Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

My computer is infected. [Solved]


  • This topic is locked This topic is locked

#61
ginnyjoe

ginnyjoe

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts

The items were deleted. Sorry so I could not tell you where they were located but I did notice that they were in quarantine at the time. I ran the FRST fix.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 27-04-2015 01
Ran by Ginette at 2015-04-28 15:19:34 Run:7
Running from C:\Users\Ginette\Desktop
Loaded Profiles: Ginette (Available profiles: Ginette)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
Folder: C:\Program Files (x86)\ESET\ESET Online Scanner\Quarantine
Folder: C:\Windows\Installer\MSIDCD7.tmp-
end
*****************

========================= Folder: C:\Program Files (x86)\ESET\ESET Online Scanner\Quarantine ========================

====== End of Folder: ======

========================= Folder: C:\Windows\Installer\MSIDCD7.tmp- ========================

Directory Not Found

==== End of Fixlog 15:19:34 ====


  • 0

Advertisements


#62
DanoNH

DanoNH

    Trusted Helper

  • Malware Removal
  • 2,153 posts

OK, thank you for the info.  It looks like that last FRST script did not reveal what I was looking for, so one last (hopefully) attempt here...

 

First

 

Display file type extensions, system and hidden files/folders
 

  • Click the Start button, then on Control Panel.
  • Double-click Folder Options.
  • Select the View tab, and in the bottom area, uncheck "Hide extensions for known file types" and "Hide protected operating system files (Recommended)", and select "Show hidden files and folders" .
  • Click on Apply, accept any warnings, and Close the Control Panel.

 

 

Next

 

Open Windows Explorer, and navigate to the following folder, if you can find it:

 

C:\Windows\Installer\MSIDCD7.tmp- (note the ending "-" character)

 

Let me know if you can see/find this folder in particular.  If so, are there any files inside it?  Don't open any of them if so, please just tell me what you see.


  • 0

#63
ginnyjoe

ginnyjoe

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts

When I go windows explorer it opens in Libraries Then I put in what you asked it shows me Fixlog.txt twice.  Maybe I am not doing something right but that is what I see.


  • 0

#64
DanoNH

DanoNH

    Trusted Helper

  • Malware Removal
  • 2,153 posts

When I go windows explorer it opens in Libraries Then I put in what you asked it shows me Fixlog.txt twice.  Maybe I am not doing something right but that is what I see.

No problem.  It sounds like you are using the search feature.  Apparently 2 of my fixlist.txt files have had that line in them... so search works. ;)

 

You are in the Libraries section Windows Explorer, if you scroll down in the left column of Windows Explorer you should see another section labelled Computer.  Select that, then below it, select your C drive, then scroll down and select the Windows folder, scroll again to the Installer folder and select it, and finally look for a folder named MSIDCD7.tmp- (the image below shows an example folder on my system, not the one I need you to find on yours). 

 

Describe to me if you have the MSIDCD7.tmp- folder, and if you do, what appears in the right side pane when you select the MSIDCD7.tmp- folder?

 

Explorer2.png


  • 0

#65
ginnyjoe

ginnyjoe

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts

Yes I found that folder and there are quite a few extensions there.


  • 0

#66
DanoNH

DanoNH

    Trusted Helper

  • Malware Removal
  • 2,153 posts

OK, great!  Can you look for and confirm the existence of both of these files?  Don't try to open them!

 

Please exercise great care in making sure you are in the exact folder name (MSIDCD7.tmp-) shown below and have the exact file names:

 

C:\Windows\Installer\MSIDCD7.tmp-\srpu.dll
C:\Windows\Installer\MSIDCD7.tmp-\Smartbar.Resources.LanguageSettings.resources.dll


  • 0

#67
ginnyjoe

ginnyjoe

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
Yes both those files are in there.
  • 0

#68
DanoNH

DanoNH

    Trusted Helper

  • Malware Removal
  • 2,153 posts

Pesky little varmints indeed. 

 

We need to get rid of them.  Can you try to individually delete only those 2 exact files?

C:\Windows\Installer\MSIDCD7.tmp-\srpu.dll
C:\Windows\Installer\MSIDCD7.tmp-\Smartbar.Resources.LanguageSettings.resources.dll

Let me know the results/outcome please.


  • 0

#69
ginnyjoe

ginnyjoe

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts

I did delete but have not noticed any difference. What am I supposed to be looking for.


  • 0

#70
ginnyjoe

ginnyjoe

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts

For me to get to that MSIDCD7.tmp- I have to go to computer and open C then I must open FRST, quarantine, C , windows, Installer then the MSIDCD7 opens. I hope that was OK as the way you were telling me I was not able to get the Installer but no problem this way.


  • 0

Advertisements


#71
DanoNH

DanoNH

    Trusted Helper

  • Malware Removal
  • 2,153 posts

No, not in the C:\FRST\quarantine folder.  Those are quarantined copies. 

 

You mentioned earlier that you found those files on your hard drive at C:\Windows\Installer\MSIDCD7.tmp- 

 

Were you able to delete those (again, not in the FRST quarantine)?  You won't notice any difference per se, they are malware related and should be eliminated from your system.

 

 

Lets see if we can find them, wherever they are... (even if they're in quarantine).

 

 

Search with FRST
 

  • Right click on FRST/FRST64 on your Desktop and choose Run as Administrator
  • In the search box, copy&paste the following lines:
    srpu.dll
    
    Smartbar.Resources.LanguageSettings.resources.dll
    
    
  • Press Search Files button.
  • It will produce a log called Search.txt in the same directory the tool is run from.
  • Please copy and paste the contents of that log back here.

 

 


  • 0

#72
ginnyjoe

ginnyjoe

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts

Farbar Recovery Scan Tool (x64) Version: 29-04-2015
Ran by Ginette at 2015-04-29 15:50:05
Running from C:\Users\Ginette\Desktop
Boot Mode: Normal

================== Search Files: "srpu.dll

Smartbar.Resources.LanguageSettings.resources.dll" =============

====== End Of Search ======


  • 0

#73
DanoNH

DanoNH

    Trusted Helper

  • Malware Removal
  • 2,153 posts

OK, thanks. 

 

Where exactly did you delete the suspect files from?:

  1. C:\FRST\Quarantine\C\Windows\Installer\MSIDCD7.tmp-
  2. C:\Windows\Installer\MSIDCD7.tmp-
  3. Both 1 & 2

I don't mean to keep going over this, but it's rather important to make sure the bad files are gone.


  • 0

#74
ginnyjoe

ginnyjoe

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts

From 1. I was not able to get the installer the other way. Sorry.


  • 0

#75
DanoNH

DanoNH

    Trusted Helper

  • Malware Removal
  • 2,153 posts

Hello ginnyjoe,

 

No problem at all.  You have done a great job helping me to help you!  :D  Thanks for your patience, and for sticking with this.  The logs didn't have me 100% convinced that your system was clean.  I'm happy with what I see now.

 

Which leads us to the best part of the whole process...

 

 
Congratulations, your logs are clean! :thumbsup:

While all of the below information is important, I'd like you to pay special attention to the CryptoPrevent step.  A large percentage of the malware on your system was present in the C:\Users\Ginnyjoe\AppData\Temp folder, and it just so happens that the CryptoLocker virus (which encrypts all your files for ransom money) likes to hide there too.  I'm a bit surprised you didn't have that infection as well... CryptoPrevent will help protect you from this and other malware which likes to hide in the same place.

 

Now, let's cover some additional steps to clean up your computer and help you avoid getting infected again.

 

Tools Cleanup and Housekeeping

The first thing we need to do is to remove all the tools that we have used. This is so that should you ever be re-infected, you will download updated versions. It will also remove the quarantined Malware from your computer.

Tool Removal

We need to remove the tools we've used during cleaning your machine

  • Download DelFix from here
  • Ensure Remove disinfection tools is ticked
  • Also check these options:
    • Activate UAC
    • Create registry backup
    • Purge system restore
    • Reset System Settings
    delfix_zpsjnkukbim.png
  • Click Run
  • The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply

And delete any logs that you have left over on your desktop.

Now let's take a few preventative measures to reduce the risk of further infections. :cool:


Automatic Updates for Windows 7

Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats, Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Turn ON Automatic Updates in Windows 7


Keep Java Updated

Warning: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser).

If you do need to keep Java then download JavaRa.

  • Run the program and select Remove Java Runtime
  • Uninstall all versions of Java present.
  • Once done then run it again and select Update Java runtime > Download and install Latest version.

javara.JPG


Web Browser security

Most malware is exploiting Internet Explorer's vulnerabilities, with Firefox you will be more secure.

Note: If you are going to use Firefox, I would suggest the use of these add-ons:

  • NoScript - for blocking ads and other potential website attacks.
  • AdBlock Plus - block annoying ads that cost you expensive bandwith, with the added benefit of faster page loading.
  • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling.

Other Program updates

If you use any Adobe software make sure to keep them updated.  Best of all, they are FREE.
Note: Make sure to uncheck the check box labelled "Yes, install McAfee Security Scan Plus - optional", or any other optional "features".

Anti Virus Programs

On to personal Anti Virus programs. One AV is a must have, but never more than one, as this can and will cause conflicts, system slow-downs, and false readings.

If you wish to keep using your current program, always make sure it is up to date and enabled.

Anti Spyware Programs

You already have an excellent preventative program that will help to keep the nasties away - Malwarebytes Anti-Malware.  I would advise running this at least once a month.  If you need to download it again, you can get it from here:

Malwarebytes Anti-Malware


Instant Messengers

Almost done! If you like to use chat, MSN and Yahoo have vulnerabilities that can leave you open to infections. There are however a couple of very good, malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

File/System Cleaners

Finally, it is a good idea to clear out all your temp files every now and again. This will help keep your computer running optimally. It can detect registry errors, missing shortcuts, invalid files, etc. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.

*** CryptoLocker Warning ***
 
CryptoLocker is a particularly nasty infection which is becoming more prevalent...
 
Go here for information about CryptoLocker Ransomware. Learning about what is out there may help you prevent infection. The best protection against this infection is to backup your files often. If you're using an external drive, keep it unplugged from the computer when you're not backing up files or using it. This will prevent the infection from getting to your backed up files if you ever have the frustrating experience of contracting it.
 
It is suggested to Download CryptoPrevent, which is free for home use. It will help prevent CryptoLocker infection.


Further Reading

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this excellent article, originally written by Tony Klein, and updated by SpySentinel.

I will keep this log open for the next couple of days, so if you have any further problems, you can post another reply here.

OK, happy computing, and stay safe! :cool:

Please reply again to this thread to acknowledge you have read my last post.  If you have no further questions, this thread will be closed to prevent others from posting here.

Thanks!


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP