[finnophile]

Infected with virus around 4/25/11, causing a number of issues including (but not limited to) empty folders in start menu (also missing some program folders), trouble downloading windows updates from microsoft's website, search engine redirects, phantom audio files (that play without a browser or media player open), internet explorer script errors and crashing World of Warcraft during log in.

I have run spybot, malwarebytes, House call (Trend Micro), Ad-Aware, AVG 2011, Viprerescue and rkill (with help from a Microsoft agent). Most of the threats were detected and removed (I assume). However, I still have the redirect, windows update and World of Warcraft issues.

I have reached a point where not only I (an intermediate user) can't solve my issues, but reps from Microsoft and Blizzard (WoW's parent company) have also hit the wall.

Stuck,

JM

[Advertisements]

Hello finnophile and welcome to the G2G forum.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:


• Please follow all instructions in the order posted
• Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
• If you don't understand something, please don't hesitate to ask for clarification before proceeding
• The fixes are specific to your problem and should only be used for this issue on this machine.
• Please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!
IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

I will post instructions shortly

Satchfan

[Satchfan]

Hello finnophile and welcome to the G2G forum.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:


• Please follow all instructions in the order posted
• Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
• If you don't understand something, please don't hesitate to ask for clarification before proceeding
• The fixes are specific to your problem and should only be used for this issue on this machine.
• Please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!
IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

I will post instructions shortly

Satchfan

[Satchfan]

Hello again finnophile

IMPORTANT: DO NOT run any programs unless requested or you may not recover your missing programs/files

===================================================

Run Unhide

Download Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

===================================================

Download and run OTL

• Download OTL to your desktop.
• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• When the window appears, underneath Output at the top change it to Minimal Output.
• Check the boxes beside LOP Check and Purity Check.
• Under Custom Scan paste this in
  
  

  
  netsvcs
  drivers32
  %SYSTEMDRIVE%\*.*
  %systemroot%\Fonts\*.com
  %systemroot%\Fonts\*.dll
  %systemroot%\Fonts\*.ini
  %systemroot%\Fonts\*.ini2
  %systemroot%\Fonts\*.exe
  %systemroot%\system32\spool\prtprocs\w32x86\*.*
  %systemroot%\REPAIR\*.bak1
  %systemroot%\REPAIR\*.ini
  %systemroot%\system32\*.jpg
  %systemroot%\*.jpg
  %systemroot%\*.png
  %systemroot%\*.scr
  %systemroot%\*._sy
  %APPDATA%\Adobe\Update\*.*
  %ALLUSERSPROFILE%\Favorites\*.*
  %APPDATA%\Microsoft\*.*
  %PROGRAMFILES%\*.*
  %APPDATA%\Update\*.*
  %systemroot%\*. /mp /s
  CREATERESTOREPOINT
  %systemroot%\System32\config\*.sav
  %PROGRAMFILES%\bak. /s
  %systemroot%\system32\bak. /s
  %ALLUSERSPROFILE%\Start Menu\*.lnk /x
  %systemroot%\system32\config\systemprofile\*.dat /x
  %systemroot%\*.config
  %systemroot%\system32\*.db
  %PROGRAMFILES%\Internet Explorer\*.dat
  %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
  %USERPROFILE%\Desktop\*.exe
  %PROGRAMFILES%\Common Files\*.*
  %systemroot%\*.src
  %systemroot%\install\*.*
  %systemroot%\system32\DLL\*.*
  %systemroot%\system32\HelpFiles\*.*
  %systemroot%\system32\rundll\*.*
  %systemroot%\winn32\*.*
  %systemroot%\Java\*.*
  %systemroot%\system32\test\*.*
  %systemroot%\system32\Rundll32\*.*
  %systemroot%\AppPatch\Custom\*.*
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  

• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
• You may need two posts to fit them both in.

===================================================

Run aswMBR

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan click save log, save it to your desktop and post in your next reply


Logs to include with next post:

OTL.txt
Extras.txt
aswMBR log

Thanks

Satchfan

[finnophile]

Thank you, Satchfan. I will begin the process right away.

JM

[finnophile]

<Run Unhide

Download Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.>
---

After running unhide, another script error hit and shut down windows. Before I could download the next program, Windows was rebooting. I pressed F8 to get to Safe Mode, but it took almost 3 hours for the desktop to appear. I could not access a web browser for another hour and I could not reach your website through my phone. I am concerned that I have watched my computer implode.

Hopefully, this is not the end.

Stuck worse,

JM

[Satchfan]

Hi finnophile

If you can’t download these files, please use a clean computer and download and save them to a removable usb memory stick, CD or DVD.

===================================================

Run RogueKiller

Note: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run roguekiller again

Download RogueKiller to your desktop.

• close all running programs
• for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
• when prompted, type 1 and press Enter
• the RKreport.txt will be generated next to the executable, (on the desktop).
• If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

Remember: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run roguekiller again

===================================================

When you have done that, try following the previous instructions.

If you can’t, post only the RK report

Satchfan

[finnophile]

While roguekiller was running, an error occurred. Roguekiller closed. Somewhere on my hard drive is an error report. It is too late for me to wait another hour for the window that contains the executable file to reappear. I will have to take up this matter again in about 12-16 hours when I return from work.

Exhausted and frustrated,

JM

[Satchfan]

[finnophile]

The process of running roguekiller usually takes about 30-45 minutes. I have run it 5 times and it always stops at the "copy all to quarantine" mark with "Roguekiller by Tigzy has encountered a problem and needs to close. We are sorry for the inconvenience."

[finnophile]

10th attempt for roguekiller. Same results as before.

Please explain the rename to winlogon.exe. Just change the name of the roguekiller file or is it something else?

Thank you,

JM

[Satchfan]

Yes, just change the name. Right-click on it and choose Rename: rename RogueKiller to winlogon.

[finnophile]

"Cannot rename Roguekiller: Files on this CD-ROM drive are read only. You cannot copy or move files over to this CD-ROM drive."

I'm losing my patience.

JM

[Satchfan]

Can you save it/them to a removable usb memory stick?

[finnophile]

no

[Satchfan]

Hi finnophile

Can you tell me why you are running it from a CD instead of from your desktop