This is a real bad one!!!

Post by Crunchyhippo » November 20th, 2008, 1:43 pm

Ok, I really have a bad one this time!!!

I merely copied and pasted a link into my browser, and my computer immediately shut down and restarted, which immediately sent up red flags to me. Sure enough, I start getting messages "Your computer is infected!" popups, and another icon has appeared on my taskbar that I don't recognize. Also, whatever webpage I try to go to, I get redirected to another site advertising all manner of products. However, the worst thing is that I can't even open other applications on the computer without it crashing!

Worse still, even booting in safe mode/safe mode with networking, no icons appear! Only the "safe mode" words at each corner. I can't even run Hijackthis to diagnose the issue. But even if I could diagnose it, I wouldn't be able to run the cure. The mouse works fine, but there's nothing to click on. This has moved from the realm of "spyware" to "malware/virus" for sure.

Is there another option to explore before I turn to the Geeksquad or a computer repair shop?
Crunchyhippo
Regular Member
 
Posts: 46
Joined: February 5th, 2008, 9:11 am
Location: Florida

Re: This is a real bad one!!!

Post by ndmmxiaomayi » November 25th, 2008, 8:28 am

Hi Crunchyhippo,

Welcome to Malware Removal. :)

Sorry for the delay, the forums are busy lately.

Step 1

Please download DDS from Tech Support Forum and save it to your desktop.

  1. Double click on dds to run it.
  2. When done, DDS.txt will open.
  3. You will receive another prompt after a while. Click Yes at the prompt. It will take another few minutes to scan.
  4. When done, Attach.txt will open.
  5. Please attach Attach.txt to this topic by scrolling down to Upload attachment and clicking on Browse.... Please also copy and paste the contents of DDS.txt in your next reply.

An image for attaching files is below for your reference.

Image

Step 2

Please download gmer.zip from Gmer and save it to your desktop.

  1. Right click on gmer.zip and select Extract All....
  2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  3. Click on the Browse button. Click on Desktop. Then click OK.
  4. Click Next. It will start extracting.
  5. Once done, check (tick) the Show extracted files box and click Finish.

Double click on gmer.exe to run it. It will start running a scan. If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.

  • When done, you may receive another notice. Click OK.
  • Click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.

If you receive no notice, click on the Scan button.

  • It will start scanning again.
  • When done, click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.

Note: Do not run any programs while Gmer is running.

In your next reply, please post:

  1. DDS.txt
  2. Attach.txt (attach it to this topic)
  3. Gmer.txt
ndmmxiaomayi
MRU Emeritus
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: This is a real bad one!!!

Post by Crunchyhippo » November 25th, 2008, 12:18 pm

I can't run any application to scan since I can't get any application to run, including the "Start" button nor any desktop icons. I get a totally black screen after the computer is fully booted - even in Safe Mode.

I will probably have to get my desktop HD to boot off a secondary computer so I can access it (which may take a day), unless you have another suggestion. Thanks.
Crunchyhippo
Regular Member
 
Posts: 46
Joined: February 5th, 2008, 9:11 am
Location: Florida

Re: This is a real bad one!!!

Post by ndmmxiaomayi » November 25th, 2008, 12:37 pm

Hmm... a black screen.

Did you manage to get to the log in screen? (if there's any)
ndmmxiaomayi
MRU Emeritus
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: This is a real bad one!!!

Post by Crunchyhippo » November 25th, 2008, 1:56 pm

Huh. Well, the computer's been sitting off for several days now. I just turned it back on and it booted up like normal. I'm not about to try and go online, though. That's when all my troubles began.

Let me try your aforementioned recommendations and see what happens.
Crunchyhippo
Regular Member
 
Posts: 46
Joined: February 5th, 2008, 9:11 am
Location: Florida

Re: This is a real bad one!!!

Post by Crunchyhippo » November 25th, 2008, 2:08 pm

Ok, I managed to download gmer.zip to a flash drive and copy it to my desktop on my infected computer. However, when I click the extracted .exe icon, nothing will open. I also tried to open my Hijackthis program to run a scan, and that also won't open. As a test I tried to open Wordpad, and it opened fine. I also noticed that when I right-clicked the program and could see the "Run Zonealarm Antivirus" option (my antivirus program), it's dimmed out, though I never disabled it.

It almost sounds like this infection won't let me run any diagnostic program which will get rid of it, doesn't it?
Last edited by Crunchyhippo on November 25th, 2008, 2:22 pm, edited 1 time in total.
Crunchyhippo
Regular Member
 
Posts: 46
Joined: February 5th, 2008, 9:11 am
Location: Florida

Re: This is a real bad one!!!

Post by ndmmxiaomayi » November 25th, 2008, 2:10 pm

Is DDS working?
ndmmxiaomayi
MRU Emeritus
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: This is a real bad one!!!

Post by Crunchyhippo » November 25th, 2008, 2:34 pm

I couldn't get gmer.exe to open on my infected computer.

However, I was able to run the other that you requested. I am uploading those two log files.

I don't know if DDS is working or not. It opened fine on my flash drive and extracted to my infected computer. It just won't open, nor will Hijackthis or ZoneAlarm. I might add that Zonealarm is running and turned on. It never detected this new infection.
Crunchyhippo
Regular Member
 
Posts: 46
Joined: February 5th, 2008, 9:11 am
Location: Florida

Re: This is a real bad one!!!

Post by ndmmxiaomayi » November 26th, 2008, 8:31 am

Hi Crunchyhippo,

It's all right for now if HijackThis can't run. I've already gotten some of the necessary info needed via the logs you provided.

Please download Combofix from one of these locations. You must rename it before clicking on the Save button.

Link 1
Link 2
Link 3

Image


Image

Save it to your desktop.

  • Double click on Combo-Fix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will see the following message if Microsoft Windows Recovery Console is not installed.

    Image

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image


Click on Yes to continue scanning for malware.

When finished, a log will be produced. Please post this log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.
ndmmxiaomayi
MRU Emeritus
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: This is a real bad one!!!

Post by Crunchyhippo » November 27th, 2008, 12:57 pm

I ran Combofix and it produced a log file, after finding some items. I'm posting it here.
Crunchyhippo
Regular Member
 
Posts: 46
Joined: February 5th, 2008, 9:11 am
Location: Florida

Re: This is a real bad one!!!

Post by ndmmxiaomayi » November 29th, 2008, 2:07 am

Hi Crunchyhippo,

Please open Notepad and copy and paste the following in the Code box into Notepad:

Code:
http://malwareremoval.com/forum/viewtopic.php?f=11&t=36724

Collect::
c:\documents and settings\jeffrey\Application Data\jale.pif
c:\program files\Common Files\casutapeti.inf
c:\documents and settings\All Users\Application Data\rorocesok.com
c:\documents and settings\jeffrey\Application Data\urime.pif
c:\documents and settings\jeffrey\Application Data\ulyqyt.sys

Suspect::
c:\program files\Realplayer.exe
c:\program files\Realplayer7.exe
C:\program files\Backup-Wizard.exe

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"New Value #1"=-

Folder::
c:\program files\ErrorSmart

File::
c:\windows\Tasks\ErrorSmart Scheduled Scan.job


Warning: The above script is just for Crunchyhippo. If you are not Crunchyhippo, please do not use this script as it may damage the workings of your system.

Click on File > Save As....

In the File Name field, copy and paste in CFScript.txt. Do not change the file name.

Click Save.

Referring to the picture below, drag CFScript into Combofix.

Image

Combofix will start running. When done, a log will be produced. Please post this log in your next reply.

In addition, it will prompt you to submit some files for analyzing.

Image

Click OK.

Your web browser (by default it's Internet Explorer) will open.

Please refer to the image below to submit the file for analysis.

http://i35.photobucket.com/albums/d165/ndmmxiaomayi/mayi/submit_CF.gif

Do not mouse click on Combofix while it is running. That may cause it to stall.
ndmmxiaomayi
MRU Emeritus
Posts: 9708
Joined: July 17th, 2006, 9:22 am
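
The script in the post above lists its entries under headings that end in `::`. The following Python is an added example, not part of the thread and not ComboFix code: it reads that layout into sections so the list can be reviewed, and flags executable-type files that sit in an Application Data folder. The heading and blank-line rules and the extension list are assumptions drawn from how the script looks on this page.

```python
import ntpath
# Script body copied from the post above so the example runs offline.
CFSCRIPT = r"""http://malwareremoval.com/forum/viewtopic.php?f=11&t=36724

Collect::
c:\documents and settings\jeffrey\Application Data\jale.pif
c:\program files\Common Files\casutapeti.inf
c:\documents and settings\All Users\Application Data\rorocesok.com
c:\documents and settings\jeffrey\Application Data\urime.pif
c:\documents and settings\jeffrey\Application Data\ulyqyt.sys

Suspect::
c:\program files\Realplayer.exe
c:\program files\Realplayer7.exe
C:\program files\Backup-Wizard.exe

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"New Value #1"=-

Folder::
c:\program files\ErrorSmart

File::
c:\windows\Tasks\ErrorSmart Scheduled Scan.job
"""
# Assumption: extensions treated here as executable or loadable on Windows.
RISKY_EXT = {".pif", ".com", ".sys", ".exe", ".scr"}

def parse_sections(text):
    """Group lines under each 'Name::' heading; a blank line ends the group."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
        elif line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def flag_profile_binaries(sections):
    """Return (section, path) for executable-type files under Application Data."""
    return [(name, e) for name, entries in sections.items() for e in entries
            if "application data" in e.lower().split("\\")[:-1]
            and ntpath.splitext(e)[1].lower() in RISKY_EXT]
```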

Re: This is a real bad one!!!

Post by Crunchyhippo » November 29th, 2008, 5:01 pm

I will reply as soon as possible - working double shift right now.
Crunchyhippo
Regular Member
 
Posts: 46
Joined: February 5th, 2008, 9:11 am
Location: Florida

Re: This is a real bad one!!!

Post by ndmmxiaomayi » December 1st, 2008, 9:04 am

Okie, no problems. :)
ndmmxiaomayi
MRU Emeritus
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: This is a real bad one!!!

Post by ndmmxiaomayi » December 6th, 2008, 2:53 am

Hi Crunchyhippo,

Are you still working on this?
ndmmxiaomayi
MRU Emeritus
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: This is a real bad one!!!

Post by Gary R » December 10th, 2008, 3:38 am

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire