2=s4qL'&K&]DA[hddxHdg=T$[77]0RY(Pq8G!DDJ+?XUH52f{V.h@=UBE4J}W@((MkkP8^GfMqkwbm~Rq8%Xk!`%M'$Y?s]I^Eh$4=V0~{Irc5!(LSq@vvIH(?E=5m3sDcoY`5uXN,k-}?yq[nA^NJK*OU-WKewhJAW+cnwVo8~Gi?iObgW!Y@Kt%dM.{HTu4Zi4U$vly9[eA(A3zHmm$jm8[TD!C?ZGQvISNfy^e$h)4K2}]@PnN.ONtwG320p4YymJ+=^jfLO9!NbRWfNVY4!3cA-F6n2-atXtQ[[w?O[Ft?I+]O!&C?toqHQLl~S?P?&zn*j^s![%s$WU*D`[R=W%PnUfuFIs}RG*ZF5,)@O@9N@378'mg2O@l!Y!b9!DZ[LuVLHI9iRW^FgfN@4PdUWvj+jb~%VFt.4f%=$tPK_sK!J!)4b`kql0s953rb(Db`8OoWoeg,hav9vN@0AONU9qqoSpK4E[+?cvk'J6O0`zY[Ek*[Q1T=w^kOYi_KixF9C=MOE939a_]$1p?@xuaVPlpCF1E@Nn+UsCq{
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-font-truetype-miriam_31bf3856ad364e35_none_963f1bbe72a27c80\f256!mriam.ttf]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-font-truetype-miriam_31bf3856ad364e35_none_963f1bbe72a27c80\f256!mriamc.ttf]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_en-us_d1ba072ce8bde1da\f256!mrinfo.exe.mui]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_none_e2e61401d5327d4f\f256!mrinfo.exe]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
    "Miriam (TrueType)"="mriam.ttf"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
    "Miriam Fixed (TrueType)"="mriamc.ttf"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTP\Defaults]
    "BottomRightCornerPlugInID"="SynTP"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTPCpl\Controls\2Tapping\Tap Zones\Bottom right action\Action List]
    "TPZone"="TP_ZoneID_BottomRight"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTPCpl\Pages\Gestures\Bottom Right Action]
    "TPZone"="TP_ZoneID_BottomRight"

    -= EOF =-
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    OTL Fix

    Please run OTL
    • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    • Then click the Run Fix button at the top.
    • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
    • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
      Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)
    Let me know if the message disappears. :)
  12. tstadt

    tstadt Newcomer, in training Topic Starter Posts: 37

    The computer froze up on reboot. Should I do a hard boot?
  13. tstadt

    tstadt Newcomer, in training Topic Starter Posts: 37

    I did the hard boot and the MRI_DISABLED window still came up. Here is the log:
    All processes killed
    ========== REGISTRY ==========
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\MRI_DISABLED\ deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: AdministratorTB

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: User

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 57995 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 12292012_181821

    Files\Folders moved on Reboot...

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Next script for SystemLook:

    :regfind
    MRI_DISABLED

    :filefind
    *MRI*
    *DISABLED*
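    The `:filefind` part of the SystemLook script above asks the tool to report every file or folder whose name matches `*MRI*` or `*DISABLED*`. The following is an added example, not SystemLook's code or anything posted in this thread: a small Python walker that does the same case-insensitive glob match over a directory tree. The tree it searches is constructed inside a temporary directory for the example; the folder names imitate the all-users Startup folder layout and the Windows Fonts folder so that both a suspicious hit and a benign font name (`mriam.ttf`, which also contains "mri") show up.

```python
"""Added example (not SystemLook's own code): a filefind-style search.

Walk one or more root directories and report every file or folder whose
name matches any of the glob patterns, case-insensitively, the way the
':filefind' section of a SystemLook script does. The sample tree is
constructed in a temporary directory purely for this example.
"""
import fnmatch
import os
import tempfile

# The two :filefind lines from the script in the post above.
PATTERNS = ["*MRI*", "*DISABLED*"]


def filefind(roots, patterns):
    """Return sorted root-relative paths of entries whose name matches any pattern.

    Matching is case-insensitive (names and patterns are lower-cased) and uses
    fnmatchcase so that '*' and '?' behave like ordinary shell globs.
    """
    matches = []
    lowered = [p.lower() for p in patterns]
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                if any(fnmatch.fnmatchcase(name.lower(), p) for p in lowered):
                    rel = os.path.relpath(os.path.join(dirpath, name), root)
                    matches.append(rel.replace(os.sep, "/"))
    return sorted(matches)


def build_sample_tree(base):
    """Constructed sample tree: a Startup folder holding one suspicious
    sub-folder, plus a Fonts folder with a benign name that contains 'mri'."""
    startup = os.path.join(base, "ProgramData", "Microsoft", "Windows",
                           "Start Menu", "Programs", "Startup")
    fonts = os.path.join(base, "Windows", "Fonts")
    os.makedirs(os.path.join(startup, "MRI_DISABLED"))
    os.makedirs(fonts)
    for name in ("mriam.ttf", "arial.ttf"):
        open(os.path.join(fonts, name), "w").close()
    open(os.path.join(startup, "desktop.ini"), "w").close()
    return base


def run_demo():
    """Build the sample tree in a temp dir and return the filefind hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return filefind([tmp], PATTERNS)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

Because the font file matches as well, the output shows why a bare `*MRI*` search needs a human (or an allow-list of known font and component names) to separate the benign hits from the one that matters; the `:regfind` results in post 10 above had the same mix.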
  15. tstadt

    tstadt Newcomer, in training Topic Starter Posts: 37

    Log file attached

  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Download, install, and run Whats Running.
    Click on Take snapshot in the left pane.
    New pop-up window will open.
    Click on Save snapshot, and save the file as snap (.xml extension will be added automatically) to a known location.

    Zip the file, and attach it to your next reply.
  17. tstadt

    tstadt Newcomer, in training Topic Starter Posts: 37

    Sorry, I didn't see your reply. Here is the file.
    Happy New Year!

  18. tstadt

    tstadt Newcomer, in training Topic Starter Posts: 37

    Not sure if previous attachment was correct so I am attaching this file

  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Download Autoruns for Windows: http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx
    No installation required.
    Simply unzip Autoruns.zip file, and double click on autoruns.exe file to run the program.
    Go File>Save, and save it as AutoRuns.txt file to a known location.
    You must select Text from drop-down menu as a file type:
    Attach the file to your next reply.
  20. tstadt

    tstadt Newcomer, in training Topic Starter Posts: 37

    File attached

  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Found it. :)

    OTL Fix

    Please run OTL
    • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    • Then click the Run Fix button at the top.
    • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
    • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
      Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)

    Let me know if it pops up on reboot, please. :)
  22. tstadt

    tstadt Newcomer, in training Topic Starter Posts: 37

    Thank you, that got rid of the MRI_DISABLED. Now we are back to the original problem.

    All processes killed
    ========== FILES ==========
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MRI_DISABLED folder moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: AdministratorTB

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: User

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 36890 bytes
    RecycleBin emptied: 139264 bytes

    Total Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 01022013_153911

    Files\Folders moved on Reboot...

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
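    The OTL fix logs in posts 4, 13 and 22 all share one layout: `========== SECTION ==========` headers, one action line per registry key or file with its outcome ("deleted successfully", "moved successfully", "not found", "value set successfully"), and an `[EMPTYTEMP]` block under COMMANDS reporting bytes freed. When reviewing several such logs it helps to reduce each one to counts per outcome, so that a fix whose every line came back "not found" is noticed at once. The following is an added example, not OTL's own code or a log from this thread: a parser for that layout over a constructed sample log that uses placeholder key and folder names in the same shape as the ones posted above.

```python
"""Added example (not OTL's own code): summarise an OTL fix log.

Groups each action line under its '========== SECTION ==========' header,
classifies its outcome (succeeded / not_found / other) and totals the
bytes reported by the [EMPTYTEMP] step. SAMPLE_LOG is a constructed
sample in the layout of the logs posted in this thread; the key and
folder names in it are placeholders, not findings.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""All processes killed
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Example\Toolbar\SAMPLE_KEY\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\ not found.
========== FILES ==========
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SAMPLE_DIR folder moved successfully.
< ipconfig /flushdns /c >
Successfully flushed the DNS Resolver Cache.
C:\Users\Sample\Desktop\cmd.bat deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Sample

%systemdrive% .tmp files removed: 0 bytes
Windows Temp folder emptied: 36890 bytes
RecycleBin emptied: 139264 bytes

Total Files Cleaned = 0.00 mb
"""

SECTION_RE = re.compile(r"^=+ (\w+) =+$")
BYTES_RE = re.compile(r":\s*(\d+) bytes$")
# Outcome label -> phrases an OTL action line ends with for that outcome.
OUTCOMES = (
    ("succeeded", ("deleted successfully", "moved successfully", "set successfully")),
    ("not_found", ("not found",)),
)


def classify(line):
    """Map one action line to 'succeeded', 'not_found' or 'other'."""
    low = line.lower().rstrip(".!")
    for label, markers in OUTCOMES:
        if any(low.endswith(m) for m in markers):
            return label
    return "other"


def parse_otl_log(text):
    """Return {'actions': {section: [(line, outcome), ...]}, 'freed_bytes': {...}}."""
    actions = defaultdict(list)
    freed = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        b = BYTES_RE.search(line)
        if b and section == "COMMANDS":
            # e.g. "Windows Temp folder emptied: 36890 bytes"
            freed[line.split(":")[0].strip()] = int(b.group(1))
            continue
        if section in ("REGISTRY", "FILES", "OTL"):
            actions[section].append((line, classify(line)))
    return {"actions": dict(actions), "freed_bytes": freed}


def summarize(text):
    """Count outcomes across all sections and total the bytes freed."""
    parsed = parse_otl_log(text)
    counts = defaultdict(int)
    for entries in parsed["actions"].values():
        for _, outcome in entries:
            counts[outcome] += 1
    return {"counts": dict(counts),
            "total_freed": sum(parsed["freed_bytes"].values())}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The `other` bucket catches lines such as the `ipconfig /flushdns` output that are not key or file actions; if a real log puts most of its lines there, the parser's marker list needs extending rather than the lines being ignored.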
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please explain in detail any other issues.

    I'll be out for the remainder of the day. Got an anniversary dinner to go to. Be back in the morning (ET). :)
  24. tstadt

    tstadt Newcomer, in training Topic Starter Posts: 37

    In Normal Mode all original problems continue to exist. If I try to run any programs such as Malwarebytes, RogueKiller, TuneUp Utilities etc. it comes back with program not found. System Restore not working. The Volume Shadow Copy Service not working.

    Enjoy your dinner. Tomorrow I will be back at work during the day and will be out in the evening. I won't be able to act on anything until late.
  25. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    • Please download VEW by Vino Rosso from here and save it to your desktop
    • Double click it to start it. Note: If running Windows Vista or Windows 7 you will need to right click the file and select Run as administrator and click Continue or Allow at the User Account Control Prompt.
    • Click the check boxes next to Application and System located under Select log to query on the upper left
    • Under Select type to list on the right click the boxes next to Error and Warning. Note: If running Windows Vista or Windows 7 also click the box next to Critical (not XP).
    • Under Number or date of events select Number of events and type 20 in the box next to 1 to 20 and click Run
    • Once it finishes it will display a log file in notepad
    • Please copy and paste its entire contents into your next reply