
Screen locked; Bogus Police want £100 !



#16
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,800 posts
  • MVP
Your logs look good. Check your documents and your pictures and make sure they are OK.
  • 0



#17
DragonFromWales

DragonFromWales

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Hi. The Documents and Settings folder is locked.

There is a second Program Files on Drive C called Program Files (x86). And a third called Program Data.



But all programs seem to open nicely.
  • 0

#18
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,800 posts
  • MVP
Not sure what you mean by "The Documents and Settings folder is locked."

You should have a Libraries Folder under Desktop and under that should be folders for Documents, Music, Video and Pictures. Click on Documents and you should see My Documents and Public Documents. (You will sometimes see shortcuts which when you click on them say access denied. This is normal in Win 7.)

Are you able to open old documents and pictures?
  • 0

#19
DragonFromWales

DragonFromWales

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Hi. Yes, I can open / see photos etc. The Documents file has an icon of a lock on it, and I'm unable to double click on it.

Secondly, I have opened my Security Essentials window and I can see that it spotted three trojan horses a few days ago (23/05/2012). I thought maybe these may be relevant, maybe not. They are: Win64/Sirfef.Y, Medfos.A and Sirfef.P

My Malwarebytes is still stopping something from happening: "Successfully blocked access to a potentially harmful website: 66.150.14.111 Type:Outgoing."

Thanks for your help, so far.
  • 0

#20
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,800 posts
  • MVP
Use IE and go to http://eset.com/onlinescan and click on ESET online Scanner. Accept the terms then press Start (If you get a warning from your browser tell it you want to run it).

1. Check Scan Archives.
2. Push the Start button.
3. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
4. When the scan completes, push LIST OF THREATS FOUND.
5. Push EXPORT TO TEXT FILE, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
6. Push the BACK button.
7. Push Finish.
8. Once the scan is completed, you may close the window.
9. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log as a reply.


Let's also try the bitdefender quickscan.

http://quickscan.bitdefender.com/

When it finishes there is a report option. Click on it and copy and paste the report (even if it says nothing found).
  • 0

#21
DragonFromWales

DragonFromWales

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
eset log:

C:\Program Files (x86)\Windows iLivid Toolbar\del_DM_DLL_73.dll Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Program Files (x86)\Windows iLivid Toolbar\del_DM_EXE_47.dll Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Program Files (x86)\Windows iLivid Toolbar\del_IEBHO_65.dll Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\BrowserConnection.dll Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\datamngr.dll Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\datamngrUI.exe Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\DnsBHO.dll Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\IEBHO.dll Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\PROGRA~2\SEARCH~1\Datamngr\BrowserConnection.dll.vir Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\PROGRA~2\SEARCH~1\Datamngr\datamngr.dll.vir Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\PROGRA~2\SEARCH~1\Datamngr\datamngrUI.exe.vir a variant of Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\PROGRA~2\SEARCH~1\Datamngr\DnsBHO.dll.vir Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll.vir Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Erin\AppData\Roaming\xkpoe\start.exe.vir
  • 0

#22
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,800 posts
  • MVP
Were you able to run the BitDefender scan? It usually only takes a minute.

Is MBAM still complaining about the 66.150.14.111 connection? If so run OTL again, Quickscan and post the log.

Download SubInACL.exe

http://www.microsoft...&displaylang=en

By default it installs the tool in C:\Program Files\Windows Resource Kits\Tools\

Please allow it to do so.


Download and save the attached file, reset.zip, right click on it and Extract All, and copy the reset.cmd file to C:\Program Files\Windows Resource Kits\Tools\.
Start, Run, cmd, OK. Type with an Enter after each line:

cd  "\Program Files\Windows Resource Kits\Tools"

reset.cmd


Copy the next line:

dir /a /s "%USERPROFILE%\Documents" > \junk.txt

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Right click and Paste or Edit then Paste and the copied line should appear.

then type:

notepad  \junk.txt

Copy and paste the text from Notepad to your next reply. If the file is too big then attach it.
  • 0

#23
DragonFromWales

DragonFromWales

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
bitdefender logs:

Scan time:00:04:56 Files per second:4 Skipped items:0 Password-protected items:0 Over-compressed items:0 Scanned archives:0 Input-output errors:0 Scanned boot sectors:0 Scanned processes:0 Infected processes:0 Scanned registry keys:0 Infected registry keys:0 Scanned cookies:0 Infected cookies:0


Is MBAM still complaining about the 66.150.14.111 connection? No. Well done and thanks!

Re:
cd "\Program Files\Windows Resource Kits\Tools"
reset.cmd

The default went to Program files (x64), so I copied them to Program Files.

On reset.cmd a message came up: reset.cmd is not recognised as an internal or external command.

Await further instructions.
  • 0

#24
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,800 posts
  • MVP
Most of my scripts are for 32 bit since that's all I have. I expect if it went to Program files (x64) then that's where you should put the reset.cmd => \Program files (x64)\Windows Resource Kits\Tools and then you should use this command instead of the other one:

cd "\Program files (x64)\Windows Resource Kits\Tools"

reset.cmd
  • 0

#25
DragonFromWales

DragonFromWales

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
I can't locate it! Sorry.
  • 0



#26
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,800 posts
  • MVP
Let's see if we can see what is going on with the Documents folder.

Can you right click on it and select Properties?

If so click on Restore Defaults if the option is available. If the option for Security is available then click on it and then on Advanced then on Owner. You should be the current owner. If not then Change Owner to: yourself. Then OK. Make sure that you have full control checked in the bottom panel.


Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after each line:

cd  \

dir  /a  /s  *documents*  >  \junk.txt

(this will take a few minutes to finish)

notepad  \junk.txt

Copy and paste the text from notepad into a reply.
  • 0

#27
DragonFromWales

DragonFromWales

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Eureka!

Volume in drive C is Local Disk
Volume Serial Number is C4E5-30AA

Directory of C:\

14/07/2009 06:08 <JUNCTION> Documents and Settings [C:\Users]
0 File(s) 0 bytes

Directory of C:\Program Files\Bitdefender\Bitdefender 2012\Skin\images\common

14/10/2011 23:59 874 is_icon_documents.png
1 File(s) 874 bytes

Directory of C:\ProgramData

14/07/2009 06:08 <JUNCTION> Documents [C:\Users\Public\Documents]
0 File(s) 0 bytes

Directory of C:\Qoobox\Quarantine\C\Users\Erin

24/05/2012 10:05 <DIR> Documents
0 File(s) 0 bytes

Directory of C:\Users\All Users

14/07/2009 06:08 <JUNCTION> Documents [C:\Users\Public\Documents]
0 File(s) 0 bytes

Directory of C:\Users\Default

14/07/2009 06:08 <DIR> Documents
14/07/2009 06:08 <JUNCTION> My Documents [C:\Users\Default\Documents]
0 File(s) 0 bytes

Directory of C:\Users\Erin

24/05/2012 10:05 <DIR> Documents
09/10/2011 14:05 <JUNCTION> My Documents [C:\Users\Erin\Documents]
0 File(s) 0 bytes

Directory of C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Libraries

21/02/2012 17:58 8,097 Documents.library-ms
1 File(s) 8,097 bytes

Directory of C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Recent

11/05/2012 21:11 586 Documents.lnk
1 File(s) 586 bytes

Directory of C:\Users\Erin\AppData\Roaming\Microsoft\Windows\SendTo

09/10/2011 14:12 0 Documents.mydocs
1 File(s) 0 bytes

Directory of C:\Users\Public

06/07/2011 09:14 <DIR> Documents
0 File(s) 0 bytes

Directory of C:\Windows\ServiceProfiles\LocalService

14/07/2009 05:45 <DIR> Documents
0 File(s) 0 bytes

Directory of C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host

11/11/2011 16:29 <DIR> Description Documents
0 File(s) 0 bytes

Directory of C:\Windows\ServiceProfiles\NetworkService

14/07/2009 05:45 <DIR> Documents
0 File(s) 0 bytes

Directory of C:\Windows\System32\migwiz\PostMigRes\Web\base_images

10/06/2009 22:05 1,154 Documents.gif
1 File(s) 1,154 bytes

Directory of C:\Windows\System32\wdi\perftrack

13/07/2009 21:53 13,013 Microsoft-Windows-Documents-Events.ptxml
1 File(s) 13,013 bytes

Directory of C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images

10/06/2009 22:43 1,154 Documents.gif
1 File(s) 1,154 bytes

Directory of C:\Windows\winsxs

14/07/2009 04:20 <DIR> amd64_microsoft-windows-documents-performance_31bf3856ad364e35_6.1.7600.16385_none_3cdadc249cb267a4
0 File(s) 0 bytes

Directory of C:\Windows\winsxs\amd64_microsoft-windows-documents-performance_31bf3856ad364e35_6.1.7600.16385_none_3cdadc249cb267a4

13/07/2009 21:53 13,013 Microsoft-Windows-Documents-Events.ptxml
1 File(s) 13,013 bytes

Directory of C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c

10/06/2009 22:05 1,154 Documents.gif
1 File(s) 1,154 bytes

Directory of C:\Windows\winsxs\Manifests

14/07/2009 03:27 108,322 amd64_microsoft-windows-documents-performance_31bf3856ad364e35_6.1.7600.16385_none_3cdadc249cb267a4.manifest
1 File(s) 108,322 bytes

Directory of C:\Windows\winsxs\wow64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_22f5c6aadf559287

10/06/2009 22:43 1,154 Documents.gif
1 File(s) 1,154 bytes

Total Files Listed:
11 File(s) 148,521 bytes
13 Dir(s) 405,433,692,160 bytes free
  • 0
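
Added example, not part of the thread or any poster's code: a small parser for `dir /a /s` output like the listing above that separates `<JUNCTION>` entries (the Windows 7 compatibility links that show a lock overlay and refuse to open, as post #18 describes) from real `<DIR>` folders. The function names are hypothetical, the sample lines are constructed in the listing's format, and the dd/mm/yyyy 24-hour timestamp layout is assumed from the posted output.

```python
import ntpath
import re

# Constructed sample in the format of the `dir /a /s *documents*` listing above.
SAMPLE = """\
 Directory of C:\\

14/07/2009  06:08    <JUNCTION>     Documents and Settings [C:\\Users]
               0 File(s)              0 bytes

 Directory of C:\\Users\\Erin

24/05/2012  10:05    <DIR>          Documents
09/10/2011  14:05    <JUNCTION>     My Documents [C:\\Users\\Erin\\Documents]
               0 File(s)              0 bytes
"""

# Assumption: dd/mm/yyyy dates and 24-hour times, as in the posted listing.
DIR_HEADER = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
ENTRY = re.compile(
    r"^\s*\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+"
    r"<(?P<kind>DIR|JUNCTION|SYMLINKD|SYMLINK)>\s+(?P<rest>.+?)\s*$"
)
TARGET = re.compile(r"^(?P<name>.+?)\s+\[(?P<target>.*)\]$")

def parse_dir_listing(text):
    """Return one dict per directory-like entry: full path, kind, link target."""
    entries, parent = [], None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            parent = header.group("path")
            continue
        m = ENTRY.match(line)
        if not m or parent is None:
            continue  # plain files, totals and blank lines are ignored
        kind, name, target = m.group("kind"), m.group("rest"), None
        link = TARGET.match(name) if kind != "DIR" else None
        if link:  # reparse points print their target in [brackets]
            name, target = link.group("name"), link.group("target")
        entries.append({"path": ntpath.join(parent, name), "kind": kind, "target": target})
    return entries

def reparse_points(text):
    """Map each junction/symlink path to the folder it actually points at."""
    return {e["path"]: e["target"] for e in parse_dir_listing(text) if e["kind"] != "DIR"}

if __name__ == "__main__":
    for path, target in reparse_points(SAMPLE).items():
        print(f"{path} -> {target}")
```

A folder reported as "locked" that shows up in `reparse_points` is a link to the target listed beside it; the data to check lives in the target, which appears as a `<DIR>` entry.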

#28
DragonFromWales

DragonFromWales

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Are you waiting for me?
  • 0

#29
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,800 posts
  • MVP
Sorry, lost your reply and then was on a trip to a place without Internet.

Did you do this:

Can you right click on it and select Properties?

If so click on Restore Defaults if the option is available. If the option for Security is available then click on it and then on Advanced then on Owner. You should be the current owner. If not then Change Owner to: yourself. Then OK. Make sure that you have full control checked in the bottom panel.


What happens?
  • 0





