almost completed read me perfectly...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by babbaroni, Jun 3, 2011.

  1. babbaroni

    babbaroni Private E-2

    Thanks for being here, and providing everything you do!!!

    I have followed all of the directions in the READ ME AND RUN THIS FIRST. I've disabled all of the security programs, etc. I could find, and do not have any AV program installed. Everything has worked the way the forum said it would except for MG Tools. I did put it in C:\ and ran it as administrator, and it did make itself a folder... and a command prompt window appeared for a split second. When I right click the GetLogs.bat file and click run as administrator, the same thing happens... a command prompt appears so briefly I can hardly even tell what it is, then, nothing. I also tried running it, after doing that a few times, from the desktop, as administrator. Same thing.

    My original problem was clicking OK on a request to run a flash add-on. That apparently gave me Windows Recovery, which soon revealed itself in a series of false warnings, which I ignored, and finally found and deleted the program. But it had apparently invited some friends over, and soon my computer was visiting random web sites (I've used IE for many, many years, and I think it's working through that... I'll explain further soon...). Oddly, it also rearranged the shortcuts in my task bar. I ran MalwareBytes, and something else, and they cleaned about 11 things, but then it started accessing the sound, only, of random sites (I kept some records of which ones, etc.) and logging the sites in IE's history. It deleted all of my bookmarks (favorites).

    Now it has mutated to running IE invisibly (I find it running in Task Manager), and not logging the sites visited. Sometimes there is sound, usually not.

    It also deleted the URLs in all of the internet links I had saved on my computer (even in folders within folders).

    OK, now I'll see if I can figure out how to attach the logs from the programs that DID run... there, hope that worked. My (very computer literate, adult) son ran a few things last week and made at least one log... let's see... catchme.log. Do you want that?

    Thanks again! -- bab
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please click Start, All Programs, Accessories and you will see (among other things) a Command Prompt entry.

    • Right click the Command Prompt entry and select Run As Administrator.
      • It is critical that you run it this way.

    • If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.
    • Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple/brown is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    GetRunKey <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
    ShowNew <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
     
  3. babbaroni

    babbaroni Private E-2

    Thanks, TImW.

    My command prompt is just the cursor, and no matter what I type, I still just get a blinking cursor. No indication of what drive it is, etc.

    And I forgot to mention that I can't get email, now. :-/

    My son will be here in a few minutes and may be able to help me with the command prompt... it's been a long time since I've used that.

    WAIT ... I'm managing to use it without the regular prompt. BRB

    OK --- "the system cannot find the path specified", with either command you suggested.
     
    Last edited: Jun 3, 2011
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Were you able to open the Administrator command prompt? Did you download MGTools to your C: drive (assuming that is the root folder)? Did the directory change to C:\MGTools?
     
  5. babbaroni

    babbaroni Private E-2

    Thanks for your quick response. Yes, I opened the command prompt as admin, and it said so at the top, and I found out which drive/directory/folder I was in by using dir, and I got into the one that MGtools had created when I ran it, right in C:. The getrunkey.bat and shownew.bat files were in there, but the computer ignored the commands. We were mystified. Still no normal prompts, but I could tell which drive I was in by using dir.
     
  6. babbaroni

    babbaroni Private E-2

    Omigoodness, all of my favorites/bookmarks are back, and when I save a link to my desktop it's no longer "empty". Also, IE has not started running on its own, invisibly, since at least early yesterday. I think, MAYBE, one of the steps in READ ME AND RUN THIS FIRST got rid of "my" malware! Thank you!

    How can I be sure? Should I just assume it's gone if nothing else weird happens, or can you tell from one of the logs?

    Oh... and what about that Command Prompt problem? Let me see if it's still happening, since I shut down over night and turned it on this morning... WOO-HOO!!! I have a normal command prompt! By cracky, I think you guys have done it!!! Thanks for posting all of that. God bless you all.
    "Pastor Barb"
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I'd still like to check things. Please download OTL to your desktop.


    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • (Vista and Windows 7 users: right-click OTL and choose Run as Administrator.)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.


    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  8. babbaroni

    babbaroni Private E-2

    Will do. Sorry, tied up most of today. Thanks for your patience.

    I wonder if I can even run MGtools now. I'll give that a try, too.
     
  9. babbaroni

    babbaroni Private E-2

    Here are the results of the OTL scan, done as you directed. Also, I was able to run that getrunkey batch file in MGtools from my now-normal C prompt, and am attaching those results as well. Should I run anything else from MGtools?

    Thanks for your help -- I see there is still some kind of problem -- with the event log or something like that.

    --Babbaroni
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any malware issues in those logs. Can you try getting a full MGLogs.zip by running the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    What issues are you still having?
     
  11. babbaroni

    babbaroni Private E-2

    I haven't noticed anything misbehaving for over 24 hours, now.

    OK, I ran getlogs.bat, and have attached MGlogs.zip.

    HiJack reported an error; asked me to report it, and I clicked OK; then Trendsure customer help window opened in IE. After a few minutes, I closed that, but not the command prompt window. I waited until it was done, and it said "hitting any key will close this" etc. and then did so.

    Way back during the guide and tutorial on using ComboFix, (I thought it was during CClean, but I must have remembered wrong, because my note is on the ComboFix pages I printed) a message said "driver VOLSNAP.SYS is patched with a rootkit; attempting disinfection" -- which it apparently did, and then instructed me to reboot, which I did, and then it resumed.

    So... could that have been causing all the mayhem? Because I didn't see a thing, after that, indicating that anything else had been discovered (that I can recall). I just don't remember everything being fine from that moment... it seemed to happen later. But I may be mistaken.

    Thanks so much for your help!
     

    Attached Files:
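    As an added defender-side check (not part of this thread or of the MGTools/ComboFix tooling), the PowerShell script below verifies the Authenticode signature of the volsnap.sys driver that ComboFix reported as patched and asks System File Checker to compare it against the protected copy. The driver path, an elevated prompt, and PowerShell 4 or later (for Get-FileHash) are assumptions.

```powershell
# Added example, not from the thread: check whether a boot-critical driver such as
# volsnap.sys still carries a valid signature and matches the protected system copy.
# Assumes an elevated (Run as Administrator) PowerShell 4+ session on Windows 7 or later.
param(
    [string]$Driver = "$env:SystemRoot\System32\drivers\volsnap.sys"
)

if (-not (Test-Path -Path $Driver)) {
    throw "Driver not found: $Driver"
}

# Authenticode check. On older Windows builds a catalog-signed driver can report
# 'NotSigned' here even when intact, so treat the SFC result below as authoritative.
$sig = Get-AuthenticodeSignature -FilePath $Driver

[pscustomobject]@{
    File      = $Driver
    Status    = $sig.Status                       # 'Valid' is the healthy result
    Signer    = $sig.SignerCertificate.Subject     # expect a Microsoft subject
    SHA256    = (Get-FileHash -Path $Driver -Algorithm SHA256).Hash
    SizeBytes = (Get-Item -Path $Driver).Length
} | Format-List

# System File Checker compares the single file against the protected store;
# use /scanfile instead of /verifyfile to repair a reported mismatch.
& "$env:SystemRoot\System32\sfc.exe" /verifyfile=$Driver

if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status '$($sig.Status)': driver may have been modified."
}
```

The SHA256 value printed is for comparison against a known-good copy of the same driver version (for example from WinSxS or another clean machine), not a fixed expected value.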

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, it could have been the main cause of your problems.

    The rest of your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0

    Help Support MajorGeeks
    Buy Discounted Software @ Majorgeeks Store. Giveaways Too!

    Majorgeeks Geek Wear. Hats, T-Shirts, Hoodies

    MajorGeeks on FaceBook
     
  13. babbaroni

    babbaroni Private E-2

    Omigoodness, that's a lot left to do! I'm startled! Not complaining... just startled. I'll get started now.

    I looked up "rootkit" and I was flabbergasted at what they can do.

    Again, thanks a million... and I intend to put my money where my mouth is (just need to decide which way).

    Babbaroni
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not really, as it all cleans up pretty quickly. And yes, rootkits can be a real pain.

    You are most welcome. Safe surfing. :)
     
  15. babbaroni

    babbaroni Private E-2

    I have to make a confession. I did not do one part of the clean-up. Since the only way I can make Microsoft Security Essentials stop working is to uninstall it, and I had just reinstalled it, I didn't "disable" it before uninstalling ComboFix.

    Do I need to redo anything? Will that come back and bite me in the butt?

    Thanks for your patience,
    babbaroni
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No, you should be fine. As long as Combo has been removed, you're good. ;)
     
  17. babbaroni

    babbaroni Private E-2

    Can I send a donation via PayPal?
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  19. babbaroni

    babbaroni Private E-2

    Oh, dear, I fear the rootkit may have left a shadow behind...

    I recently upgraded to IE 9, but nothing I do (including some lame suggestions from a MS help forum) will make the "open previous browsing session" function work. It's always grayed out.

    They had me uninstall IE9, and told me to reinstall it. But while it was uninstalled, I opened IE8, and it's grayed out in that, too, under Tools, and doesn't appear at all in the New Tab page.

    When I went to look for the link I had saved to this thread, it was only a file consisting of the name of the thread; no link. Maybe a fluke, because all of my other links are still OK.

    What do you think?

    Thanks in advance for any input,
    babbaroni
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    These sound like issues that you should address in the software forum. Do you have any problems with using a different browser, say FireFox?
     
  21. babbaroni

    babbaroni Private E-2

    No... but the rootkit did not affect Firefox. And it did hide aspects of IE.

    So, I'm thinking it worked/s through IE, and a bit of it is still on my PC somewhere, and becoming active, in this new way. It did "mutate" quite a bit before apparently being removed the last week or two.

    When I tried to work through the issue with MS support, they gave up pretty easily. But, I will open a thread on the software board, as you suggest.
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's see what they say in software. I will try to keep an eye on your thread there. ;)
     
