
Backup questions

Discussion in 'Virus & Other Malware Removal' started by Justletmepost, Mar 11, 2012.

  1. Justletmepost

    Justletmepost Thread Starter

    Joined:
    Mar 11, 2012
    Messages:
    116
    Sorry if this is in the wrong subforum, I wasn't sure.

    Right now I'm looking into making a complete backup of my HDD before I start trying to sort out a virus (which I'll be posting about once this is done).

    The virus'd computer can't connect to the internet and thus may have trouble installing the imaging software I need, so I was thinking of doing this by way of another computer and a pair of usb drive enclosures, for the virus'd drive and the backup drive. Am I correct in thinking that (with autoplay disabled) the virus couldn't contaminate the other computer running the imaging software?
     
  2. Justletmepost

    Justletmepost Thread Starter

    Joined:
    Mar 11, 2012
    Messages:
    116
    Forgot this in the original post:
    If I use imaging software to "clone" an hdd, then I assume that means the original drive could be physically replaced with the backup drive, rather than needing to run software to "restore" the backup?
     
  3. Justletmepost

    Justletmepost Thread Starter

    Joined:
    Mar 11, 2012
    Messages:
    116
  4. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    32,640
    Hiya and welcome to Tech Support Guy :)

    The only problem with cloning the drive, is that the virus will also be cloned, so you wouldn't be able to use it safely.

    However, do you know which virus you have? Are there any alerts from your virus scanner?

    Can you run the tools in this thread:

    http://forums.techguy.org/virus-other-malware-removal/943214-everyone-must-read-before-posting.html

    And then post the following:

    1. Copy and paste the HijackThis log.
    2. Copy and paste the contents of the DDS.txt file.
    3. Upload as an attachment the Attach.txt file. There is no need to zip it as suggested in the DDS instructions.
    4. Copy and paste the contents of the ark.txt file.

    Regards

    eddie
     
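A small triage helper for the HijackThis log format eddie asks for, added here as an example (not code from the thread, from HijackThis or from Tech Support Guy). It runs a few defender-side checks over sample lines copied from the log posted later in this thread; the checks and their wording are this example's own assumptions, not HijackThis rules.

```python
import re
from dataclasses import dataclass

# Sample HijackThis lines, copied from the log posted in this thread
# (a constructed subset used only to exercise the checks below).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O23 - Service: Apache - Apache Software Foundation - C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\apache\apache.exe
O23 - Service: BGRaSvc - Unknown owner - C:\Program Files\BullGuard Software\BullGuard\support\bgrasvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O23"
    reason: str    # why a human should look at this line
    line: str      # the original log line


# Every HijackThis entry starts with a section code: R0, R1, O2, O4, O23, ...
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Binaries living under a user profile are unusual for a Windows service.
USER_PROFILE_RE = re.compile(r"\\(documents and settings|users)\\", re.IGNORECASE)


def triage_line(line: str):
    """Return a Finding for one log line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    # R0/R1: an IE setting whose value has been emptied (nothing after "=").
    if sec.startswith("R") and body.endswith("="):
        return Finding(sec, "IE setting has an empty value", line)

    # O2: a BHO CLSID still registered although its DLL is gone.
    if sec == "O2" and body.endswith("(no file)"):
        return Finding(sec, "BHO registered without a backing file", line)

    # O4: an autostart given as a bare file name resolves through PATH,
    # so the log alone cannot tell which binary actually runs.
    if sec == "O4" and "] " in body:
        target = body.split("] ", 1)[1].strip().strip('"')
        if target and "\\" not in target:
            return Finding(sec, "Run entry without a full path; verify which binary runs", line)

    # O10: HijackThis could not attribute a Winsock LSP module to a known vendor.
    if sec == "O10" and body.startswith("Unknown file in Winsock LSP"):
        return Finding(sec, "unrecognised Winsock LSP module", line)

    # O15: IE protocol-to-zone defaults differ from the expected mapping.
    if sec == "O15" and "should be" in body:
        return Finding(sec, "IE protocol zone default altered", line)

    # O23: services whose binary is missing or sits under a user profile.
    if sec == "O23":
        path = body.rsplit(" - ", 1)[-1]
        if path.endswith("(file missing)"):
            return Finding(sec, "service points to a missing binary", line)
        if USER_PROFILE_RE.search(path):
            return Finding(sec, "service binary located under a user profile", line)
    return None


def triage(log_text: str):
    """Run triage_line over a whole log and collect the findings in order."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = triage_line(raw)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```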
  5. Justletmepost

    Justletmepost Thread Starter

    Joined:
    Mar 11, 2012
    Messages:
    116
    Originally I was going to post the logs in a new topic, as this one was questions about hard drive backups (which... haven't really been answered) rather than about the virus, but okay. Someone's lent me a computer they were about to reformat anyway, so I did all the backing up via that and I can reformat it when I'm done with all this.

    Now, the full story. (textwall warning!)
    I was infected when the casual gaming site Jayisgames was compromised last week. Given that other people exposed to the same thing have mentioned totally different symptoms from mine, and that the symptoms I have seem unlikely to be caused by a single virus, I suspect that the Jayisgames virus was a trojan or something that downloads other viruses.

    The first symptom was the appearance of "Smart Fortress 2012", one of those fake anti-malwares that prevents you from running any other programs and tries to get you to buy the "full version". The really alarming thing about this one was that it got itself to autostart even in Safe Mode, which I didn't think was even possible. In the end, through my googling I found a site that mentioned a 'full version code' which had been used in previous versions of Smart Fortress. I tried it and it worked, tricking it into thinking I'd bought it, and then I was able to run my antivirus: Bullguard.

    It caught a bunch of things and fixed or quarantined them, except for a running process that it couldn't fix - unprecedentedly, it told me to submit my log to Bullguard Support for instructions.
    I did, and they just told me to boot in safe mode and manually delete the process mentioned in the log: mswsock.dll

    But some googling told me that although there's a virus with this name, it's also the name of a vital Windows process, and my instance of it was in the location that the real process is found (windows\system32\mswsock.dll). After continued correspondence with Bullguard support just resulted in continued unhelpful automated responses (I've since learned they also have a live chat support, which may have been more useful, but if I tried it now I'm sure they'd just tell me this is all my own fault for uninstalling =_=), I uninstalled Bullguard, downloaded AVG, ran that. Didn't help. Uninstalled that, downloaded Avast, ran boot scan. It was a bit overzealous, turning up several things I know for a fact aren't viruses. I left the things I wasn't sure about alone, deleted the things that looked overly suspicious (mainly two files with very long randomized-looking names). Uninstalled Avast... can't remember why.

    Upon restarting, new problems appeared. Internet connection completely broken (browsers, instant messengers, nothing, as if the ethernet cable was unplugged - which it now is), desktop image randomly changed to a basic blue screen, left half of start menu was completely blank, and every folder on HDD turned "hidden". Oh, and my keyboard mappings for " and @ have switched round. I initially thought I must have accidentally deleted some important system files despite my caution, but after google revealing that the hidden folders thing can be caused by a virus, it seems likely I have more infections. Besides, I STILL have Smart Fortress 2012. Although it doesn't seem to be doing anything anymore, and its icon in the start menu 'all programs' list has changed to a generic executable icon, it's still THERE in the start menu... on closer inspection as I type this, it has an Uninstall option that wasn't there before I entered that purchase code. It doesn't seem likely that a virus would consent to being removed, though, so I'm not touching it for now.

    Before I realized the lack of internet is probably due to infection, I acquired and ran winsockpfix. Didn't help.
    At some point after this I did... something... that involved attempting to backup my registry with ERDNT, which is why my dds log mentions a "aaaaaaREGBACKUP_ERONT" (I misread ERDNT at the time) - I deliberately created it for this purpose, although I can't remember why >_>.
    I also tried to use System Restore, which was a total failure. I can restore just fine to points made AFTER the avast scan, so one or more of the restore files must have been deleted, either by the virus or by one of the antivirus...es. Joy.

    At wit's end, found this forum. Eventually managed to make full backup of HDD, then acquired and ran Hijackthis, DDS and GMER. Hijackthis and DDS were fine, but I can't get GMER to run successfully (yes, I have IAT/EAT unchecked, and no, I don't touch the mouse during the scan). The first time (not in safe mode) it seemed to finish the scan, but when I tried to save the gmer log, it said "insufficient system resources" and "cannot access My Docments"; also, I couldn't open any folders or run any programs (not even task manager!) and the tooltip for all folders on the desktop read "folder is empty"... and shortly afterwards, I got a BlueScreen, citing BAD_POOL_CALLER. The second time (in safe mode), didn't even get that far - it bluescreened during the scan, this time with DRIVER_IRQL_NOT_LESS_OR_EQUAL.
    The third time (in safe mode and logged in as admin) it did this again - I wasn't near the computer that time, so I don't know what the error was.

    I should also probably mention that this computer has an...unusual history. After my previous computer's motherboard died, I tried to avoid having to reinstall all my programs by doing a partial Registry Hive transplant. This was unexpectedly successful, so I stuck with it. So if anything about my registry seems particularly baffling, that may be why.

    If you guys can fix this for me, I shall shower you with adoration forever. Or not, whatever's the better incentive. Here follow the logs.

    =============================================
    HIJACK THIS LOG
    =============================================
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 3:22:26 PM, on 3/15/2012
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17106)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AskBarDis\bar\bin\AskService.exe
    C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\Documents and Settings\Finn\Desktop\HiJackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1169214453\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-18 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Default user')
    O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Home Hub\Help\bin\matcli.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\IMJP81K.DLL
    O9 - Extra button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\WINDOWS\system32\IMJP81K.DLL
    O9 - Extra 'Tools' menuitem: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\WINDOWS\system32\IMJP81K.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1231200248818
    O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v6.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apache - Apache Software Foundation - C:\Documents and Settings\Finn\Desktop\FYP NOTES\NETSERVER\bin\stable\apache\apache.exe
    O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
    O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    O23 - Service: BGRaSvc - Unknown owner - C:\Program Files\BullGuard Software\BullGuard\support\bgrasvc.exe (file missing)
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    O23 - Service: RosettaStoneDaemon - Rosetta Stone Ltd. - C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
    --
    End of file - 12504 bytes


    =================================================
    DDS LOG
    =================================================
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26
    Run by Finn at 15:23:36 on 2012-03-15
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AskBarDis\bar\bin\AskService.exe
    C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Documents and Settings\Finn\Desktop\HiJackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Documents and Settings\Finn\Desktop\dds.scr
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    C:\WINDOWS\System32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    .
    ============== Pseudo HJT Report ===============
    .
    mStart Page = about:blank
    mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    mRun: [btbb_wcm_McciTrayApp] c:\program files\btbb_wcm\McciTrayApp.exe
    mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [<NO NAME>]
    mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    mRun: [HostManager] c:\program files\common files\aol\1169214453\ee\AOLSoftware.exe
    mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
    mRun: [Motive SmartBridge] c:\progra~1\bthome~1\help\smartb~1\BTHelpNotifier.exe
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [CHotkey] zHotkey.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    DPF: Microsoft XML Parser for Java
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231200248818
    DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v6.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} - hxxp://cdn1.acclaimdownloads.com/solidstateion.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Notify: igfxcui - igfxdev.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\finn\application data\mozilla\firefox\profiles\47edvphp.default\
    FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
    FF - prefs.js: browser.startup.homepage - hxxp://www.hyrulianwar.com/
    FF - component: c:\documents and settings\finn\application data\mozilla\firefox\profiles\47edvphp.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\finn\application data\mozilla\firefox\profiles\47edvphp.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
    FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Adobe DLM (powered by getPlus(R)): {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - %profile%\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
    FF - Ext: Tabloc: {60520222-6bbf-45dd-b547-3641ea9cd9cb} - %profile%\extensions\{60520222-6bbf-45dd-b547-3641ea9cd9cb}
    FF - Ext: Google Wave Add-on for Firefox: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - %profile%\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Adblock Plus Pop-up Addon: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
    .
    ============= SERVICES / DRIVERS ===============
    .
    R? BGRaSvc;BGRaSvc
    R? gupdate;Google Update Service (gupdate)
    R? gupdatem;Google Update Service (gupdatem)
    R? McrdSvc;Media Center Extender Service
    R? mple7docserver;Maya 7 PLE Documentation Server
    R? msvsmon80;Visual Studio 2005 Remote Debugger
    R? StarWindService;StarWind iSCSI Service
    S? ASKService;ASKService
    S? ASKUpgrade;ASKUpgrade
    S? HWiNFO32;HWiNFO32 Kernel Driver
    S? RapportCerberus_34302;RapportCerberus_34302
    S? RapportEI;RapportEI
    S? RapportIaso;RapportIaso
    S? RapportKELL;RapportKELL
    S? RapportMgmtService;Rapport Management Service
    S? RapportPG;RapportPG
    S? RosettaStoneDaemon;RosettaStoneDaemon
    .
    =============== Created Last 30 ================
    .
    2012-03-09 17:41:08 -------- d-----w- C:\aaaaaaREGBACKUP_ERONT
    2012-03-09 17:27:30 -------- d-----w- C:\zzzwinsockfix
    2012-03-09 17:16:47 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2012-03-09 17:16:47 -------- d-----w- c:\windows\system32\wbem\Repository
    2012-03-08 23:20:00 -------- d-----w- c:\program files\AVAST Software
    2012-03-08 23:20:00 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
    2012-03-08 22:15:05 -------- d-----w- c:\documents and settings\finn\application data\AVG2012
    2012-03-08 22:13:55 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
    2012-03-08 22:13:19 -------- d-----w- c:\program files\AVG
    2012-03-08 22:03:32 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
    2012-03-08 22:02:17 -------- d-----w- c:\documents and settings\all users\application data\MFAData
    2012-03-07 20:37:36 -------- d-----w- c:\documents and settings\finn\application data\Qerayw
    2012-03-07 20:37:27 -------- d-----w- c:\documents and settings\finn\application data\Tuyzynv
    2012-03-07 20:37:27 -------- d-----w- c:\documents and settings\all users\application data\F4D55F17000073230120E1C3D151FC4E
    2012-02-25 11:30:59 -------- d-----w- c:\documents and settings\finn\lmms
    2012-02-25 11:29:22 -------- d-----w- c:\program files\LMMS
    .
    ==================== Find3M ====================
    .
    2012-01-25 10:16:44 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2006-05-03 11:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
    2007-02-21 12:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
    2008-03-16 14:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
    2010-01-06 23:00:00 107520 --sha-r- c:\windows\system32\TAKDSDecoder.dll
    .
    ============= FINISH: 15:24:32.84 ===============
     

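A small triage script for the "Created Last 30" and "Find3M" sections of the DDS log above, added here as an example; it is not part of the thread and not something the DDS tool itself provides. It re-quotes a subset of the lines posted above as its sample input so that it runs stand-alone. My reading of the attribute column (first character d = directory, third s = system, fourth h = hidden), the 60-second "burst" window and the 32-hex-character name rule are assumptions of mine. The output is a list of entries worth a closer look, not a verdict: the same-second creation of differently named folders under two users' Application Data, and a bare 32-hex folder name, are the kind of thing an analyst reads this section for.

```python
"""Triage helper for DDS 'Created Last 30' / 'Find3M' lines (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the lines from the DDS log posted in the
# thread, re-quoted so the script has input without the full file.
SAMPLE_LOG = r"""
2012-03-09 17:41:08 -------- d-----w- C:\aaaaaaREGBACKUP_ERONT
2012-03-08 23:20:00 -------- d-----w- c:\program files\AVAST Software
2012-03-08 22:15:05 -------- d-----w- c:\documents and settings\finn\application data\AVG2012
2012-03-08 22:13:55 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2012-03-08 22:13:19 -------- d-----w- c:\program files\AVG
2012-03-08 22:03:32 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2012-03-07 20:37:36 -------- d-----w- c:\documents and settings\finn\application data\Qerayw
2012-03-07 20:37:27 -------- d-----w- c:\documents and settings\finn\application data\Tuyzynv
2012-03-07 20:37:27 -------- d-----w- c:\documents and settings\all users\application data\F4D55F17000073230120E1C3D151FC4E
2012-02-25 11:29:22 -------- d-----w- c:\program files\LMMS
2012-01-25 10:16:44 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2006-05-03 11:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
"""

# timestamp, size (or "--------" for a directory), 8-char attribute field, path
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\S+)\s+(?P<attrs>[\w-]{8})\s+(?P<path>.+)$"
)
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
# A directory sitting directly under a profile's "Application Data".
APPDATA_CHILD = re.compile(r"\\application data\\[^\\]+$", re.IGNORECASE)


def parse_dds(text):
    """Parse DDS file-listing lines into dicts; non-matching lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        attrs = m["attrs"]  # assumption: index 0 = d(irectory), 2 = s(ystem), 3 = h(idden)
        path = m["path"]
        entries.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "size": None if m["size"].startswith("-") else int(m["size"]),
            "is_dir": attrs[0] == "d",
            "system": attrs[2] == "s",
            "hidden": attrs[3] == "h",
            "path": path,
            "name": path.rstrip("\\").rsplit("\\", 1)[-1],
        })
    return entries


def triage(text, window_seconds=60):
    """Return entries worth reviewing, grouped by the heuristic that raised them."""
    entries = parse_dds(text)
    findings = {"hex_named_dirs": [], "creation_bursts": [], "hidden_system_files": []}

    for e in entries:
        # Bare 32-hex folder names under Application Data are auto-generated, not typed by a vendor.
        if e["is_dir"] and APPDATA_CHILD.search(e["path"]) and HEX32.match(e["name"]):
            findings["hex_named_dirs"].append(e["path"])
        # system+hidden files in system32 are unusual enough to list (often legitimate, still check).
        if (not e["is_dir"] and e["system"] and e["hidden"]
                and "\\system32\\" in e["path"].lower()):
            findings["hidden_system_files"].append(e["path"])

    # Burst rule: several Application Data folders created within the window with
    # *different* names. Installers drop the same vendor folder into several
    # profiles (AVG2012 twice above); differently named folders appearing together
    # have no such explanation and get listed as one group.
    appdata_dirs = sorted(
        (e for e in entries if e["is_dir"] and APPDATA_CHILD.search(e["path"])),
        key=lambda e: e["ts"],
    )
    window = timedelta(seconds=window_seconds)
    i = 0
    while i < len(appdata_dirs):
        group = [appdata_dirs[i]]
        j = i + 1
        while j < len(appdata_dirs) and appdata_dirs[j]["ts"] - group[0]["ts"] <= window:
            group.append(appdata_dirs[j])
            j += 1
        if len({g["name"].lower() for g in group}) >= 2:
            findings["creation_bursts"].append([g["path"] for g in group])
        i = j
    return findings


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Run against the sample, it lists the F4D55F17... folder under the hex-name rule, the Tuyzynv / F4D55F17... / Qerayw trio (created within nine seconds of each other on 2012-03-07) as one creation burst, and flvDX.dll as a system+hidden file in system32; the AVG2012 pair and the hidden Common Files folder are left alone. Paste the full "Created Last 30" and "Find3M" sections into SAMPLE_LOG to run it over a complete log.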

  6. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    32,640
    Hiya

    The reason why I was concerned for virus removal was making sure that it was all gone, as sometimes when you create an image, the virus will also be created in the image. This means that when you remove it off one drive, you'll have to do the same for the backup.

    As for the virus/malware, let's see if we can get it all gone, and your computer back to how it was :)

    So, let's begin...

    Firstly, can you uninstall these via Add/Remove Programs or Start | Programs:

    Viewpoint Media Player
    DAEMON Tools Toolbar


    --

    Also, your Java is out of date, so let's get that sorted before we start:

    Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Now, go here and download the latest Java Version.



    For the remains of the Java, can you do this:

    Open Java in the Control Panel and under the General tab, under Temporary Internet Files, click the Settings button. Then click on Delete Files.

    Make sure both of these options are checked:

    • Applications and Applets
    • Trace and Log Files
    OK out of all the screens. :)


    ------

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! As you download it rename it to username123.exe and save it to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      • Remember to re-enable the protection again afterwards before connecting to the Internet.
    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    eddie
     
  7. Justletmepost

    Justletmepost Thread Starter

    Joined:
    Mar 11, 2012
    Messages:
    116
    Oh, if this all works I'll just be reformatting the backup drive. Simple. The backup is just in case I somehow make things even worse while doing this.

    Anyway, depressingly basic problem.

    Uninstalled VMP and Daemon successfully.
    Ran JavaRa, no problems.

    But when I try to run the offline Java installer, its progress bar gets most of the way there and then produces an error:
    "Error 1330: A file that is required cannot be installed because the cabinet file C:\Documents and Settings\Finn\Apllication Data\Sun\Java\...Data1.cab has an invalid digital signature. This may indicate that the cabinet file is corrupt."

    Unless I run it in safe mode. Then it fails immediately with a different error, even if I'm logged in as admin:
    "The system administrator has set policies to prevent this installation"

    Oh, and despite JavaRa 'removing' java, the java icon is still present in the Control Panel - it just gives me an error message when I click it.

    Any ideas on how to get around this?

    Meanwhile: Should I avoid running programs on the infected computer? Could they become 'infected' as a result? Or can I go ahead and actually get some stuff done?
     
  8. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    32,640
    With regards to using the computer, it's up to you. I think most people are okay, just don't do any banking related things, just in case ;)

    Okay, let's have a look at that Java problem. First, although you have used the JavaRa tool, uninstalling via Add/Remove Programs may work.

    So, go to Control Panel | Add/Remove Programs, and uninstall these:

    J2SE Runtime Environment 5.0 Update 2
    Java(TM) 6 Update 26


    Then, try the installer below (delete the copy of the one you already have, in case it's corrupt)

    http://www.java.com/winoffline_installer/

    And let me know how that goes :)
     
  9. Justletmepost

    Justletmepost Thread Starter

    Joined:
    Mar 11, 2012
    Messages:
    116
    No joy.

    When I tried to uninstall J2SE Runtime Environment 5.0 Update 2, I got this error window:
    "The feature you are trying to use is on a network resource that is unavailable

    Click OK to try again, or enter an alternate path to a folder containing the installation package 'J2SE Runtim Environment 5.0 Update 2.msi' in the box below."

    The current path in the box is "C:\Documents an Settings\Administrator\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150020}\"

    Trying it in Safe Mode logged in as admin just gives me a standard error message telling me I can't use the microsoft installer in safe mode.

    Java(TM) 6 Update 26 wasn't present on the Add/Remove list, but there was a similar JDK item, so I uninstalled that instead. It didn't occur to me to note down its name until afterwards, but I think it was "Java(TM) Development Kit 6 Update 2 "

    There's also a "Java Auto Updater" in the list, but that presents no Change or Remove buttons.

    Redownloaded and retried the offline installer - same result as before.

    *sits and waits*
     
  10. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    32,640
    Edit, links not working
     
  11. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    32,640
    Sorry about that, old speech has died since I last used it.

    See if this works:

    Uninstalling Programs Using Revo Uninstaller Free

    --------------------

    Revo Uninstaller is more thorough in deleting programs on your computer than using the Add/Remove option in Windows. Since it is a more powerful tool, please be sure to follow the instructions carefully.

    Please note there is a chance when you look for this program to uninstall through Revo it might not be listed because of the previous uninstall. If that is the case simply stop and let me know.
    • Please download and install Revo Uninstaller Free
    • Double click Revo Uninstaller to run it.
    • From the list of programs double click on the listed program(s), or anything similar, to remove it
      J2SE Runtime Environment 5.0 Update 2
    • When prompted if you want to uninstall click Yes.
    • Be sure the Moderate option is selected then click Next.
    • The program will run. If prompted again, click Yes.
    • When the built-in uninstaller is finished click on Next
    • Once the program has searched for leftovers click Next.
    • Check the items in bold only on the list then click Delete. You may have to expand some folders by clicking the "+" mark.
    • When prompted click on Yes and then on Next.
    • Put a check on any folders that are found and select Delete
    • When prompted select Yes then Next
    • Once done click Finish.
     
  12. Justletmepost

    Justletmepost Thread Starter

    Joined:
    Mar 11, 2012
    Messages:
    116
    Nope.

    Ran Revo, after it ran the base uninstaller (and got the same "The feature you are trying to use is on a network resource that is unavailable", unsurprisingly), it came up with a bunch of bold registry entries. Deleted them. And that was that. But even after restarting, I still can't get the java offline installer to work: it gives the same Error 1330 as ever.

    Meanwhile, when I restarted the computer, I got an "Program Not Responding/End Now" prompt for something I've never heard of: MCI Command Handling Window.
     
  13. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    32,640
    Okay, let's see if installing Java whilst online works:

    http://java.com/en/download/help/ie_online_install.xml

    When the file download box appears, select Run, not save, and it should install.

    As for the message on startup, that can be related to many things: multimedia, malware etc.

    Can you also try running ComboFix as well, after the Java, as there may be something else causing the problems. Originally you said that you have a virus from Jayisgames, and other problems that sound virus related.

    http://forums.techguy.org/8291001-post6.html

    eddie
     
  14. Justletmepost

    Justletmepost Thread Starter

    Joined:
    Mar 11, 2012
    Messages:
    116
    As I said before, the infected computer has been rendered unable to connect to the internet in any capacity - that's why I was using the offline installer.

    And I haven't run ComboFix because I assumed the Java business was a prerequisite.

    To be clear, when you say:

    IMPORTANT !!! As you download it rename it to username123.exe and save it to your Desktop

    ,seeing as it's so important, do you mean literally "username123.exe", or should I be replacing "username" with my username? So Finn123.exe in my case? Or does it not matter so long as I rename it to anything other than ComboFix.exe?
     
  15. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    32,640
    Ah, sorry about that. As it's not connected to the internet yet, we can leave the Java until we get it back online.

    You can save it as the name you suggested, Finn123.exe :)

    Yep, you're correct, as malware sees the name and stops it from running, which is why the renaming is done ;)
     
Short URL to this thread: https://techguy.org/1044770