Hi Steveo4571, welcome to the forum.
To make cleaning this machine easier- Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs. - Please do not run any scans other than those requested
- Please follow all instructions in the order posted
- All logs/reports, etc.. must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
- Do not attach any logs/reports, etc.. unless specifically requested to do so.
- If you have problems with or do not understand the instructions, Please ask before continuing.
- Please stay with this thread until given the All Clear. A absence of symptoms does not mean a clean machine.
Since you are able to post, I'm guessing you have access to another computer.
Do you have a usb storage device such as a flashdrive we can use to transfer some tools to the infected computer?
A blank CD will also work.
If using a USB device please follow these instructions to protect it from infection. No need to do this if you are using a CD.
On the Clean computer
Download Flash_Disinfector.exe by sUBs and save it to your desktop.- attach the USB storage device to the computer.
- Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
- The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
- Wait until it has finished scanning and then exit the program.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
Now for the tools.
Go HERE to get a randomly named copy of GMER. Scroll down to the Download section and click Download EXE. Save it to your desktop.
Next
Download OTL to your desktop.
Next
Open a new Notepad session - Click the Start button, click run
- in the run box type notepad
- click ok
- In the notepad, Click "Format" and be certain that Word Wrap is not checked.
- Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
Code:
netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
In the notepad - Click File, Save as..., and set the Save in to your Desktop
- In the filename box, type (including quotation marks) as the filename: "custom.txt"
- Click save
Transfer the 3 files to the USB storage device or CD.
On the infected computer
- Attach the USB storage device or insert the CD.
- Tranfer the files you saved directly to the infected computer's Desktop
Running GMER
Before scanning with GMER, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
- Double click on the file you downloaded. If asked to allow gmer.sys driver to load, please consent .
- If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
Click the image to enlarge it
- In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop, and post it in your next reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
If GMER will not run in normal windows, please run it in Saffe Mode
Next, running OTL
- Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
- When the window appears, underneath Output at the top change it to Minimal Output
- Check the boxes beside LOP Check and Purity Check.
- In the window under Custom Scans/Fixes copy and paste the text from the custom.txt you saved earlier.
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Transfer the GMER.txt, OTL,txt and Extra.txt to the usb device or CD. Please post them in your next reply .
Thanks