Hi ChellePow, welcome to the forum.
To make cleaning this machine easier- Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs. - Please do not run any scans other than those requested
- Please follow all instructions in the order posted
- All logs/reports, etc.. must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
- Do not attach any logs/reports, etc.. unless specifically requested to do so.
- If you have problems with or do not understand the instructions, Please ask before continuing.
- Please stay with this thread until given the All Clear. A absence of symptoms does not mean a clean machine.
The original desktop is mostly there, just what ever was on it hidden by the malware. We can transfer the tool along with a notepad to the infected computer witha usb device such as a flashdrive.
On the working computer.
Download OTL a and save it to your usb device.
Rename OTL.exe to iexplore.exe
Next
Open a new Notepad session - Click the Start button, click run
- in the run box type notepad
- click ok
- In the notepad, Click "Format" and be certain that Word Wrap is not checked.
- Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
Code:
netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.līk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
%USERPROFILE%\..|smtmp;true;true;true /FP
%temp%\smtmp\*.* /s
/md5start
iexplore.*
explorer.*
winlogon.*
dll
zx.dll
hlp.dat
consrv.dll
/md5stop
In the notepad - Click File, Save as..., and set the Save in to your [b[usb device[/b]
- In the filename box, type (including quotation marks) as the filename: "scan.txt"
- Click save
On the sick computer
- transfer both scan.txt and OTL(remaned to iexplore.exe) to the desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Click on Minimal Output at the top
- Double click inside the Custom Scan box at the bottom
- A window will appear saying "Click OK to load a custom scan from a file or Cancel to cancel"
- Click the OK button and navigate to the file scan.txt which you just saved to your desktop
- Select scan.txt and click Open. Writing will now appear under the Custom Scan box
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Transfer them to the usb device.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic
System Check virus
