Can't remove Win32.Autorun.tmp

**alphabet_soup** · 2010-09-08, 12:06

Hi there

thanks again for your post and assistance

I started running Combo Fix and it asked me if I needed to download the Microsoft Windows Recovery Console, I selected "Yes", then it came up with this message:

So I pressed "OK" and this came up:

I'm not sure how to proceed, have you any idea? Should I re-download Combo Fix?

Cheers

**jmw3** · 2010-09-08, 12:56

Hi

Originally Posted by jmw3

# As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
# Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

No need to re-download, but allow it to install the Recovery Console

**jmw3** · 2010-09-08, 13:08

Sorry... misread what you said.

Yes, delete the copy of ComboFix you have & re-download it. before saving it rename it to commy.exe, then try running it.

**alphabet_soup** · 2010-09-08, 13:55

Hmmm...still didn't work! :(

After pressing OK again when I got the message about the Licence Agreement, this is what came up

Then I pressed "close" and the same error message showed up again.

**jmw3** · 2010-09-08, 14:06

OK... Leave ComboFix for a bit. We'll try & get rid of some the crap that's on your computer to see if it makes any difference.

Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here & save to your desktop.

Double-click mbam-setup.exe & follow the prompts to install the program
At the end, be sure a checkmark is placed next to:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish
If an update is found, it will download and install the latest version
Once the program has loaded, select Perform full scan, then click Scan
When the scan is complete, click OK, then Show Results to view the results
Check all items except items in the C:\System Volume Information folder... then click on Remove Selected
When completed, a log will open in Notepad. Please copy & paste the log back into your next reply
Note:
The log is automatically saved by Malwarebytes' Anti-Malware & can be viewed by clicking the Logs tab

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either & let Malwarebytes' Anti-Malware proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.
If you receive an (Error Loading) error on reboot please reboot a second time . It is normal for this error to occur once & does not need to be reported unless it returns on future reboots.

**alphabet_soup** · 2010-09-08, 14:35

Swell...ok here's the Malwarebytes log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

8/09/2010 10:35:06 PM
mbam-log-2010-09-08 (22-35-06).txt

Scan type: Full scan (C:\|)
Objects scanned: 176360
Time elapsed: 22 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 8
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.pox (Rogue.FixTool) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\pofile (Rogue.FixTool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Miracle (PUP.PerfectOptimizer) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\RECYCLER\S-1-5-21-9624512614-5829467475-673620608-5226\rundll32.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Perfect Optimizer (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Backup (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Backup\Registry (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Backup\Registry\FirstBackup (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Backup\Registry\FullBackup (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Backup\Service (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Backup\Application (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Temp (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.

Files Infected:
C:\RECYCLER\S-1-5-21-9624512614-5829467475-673620608-5226\rundll32.exe (Worm.P2P) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-7356296101-1933998588-915145784-2179\yv8g67.exe (Worm.Autorun.B) -> Delete on reboot.
C:\Program Files\Perfect Optimizer\PerfectOptimizer.ini (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.

**jmw3** · 2010-09-08, 14:48

Hi

OK good. But the Database version you used to run Malwarebytes' Anti-Malware was woefully out of date. The current Database version is 4570 (at the time of this post).

Can you run Malwarebytes' again, ensuring you click the Update tab then Check for Updates before conducting the scan. Then post the log.

Cheers

**alphabet_soup** · 2010-09-09, 06:43

Originally Posted by alphabet_soup

Hmmm...still didn't work! :(

After pressing OK again when I got the message about the Licence Agreement, this is what came up

Then I pressed "close" and the same error message showed up again.

^^^ Unfortunately I'm still getting this error...

**jmw3** · 2010-09-09, 07:28

Hi

Leave ComboFix for the time being.

OTL
Download OTL by Old Timer from Here & save it to your Desktop.

Double click on the icon to run it. Make sure all other windows are closed & to let it run uninterrupted
Click on Minimal Output at the top
Download the following file scan.txt to your Desktop - Click here to download it. You may need to right click on it and select "Save"
Double click inside the Custom Scan box at the bottom
A window will appear saying Click Ok to load a custom scan from a file or Cancel to cancel
Click the OK button and navigate to the file scan.txt which we just saved to your desktop
Select scan.txt & click Open. Writing will now appear under the Custom Scan box
Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long
- When the scan completes, it will open two notepad windows OTL.Txt & Extras.Txt. These are saved in the same location as OTL
- Copy/paste the contents of these files, one at a time & post them in your next reply

To post in next reply:
Contents of OTL.txt
Contents of Extras.txt
These are large logs, so one log per post please

**jmw3** · 2010-09-09, 07:33

What happens if you click Ignore on that message?

Thread: Can't remove Win32.Autorun.tmp

Thread Tools

Display

Hybrid View

Posting Permissions