Solved How to remove .scr virus without losing infected folders?

September 6, 2016 at 13:09:51
Specs: Windows 7
Hi, everyone.
My question is not HOW to remove the .scr virus from my flash drive, I think I already have that covered with the help of this article here:
http://www.techbae.com/remove-scr-v...

I suppose you all agree with it..(???)

My real question is the following: If I get rid of the virus using the method above will my folders be LOST?
Those are really important folders so, I would appreciate it if you could verify that this method of removal really doesn't make my folders vanish and, if it does, please, could you suggest another way for me to remove the virus without me losing the files?

Thank you very much in advance.



#1
September 6, 2016 at 13:35:03
I assume you are referring to files you already have on the flash drive. It would seem the only file you delete is winlodr.scr so your own files should be OK. Maybe you could copy them onto a CD-R first though, just to be on the safe side.

However, I trust you realise that the article is not written with a flash drive in mind. The file winlodr.scr is on the system drive (usually C).

Always pop back and let us know the outcome - thanks



#2
September 6, 2016 at 13:46:50
I will add that flash drives are the least reliable storage device currently in use. If your data is extremely important, you should have more than one backup.


#3
September 6, 2016 at 14:52:59
Thank you for the reply Derek and riider.

Let me shed some light here and be more specific about my problem.
I didn't want my post to be too long before but now I see that is inevitable... :)

This is not my flash..
It belongs to an old (in terms of age) friend of mine.
In the flash drive he had (and still has) some important folders, mostly pictures in them, that he needed for his work.

As I was helping him (because he doesn't know much about computers) I noticed that the folders in his flash had a strange texture, a little different than the common windows folders'.
I had never seen a folder look like that before.

So, I just double-clicked it as I would normally do.
Then, a window pops up, like that window that pops up when you click on a setup.exe file or when you try to run a program.

And I just clicked yes and then I got to see the actual folders with the pictures, all fine, no problem at all. I could use them however I liked just as normal.

But, his computer got overrun with viruses because he was not using an anti-virus and, eventually I formatted his PC and reinstalled a version of Windows 7 x64.

Then, to my surprise, the files in his flash drive didn't look like folders at all. They were looking like those idle, blank files that Windows doesn't know how to open them. I clicked on them and I was presented with an error that, unfortunately, I can't remember right now exactly what it said.
It was THEN that I noticed that the folders had the .scr abbreviation.

That was my story.

Now, is there any way I can save those files?

Because, if not, I believe he is going to have a stroke......

P.S.: The same kind of .scr folders were found in his digital camera. Specifically the DCIM folder. When I plugged in his camera I couldn't access that folder anymore. The only way to access the pictures was to select NOT the PC option on the camera screen but the "Mass" option, or something like that, I don't remember...

Hope I've been helpful..

message edited by liakossf



#4
September 6, 2016 at 15:10:13
Best first step is to do what it says in your link. All it does is remove WINLODR.SCR in Safe Mode so it will not touch your flash drive.

From what I can make of it, your files have been hidden. See this:
http://www.computing.net/howtos/sho...

Always pop back and let us know the outcome - thanks
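
What reply #4 suggests (the real folders are hidden and an executable sits in their place) can be checked without double-clicking anything on the drive. The script below is an added example, not part of any post in this thread; the drive letter `E:\` and the function name `Get-DriveInventory` are assumptions.

```powershell
# Added example: read-only inventory of a removable drive's root folder.
# 'E:\' is an assumed drive letter; pass the flash drive's real letter.
param(
    [string]$Drive = 'E:\'
)

# File types that run or launch something when double-clicked.
# A .scr "screensaver" is an ordinary Windows executable.
$LaunchableExt = '.scr', '.exe', '.com', '.pif', '.lnk'

function Get-DriveInventory {
    param([string]$Root)

    # -Force makes Get-ChildItem return Hidden and System items too.
    $items = @(Get-ChildItem -LiteralPath $Root -Force -ErrorAction Stop)

    # Folders carrying the Hidden and/or System attribute.
    $mask = [int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System
    $hiddenDirs = @($items | Where-Object {
        $_.PSIsContainer -and (([int]$_.Attributes -band $mask) -ne 0)
    })
    $hiddenNames = @($hiddenDirs | ForEach-Object { $_.Name })

    foreach ($d in $hiddenDirs) {
        New-Object PSObject -Property @{
            Kind                   = 'Hidden folder'
            Name                   = $d.Name
            Attributes             = $d.Attributes
            SizeBytes              = $null
            SameNameAsHiddenFolder = $null
        }
    }

    # Launchable files in the root, flagged when they share a hidden folder's name
    # (for example "Photos.scr" next to a hidden "Photos" folder).
    foreach ($f in $items) {
        if ($f.PSIsContainer) { continue }
        if ($LaunchableExt -notcontains $f.Extension.ToLower()) { continue }
        New-Object PSObject -Property @{
            Kind                   = 'Launchable file'
            Name                   = $f.Name
            Attributes             = $f.Attributes
            SizeBytes              = $f.Length
            SameNameAsHiddenFolder = ($hiddenNames -contains $f.BaseName)
        }
    }
}

# The script only lists directory entries; it changes nothing on the drive.
Get-DriveInventory -Root $Drive |
    Select-Object Kind, Name, Attributes, SizeBytes, SameNameAsHiddenFolder |
    Format-Table -AutoSize
```

A launchable file whose name matches a hidden folder means the original folder is still on the drive, so its contents can be copied off before the look-alike file is dealt with.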



#5
September 6, 2016 at 15:25:37
That seems like a good start...
Thanks Derek.

I will be seeing him on Saturday morning, so it will take me some days to reply and inform about the outcome.
I just wanted to be able to know how to deal with whatever problem this is, in time, so I will be able to help him...

Write back at you on Saturday..



#6
September 6, 2016 at 16:22:54
"his digital camera"

Did his camera come with software?
You may only need to reinstall the programs that came with his camera.

MIKE

http://www.skeptic.com/



#7
September 7, 2016 at 01:11:43
I don't know....
Most possibly this software did come with the camera but, I'm not sure if it is available anymore..
I will check it out.

mmcconaghy, are you suggesting that as a solution for healing his camera?


Isn't it weird that the only way to access the pictures is by NOT choosing the "PC" option, but the "MASS" option instead?

I really didn't understand that, but as long as I could do my job, I really didn't care...

It's weird, though...



#8
September 7, 2016 at 06:02:48
"blank files that Windows doesn't know how to open them. I clicked on them and I was presented with an error that, unfortunately, I can't remember right now exactly what it said."

This sounds very much like a File Association problem.

A file association associates a file with an application capable of opening that file.

I'm suggesting that the software that came with the camera may be the application needed to open the files.

The .scr file type is very common and is used by many different types of programs.
At least 19. See this page:

http://www.file-extensions.org/scr-...

"mostly pictures in them"

You could also try changing the extension on one of the files from .scr to .jpg and see what happens.

"Isn't it weird that the only way to access the pictures is by NOT choosing the "PC" option, but the "MASS" option instead?"

I do not understand what this means.


MIKE

http://www.skeptic.com/

message edited by mmcconaghy



#9
September 7, 2016 at 06:31:52
When you plug in the camera its screen lights up and you are presented with two options, one of which you have to choose in order for the PC to recognise the camera.
-PC
-Mass "storage" or something, I'm not sure, I just remember the word "Mass..."

-When you choose option "PC" you are presented with the DCIM folder which is inaccessible after the reinstallation I applied to his PC. Before the format the folder DCIM behaved like the folders I describe on my second post.

-If you choose "Mass...." you are presented with the OLYMPUS1024 something folder which opens up like a normal Windows folder and the pictures ARE accessible. That's the only way I can work with the camera.

Unfortunately, such alternative doesn't occur with his flash drive in which the folders are inaccessible and thus, the pictures. That's what bothers me.


"This sounds very much like a File Association problem.

"A file association associates a file with an application capable of opening that file.

"I'm suggesting that the software that came with the camera may be the application needed to open the files.

"The .scr file type is very common and is used by many different types of programs.
At least 19.

"You could also try changing the extension on one of the files from .scr to .jpg and see what happens."

You don't understand!

It's not the pictures that have the .scr abbreviation. It's the FOLDERS.

Try reading my second post again and you will understand.



#10
September 7, 2016 at 06:46:31
What I'm trying to describe here is that the folders in his flash drive and the DCIM folder were not behaving as DIRECTORIES but as files with an .scr abbreviation that when you clicked on them twice Windows popped the "Run as administrator" window (I don't know if that is the correct term for that window) asking for confirmation.
I clicked yes and then I could see the folders and the files (the pictures) in them.

That was always weird for me but I didn't imagine it was something bad. I thought that maybe it is some security preference for these specific drives (the flash and the digital camera). I never really bothered researching because it didn't get in the way of our work.

But now, after the format and the fresh installation those are inaccessible!

And in case it is a virus I want to know if there is a way to get rid of it WITHOUT damaging or losing the files.

And if it is not a virus, then what do you suggest it is and how do I solve my problem?

Thank you all, folks.

message edited by liakossf



#11
September 7, 2016 at 10:52:50
✔ Best Answer
See if this 2013 thread is of any help:

http://www.computing.net/answers/ha...

see reply # 23

MIKE

http://www.skeptic.com/

message edited by mmcconaghy



#12
September 7, 2016 at 11:49:29
Wow! What an incredible thread! It's full of suspense! :D
Thank you Mike!

So, for the record, I have made a folder with all the "arsenal" I'm gonna need in order to face this problem.

- I have downloaded a reg entry file called scr fix in case it will be needed.
- I have downloaded Malwarebytes and RKill and saved quite a few webpages regarding the removal of the .scr Virus and the use of Malwarebytes.
- And now, I've just downloaded and saved this Zero Assumption Recovery program which seems pretty good.

What I plan to do is to scan for this .scr Virus, first, and check to see if there is this "WINLODR.scr" file in his computer. Then, I will follow Derek's advice.

After I get the Virus issue out of the way, I will check if I can restore these files with the ZAR software, or I will try to open them some other way, for example with this .scr fix regfile. I will judge it, depending on files size and how much corrupted they are, IF they are.

And I hope I will get this problem solved somehow.

I'm just thinking that, if there IS a virus in his computer, it might be a good idea to burn that magical folder of mine on a dvd, rather than saving it in my flash drive.
I would really hate it if I catch the .scr virus, too.

So, I believe I'm ready for Saturday Morning Special Clean Time! XD

In case anyone else has anything to add, it would be really appreciated.

I really appreciate the effort of all of you guys, as well, who have helped me here tremendously.

Report back to you soon.

message edited by liakossf



#13
September 7, 2016 at 13:11:16
"it might be a good idea to burn that magical folder of mine on a dvd"

Yes and best a DVD-R rather than a re-writeable so that nothing untoward can be copied onto it.

Always pop back and let us know the outcome - thanks



#14
September 7, 2016 at 14:51:09
Copy that! 8-|


#15
September 8, 2016 at 01:07:58
Hello again, guys....

I have been reading the article that I have posted on my first post

http://www.techbae.com/remove-scr-v...

just to be sure and I decided to read the two comments.
As YOU can also see, this guy has a problem with his flash drive files, too.
He describes the problem and the author of the article tells him that his flash drive may be infected with the "AUTORUN" virus.

I did a little research and I found these sites:

http://www.wikihow.com/Remove-Autor...

http://www.autorunremover.com/what-...

http://www.autorunremover.com/delet...

I believe the second link is the most valuable but I used the instructions on the first link, too.
The results on my computer were very relieving.
Then, I downloaded this "Autorun Virus Removal Tool", installed it and ran a scan.
My computer was perfectly clean.
After that, I decided to add that program and the addresses of these webpages to my "Arsenal" Folder.

I just thought that this "Autorun Virus" might be another possible answer to my problem, as well.

I don't know what do YOU make of this possibility.
If you like, let me know....

P.S.: I would like to add that when I used this Autorun Virus Removal Tool on my External Hard Drives it popped up a window showing that some folders have been corrupted by virus: I clicked on Recover Directly on USB drive and some Ancient files that I remember deleting them ages ago have appeared on my Drives, so, as you can see this program has some file recovering abilities, sort of like the ZAR software.
Just to let you know.....

message edited by liakossf



#16
September 8, 2016 at 06:36:53
These three freebies would be well worth running sometime as they often find what Antivirus programs miss:

AdwCleaner:
https://toolslib.net/downloads/view...
(blue "Download Now" button on right).
Download and "Save" the file somewhere. Go to the saved file then double click it to run the program. Use the "Scan" button, followed by the "Clean" button.

Junkware Removal Tool (JRT)
https://www.malwarebytes.org/junkwa...
(blue Download button).
Download and "Save" the file somewhere. Go to the saved file then double click it to run JRT. It might appear to have stopped at times or flash the screen but sit tight until it has finished.

MalwareBytes:
https://www.malwarebytes.org/
(use the "download" button rather than the "buy" button).
Install and Run the program but before running the Scan go to "Settings > Detection and Protection" and put a checkmark in "Scan for rootkits". Quarantine anything it finds.

Best post their logs on here so that we can see what is going on.

Always pop back and let us know the outcome - thanks



#17
September 8, 2016 at 08:40:29
From what I've read, the ADWCleaner has some problems....
Does the Junkware Removal Tool by Malwarebytes do the same things as ADWCleaner does?
If it does, then I should download that...

As for Malwarebytes itself, I have already downloaded it, so I've got that covered.

Should I be fine with just the Malwarebytes Junkware Removal Tool in terms of adware removal?



#18
September 8, 2016 at 09:05:18
So, I have downloaded the Junkware Removal Tool and applied it to my computer just to test it.
I have to admit that I'm a little annoyed by it.

Here is the report:

Operating System: Windows 7 Ultimate x86
Ran by Liakos (Administrator) on œ£ 09/08/2016 at 18:43:52,12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


File System: 42

Successfully deleted: C:\ProgramData\iobit\driver booster (Folder)
Successfully deleted: C:\ProgramData\productdata (Folder)
Successfully deleted: C:\Users\Liakos\AppData\Roaming\iobit\driver booster (Folder)
Successfully deleted: C:\Users\Liakos\AppData\Roaming\Mozilla\Firefox\Profiles\6d9gm9am.default-1471678169324\user.js (File)
Successfully deleted: C:\Users\Liakos\AppData\Roaming\productdata (Folder)
Successfully deleted: C:\Windows\System32\Tasks\Driver Booster Scheduler (Task)
Successfully deleted: C:\Windows\System32\Tasks\Driver Booster SkipUAC (Liakos) (Task)
Successfully deleted: C:\Windows\System32\Tasks\Uninstaller_SkipUac_Liakos (Task)
Successfully deleted: C:\Program Files\iobit\driver booster (Folder)
Successfully deleted: C:\Program Files\weatherchickn (Folder)
Successfully deleted: C:\Users\Liakos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\358I1ZTH (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Liakos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4EIPCP0P (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Liakos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5VVINQEJ (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Liakos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7B405RFS (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Liakos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\93WJCINC (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Liakos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AE0XAMZ6 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Liakos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOQXQVQI (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Liakos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BPK0ILX7 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Liakos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DK93QR8H (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Liakos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HT2PU28I (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Liakos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JS41ZZ2W (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Liakos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M1J6ZPPI (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Liakos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O7WHSBU4 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Liakos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PNOGNFHX (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Liakos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SU8Q805O (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Liakos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XDHEBPTD (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\358I1ZTH (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4EIPCP0P (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5VVINQEJ (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7B405RFS (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\93WJCINC (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AE0XAMZ6 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOQXQVQI (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BPK0ILX7 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DK93QR8H (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HT2PU28I (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JS41ZZ2W (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M1J6ZPPI (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O7WHSBU4 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PNOGNFHX (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SU8Q805O (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XDHEBPTD (Temporary Internet Files Folder)

Registry: 1

Successfully deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814} (Registry Key)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on œ£ 09/08/2016 at 18:46:09,86
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


It seems that it has removed IObit Driver Booster from my computer..... :-/
That's OK, at least it created a restore point...and I have the Driver Booster setup file on my External Hard Drive, so no problem, except for a little inconvenience..
I just wish that it would ask me first before deleting anything..

Anyway, I'm going to restore my computer to its earlier state now because I have no idea which of the deleted files above ARE junkware and which are not.

If you have any idea about that, please let me know so that I can run the Junkware Removal again, if really necessary, and afterwards I will just reinstall Driver Booster again.

After the restore I'm going to create my own restore point and test the ADWCleaner to see what that does.

And I will report back if I face similar problems.

P.S.: In case I didn't make myself clear, this is the report from MY Personal Computer! I just tested it on mine just to be sure of what I should expect after I apply it on his computer on Saturday.

Write back at you later..



#19
September 8, 2016 at 09:57:04
Now, I've just run the ADWCleaner (on MY computer) and this is the log:


AdwCleaner v6.010 - Logfile created 08/09/2016 at 19:23:16
# Updated on 12/08/2016 by ToolsLib
# Database : 2016-09-08.2 [Server]
# Operating System : Windows 7 Ultimate Service Pack 1 (X86)
# Username : Liakos - LIAKOS-PC
# Running from : C:\Users\Liakos\Desktop\adwcleaner_6.010.exe
# Mode: Scan
# Support : https://toolslib.net/forum

***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

Folder Found: C:\Program Files\Phervck
Folder Found: C:\Users\Liakos\AppData\Local\app


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

Key Found: HKLM\SOFTWARE\Classes\CLSID\{E49F0B41-3322-11D4-AEFE-00C04F61025C}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}
Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}
Key Found: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10921475-03CE-4E04-90CE-E2E7EF20C814}


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [1420 Bytes] - [08/09/2016 19:23:16]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1493 Bytes] ##########


It found two folders and 4 registry keys to be "Adware"...
What do you make of it?

Sorry, if I may be running off topic here, but I need to be sure about the reliability of these programs before I use them on his computer.


I didn't clean the files of course, until someone tells me if they are REALLY adware or not.

message edited by liakossf



#20
September 8, 2016 at 10:22:05
I agree that it is a pity that JRT gives you no options about what it deletes. However, most helpers on here do not recommend third party driver finding software because it has often caused more problems than it has fixed. This is probably why it is seen as junkware. On here we generally recommend getting drivers from computer manufacturers (or motherboard manufacturers if home built).

I've not run into any real problems with ADWCleaner and it certainly has fixed many browser based malware issues that MalwareBytes has not found. Unfortunately IOBit uninstaller has some embedded browser addons which are undesirable and there is a possibility that if you are not selective it might remove IOBit (not certain). One possible way forward with IOBit is to install it when required then uninstall it afterwards. Alternatively you might be able to use ADW to selectively remove the parts of IOBit that are questionable. I don't have IOBit onboard so I can't help with the detail. ADW has been known to blacken all aspects of a program that has baddies incorporated (YouTubeDownloader - YTD is one of them). I do leave some entries in situ to preserve that particular program.

Always pop back and let us know the outcome - thanks



#21
September 8, 2016 at 10:38:29
I got the part with the JRT - Driverbooster conflict and I can't say that you don't have a point.

But what does IObit Uninstaller have to do with the ADWCleaner? I don't see any IObit Uninstaller files or keys in its log!

Aside from Driverbooster, what about the other files and keys that JRT and ADWCleaner found?

Are they adware-junkware? If one or some of those keys and folders are IObit Uninstaller's which of them are they?

It's true that DriverBooster created a problem with my External Hard Drives and I had to exclude them from its update list, but IObit Uninstaller is pretty good because it lets you scan for leftovers which is pretty necessary and practical.

Unless there might be another better such alternative program I would like IObit Uninstaller to remain on my computer.

So, can you fill me in here?

P.S.: What is situ?

message edited by liakossf



#22
September 8, 2016 at 12:55:55
"Unless there might be another better such alternative program"

Not sure about better, but I have used "Geek Uninstaller" and it also
cleans up all the 'flotsam and jetsam' left behind after an uninstall
and it's free.

http://www.geekuninstaller.com/down...

MIKE

http://www.skeptic.com/



#23
September 8, 2016 at 14:52:13
My reference to ADW and IOBit was down to this CLSID:
10921475-03CE-4E04-90CE-E2E7EF20C814

It is for ExplorerWnd Helper (Browser Helper Object) which comes along with IOBit, see here:
http://www.shouldiremoveit.com/IObi...
As JRT removed IOBit then I assumed that ADW would want to as well. Maybe I'm wrong on this and if it just removes that particular registry entry then it should clean up IOBit without removing the whole program. Could be worth checking (ticking) everything except that registry entry to see what happens when you run the ADW Clean. You could always re-install IOBit if it comes to it.

EDIT:
The rest of the registry keys seemed to point to dubious items. I thought I'd said that but it seems not.

Always pop back and let us know the outcome - thanks

message edited by Derek



#24
September 8, 2016 at 22:48:45
I can go through these logs & check for problems.

Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
If we have to run Farbar more than once, refer this SS.
http://i.imgur.com/yUxNw0j.gif
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it makes also another log (Addition.txt)
The logs are large, upload them using Zippy ( No account/registration needed ) or upload to a site of your choosing. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif



#25
September 8, 2016 at 23:27:36
I'm a little confused by the result.....

What IS and what is NOT a threat from this list???

http://www105.zippyshare.com/v/9ELe...

http://www12.zippyshare.com/v/u85jn...



#26
September 8, 2016 at 23:32:03
Got them, need about 30mins to check.


#27
September 8, 2016 at 23:51:38
"but I need to be sure about the reliability of these programs before I use them on his computer"
It is a top tool, if you go to any malware forum, they all use it.

Run Clean & post a new log please.



#28
September 9, 2016 at 00:31:37
Yeah, I think I get what's going on now...
Thanks pal!

Added it to my inventory.. ;)



#29
September 9, 2016 at 00:34:30
"What IS and what is NOT a threat from this list???"
Not too much at all, assuming you have now run ADW in Clean mode.

Copy & Paste the text in Blue below & save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

CreateRestorePoint:
emptytemp:
closeprocesses:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

Open FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.
Refer these SS if needed.
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...

message edited by Johnw



#30
September 9, 2016 at 01:09:06
Got it.
Here's the fixlog:

Fix result of Farbar Recovery Scan Tool (x86) Version: 31-08-2016
Ran by Liakos (09-09-2016 11:01:33) Run:1
Running from C:\Users\Liakos\Desktop
Loaded Profiles: Liakos (Available Profiles: Liakos)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
emptytemp:
closeprocesses:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
VGPU => service removed successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 17430739 B
Java, Flash, Steam htmlcache => 6760 B
Windows/system/drivers => 237695 B
Edge => 0 B
Chrome => 0 B
Firefox => 478893892 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 82584 B
LocalService => 66228 B
NetworkService => 67476 B
Liakos => 62659626 B

RecycleBin => 0 B
EmptyTemp: => 541.5 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 11:03:10 ====


Yeah, it seems like a good program..

I haven't noticed anything valuable or healthy getting removed..

Thank you very much.



#31
September 9, 2016 at 01:15:18
Ok, all good from that side of things.

Tell us if you have any other issues.

Use Unchecky to help prevent third party installs. Nothing is perfect, the baddies are always ahead of the goodies, so be vigilant.
http://www.softpedia.com/get/System...
http://www.freewarefiles.com/Unchec...
http://unchecky.com/
A reliable application that aims to protect your computer against third-party components often offered during software installations.


Report •

#32
September 9, 2016 at 01:50:23
Extract from your logs.

"Platform: Microsoft Windows 7 Ultimate Service Pack 1 (X86) Language: English (United States)"
Make sure ALL your Regional and Language Options settings are Ok. They will be something similar to this, the main point being, you should have at least 3 places to make sure you have your country displayed.

Windows 7: Change or Add Another Language or Region to suit your situation, here are mine for Australia.
http://i.imgur.com/QZnXZTA.gif
http://i.imgur.com/MWki04y.gif
http://i.imgur.com/Xas9F3d.gif
http://i.imgur.com/nNa2KLI.gif
http://i.imgur.com/4isl3Yk.gif
http://i.imgur.com/A0feSoa.gif


Report •

#33
September 9, 2016 at 06:33:26
Hmmm...
This Unchecky program might come in handy for protecting his computer in case he will be installing a program or something...it will prevent his computer from catching up all sorts of junk...

As for the language, I never thought it would be necessary to install my language. I prefer the English display language because it makes good practice for me and secondly almost all of the reliable information on the internet regarding computer and software is written in English, so I don't think it would be necessary to install my language, thus I am the only one to use my computer so it does not pose a problem for anyone else who might not know how to speak or read or write in English..

As long as it does not generate a technical problem, I would like to keep English.

If anyone wants to know where I'm from, they can just ask me! I'm from Greece...


Report •

#34
September 9, 2016 at 07:25:04
I don't think John meant you should change or add a language, only that you should ensure that your language of choice (English) is showing as set correctly in all three places.

Is your computer OK now?

Always pop back and let us know the outcome - thanks

message edited by Derek


Report •

#35
September 9, 2016 at 07:37:46
Yes Derek, thank you!

Besides, my computer was never the problem..

Tomorrow is the big day! I'm going to use all that knowledge you shared with me for good purposes, I promise! XD

.....

I just hope I will find a solution. It would be a pity if I didn't, and all of his files get lost....I would be very mad at myself..

Anyway, enough with the drama...I will save any scan logs and I will keep a record of everything possible I will be doing or discovering tomorrow to let you guys know!

You surely are Little Tech-Master Miyagis all of you....XD

I hope we mark this thread as solved tomorrow....


Report •

#36
September 11, 2016 at 02:37:11
Hello guys!
I come back to report victory!

Here are the details...

- First I booted up in Safe Mode and tried searching for the WINLODR.SCR file on Hard Drive. Nothing was found!

- Then, still in Safe Mode, I scanned his computer WITHOUT plugging-in the USB Flash Drive or the Olympus1000 Digital Camera. I used Junkware Removal Tool, Malwarebytes and Farbar Recovery Scan Tool. The ADWCleaner tool kept showing an "sqlite3.dll corrupt or missing-replaced" error so I just didn't use it because I didn't have time or energy to deal with this problem, as well. My whole idea was to check his computer ONLY and see if it was clean or not!
The results were perfect!
I also used the Autorun Virus Removal Tool and it came clean, as well.

- Next step was to finally plug-in the USB Flash and the Digital Camera in question.
First I plugged the camera in using the Autorun Virus Removal Tool (AVR) as protection.
The AVR showed some files corrupt from Virus and proposed to recover them. I let it do it. I checked the Drive Folder as it prompted me to do and I saw some files like "thumb.db" and "System Information" and other weird things.
Then, I plugged-in the USB and it popped the same Window up saying there were corrupt files in there, too. For some reason I didn't trust this Autorun Virus Removal Tool anymore so I decided to bring out the big guns and scan, first the camera and then the USB with Malwarebytes.

The results are shown below:

This first scan is for the Digital Camera:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/9/2016
Scan Time: 5:20 μμ
Logfile: scan2.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.09.10.04
Rootkit Database: v2016.08.15.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7
CPU: x64
File System: NTFS
User: Barba Xrhstos

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 5
Time Elapsed: 0 min, 18 sec

Memory: Disabled
Startup: Disabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 3
Worm.AutoRun, I:\DCIM\100OLYMP .scr, Quarantined, [86f6d19f316912246e65c37b857f46ba],
Worm.AutoRun, I:\important files and folders\Thumbs.com, Quarantined, [daa2a2ce702ad363eae9d06e788c0df3],
Backdoor.Senna, I:\important files and folders\Thumbs .db, Quarantined, [b5c7422e6b2fb5810d27cc63966eea16],

Physical Sectors: 0
(No malicious items detected)


(end)


......and then the USB Flash Drive:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/9/2016
Scan Time: 5:25 μμ
Logfile: scan3.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.09.10.04
Rootkit Database: v2016.08.15.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7
CPU: x64
File System: NTFS
User: Barba Xrhstos

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 4
Time Elapsed: 0 min, 15 sec

Memory: Disabled
Startup: Disabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 3
Worm.AutoRun, J:\Thumbs.com, Quarantined, [4c30cea25545e94d6f642816de2640c0],
Backdoor.Senna, J:\Thumbs .db, Quarantined, [3e3e422ea4f68caae3512d02fe067888],
Worm.AutoRun, J:\Mustafa .scr, Quarantined, [fe7e38384456ea4ce7ec89b57c882cd4],

Physical Sectors: 0
(No malicious items detected)


(end)


Malwarebytes did a GREAT job and cleaned that garbage!

The only problem was that it also erased all the data......
But I was prepared for that and so, it was the time to use the Zero Assumption Recovery Tool next.

- Which I did and the software recovered 10.2 GB of files into the Hard Drive!
Though, I have to add that only 5.95 GB were the pictures that we were after. The remaining was ALL those .SCR files-directories which had all the other folders (sort of like "trapped" within them) but they were, of course, unreadable, as well as the thumb.db and autorun.inf virus files! I sort of panicked at first, especially when I saw that thumb.com MSDOS application within the recovered files but I SCANNED the h*ll out of them and they appeared perfectly clean. It was odd but I guess they were just remnants or "hollow, empty shells" or something. I don't know. Of course I deleted those folders permanently.

So, to summarise, this problem was a VIRUS infection, probably the AUTORUN VIRUS and the problem was solved with the following procedure:

1. Scan everything with Malwarebytes.
2. Remove threats.
3. Recover files with Zero Assumption Recovery.
4. Delete ANY suspicious "zombies" recovered and left behind by ZAR.

That basically was it guys!

If there is ANYTHING else that you would like to add, please let me know about it!

You can't imagine how grateful I am to all of you! You helped me incredibly much and taught me so many additional things about the fascinatingly painful world of Computers! XD

I think this thread can be, thankfully, marked as SOLVED now!

Thank you guys, once again, and be sure to keep up the good work helping people out there with both their minor and major computer problems!

Farewell!


Report •
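
The name tricks visible in the two Malwarebytes logs in reply #36 (an executable extension such as `.scr` or `.com`, a space padded in before the extension, an executable named after the folder next to it) can be checked for on a removable drive before anything on it is opened. This is an added example, not part of the original thread; the extension list, the reason tags and the MZ-header check are assumptions of the example, and the sample tree is constructed with dummy contents.

```python
import os
import tempfile
from pathlib import Path

EXEC_EXTS = {".scr", ".com", ".exe", ".pif", ".bat", ".cmd"}  # non-exhaustive, assumed list

def starts_with_mz(path):  # DOS/PE executables begin with the magic bytes "MZ"
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"

def scan_drive(root):
    """Map relative path -> list of reason tags for suspicious files under root."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        folders = {d.lower() for d in dirnames}
        for name in filenames:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            reasons = ["autorun-inf"] if (dirpath == root and name.lower() == "autorun.inf") else []
            if ext.lower() in EXEC_EXTS:
                reasons.append("exec-ext")
                if stem.strip().lower() in folders:
                    reasons.append("folder-twin")   # e.g. "100OLYMP .scr" beside 100OLYMP
            elif starts_with_mz(path):
                reasons.append("mz-under-data-ext")  # executable content, data extension
            if stem != stem.rstrip():
                reasons.append("padded-name")        # space hidden before the extension
            if reasons:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return findings

def build_sample(root):
    """Constructed sample tree: names modelled on the scan logs, contents are dummies."""
    Path(root, "DCIM", "100OLYMP").mkdir(parents=True)
    files = {
        "autorun.inf": b"[autorun]\n",
        "Thumbs.com": b"MZ-dummy",
        "Thumbs .db": b"MZ-dummy",
        "DCIM/100OLYMP .scr": b"MZ-dummy",
        "DCIM/100OLYMP/P9100001.JPG": b"\xff\xd8\xff\xe0dummy",
    }
    for rel, data in files.items():
        Path(root, *rel.split("/")).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, why in sorted(scan_drive(tmp).items()):
            print(rel, why)
```

Pointing `scan_drive` at the drive letter of the stick or camera card, from a machine with AutoPlay disabled, lists the candidates without running or opening any of them.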

#37
September 11, 2016 at 07:33:52
Good to hear. Keep an eye out for any further comments from Johnw.

Always pop back and let us know the outcome - thanks


Report •

