[Essexboy]

Could you run it from safe mode ?

[Advertisements]

I can sure try! lol

[Garrett33]

I can sure try! lol

[Essexboy]

How much RAM do you have on your computer ?

[Garrett33]

448MB of RAM, on a Mobile AMD Sempron, 1.79GHz

Safe mode did not work. It restarted and asked how to start, tried safe mode with networking, didn't start. So I started windows normally.

[Essexboy]

OK Lets try another analysis programme slightly different to the first

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is too large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop

• Close ALL OTHER PROGRAMS.
• Double-click on OTS.exe to start the program.
• Check the box that says Scan All Users
• Under Additional Scans check the following:

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

• Under the Custom Scan box paste this in
  
  
  %SYSTEMDRIVE%\*.exe
  /md5start
  volsnap.*
  explorer.exe
  winlogon.exe
  Userinit.exe
  svchost.exe
  /md5stop
  %systemroot%\*. /mp /s
  hklm\software\clients\startmenuinternet|command /rs
  CREATERESTOREPOINT
  
  
• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

[Garrett33]

It starts scanning then gets to: Scanning HKEY_USERS\a bunch of numbers\Internet Explorer settings, and becomes unresponsive.

[Essexboy]

It looks as though the only way we are going to find out what is wrong is to work outside of windows... Can you burn a programme to a CD ?

Please print these instruction out so that you know what you are doing

Latest version: v3.1.46.0

OTLPENet.exe
MD5=79209302A1AFB2490808DB890A815CED
Size: 127,222,215b / 121.3MB

• Download the attached scan.txt to a USB drive
• Download OTLPENet.exe to your desktop
• Ensure that you have a blank CD in the drive
• Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  
• Reboot your system using the boot CD you just created.
  Note : If you do not know how to set your computer to boot from CD follow the steps here
• As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
  
  
• Your system should now display a Reatogo desktop.
  Note : as you are running from CD it is not exactly speedy
• Double-click on the OTLPE icon.
• Select the Windows folder of the infected drive if it asks for a location
• When asked "Do you wish to load the remote registry", select Yes
• When asked "Do you wish to load remote user profile(s) for scanning", select Yes
• Ensure the box "Automatically Load All Remaining Users" is checked and press OK
• OTL should now start.
• Double click the Custom scans and fixes box
• In the dialogue locate the scan.txt you have on the USB
• Press Run Scan to start the scan.
• When finished, the file will be saved in drive C:\OTL.txt
• Copy this file to your USB drive if you do not have internet connection on this system.
• Right click the file and select send to : select the USB drive.
• Confirm that it has copied to the USB drive by selecting it
• You can backup any files that you wish from this OS
• Please post the contents of the C:\OTL.txt file in your reply.

[Garrett33]

I followed all the steps correctly, but when I got to step 8 there was no OTLPEN.exe. Instead there was OTPLE, so I opened that assuming it was the same thing. Step 10: It did not ask me if I wish to load remote registry. I was asked step 11. Then there was no box to automatically load all remaining users. I just restarted the computer cause I'm afraid of messing something up lol.

[Essexboy]

Continue as you were, there will be slight variations dependant on the system

Run OTLPE and when the log has generated post that here please

[Garrett33]

It started scanning firfoxs settings and became unresponsive. After letting it sit for just a couple of minutes, I tried to restart the computer. Everything froze except for the pointer. I had to hold down the power button to get it off.

[Essexboy]

I think you also have some system problems as well

Could you re-run AVP but just do the second part (the analysis run)
Then attach the zip file

[Garrett33]

Here it is.

Attached Files

•  avptool_sysinfo.zip   125.16KB   115 downloads

[Essexboy]

Not a great deal showing there, I feel your best bet would be to invest in some more RAM

• Re-run AVPTool
• Select the Manual Disinfection tab and press Script execution
  
• Where it states Insert text script in the following box copy the below script and press Run script
  Copy from Begin until End
  
  

  begin
  SetAVZPMStatus(True);
  SetAVZGuardStatus(True);
  SearchRootkit(true, true);
   DeleteFile('C:\Documents and Settings\Administrator\Local Settings\Temp\_uninst_93306840.bat');
   BC_DeleteFile('C:\Documents and Settings\Administrator\Local Settings\Temp\_uninst_93306840.bat');
  BC_ImportDeletedList;
  BC_ImportAll;
  ExecuteSysClean;
  BC_Activate;
  RebootWindows(true);
  end.

  
  
• Your system will reboot on completion, if it does not please do so yourself
• On completion please run another analysis scan and attach the zip file

[Garrett33]

Being an unemployed college student, money is scarce lol. RAM isn't high on my list. This computer isn't actually slow though, it runs videos great, the internet is decent, it does stall sometimes though, and I don't play games on it. But it would definitely be nice.
Its only been freezing up since the virus and running the scans.

It froze on startup. So I turned it off, back on and now it says it found new hardware and wants to install software for "unknown". I just left it open.

Also I started the Automatic scan on accident, and it didn't stop it this time. I stopped it myself since I wasn't instructed to do that scan. I think it's possible now though. I did another manual disinfection scan and opened the report sending folder. There was only one zip file, seems like there should be two, but this one is 1kb smaller so I guess they're different.

Attached Files

•  avptool_sysinfo.zip   124.91KB   106 downloads

[Essexboy]

Actually RAM is quite cheap a 1GB stick comes out at around £8.00 or $15.00 if you go to crucial and run the scanner it will tell you what type and how much

Does it give an indication of what hardware has been found ?