
Thread: Unable to delete Win32.Autorun.tmp

  1. #11 Emeritus-Security Expert (Join Date: Nov 2005; Location: Florida's SpaceCoast; Posts: 15,208)

    Hello,

    Try running GMER in Safe Mode.

    To enter Safe Mode:
    • Go to Start > Shut off your Computer > Restart.
    • As the computer starts to boot up, tap the F8 key somewhat rapidly;
      this will bring up a menu.
    • Use the Up and Down arrow keys to scroll up to Safe Mode.
    • Then press the Enter key on your keyboard.

    Tutorial if you need it: How to boot into Safe Mode.

    If it still won't run, then try this one.

    Please download Rooter Rootkit Detector to your Desktop.
    • Double-click it to start the tool.
    • A Notepad file containing the report will open; it is also found at %systemdrive% (usually C:\Rooter.txt).
    • Post the report for me to see.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  2. #12 Junior Member (Join Date: Sep 2010; Posts: 8)

    Hi,

    Thanks for your reply. I have tried what you suggested: GMER runs without problem when started in Safe Mode. I waited until it had finished, and the generated log is empty (nothing has been found). Outside Safe Mode, it behaves as before: it slows down (while other processes rapidly occupy 100% CPU) and, if I change its priority, it quits the OS with an error message (blue screen, message visible for 1 second, then reboot).

    Regarding Rooter Rootkit Detector, I have followed the indicated steps (with one in addition, namely pressing the Scan button to run the program). You can find the resulting log below.

    Thanks for your comments and help!

    --------------------------------------------------------------------------
    Rooter.exe (v1.0.2) by Eric_71
    .
    SeDebugPrivilege granted successfully ...
    .
    Windows XP . (5.1.2600) Service Pack 3
    [32_bits] - x86 Family 6 Model 15 Stepping 13, GenuineIntel
    .
    [wscsvc] (Security Center) RUNNING (state:4)
    [SharedAccess] RUNNING (state:4)
    Windows Firewall -> Enabled
    .
    Internet Explorer 8.0.6001.18702
    Mozilla Firefox 3.5.13 (en-GB)
    .
    C:\ [Fixed-NTFS] .. ( Total:24 Go - Free:5 Go )
    D:\ [Fixed-NTFS] .. ( Total:9 Go - Free:1 Go )
    E:\ [CD_Rom]
    .
    Scan : 20:37.33
    Path : C:\Documents and Settings\Artem\Bureau\Rooter.exe
    User : Artem ( Administrator -> YES )
    .
    ----------------------\\ Processes
    .
    Locked [System Process] (0)
    ______ System (4)
    ______ \SystemRoot\System32\smss.exe (920)
    ______ \??\C:\WINDOWS\system32\csrss.exe (1288)
    ______ \??\C:\WINDOWS\system32\winlogon.exe (1324)
    ______ C:\WINDOWS\system32\services.exe (1368)
    ______ C:\WINDOWS\system32\lsass.exe (1388)
    ______ C:\WINDOWS\system32\svchost.exe (1552)
    ______ C:\WINDOWS\system32\svchost.exe (1600)
    ______ C:\WINDOWS\System32\svchost.exe (1640)
    ______ C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (1696)
    ______ C:\WINDOWS\system32\svchost.exe (1752)
    ______ C:\WINDOWS\system32\svchost.exe (1876)
    ______ C:\WINDOWS\system32\spoolsv.exe (276)
    ______ C:\WINDOWS\system32\svchost.exe (460)
    ______ C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (752)
    ______ C:\Program Files\Java\jre6\bin\jqs.exe (796)
    ______ C:\WINDOWS\Explorer.EXE (880)
    ______ C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe (492)
    ______ C:\WINDOWS\system32\ctfmon.exe (1100)
    ______ C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (1112)
    ______ C:\Program Files\McAfee\Common Framework\FrameworkService.exe (1140)
    ______ C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (1240)
    ______ C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE (1516)
    ______ C:\WINDOWS\system32\mfevtps.exe (1800)
    ______ C:\WINDOWS\system32\nvsvc32.exe (1824)
    ______ C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (1976)
    ______ C:\Program Files\CyberLink\Shared Files\RichVideo.exe (528)
    ______ C:\WINDOWS\system32\svchost.exe (620)
    ______ C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (748)
    ______ C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe (228)
    ______ C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe (2164)
    ______ C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (2172)
    ______ C:\WINDOWS\RTHDCPL.EXE (2196)
    ______ C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (2208)
    ______ C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (2272)
    ______ C:\WINDOWS\ATK0100\HControl.exe (2288)
    ______ C:\Program Files\McAfee\Common Framework\udaterui.exe (2428)
    ______ C:\Program Files\TOSHIBA\TOSHIBA e-STUDIO Client\GLDocMon.exe (2460)
    ______ C:\Program Files\McAfee\Common Framework\McTray.exe (2516)
    ______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (2588)
    ______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe (2676)
    ______ C:\Program Files\Skype\Phone\Skype.exe (2692)
    ______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe (2744)
    ______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe (2800)
    ______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe (2976)
    ______ C:\WINDOWS\ATK0100\ATKOSD.exe (3068)
    ______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe (3200)
    ______ C:\WINDOWS\system32\wbem\wmiapsrv.exe (1504)
    ______ C:\WINDOWS\System32\alg.exe (1136)
    ______ C:\Program Files\McAfee\VirusScan Enterprise\ShStat.exe (3584)
    ______ C:\Program Files\Mozilla Firefox\firefox.exe (2780)
    ______ C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe (1904)
    ______ C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe (3752)
    ______ C:\Documents and Settings\Artem\Bureau\Rooter.exe (1244)
    .
    ----------------------\\ Device\Harddisk0\
    .
    \Device\Harddisk0 [Sectors : 63 x 512 Bytes]
    .
    ----------------------\\ Scheduled Tasks
    .
    C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\Tasks\desktop.ini
    C:\WINDOWS\Tasks\SA.DAT
    C:\WINDOWS\Tasks\User_Feed_Synchronization-{D7B34122-7D38-4DB9-BA5B-FA6966AD0A11}.job
    .
    ----------------------\\ Registry
    .
    .
    ----------------------\\ Files & Folders
    .
    ----------------------\\ Scan completed at 20:37.48
    .
    C:\Rooter$\Rooter_3.txt - (17/09/2010 | 20:37.49)
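    Added example (not part of the thread and not code from the Rooter tool): a small Python triage helper that reads the Processes section of a Rooter-style report and lists any process whose image path lies under a user-writable directory, which is the first thing a helper checks in a process list like the one above. The embedded report excerpt is constructed in the layout shown in the post, and the list of user-writable directories and the handling of the `\??\` and `\SystemRoot\` prefixes are assumptions based on that layout; on the poster's own log the only hit would be Rooter.exe itself, which is expected because it was run from the Desktop.

```python
import re

# Constructed excerpt in the layout of the Rooter.exe report above (not the poster's full log).
SAMPLE_REPORT = r"""
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (920)
______ \??\C:\WINDOWS\system32\csrss.exe (1288)
______ C:\WINDOWS\system32\services.exe (1368)
______ C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (748)
______ C:\Documents and Settings\Artem\Bureau\Rooter.exe (1244)
.
----------------------\\ Scheduled Tasks
"""

SECTION_HEADER = re.compile(r"^-+\\\\ (.+)$")  # e.g. "------\\ Processes"
PROCESS_LINE = re.compile(r"^(?:Locked|_+)\s+(?P<image>.+?)\s+\((?P<pid>\d+)\)\s*$")

# Assumption: profile and temp directories are the user-writable locations worth a
# second look on an XP-era system; legitimate services rarely run from them.
USER_WRITABLE_PREFIXES = ("c:\\documents and settings\\", "c:\\windows\\temp\\")

def normalise_path(image: str) -> str:
    """Rewrite the NT-style prefixes Rooter shows for early-boot processes."""
    if image.startswith("\\??\\"):
        image = image[4:]
    # Assumption: the system root is C:\WINDOWS, as on the poster's machine.
    return re.sub(r"^\\SystemRoot\\", r"C:\\WINDOWS\\", image, flags=re.IGNORECASE)

def parse_processes(report: str):
    """Return (image_path, pid) pairs taken from the Processes section only."""
    procs, in_section = [], False
    for line in report.splitlines():
        header = SECTION_HEADER.match(line)
        if header:
            in_section = header.group(1).strip() == "Processes"
            continue
        m = PROCESS_LINE.match(line) if in_section else None
        if m:
            procs.append((normalise_path(m.group("image")), int(m.group("pid"))))
    return procs

def flag_user_writable(procs):
    """Keep only processes whose image lives under a user-writable directory."""
    return [(p, pid) for p, pid in procs if p.lower().startswith(USER_WRITABLE_PREFIXES)]

# On the constructed excerpt this flags only Rooter.exe, launched from the user's Desktop.
SUSPECT = flag_user_writable(parse_processes(SAMPLE_REPORT))
```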

  3. #13 Emeritus-Security Expert (Join Date: Nov 2005; Location: Florida's SpaceCoast; Posts: 15,208)

    Looks fine. GMER for some reason won't run on some systems; why, I don't know.

    How are things running now?

  4. #14 Junior Member (Join Date: Sep 2010; Posts: 8)

    Hi Ken,

    All the symptoms of trojan activity have disappeared. Thank you for all your help: you did a really great job! I wonder if there is something I can do to thank you for your help? If yes, just let me know.

    Anyway, it was a pleasure to follow your advice.

  5. #15 Emeritus-Security Expert (Join Date: Nov 2005; Location: Florida's SpaceCoast; Posts: 15,208)

    You're very welcome; glad things are back to normal. If you look up at the top right you will see a Donate button. Any donation, big or small, is used for malware research and to help keep us online, but it's not mandatory.

    Malwarebytes <-- Yours to keep also; check for updates and run a scan now and then.

    Combofix <--- Is not a general cleaning tool; only run it with supervision or you can damage your system.

    • Click START, then RUN.
    • Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
    • When shown the disclaimer, select "2".


    The above procedure will:
    • Delete the following:
      • ComboFix and its associated files and folders.
      • VundoFix backups, if present
      • The C:_OtMoveIt folder, if present
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.

    Now to remove most of the tools that we have used in fixing your machine:
    • Make sure you have an Internet connection.
    • Download OTC to your desktop and run it.
    • A list of tool components used in the cleanup of malware will be downloaded.
    • If your firewall or real-time protection attempts to block OTC from reaching the Internet, please allow the application to do so.
    • Click Yes to begin the cleanup process and remove these components, including this application.
    • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine, choose Yes.

    Keep in mind, if you install some of these programs: only ONE antivirus and only ONE firewall are recommended; more is overkill and can cause you problems. You can install all the spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy, but do not enable the TeaTimer.

    Here are some free programs to install, all free and highly regarded by the fine people in the malware removal community:
    • Spybot Search and Destroy 1.6
      Check for Updates / Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster (recommended), then do not enable the TeaTimer in Spybot Search and Destroy.
    • WinPatrol: keep this fine program activated to block a lot of threats.
    • Spyware Blaster: it will prevent most spyware from ever being installed. No scan to run; just update about once a week and enable all protection.
    • Spyware Guard: it offers real-time protection from spyware installation attempts. Again, no scan to run; just install it and let it do its thing.
    • IE-Spyad
      IE-Spyad places over 6000 web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
    • Firefox 3: it has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.

    Safe Surfin'
    Ken
