Pasted on pastebin

Great site! I've pasted the autoruns.txt file on:

http://pastebin.com/m29e9cffe

RE: Pasted on pastebin

Boxermad, I looked at your autoruns and see no sign of anything malicious starting up with your computer. Does the problem still exist? Does ESET's Online scanner still find new detections? If it does, could you post the file/location?

I see you had a virus that deletes a key Windows File (breaks some Windows Installs/Updates).
You need to find the file "appmgmts.dll" and restore it from a clean backup. It goes in your %SYSTEMROOT%\System32 folder (Usually C:\Windows\System32).

XP SP2 - File version 5.1.2600.2180
XP SP3 - File version 5.1.2600.5512

I noticed you had run GMER before. When GMER starts up and does its first scan (without you pressing any buttons), does it show any system modifications? If it does (and it should if McAfee is installed), please post GMER's results.

If you have a rootkit, Autoruns may not see the bad file.

Problem still exists

ESET still finds the Win32/Delf.OGB trojan once the system is rebooted. The file location and name is C:\Windows\saa.fqq

Regarding appmgmts.dll, I searched the whole C drive and was not able to find the file. I am not sure I would be able to restore it in any case, since I wouldn't have a backup, or I wouldn't know if the backup I made was clean 😞

As for GMER: this was installed by a McAfee technician who took remote control of the infected computer but was not able to run the file. When I tried executing GMER, the screen blanks out for a second or two and then resets, much in the same way as when I try to run CMD.EXE.

RE: Problem still exists

Do you mind if I contact you via email?

email address

Not at all...my email address is [filtered]

RE: Problem still exists

Dear Secured2K
I am not quite sure how to contact you either. I tried through the Yahoo messenger link, but this all needs to be done from work, which blocks this site. At home I cannot access the forum because of the bug. I tried a Yahoo email address, but it was likely not correct.

I had a technician log on last night and after a few hours he gave up and promised another one would ring tonight. He ran Unhackme and found a few things but said a program was still controlling the computer.

I am running the ESET online scanner this morning, but it was taking hours, so I had to leave for work (to deal with viruses in pigs rather than computers!). If I get a log I will paste it as you suggested for Boxermad.

You are more than welcome to email me to either [filtered] or [filtered] so we can try and get you some useful information.

Possible Fix

Hi WallyWingnut,

Been following this thread for some time now and hope we can fix this.

Try running GMER. This has been tried on some of the cases received in the last fortnight & resolved. Hopefully this should work on your computer too.

Though you tried using it the last time unsuccessfully, as mentioned, try renaming the file gmer.exe to something else, e.g. mine.exe, before executing it. This should let you run it successfully.

http://www.gmer.net/gmer.zip

Run this tool. Don't select 'Show All'.

Scan the computer with this tool. Note for any modifications. Reboot the computer.

Please post with the end result.

Here's a link to my logs

Here's a link to my logs... For convenience, I placed all 3 logs into one text document (MalwareBytes results, ESET results and AutoRuns)...

http://pastebin.com/m732c54fe

Hope I did that correctly...


Out of curiosity, I checked the "eye test" for Conficker, and it was okay...


The MalwareBytes found 2 Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter)
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter)

No other malicious items detected...


ESET found 2 infected files
Win32\PowerReg application a variant of Win32\Delf.OHA Trojan


Windows security center did open after a reboot, but I still could not access McAfee... I have ATT Uverse, and so I got my "McAfee" software through them as part of my ISP package...

I COULD access THIS thread, but I could not log on to post anything (it kept kicking me out to the main index page and asking for name/password)... From work, I don't have problems accessing this thread or McAfee... I could get to the ATT/Security software download page, but I didn't try to download anything... So I am assuming I can reload my McAfee software, if needed (I get an error that pops up saying I need to reinstall McAfee VS)... But I imagine that's just the basic software, and not the definitions...

If I post my email, will it read " my email is [filtered]"? I saw where both Boxermad and Wally Wingnut's read this way... And only authorized people can read it???

If so, I can post my email address...

Thanks...
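As an added triage script (not from this thread or from McAfee), the two checks suggested above can be done in one go: the appmgmts.dll presence and version check from Secured2K's reply, and the two Security Center DisableNotify registry values MalwareBytes flagged in this post. It assumes a Windows host with PowerShell available; the expected file versions are the two quoted earlier in the thread.

```powershell
# Added triage script, not from the thread. Assumes Windows with PowerShell installed.
# Known-good appmgmts.dll versions as quoted in the thread (XP SP2 / XP SP3).
$expected = @{
    'XP SP2' = '5.1.2600.2180'
    'XP SP3' = '5.1.2600.5512'
}

# 1. Is appmgmts.dll present in System32, and does its version match a known XP build?
$dll = Join-Path $env:SYSTEMROOT 'System32\appmgmts.dll'
if (-not (Test-Path $dll)) {
    Write-Output "MISSING: $dll (restore from a clean copy of the same service pack)"
} else {
    # FileVersion on XP looks like "5.1.2600.5512 (xpsp.080413-2111)", so match on the prefix.
    $ver   = (Get-Item $dll).VersionInfo.FileVersion
    $match = $expected.GetEnumerator() | Where-Object { $ver -like "$($_.Value)*" }
    if ($match) { Write-Output "OK: $dll version $ver matches $($match.Key)" }
    else        { Write-Output "CHECK: $dll version '$ver' is not one of the expected XP builds" }
}

# 2. Has Security Center notification been silenced? A value of 1 means the user is
#    no longer warned when antivirus or the firewall is off, which is what MalwareBytes flagged.
$sc    = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$props = Get-ItemProperty -Path $sc -ErrorAction SilentlyContinue
foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify') {
    $val = $props.$name
    if ($val -eq 1) { Write-Output "CHECK: $name = 1 (notifications suppressed)" }
    else            { Write-Output "OK: $name = $val" }
}
```

If the DLL is missing or a DisableNotify value is 1, rerun the script after the cleanup and reboot; the malware in this thread re-created its file on reboot, so a single clean result is not conclusive.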

RE: Here's a link to my logs

I removed the email addresses to protect privacy and to prevent spam.
Moderators can see it and send email to your registered email address.

RE: Here's a link to my logs

Quik66: I see no evidence of unknown/malicious software starting up with your computer in Autoruns. What problems still exist for you currently? It is possible to still be infected with a rootkit (which hides its presence from tools like Autoruns), in which case you should follow the instructions posted above to run GMER.
