gumdrop
Honorary Members, 57 posts

Everything posted by gumdrop
-
Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
Avira Desktop
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.65.1.1000
CCleaner
Panda Cloud Cleaner
Java 7 Update 10
Java version out of Date!
Adobe Flash Player 11.5.502.135
Adobe Reader XI
Mozilla Firefox (17.0.1)
Mozilla Thunderbird (17.0.)
````````Process Check: objlist.exe by Laurent````````
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
CheckPoint ZoneAlarm vsmon.exe
CheckPoint ZoneAlarm zatray.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 8%
````````````````````End of Log``````````````````````
-
The thread started because Malwarebytes found a Stolen Data file, win32/help.txt. I had wanted to open it to find out what it said, or was connected to. It resides in Malwarebytes Quarantine. Can I restore it and take a look without a problem? Thanks.

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-12-23 21:24:59
-----------------------------
21:24:59.890 OS Version: Windows 5.1.2600 Service Pack 3
21:24:59.890 Number of processors: 2 586 0x304
21:24:59.890 ComputerName: DELL UserName:
21:25:00.234 Initialize success
21:26:23.687 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:26:23.703 Disk 0 Vendor: WDC_WD800JD-08LSA0 09.01D09 Size: 76324MB BusType: 3
21:26:23.703 Disk 0 MBR read successfully
21:26:23.703 Disk 0 MBR scan
21:26:23.703 Disk 0 Windows XP default MBR code
21:26:23.703 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 18010 MB offset 63
21:26:23.734 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 23454 MB offset 36885240
21:26:23.750 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 34859 MB offset 84919590
21:26:23.750 Disk 0 scanning sectors +156312450
21:26:23.812 Disk 0 scanning C:\WINDOWS\system32\drivers
21:26:28.609 Service scanning
21:26:35.421 Modules scanning
21:26:53.453 Scan finished successfully
21:27:25.171 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
21:27:25.171 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
Avira Desktop
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.65.1.1000
CCleaner
Panda Cloud Cleaner
Java 6 Update 37
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 11.5.502.135
Adobe Reader 10.1.2 Adobe Reader out of Date!
Mozilla Firefox 15.0.1 Firefox out of Date!
Mozilla Thunderbird (17.0.)
````````Process Check: objlist.exe by Laurent````````
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
CheckPoint ZoneAlarm zatray.exe
CheckPoint ZoneAlarm vsmon.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 6%
````````````````````End of Log``````````````````````

Farbar Service Scanner Version: 23-12-2012
Ran by Administrator (administrator) on 23-12-2012 at 21:31:05
Running from "C:\Documents and Settings\Administrator\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) 0x0B00000005000000010000000200000003000000040000000800000056000000070000000A0000000B00000006000000
IpSec Tag value is correct.

**** End of log ****
-
Kevinf80 thanks so much for your help. Could the help.txt file have tried to load software that ZA blocked?
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011
© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_37

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 2.992000 GHz
Memory total: 2138025984, free: 1498341376

------------ Kernel report ------------
     12/23/2012 16:40:50
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
PCIIde.sys
\WINDOWS\System32\Drivers\PCIIDEX.SYS
intelide.sys
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
sr.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
timntr.sys
snapman.sys
ohci1394.sys
\WINDOWS\system32\DRIVERS\1394BUS.SYS
Mup.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\ialmnt5.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\e1000325.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\System32\Drivers\incdrm.SYS
\SystemRoot\System32\DRIVERS\InCDPass.sys
\SystemRoot\system32\drivers\smwdm.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\senfilt.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\InCDrec.SYS
\SystemRoot\System32\Drivers\InCDfs.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\vsdatant.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\System32\drivers\truecrypt.sys
\SystemRoot\system32\DRIVERS\ssmdrv.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\DRIVERS\avkmgr.sys
\SystemRoot\system32\DRIVERS\avipbb.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ialmdnt5.dll
\SystemRoot\System32\ialmrnt5.dll
\SystemRoot\System32\ialmdev5.DLL
\SystemRoot\System32\ialmdd5.DLL
\SystemRoot\system32\DRIVERS\avgntflt.sys
\SystemRoot\system32\DRIVERS\tifsfilt.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
\??\C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\System32\Drivers\Aspi32.SYS
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\HTTP.sys
\??\c:\documents and settings\administrator\local settings\temp\55702B0177.sys
\??\c:\documents and settings\administrator\local settings\temp\6E3251A218.sys
\SystemRoot\System32\ATMFD.DLL
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8a6bfab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
Lower Device Object: 0xffffffff8a68fb00
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
DriverEntry returned 0x0
Function returned 0x0
Downloaded database version: v2012.12.23.05
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8a6bfab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8a6879e0, DeviceName: Unknown, DriverName: \Driver\snapman\
DevicePointer: 0xffffffff8a6c3930, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8a6bfab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8a68fb00, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Upper DeviceData: 0xffffffffe41497f0, 0xffffffff8a6bfab8, 0xffffffff88d6b180
Lower DeviceData: 0xffffffffe41cf720, 0xffffffff8a68fb00, 0xffffffff891c60e0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\WINDOWS\system32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: A1CCA1CC
Partition information:
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 36885177
    Partition file system is NTFS
    Partition is bootable
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 36885240  Numsec = 48034350
    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 84919590  Numsec = 71392860
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
Disk Size: 80032038912 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-62-156292576-156312576)...
Done!
Performing system, memory and registry scan...
Done!
Scan finished
=======================================

Malwarebytes Anti-Rootkit 1.01.0.1011
www.malwarebytes.org

Database version: v2012.12.23.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: DELL [administrator]

23/12/2012 16:50:29
mbar-log-2012-12-23 (16-50-29).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 24580
Time elapsed: 8 minute(s), 35 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
-
Ran Dr Web custom scan. Much faster than express. Checked all boxes in options and asked for threats to be quarantined. Haven't found a location for that as yet. Again having problems pasting the log so have just copied the details at the end of log. I have complete logs of both custom and express scans if you want me to send them as attachments.

E:\System Volume Information\_restore{A905BF95-856D-4F30-B825-676D18C0571B}\RP4\A0008894.scr - quarantined
E:\System Volume Information\_restore{A905BF95-856D-4F30-B825-676D18C0571B}\RP4\A0010090.scr - quarantined
E:\System Volume Information\_restore{A905BF95-856D-4F30-B825-676D18C0571B}\RP6\A0010339.exe - quarantined
E:\System Volume Information\_restore{A905BF95-856D-4F30-B825-676D18C0571B}\RP7\A0010420.exe - quarantined

Total 4906196498 bytes in 28814 files scanned (48009 objects)
Total 28798 files (47989 objects) are clean
Total 4 files are infected
Total 4 files are neutralized
Total 16 files are raised error condition
Scan time is 00:39:19.953
-
I'm having problems with your instructions. Should I cancel EPM? I have done so and ignored "select objects for scanning". The express scan then runs and the results are shown below. When I get to the end I find a button saying Neutralize and I click it. I can find no way into Complete Scan. Apologies if I am missing the obvious. I'm also getting a message saying the log is too long. I will delete all but the end! I needed to interrupt the scan; the second started at "Scan session started 2012/12/22 21:03:50" and is posted separately.

=============================================================================
Dr.Web Scanner SE for Windows v7.0.100.12030
© Doctor Web, Ltd., 1992-2012
Scan session started 2012/12/22 16:11:11
Module location : c:\documents and settings\administrator\local settings\temp\D17B38F4-A3C7B95C-DB9A8C54-AFAA4714\
=============================================================================

-----------------------------------------------------------------------------
Start curing
-----------------------------------------------------------------------------
C:\WINDOWS\system32\drivers\etc\hosts - cured, reboot required

Total 700294896 bytes in 1470 files scanned (1683 objects)
Total 1470 files (1679 objects) are clean
Total 1 file are suspicious
Total 1 file are neutralized
Total 3 files are raised error condition
Scan time is 00:06:09.235

Dr.Web Scanner SE for Windows v7.0.100.12030
© Doctor Web, Ltd., 1992-2012
Scan session started 2012/12/22 21:03:50
Module location : c:\documents and settings\administrator\local settings\temp\DCEE50E0-DA0063E0-19F5E5CF-69FA38E\

Total 2748571786 bytes in 25270 files scanned (41631 objects)
Total 25237 files (41592 objects) are clean
Total 16 files are infected
Total 2 files (6 objects) are suspicious
Total 18 files (22 objects) are neutralized
Total 19 files are raised error condition
Scan time is 00:34:29.985
-
Used Panda Cloud this morning with the following "suspicious policy". I haven't changed this.

Suspicious Policy.
POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[sUPERHIDDEN] to be changed to: 0
-
A follow up to yesterday. After disabling Antivirus & Firewall, ESET noted that they were detected and might affect the scan. As noted previously, after disabling Real Time Protection in Antivir the umbrella is closed, the Antivir program avgnt.exe still remains in startup, and if I try to disable that Antivir brings up a page saying that it had blocked the registry change. However avgnt.exe is then shown as disabled. Opening win32\help.txt: I presume I would need to restore this from Malwarebytes Quarantine to be able to open it. If I do this is there any likelihood of causing further problems?
-
Hi. Partition E is purely saved data, and all the noted items are in a folder with years of computer info, downloads etc. So I don't know whether these are current problems. But maybe the whole folder should be removed from the online PC?
-
Farbar Service Scanner Version: 10-12-2012
Ran by Administrator (administrator) on 21-12-2012 at 18:46:31
Running from "C:\Documents and Settings\Administrator\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) 0x0B00000005000000010000000200000003000000040000000800000056000000070000000A0000000B00000006000000
IpSec Tag value is correct.

**** End of log ****
-
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=8
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6844
# api_version=3.0.2
# EOSSerial=5c00f9a3ea2f53459247bfb6627b7694
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-12-21 06:39:32
# local_time=2012-12-21 06:39:32 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1799 16775165 100 97 24405 126782877 20766 0
# compatibility_mode=9217 16777214 75 4 82627 82627 0 0
# scanned=189670
# found=4
# cleaned=0
# scan_time=5460
E:\0 Computers\0 dell\modem\cnet_ham4472win2kxp_exe.exe    a variant of Win32/InstallCore.D application (unable to clean)    BED5F42EADAD237544BE8B82BEB2A22539016730    I
E:\0 Computers\0 video capture\OrbitDownloaderSetup3005.exe    Win32/OpenCandy application (unable to clean)    387B25505673FC6FA6A42DFD3763BCF71EA55893    I
E:\0 Computers\0 video capture\OrbitSetup4.1.02.exe    Win32/OpenCandy application (unable to clean)    ACB832AEC89467DFBD083ED618A9C2A24F87725F    I
E:\registry booster\registrybooster.exe    a variant of Win32/RegistryBooster application (unable to clean)    59D15216A3E5C38209C825C0B857F8929571E0E5    I
-
Hi, clean again. Would you assume nothing beyond the help.txt infection was put on the machine? The system is working fine with no problems as yet. None of our passwords were tampered with prior to us changing them. Would checking out the .txt message make sense or should we forget it? Now I have Emis maybe I will run it occasionally to check. Thanks very much for all your help and patience and enjoy the holidays, working or not. gumdrop

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.20.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: DELL [administrator]

20/12/2012 18:19:45
mbam-log-2012-12-20 (18-19-45).txt

Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 376193
Time elapsed: 46 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
-
Thanks so much for your persistence, this time we got some results. Are either serious or may there still be a problem? We downloaded the Emis updates prior to the scan so used their latest definitions. Is it possible to send the infected text file from quarantine to you to take a look at? Would that point to anything? As mentioned the infected machine is being kept off the internet unless absolutely necessary. Is it now safe to hook it back up?

Emsisoft Emergency Kit - Version 3.0
Last update: 20/12/2012 07:13:35

Scan settings:

Scan type: Deep Scan
Objects: Rootkits, Memory, Traces, C:\, D:\, E:\

Detect Riskware: Off
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start: 20/12/2012 07:15:02
Key: hkey_users\s-1-5-21-1409082233-308236825-682003330-500\software\toolbar detected: Trace.Registry.WebSearchToolbar (A)
E:\0 Computers\0 video capture\OrbitDownloaderSetup.exe detected: Adware.Win32.OpenCandy.AMN (A)

Scanned 499268
Found 2

Scan end: 20/12/2012 11:34:44
Scan time: 4:19:42

E:\0 Computers\0 video capture\OrbitDownloaderSetup.exe Quarantined Adware.Win32.OpenCandy.AMN (A)
Key: hkey_users\s-1-5-21-1409082233-308236825-682003330-500\software\toolbar Quarantined Trace.Registry.WebSearchToolbar (A)

Quarantined 2
-
Followed instructions but when trying to extract get message saying nothing to extract, file size 246481kb, left clicked zip and get invalid or corrupted. I think it's time to recover a backup image from before the infection but as there are other partitions on the hdd containing data I think we should scan the recovered system to see if anything remains from the infection. I realize that it would be difficult to judge what might have been taken but could you give me an intuitive response, passwords rather than word documents for example. I will not recover until the morning as you may wish to get back to me. Many thanks for your efforts.
-
Sorry I took it off. It is now back on and definitions up to date. I took it off because I could disable real time protection but not AVGNT. ZA must have been preventing the change because now with ZA off the machine AVGNT can be disabled. Avira called up both Spybot & Malwarebytes as incompatible during re-installation but I would guess they don't differentiate just anti-virus from their complete suites. Again apologies for wasting time.
-
Have just tried the Defender Offline tool made on my netbook and then used on the infected machine, with the same result of power down after 5 mins.
-
Hi. As the infected PC is not being used for anything at present and is disconnected from the internet I have un-installed both Antivir & Zonealarm. Booting from Defender's media as you set out is still not working, 5 mins and it's asking for a restart.
-
Created DVD successfully and changed startup to cd-rom. Booted up, asked to hit any key to boot from CD-rom, ok, black screen blue logo, 5 mins and error code as before, push button to power down PC. Windows is password protected, do I need to change that?
-
No, I was using F12. Boot sequence does not have flash drive, just diskette, hdd, cdrom, integrated NIC. F12 does have flash drive. I guess I will need to download software and use cdrom?
-
Thanks again but still not a lot of luck. I created media on a usb flash drive and Defender was happy with the creation. Set the PC running and a black screen with a blue windows logo came up, the usb flashing away. After 5 mins an error message came up, 0x0000005D, telling me to hold down the power button as the system needed to re-start. I decided to re-install the tool but instead of re-formatting Defender just added 68mb of data and again said it was happy. Again after 5 mins the same error message to restart. I thought of trying it via DVD but that requires yet more software to be used. What would you advise? I will not have time until early tomorrow to try again. Thanks
-
Thanks for the response. If we can check the problem that would be good as it might indicate any data that has been taken. I have started changing passwords on a separate netbook. I have tried getting combo to run all day; the last time it asked ZA to allow Catchme and then mbr.3XE. The windows clock froze at that time. The cursor is still alive in the blue combo box but nothing is happening. As much as possible I am keeping the infected machine disabled from the internet. Please let me know what we can try next. If all fails I do have a clean acronis image but it will be a couple of months old.
-
I ran 2 scans over night. The first started as described above and the windows clock stopped 1 min after combo-fix said it was scanning. Left it for 2 hours with no result. PC frozen. At 07.16 this morning I deleted combo-fix and downloaded it again and changed its name before it downloaded. Turned off avira and left ZA running. Again combo tried to make a new restore point and told me it was scanning. I allowed all ZA alerts and the scan continued for 95mins before the monitor shutdown kicked in and froze the PC. Up to that time windows clock was running. I will try again leaving more time before the monitor turns itself off. In the blue combo screen nothing was added after the note saying heavily infected computers took a long time to scan.
-
Hi. I didn't try to restore; combo-fix on its blue dialog box said that was what it was trying to do, to set a new restore point. It has installed recovery because that now shows at each logon. After that it seems to stall, the clock in the bottom right stops working. I left the first scan for 50 mins, I will try tomorrow for longer. I am getting concerned about the data that might be being removed and would like your advice on immediate precautions. Would changing passwords now work or would the new password be stolen as it's changed? And would it be appropriate to use a previous Acronis backup from before the infection to get rid of any problem? The problem then is that I would never know what had hit me and what I might have lost. Your advice please.
-
Combo-fix.exe
-
Cannot get Combofix to work. Downloaded with changed name, firewall and anti-virus disabled, clicked run, tried to make restore point, found recovery not installed, installed, ok. Then 3 lines of text on a blue background: Scanning for infected files, Typically ....10 mins, Badly infected........double, and then the PC freezes and I need to power off on the tower. Used Link 1, Link 2 seemed in code.
-
Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/17/2012 04:57:32 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\WINDOWS\system32\igfxtray.exe (PID: 1440) [WD-HEUR]
* C:\WINDOWS\system32\hkcmd.exe (PID: 1500) [WD-HEUR]

2 proccesses terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

* HKLM\Software\Classes\.exe\shell found and deleted!

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* System Restore Service (srservice) is not Running.
Startup Type set to: Automatic

* System Restore Filter Driver (sr) is not Running.
Startup Type set to: Disabled

* HidServ [Missing ServiceDLL Value]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* Cannot edit the HOSTS file.
* Permissions Fixed. Administrators can now edit the HOSTS file.
* HOSTS file entries found:

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com

20 out of 14988 HOSTS entries shown.
Please review HOSTS file for further entries.

Program finished at: 12/17/2012 04:58:11 PM
Execution time: 0 hours(s), 0 minute(s), and 39 seconds(s)