[wayneman50]

Dr Web found a virus c:\users\wayne\appdata\local\temp\tool.nircmd.1. My choices are
Cure:
delete incurable
rename incurable
move incurable

And now I clicked on Move to see what options I got and it moved it. Action is "Moved". I didn't mean it to do that. What do I do now?

[Advertisements]

It's OK. Is Dr.Web finished with the scan? I presume that this was express scan. Now check the Complete scan and click on green arrow to start it.

[Render]

It's OK. Is Dr.Web finished with the scan? I presume that this was express scan. Now check the Complete scan and click on green arrow to start it.

[wayneman50]

Complete scan is done. There appears to be one virus: $ROZUPO3.exe

Archive contains infected objects
Move?
Yes to all
yes
no
no to all

I pick Yes To All, right?

[Render]

Hi,

Yes, you did the right thing. How is your computer running right now? Any problems? You still can't install updates?

Edited by Render, 02 February 2011 - 05:38 PM.

[wayneman50]

I thought it did the complete scan. It looks like it's still scanning. I now have a message "OTL.exe - infected with Trojan.Siggen2.16874. Cure?"

[Render]

This is strange. Yes, just cure it. When finished we will try with another tool.

[wayneman50]

OK. This scanner seems to be stopping every time it finds a problem, unlike all other scanners I've used which give all the problems to you at the end. Do you want me to ask you about each problem as it comes up?

[Render]

Hi,

No, I recommend you to just abort scan, close Dr.Web and shut down you computer. Things not looking good. I'm suspecting file infector but I have to consolidate with my teacher first. I will be back to you at around 9PM (CET - Central European Time) with further instructions.

[wayneman50]

I just got the PC. I don't have anything on it I need to save. I don't mind doing a system recovery.

Another piece of info - I am writing to you from my work laptop, which is using the same internet connection. If this laptop is infected, which it may be, could malicious software be crossing over the internet connection? I can have the desktop guys at work reformat the disc.

[Render]

I think that you got infected from your USB stick. So, if you don't have any important data on this PC I would recommend you format and re-install. Also check this USB stick with some anti-virus program.

If this laptop is infected, which it may be, could malicious software be crossing over the internet connection?

Everything is possible. Are you using anti-virus on this laptop? Are you experiencing some problems, strange behavior etc on that laptop? We should check it also.

So, on your laptop please follow the steps below:

Step 1

OTL Default Scan

• Download OTL to your desktop.
• Double click on the icon to run it.
• Make sure all other windows are closed and to let it run uninterrupted.
• When the window appears, underneath Output at the top, make sure Stadard output is selected.
• Under the Extra Registry section, check Use SafeList
• Download the following file scan.txt to your Desktop. Click here to download it. You may need to right click on it and select "Save"
• Double click inside the Custom Scan box at the bottom
• A window will appear saying "Click Ok to load a custom scan from a file or Cancel to cancel"
• Click the Ok button and navigate to the file scan.txt which we just saved to your desktop
• Select scan.txt and click Open. Writing will now appear under the Custom Scan box
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic

Step 2

GMER Rootkit Scanner

• Download GMER from HERE.
• Extract the contents of zipped file to your desktop.
• Double click GMER.exe.
  
  
• If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
• In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
• IAT/EAT
• Drives/Partition other than Systemdrive (typically C:\)
• Show All (don't miss this one)

NOTE - Not all of the tick boxes will be available if you are running a 64bit Operating System. You may also get an error message display on the screen when using a 64bit Operating System, this is normal, just click on OK and let it carry on.

• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
• Save the log where you can easily find it, such as your desktop.
• Please copy and paste the report into your Post.

Caution - Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

When completed the above, please post back the following in the order asked for:

• OTL.txt and Extras.txt logs
  
• GMER log (ark.txt)
  

[wayneman50]

I never attached any external storage devices to my desktop. I guess something crossed over the internet then. I have been observing safe internet practice - no porn, no games. I also haven't done any downloads except the stuff that geekstogo has told me to do. I'll get back to you. Thanks for all your help so far.

Is there any malware that can hide if I do a system recovery done from recovery discs?

[Render]

Hi,

It's important to format all partitions before system recovery. Where did you got those system recovery disks?

If you need further assistance I'm here to help you.

[wayneman50]

I made them from my desktop after I had already dealt with some infections. Not good? I've already done one "System Recovery from disc" a few weeks ago. I don't know if I'm getting reinfected from those discs or from my work laptop. If you think there might be a problem with the discs, HP will ship me recovery discs for a $15 shipping fee. It takes about a week for them to arrive.

Thanks for your continued support.

[Essexboy]

Hi Render will be away for a few days - so I will take over

For the windows update problems go to the fixit page here and run the Fixit which is a big button about halfway down the page - let me know if that cures it. Also what other problems are you experiencing at the moment ?

[wayneman50]

I keep trying to upload a wordpad document with screen shots of Windows Update screens (5771 KB). I select the file via Browse, then I click on Attach This File. I keep getting the message Error No file was selected for upload.

The update history shows for the latest entries: one optional and one important update were installed on 2/2/2011. In addition, one optional update was installed on 2/4/2011. The main screen reads "No important updates available", but it does show "2 optional updates are available". It showed "2 optional updates are available" yesterday too. So something's wrong, isn't it? It should have installed all of them, right?