HJT log 4/17/10

Re: HJT log 4/17/10

Unread postby Cypher » April 22nd, 2010, 2:57 pm

Ok, let's try to get a scan with it first.
Please run through the previous instructions for renaming and running Malwarebytes' Anti-Malware and RSIT only. If successful, post the logs in your next reply.
Cypher
Admin/Teacher
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: HJT log 4/17/10

Unread postby Steve001 » April 23rd, 2010, 7:08 am

This virus is really causing me some headaches. It will sometimes allow me to run MAM. Other times like last night after I got MAB opened again and copied the log to post, the Start button would not work so I was unable to copy the log to make another file for easier access to post.
So far I've been unable to run 525emxb0 completely. The virus will stop and crash the pc if I do. It seems this virus knows what to attack and it seems to attack the programs that are being used most at the time you are using them. I'd really like to hurt the person or persons that thought this virus up. :cussing:
Steve001
Regular Member
 
Posts: 57
Joined: April 17th, 2010, 1:59 pm

Re: HJT log 4/17/10

Unread postby Cypher » April 23rd, 2010, 7:18 am

Hi Steve001.
Ok we need to try a different approach.

Back Up registry with ERUNT

  • Please use the following link and download ERUNT to your desktop. HERE
  • Double Click on the erunt-setup.exe
  • Follow the prompts to install ERUNT
  • Choose language
  • A set up window will pop up. It will ask: Create ERUNT entry in to the Start up folder, answer NO

    Image
  • Backup your registry to the default location

Note: To restore your registry (if needed), go to the folder and start ERDNT.exe


Next.


Disable AVG

  • Open AVG User Interface.
  • Double-click on the Resident Shield.
  • Un-tick the option Resident Shield active.
  • Save the changes.
  • Note: Don't forget to re-enable it after the fix.


Next.

Download and Run ComboFix

  • Please download ComboFix from one of the following links.

    Link 1.

    Link 2.
  • Note: You must rename it before saving it... Rename it: Cypher.com. See images below.

    **IMPORTANT !!! Save ComboFix.exe to your Desktop**

    Image

    Image
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
Image
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper




Logs/Information to Post in your Next Reply

  • ComboFix.txt log
  • Please give me an update on your computer's performance.

Re: HJT log 4/17/10

Unread postby Steve001 » April 23rd, 2010, 9:22 am

We have to use a different approach as I no longer have internet connectivity with that pc.

Btw. This has recently shown up in running processes and when I scan with HJT.
04 HKLM\:\ Run:[KernalFaultCheck]%systemroot\system32\dumprep 0 -k

When something appears that wasn't there before I get suspicious. Do you know what it means?

Re: HJT log 4/17/10

Unread postby Cypher » April 23rd, 2010, 11:10 am

Steve001 wrote: When something appears that wasn't there before I get suspicious. Do you know what it means

Yes, I know what that is, don't worry.
KernelFaultCheck is when your computer has had a crash; it is a part of the Windows error reporting tool.
Can you download ERUNT and ComboFix from a different PC, then install it on the infected one?
You can do this via a flash drive or disc.

Try this first to see if you can get your internet connection back.

  • Please go to Start -> Control Panel, and choose Network Connections.
  • Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.
  • Under the Networking tab double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
  • Click OK twice, and restart your computer.

Re: HJT log 4/17/10

Unread postby Steve001 » April 23rd, 2010, 2:59 pm

Cypher wrote:
Steve001 wrote: When something appears that wasn't there before I get suspicious. Do you know what it means

Yes, I know what that is, don't worry.
KernelFaultCheck is when your computer has had a crash; it is a part of the Windows error reporting tool.
Can you download ERUNT and ComboFix from a different PC, then install it on the infected one?
You can do this via a flash drive or disc.

Try this first to see if you can get your internet connection back.

  • Please go to Start -> Control Panel, and choose Network Connections.
  • Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.
  • Under the Networking tab double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
  • Click OK twice, and restart your computer.


Yes it is a LAN.
I don't show a networking tab after right clicking LAN.
I do show these options:
Create a new connection
Change Windows firewall settings
Disable this device
Rename this connection
Change settings of this device

I'll try to download Erunt and Combo Fix to this pc and try to burn them to a cd

Re: HJT log 4/17/10

Unread postby Cypher » April 23rd, 2010, 3:13 pm

Steve001 wrote: Yes it is a LAN.

Try this.

  • Start Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options.
  • Now click on the Connections tab.
  • Now click on the Lan Settings button.
  • Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN. Then press the OK button to close this screen.
  • Then press the OK button to close the Internet Options screen.

Re: HJT log 4/17/10

Unread postby Steve001 » April 24th, 2010, 1:49 pm

Things seem to go from bad to worse. It now appears the pc will not boot up at all and this showed up
X300XT BIOS P/N 113-A33437-102.
However after the third try it started up fine.

As for internet connectivity that's back on the old pc after trouble shooting with my ISP. That though says nothing about how to re-establish control over one or both browsers; FireFox and IE on the infected pc

Re: HJT log 4/17/10

Unread postby Cypher » April 24th, 2010, 1:57 pm

Hi Steve001.
Did you try my previous instructions for downloading ERUNT and ComboFix, then installing them on the infected PC yet?

Re: HJT log 4/17/10

Unread postby Steve001 » April 24th, 2010, 2:25 pm

Yes, I was able to download them to this Windows 98 pc; however, I've not found out how to burn them to a cd. The infected pc does not have a floppy drive so that's out and this pc does not have a thumb drive so that's not an option either.

Just checked, I still do not have internet access on the infected pc. I recall that I learned some time ago there is a backdoor of sorts that allows you to connect to the internet through the Scientific Calculator. I thought it was a question mark icon that needed to be clicked. I looked, but don't see it.

Ok, I followed the steps outlined previously calling for unchecking Use a proxy server for your LAN. Now I'll see what happens with the infected pc after I plug in the cable modem from this pc and plug it into the infected pc.

Just bear with me on this process, for in order for the modem to connect I must shut off, plug in the modem and turn the pc on [either one] for the modem to connect. Be back shortly.


I did the above. Still no luck


I was able to burn Erunt and Combofix to a cd and install them onto the infected pc.

Thanks for your help Cypher so far. I'll be back later

Re: HJT log 4/17/10

Unread postby Cypher » April 25th, 2010, 6:54 am

Hi Steve001.
Steve001 wrote: I did the above. Still no luck
I was able to burn Erunt and Combofix to a cd and install them onto the infected pc.
Thanks for your help Cypher so far. I'll be back later

You're welcome.
Please don't edit your posts; I don't get email notification of your reply if you do.
Good work getting combofix and Erunt installed on the other PC.

Steve001 wrote: Things seem to go from bad to worse. It now appears the pc will not boot up at all and this showed up
X300XT BIOS P/N 113-A33437-102.

Researching this suggests it's either a problem with your motherboard or a memory problem.
Have you updated or changed RAM recently?

Ok, follow the instructions I posted Here for running ERUNT and Combofix, then post the requested logs.

Re: HJT log 4/17/10

Unread postby Steve001 » April 25th, 2010, 10:37 am

This pc has two users; do I need to check mark the box reading Other user registries? When using Erunt, is this the default folder designation C:\WINDOWS\ERDNT\4-25-2010?

Re: HJT log 4/17/10

Unread postby Steve001 » April 25th, 2010, 10:56 am

I didn't see any prompts when installing ERUNT so it did install in the Start up Folder. I forget though how to remove it from there.

Re: HJT log 4/17/10

Unread postby Steve001 » April 25th, 2010, 11:17 am

Cypher wrote: Researching this suggests it's either a problem with your motherboard or a memory problem.
Have you updated or changed RAM recently?


No, and never in the past either.

Re: HJT log 4/17/10

Unread postby Cypher » April 25th, 2010, 12:21 pm

Hi Steve001.
Steve001 wrote: I didn't see any prompts when installing ERUNT so it did install in the Start up Folder.

When you install ERUNT you will see a popup asking Create ERUNT entry in to the Start up folder, answer NO
Delete ERUNT then install it again.
Go to C:\Program Files\ERUNT << Delete this.

Steve001 wrote: This pc has two users do I need to check mark the box reading Other user registries

Just leave it at the default setting at that point.