
Still lurking...



I have been recently infected. Noticed immediately and began running scans. Spybot got shut down in the middle. Malwarebytes took over 24 hrs for full scan and 8 hrs for quick scan. Repaired what was found. After research, installed avira antivir downloaded from a clean computer, via thumb drive. Found 83 problems. Repaired all and re-ran. Found 14. Same procedure again. Then tried to run Malwarebytes. Still took 8 hrs to run in quick scan. Seems to me like something is still lurking in the background. Attached are the MBAM and HJT logs after the last av-antiv clean up. Can you see anything of concern?

Malwarebytes' Anti-Malware 1.39

Database version: 2477

Windows 5.1.2600 Service Pack 3

7/24/2009 4:28:40 PM

mbam-log-2009-07-24 (16-28-40).txt

Scan type: Quick Scan

Objects scanned: 137961

Time elapsed: 7 hour(s), 51 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:25:08 AM, on 7/25/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTSvcCDA.EXE

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\Program Files\TomTom HOME\TomTomHOME.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\FinePixViewerS\QuickDCF2.exe

C:\Program Files\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.turbotax.com

O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 9540 bytes

Many thanks,

Mark

mbam_log_2009_07_24__16_28_40_.txt

Hello mskidavis and welcome to MalwareBytes forums.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not mskidavis and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Have infinite patience while any of these are running (especially with Combofix below)

Do NOT do any websurfing; nor play online games.

Only go to websites I guide you to and to this forum.

Next, temporarily disable Avira's real time scanner.

Right Click the red-umbrella Avira icon in system tray and UN-check the line for "Avira Guard enable" (if it is checked). {and reverse after you've finished with all of these steps below}

You will get a message window from Security Center about this. Press the X to close the window.

Right click the Spybot Icon in the system tray (notification area).

  • If you have the new version, click once on Resident Protection and make sure it is Unchecked.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    Exit Spybot S&D when done and reboot the system so the changes are in effect.

=

Next, Close all browsers and all other programs that you have started.

Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present

O4 - HKLM\..\Run: [pbtvis] reg C:\WINDOWS\System32\veubbdo.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer (or any other window) is closed when you click Fix Checked!

=

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

=

Next, Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under Hidden files and folders, select Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Next, Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files & temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3

(screenshot: CF_download_FF.gif)

(screenshot: CF_download_rename.gif)

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(screenshot: RcAuto1.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot: whatnext.png)

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:

(screenshot: Rookit_found.gif)

then be sure to write it down fully, copy it into your next reply here, and then await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

=

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 2504 or later. The latest program version is 1.39 (released July 13)

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with a copy of C:\Combofix.txt and the latest MBAM scan log.
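The HijackThis log in the first post and the "Fix Checked" step above both hinge on reading HJT lines by their type. As an added example (not code from this thread, from Trend Micro or from Malwarebytes), the Python below parses the line formats that appear in the posted log (running processes, R0, O4, O16, O23) into structured entries and lists the ones worth a second look. Two of the review rules, "(file missing)" and "Unknown owner", are taken straight from the posted log; the third, an O4 run value whose command does not begin with a file path, is an illustrative heuristic of mine, not the helper's reasoning. The sample lines are copied from the logs on this page; `Entry`, `parse_hjt` and `review` are names I chose.

```python
"""Parse HijackThis (HJT) log lines into entries and flag the ones that deserve review."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the HJT log posted above (lines copied from it).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.turbotax.com
O4 - HKLM\..\Run: [pbtvis] reg C:\WINDOWS\System32\veubbdo.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
--
End of file - 9540 bytes
"""


@dataclass
class Entry:
    kind: str                   # "R0", "O4", "O16", "O23"
    name: str                   # run-value name, service name, ActiveX name, or registry value name
    target: str                 # command line, service path, download URL, or registry data
    owner: str = ""             # O23 only: vendor string HJT reports for the service
    file_missing: bool = False  # O23 only: HJT could not find the service binary on disk
    raw: str = ""               # the original log line


# Line shapes as they appear in the posted log.
_O4 = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]*\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
# name/owner/path are separated by " - "; the optional "(file missing)" suffix is captured separately.
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
_R = re.compile(r"^(?P<kind>R[0-3]) - (?P<key>.+?),(?P<value>[^=]+?) = (?P<data>.*)$")
_ITEM = re.compile(r"^[RFNO]\d+ - ")   # any typed HJT item line; ends the "Running processes:" block
# A run value that starts with a drive path or an %ENV% path, optionally quoted.
_PATH_START = re.compile(r'^(?:"?[A-Za-z]:\\|"?%[A-Za-z_]+%\\)')


def parse_hjt(text):
    """Return (running_processes, entries) for the HJT log text."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs and not _ITEM.match(line):
            processes.append(line)      # one executable path per line until the first typed item
            continue
        in_procs = False
        m = _O4.match(line)
        if m:
            entries.append(Entry("O4", m["name"], m["cmd"], raw=line))
            continue
        m = _O16.match(line)
        if m:
            entries.append(Entry("O16", m["name"], m["url"], raw=line))
            continue
        m = _O23.match(line)
        if m:
            entries.append(Entry("O23", m["name"], m["path"], owner=m["owner"],
                                 file_missing=m["missing"] is not None, raw=line))
            continue
        m = _R.match(line)
        if m:
            entries.append(Entry(m["kind"], m["value"], m["data"], raw=line))
        # header, "--" and "End of file" lines are ignored
    return processes, entries


def review(entries):
    """Map entry name -> list of reasons it deserves a closer look."""
    findings = {}
    for e in entries:
        reasons = []
        if e.kind == "O23" and e.owner == "Unknown owner":
            reasons.append("unknown owner")          # HJT found no vendor for the service
        if e.kind == "O23" and e.file_missing:
            reasons.append("file missing")           # service registered but binary absent
        if e.kind == "O4" and not _PATH_START.match(e.target):
            # Illustrative heuristic (mine): autostart values normally hold a plain executable path
            reasons.append("run value is not a plain executable path")
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    procs, items = parse_hjt(SAMPLE_LOG)
    print(f"{len(procs)} running processes, {len(items)} typed entries")
    for name, why in review(items).items():
        print(f"review: {name}: {', '.join(why)}")
```

Run it as a script to see the three flagged entries from the sample; pass the full log text to `parse_hjt` to apply the same rules to a complete HJT log.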

Hi Maurice,

Sorry, my reply yesterday was to thank you for the detailed instructions and let you know I hadn't had time to perform the required tasks. I did so today and have attached the scans you asked for. Also, I ran combofix in safe mode and tried to get a wireless internet connection but was unable. So I took the chance of running without the Windows recovery console. Additionally I failed to run the ATF on all accounts, but did so after the combofix scan and log. Untrained, I am unable to guess at the name of the virus/malware/trojan you think I might have.

Thanks again for your assistance! Your humanitarian efforts are greatly appreciated!!!!!!!!

Scan logs to follow:

Mark

Malwarebytes' Anti-Malware 1.39

Database version: 2512

Windows 5.1.2600 Service Pack 3

7/27/2009 5:10:59 PM

mbam-log-2009-07-27 (17-10-59).txt

Scan type: Quick Scan

Objects scanned: 127249

Time elapsed: 31 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ComboFix 09-07-26.01 - Mark 07/27/2009 12:15.2.2 - NTFSx86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.498 [GMT -5:00]

Running from: G:\Combo-Fix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Mark\Local Settings\Temporary Internet Files\search.html

c:\documents and settings\Mark\Local Settings\Temporary Internet Files\Tvm.log

c:\recycled\DC0

c:\recycled\DC106

c:\recycled\DC107

c:\recycled\DC108

c:\recycled\DC111

c:\recycled\DC12

c:\recycled\DC120

c:\recycled\DC124

c:\recycled\DC125

c:\recycled\DC26

c:\recycled\DC31

c:\recycled\DC4

c:\recycled\DC42

c:\recycled\DC50

c:\recycled\DC53

c:\recycled\DC56

c:\recycled\DC57

c:\recycled\DC58

c:\recycled\DC68

c:\recycled\DC69

c:\recycled\DC71

c:\recycled\DC77

c:\recycled\DC78

c:\recycled\DC8

c:\recycled\DC95

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\Installer\12175e3.msi

c:\windows\Installer\5707429.msp

c:\windows\Installer\e315b88.msi

c:\windows\Installer\e315b9b.msi

.

((((((((((((((((((((((((( Files Created from 2009-06-27 to 2009-07-27 )))))))))))))))))))))))))))))))

.

2009-07-23 16:15 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-07-23 16:15 . 2009-03-24 21:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-07-23 16:15 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-07-23 16:15 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-07-23 16:15 . 2009-07-23 16:15 -------- d-----w- c:\program files\Avira

2009-07-23 16:15 . 2009-07-23 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-27 16:49 . 2009-07-27 16:49 73742 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_07_27_10_41_28_small.dmp.zip

2009-07-27 16:49 . 2009-07-27 16:49 92922 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_07_27_10_39_40_small.dmp.zip

2009-07-27 15:41 . 2009-07-27 15:42 1984000 ----a-w- c:\windows\Internet Logs\xDBE.tmp

2009-07-27 15:41 . 2009-07-27 15:42 8192 ----a-w- c:\windows\Internet Logs\xDBD.tmp

2009-07-27 15:39 . 2009-07-27 15:41 1984000 ----a-w- c:\windows\Internet Logs\xDBC.tmp

2009-07-27 15:39 . 2009-07-27 15:41 3438080 ----a-w- c:\windows\Internet Logs\xDBB.tmp

2009-07-27 00:45 . 2008-04-25 12:05 1174162 ----a-w- c:\windows\Internet Logs\tvDebug.Zip

2009-07-21 01:42 . 2008-09-16 02:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-21 01:42 . 2008-09-16 02:34 3775175 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-07-13 18:36 . 2008-09-16 02:33 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-13 18:36 . 2008-09-16 02:33 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-06 01:27 . 2004-02-12 17:54 -------- d-----w- c:\program files\Common Files\Adobe

2009-06-25 23:17 . 2003-12-27 02:26 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-06-25 22:50 . 2005-12-24 23:51 -------- d-----w- c:\program files\EA SPORTS

2009-06-20 15:58 . 2008-12-02 02:33 256 ----a-w- c:\windows\system32\pool.bin

2009-06-20 00:33 . 2009-06-20 01:14 1927680 ----a-w- c:\windows\Internet Logs\xDBA.tmp

2009-06-19 15:15 . 2009-06-19 15:15 69632 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{51D7494B-6C54-468F-98E1-1A9997C89329}\DesktopMgr.exe

2009-06-19 15:15 . 2009-06-19 15:15 6502 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{51D7494B-6C54-468F-98E1-1A9997C89329}\RedirectorEXE2_770DFD1204C24F4DA163D64FACCB5CBD.exe

2009-06-19 15:15 . 2009-06-19 15:15 6502 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{51D7494B-6C54-468F-98E1-1A9997C89329}\RedirectorEXE1_770DFD1204C24F4DA163D64FACCB5CBD.exe

2009-06-19 15:15 . 2009-06-19 15:15 6502 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{51D7494B-6C54-468F-98E1-1A9997C89329}\RedirectorEXE_770DFD1204C24F4DA163D64FACCB5CBD.exe

2009-06-19 15:15 . 2009-06-19 15:15 26694 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{51D7494B-6C54-468F-98E1-1A9997C89329}\NewShortcut600_C6ABA3677F944B9FBB00F060701B0B5A.exe

2009-06-19 15:15 . 2009-06-19 15:15 26694 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{51D7494B-6C54-468F-98E1-1A9997C89329}\NewShortcut60_C6ABA3677F944B9FBB00F060701B0B5A.exe

2009-06-19 15:15 . 2009-06-19 15:15 26694 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{51D7494B-6C54-468F-98E1-1A9997C89329}\NewShortcut6_C6ABA3677F944B9FBB00F060701B0B5A.exe

2009-06-19 15:15 . 2009-06-19 15:15 26694 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{51D7494B-6C54-468F-98E1-1A9997C89329}\NewShortcut5_C6ABA3677F944B9FBB00F060701B0B5A.exe

2009-06-19 15:15 . 2009-06-19 15:15 26694 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{51D7494B-6C54-468F-98E1-1A9997C89329}\NewShortcut4_C6ABA3677F944B9FBB00F060701B0B5A.exe

2009-06-19 15:15 . 2009-06-19 15:15 26694 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{51D7494B-6C54-468F-98E1-1A9997C89329}\NewShortcut3_C6ABA3677F944B9FBB00F060701B0B5A.exe

2009-06-19 15:15 . 2009-06-19 15:15 26694 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{51D7494B-6C54-468F-98E1-1A9997C89329}\NewShortcut12_C6ABA3677F944B9FBB00F060701B0B5A.exe

2009-06-19 15:12 . 2008-12-02 01:52 -------- d-----w- c:\program files\Common Files\Research In Motion

2009-06-19 15:01 . 2009-01-04 17:22 256 ----a-w- c:\documents and settings\Mark\pool.bin

2009-06-16 14:36 . 2003-03-31 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-09 22:52 . 2009-06-09 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\2DBoy

2009-06-09 22:51 . 2009-06-09 22:51 -------- d-----w- c:\program files\Brighter Minds Media

2009-06-03 23:41 . 2004-11-29 16:50 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-06-03 19:09 . 2003-03-31 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-05-26 00:45 . 2009-05-26 00:52 1889792 ----a-w- c:\windows\Internet Logs\xDB8.tmp

2009-05-14 18:57 . 2009-05-14 19:10 1879040 ----a-w- c:\windows\Internet Logs\xDB9.tmp

2009-05-07 15:32 . 2003-03-31 12:00 345600 ----a-w- c:\windows\system32\localspl.dll

2009-04-29 04:46 . 2003-03-31 12:00 666624 ----a-w- c:\windows\system32\wininet.dll

2009-04-29 04:46 . 2004-09-26 19:15 81920 ------w- c:\windows\system32\ieencode.dll

2004-03-11 19:27 . 2005-12-29 17:34 40960 ----a-w- c:\program files\Uninstall_CDS.exe

2009-07-24 16:44 . 2008-08-29 12:01 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

2005-01-03 11:14 . 2005-01-03 11:14 11592 --sha-w- c:\windows\system32\llwqo.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-01-09 151597]

"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-06-05 615696]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-09-19 236016]

"TomTomHOME.exe"="c:\program files\TomTom HOME\TomTomHOME.exe" [2007-05-15 3975848]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\Mark\Start Menu\Programs\Startup\

Xfire.lnk.disabled [2008-3-23 650]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2008-8-31 303104]

ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2009-4-25 303104]

Kodak EasyShare software.lnk - c:\program files\Kodak EasyShare software\bin\EasyShare.exe [2006-6-2 180224]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk

backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NaturalColorLoad.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk

backup=c:\windows\pss\NaturalColorLoad.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"EA Core"=c:\program files\Electronic Arts\EADM\Core.exe -silent

"PhotoShow Deluxe Media Manager"=c:\progra~1\Ahead\NEROPH~2\data\xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\EA GAMES\\Need For Speed Underground\\Speed.exe"=

"c:\\Program Files\\EA SPORTS\\NASCAR Thunder TM 2004\\NASCAR_Thunder_2004.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/23/2009 11:15 AM 108289]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]

R3 USR1806;U.S. Robotics Faxmodem Driver 1806;c:\windows\system32\drivers\USR1806.SYS [12/26/2003 1:45 PM 793598]

S1 as6eio;as6eio;c:\windows\system32\drivers\as6eio.sys --> c:\windows\system32\drivers\as6eio.sys [?]

S2 TDKUSBDR;TDK MOJO USB driver;c:\windows\system32\drivers\tdkusbdr.sys [1/9/2005 12:26 PM 11005]

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uSearch Page = hxxp://www.google.com

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: aol.com\free

Trusted Zone: ati.com\www

Trusted Zone: ebay.com\www

Trusted Zone: microsoft.com\windowsupdate

Trusted Zone: turbotax.com

FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\k92y9fej.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.msn.com/

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll

FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll

FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll

FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-27 12:35

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{286D4131-3821-6CBF-08770360589374C2}\{48BEB065-0DEC-1314-6E019AD5B66531AE}\{E2D4EA90-E228-BF00-D20DE2AD05099BA2}*]

"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,

5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)

c:\windows\system32\Ati2evxx.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ZoneLabs\vsmon.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\CTSVCCDA.EXE

c:\windows\system32\ati2evxx.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\MsPMSPSv.exe

c:\program files\Common Files\Real\Update_OB\realevent.exe

c:\program files\Common Files\Real\Update_OB\rnathchk.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-07-27 12:43 - machine was rebooted

ComboFix-quarantined-files.txt 2009-07-27 17:43

ComboFix2.txt 2008-10-02 01:50

Pre-Run: 87,811,725,312 bytes free

Post-Run: 87,225,506,304 bytes free

245 --- E O F --- 2009-07-20 20:10


Tell me what version of ZoneAlarm you have and whether it has antivirus.

Besides that, I'm concerned that your Avira AntiVir is not up-to-date with definitions.

Close any open programs you have, save your work documents if any are open.

Place your USB flash drives in-place so that some of these programs will be able to find them.

I'm going to have you get and run two utilities.

The first stops automatic use of the AutoRun feature of XP. The second will write to any connected devices a Read-only, System protected Autorun.inf file on all of your hard drives, and all connected removable storage devices.

Download and Install Microsoft's TweakUI:

http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx

Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.

Expand the My Computer branch, then the AutoPlay branch, and then select Drives.

Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.

http://download.bleepingcomputer.com/sUBs/...Disinfector.exe

There is no GUI interface or log file produced.

=

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :files
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
    :Commands
    [purity]
    [emptytemp]
    [reboot]


  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=

>

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:

  • Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

>

Reply with copy of the OTL MovedFiles log

the DrWeb Cure-it log

and tell me, How is your system now ?


I can/will follow your instructions. Before doing so, I'd like to know what we're after. What in the log files says there is something definitive causing problems? Much of this stuff runs in the shadows and I might never know it's there, but I would like to know what you see in the logs.

I am only using Zone Alarm as a firewall, info below-

ZoneAlarm version:8.0.298.000

TrueVector version:8.0.298.000

Driver version:8.0.298.000

As for Avira AntiVir, I updated it on 7/23/09 when I downloaded it to a thumb drive from a clean computer.

Before I follow through on next steps I'll wait to hear from you what specifically it is we're trying to eliminate.

Thanks,

Mark


I have completed the tasks you outlined. The logs are attached. I find it odd that some of the new tools you asked me to load contained some of the suspect problems. Please comment on the severity of the trojans identified and removed. Again thank you for your help!

Mark

All processes killed

========== FILES ==========

C:\RECYCLER\S-1-5-21-602162358-884357618-725345543-1011 moved successfully.

C:\RECYCLER\S-1-5-21-602162358-884357618-725345543-1010 moved successfully.

C:\RECYCLER\S-1-5-21-602162358-884357618-725345543-1009 moved successfully.

C:\RECYCLER\S-1-5-21-602162358-884357618-725345543-1006 moved successfully.

C:\RECYCLER\S-1-5-21-602162358-884357618-725345543-1005 moved successfully.

C:\RECYCLER\S-1-5-21-602162358-884357618-725345543-1004 moved successfully.

C:\RECYCLER moved successfully.

File\Folder D:\recycler not found.

File\Folder e:\recycler not found.

File\Folder f:\recycler not found.

File\Folder g:\recycler not found.

File\Folder h:\recycler not found.

========== COMMANDS ==========

C:\WINDOWS\System32\Μicrosoft.NET moved successfully.

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Ashley

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: Jessica

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32969 bytes

User: LocalService

->Temp folder emptied: 0 bytes

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

->Temporary Internet Files folder emptied: 32902 bytes

User: Mark

File delete failed. C:\Documents and Settings\Mark\Local Settings\Temp\~DF6C2E.tmp scheduled to be deleted on reboot.

->Temp folder emptied: 98304 bytes

->Temporary Internet Files folder emptied: 50511 bytes

->Java cache emptied: 5234375 bytes

->FireFox cache emptied: 73182668 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: Tiffany

File delete failed. C:\Documents and Settings\Tiffany\Local Settings\Temp\~DFBCE2.tmp scheduled to be deleted on reboot.

->Temp folder emptied: 98304 bytes

->Temporary Internet Files folder emptied: 32902 bytes

->FireFox cache emptied: 38442277 bytes

User: Tom!

File delete failed. C:\Documents and Settings\Tom!\Local Settings\Temp\~DF34D3.tmp scheduled to be deleted on reboot.

->Temp folder emptied: 98304 bytes

->Temporary Internet Files folder emptied: 32969 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 113205568 bytes

User: Tom&Ty

File delete failed. C:\Documents and Settings\Tom&Ty\Local Settings\Temp\~DF7728.tmp scheduled to be deleted on reboot.

->Temp folder emptied: 98304 bytes

->Temporary Internet Files folder emptied: 32969 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 43515961 bytes

%systemdrive% .tmp files removed: 14149120 bytes

%systemroot% .tmp files removed: 2352485 bytes

%systemroot%\System32 .tmp files removed: 2266641 bytes

File delete failed. C:\WINDOWS\temp\ZLT07fdf.TMP scheduled to be deleted on reboot.

Windows Temp folder emptied: 708 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 279.39 mb

OTL by OldTimer - Version 3.0.10.3 log created on 07292009_082437

info.htm;C:\Documents and Settings\Ashley\Application Data\Aim\osyaweob\axel30303;Trojan.Marllo;Deleted.;

info.htm;C:\Documents and Settings\Ashley\Application Data\Aim\osyaweob\b1gblub4ll69;Trojan.Marllo;Deleted.;

info.htm;C:\Documents and Settings\Ashley\Application Data\Aim\osyaweob\babibubbles909;Trojan.Marllo;Deleted.;

info.htm;C:\Documents and Settings\Ashley\Application Data\Aim\osyaweob\BaByGuRl4LiFe900;Trojan.Marllo;Deleted.;

info.htm;C:\Documents and Settings\Ashley\Application Data\Aim\osyaweob\Eckemp1;Trojan.Marllo;Deleted.;

info.htm;C:\Documents and Settings\Ashley\Application Data\Aim\osyaweob\flirtbabi23;Trojan.Marllo;Deleted.;

info.htm;C:\Documents and Settings\Ashley\Application Data\Aim\osyaweob\Hotchica688;Trojan.Marllo;Deleted.;

info.htm;C:\Documents and Settings\Ashley\Application Data\Aim\osyaweob\hulopinkysquishy;Trojan.Marllo;Deleted.;

info.htm;C:\Documents and Settings\Ashley\Application Data\Aim\osyaweob\kissmeimry4n;Trojan.Marllo;Deleted.;

info.htm;C:\Documents and Settings\Ashley\Application Data\Aim\osyaweob\megdalilgangsta;Trojan.Marllo;Deleted.;

info.htm;C:\Documents and Settings\Ashley\Application Data\Aim\osyaweob\Metel2theEnd;Trojan.Marllo;Deleted.;

info.htm;C:\Documents and Settings\Ashley\Application Data\Aim\osyaweob\SexiBtchs4;Trojan.Marllo;Deleted.;

info.htm;C:\Documents and Settings\Ashley\Application Data\Aim\osyaweob\sugerbabi332;Trojan.Marllo;Deleted.;

info.htm;C:\Documents and Settings\Ashley\Application Data\Aim\osyaweob\sweetlilgymnast8;Trojan.Marllo;Deleted.;

info.htm;C:\Documents and Settings\Ashley\Application Data\Aim\osyaweob\westwrestler2069;Trojan.Marllo;Deleted.;

info.htm;C:\Documents and Settings\Ashley\Application Data\Aim\osyaweob\Xx8SuGaNSpIcE8xX;Trojan.Marllo;Deleted.;

~MySetup.exe;C:\Documents and Settings\Ashley\Local Settings\Temp;Adware.Delfin;Incurable.Moved.;

tizupd.bin\data002;C:\Documents and Settings\Jessica\Application Data\tizupd.bin;Trojan.MulDrop.2923;;

tizupd.bin;C:\Documents and Settings\Jessica\Application Data;Archive contains infected objects;Moved.;

tizupd.bin\data002;C:\Documents and Settings\Mark\Application Data\tizupd.bin;Trojan.MulDrop.2923;;

tizupd.bin;C:\Documents and Settings\Mark\Application Data;Archive contains infected objects;Moved.;

Flash_Disinfector.exe\nircmd.exe;C:\Documents and Settings\Mark\Desktop\Flash_Disinfector.exe;Tool.NirCmd.1;;

Flash_Disinfector.exe;C:\Documents and Settings\Mark\Desktop;Archive contains infected objects;Moved.;

bpftpserver_install.exe\data002;C:\Program Files\BPFTP\Recommended Software\bpftpserver_install.exe;Program.BpFTP.3;;

bpftpserver_install.exe;C:\Program Files\BPFTP\Recommended Software;Archive contains infected objects;Moved.;

NPZoneSB.dll;C:\Program Files\Mozilla Firefox\plugins;Adware.MyWebSearch.22;Incurable.Moved.;

NPZONESB.DLL;C:\Program Files\ZoneAlarmSB\bar\1.bin;Adware.MyWebSearch.22;Incurable.Moved.;

A0237539.exe\nircmd.exe;C:\System Volume Information\_restore{3BA4C817-8321-4A24-9839-51293753452A}\RP1631\A0237539.exe;Tool.NirCmd.1;;

A0237539.exe;C:\System Volume Information\_restore{3BA4C817-8321-4A24-9839-51293753452A}\RP1631;Archive contains infected objects;Moved.;

A0237540.exe\data002;C:\System Volume Information\_restore{3BA4C817-8321-4A24-9839-51293753452A}\RP1631\A0237540.exe;Program.BpFTP.3;;

A0237540.exe;C:\System Volume Information\_restore{3BA4C817-8321-4A24-9839-51293753452A}\RP1631;Archive contains infected objects;Moved.;

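Mark's question above about what was actually done with each listed item comes down to how Dr.Web CureIt writes its report: a file found inside an archive gets its own line with an empty action field, the archive itself gets an "Archive contains infected objects" line carrying the real action, and paths under System Volume Information\_restore are restore-point snapshots. The following Python example is added here (it is not Dr.Web's or the forum's code) and reconciles those records; the sample lines are copied from the DrWeb.csv posted above.

```python
"""Reconcile a Dr.Web CureIt report (DrWeb.csv). Added example, not Dr.Web's code."""
from collections import Counter
from dataclasses import dataclass

# Lines taken from the DrWeb.csv in the post above; layout is object;location;threat;action;
DRWEB_SAMPLE = r"""
info.htm;C:\Documents and Settings\Ashley\Application Data\Aim\osyaweob\axel30303;Trojan.Marllo;Deleted.;
~MySetup.exe;C:\Documents and Settings\Ashley\Local Settings\Temp;Adware.Delfin;Incurable.Moved.;
tizupd.bin\data002;C:\Documents and Settings\Mark\Application Data\tizupd.bin;Trojan.MulDrop.2923;;
tizupd.bin;C:\Documents and Settings\Mark\Application Data;Archive contains infected objects;Moved.;
Flash_Disinfector.exe\nircmd.exe;C:\Documents and Settings\Mark\Desktop\Flash_Disinfector.exe;Tool.NirCmd.1;;
Flash_Disinfector.exe;C:\Documents and Settings\Mark\Desktop;Archive contains infected objects;Moved.;
A0237539.exe\nircmd.exe;C:\System Volume Information\_restore{3BA4C817-8321-4A24-9839-51293753452A}\RP1631\A0237539.exe;Tool.NirCmd.1;;
A0237539.exe;C:\System Volume Information\_restore{3BA4C817-8321-4A24-9839-51293753452A}\RP1631;Archive contains infected objects;Moved.;
"""

CONTAINER = "Archive contains infected objects"
NO_ACTION = "(no action recorded)"


@dataclass(frozen=True)
class Detection:
    obj: str        # file name, or archive\member for something found inside an archive
    location: str   # directory, or the archive's full path when obj is a member
    threat: str
    action: str     # "Deleted.", "Moved.", "Incurable.Moved.", or "" on member lines

    @property
    def is_container(self) -> bool:
        return self.threat == CONTAINER

    @property
    def is_member(self) -> bool:
        return "\\" in self.obj

    @property
    def in_restore_point(self) -> bool:
        # Copies under _restore are System Restore snapshots; they only come back if a
        # restore point is applied, which is why scanners keep finding them.
        return "\\system volume information\\_restore" in self.location.lower()

    @property
    def category(self) -> str:
        # Dr.Web names read Trojan.Marllo, Tool.NirCmd.1, Adware.MyWebSearch.22: the
        # first dotted component is the category.
        return self.threat.split(".")[0]


def parse_drweb_csv(text: str) -> list[Detection]:
    """Parse DrWeb.csv lines (semicolon separated, trailing empty field)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"unexpected DrWeb.csv line: {line!r}")
        records.append(Detection(*fields[:4]))
    return records


def resolve_actions(records: list[Detection]) -> list[tuple[str, str, str, bool]]:
    """For every real detection (container lines excluded) return
    (threat, full path, effective action, in_restore_point). A member inherits
    the action Dr.Web recorded on its archive's container line."""
    containers = {(r.location + "\\" + r.obj).lower(): r.action
                  for r in records if r.is_container}
    resolved = []
    for r in records:
        if r.is_container:
            continue
        if r.is_member:
            full = r.location + "\\" + r.obj.split("\\", 1)[1]
            action = containers.get(r.location.lower(), "")
        else:
            full = r.location + "\\" + r.obj
            action = r.action
        resolved.append((r.threat, full, action or NO_ACTION, r.in_restore_point))
    return resolved


def summarize(records: list[Detection]) -> dict:
    """Counts per Dr.Web category plus the items that still need attention."""
    resolved = resolve_actions(records)
    return {
        "by_category": Counter(r.category for r in records if not r.is_container),
        "unresolved": [path for _, path, action, _ in resolved if action == NO_ACTION],
        "restore_point_copies": [path for _, path, _, rp in resolved if rp],
    }


if __name__ == "__main__":
    for threat, path, action, rp in resolve_actions(parse_drweb_csv(DRWEB_SAMPLE)):
        print(f"{threat:<22} {action:<18} {'[restore point] ' if rp else ''}{path}")
    print(summarize(parse_drweb_csv(DRWEB_SAMPLE))["by_category"])
```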

Hello Mark,

Let's proceed and run some other scans.

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.
    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

How To Use Compressed (Zipped) Folders in Windows XP

Compress and uncompress files (zip files) in Vista

=

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 2529 or later.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

Next, Download SysProt Antirootkit from the link below:

http://sites.google.com/site/sysprotantirootkit/

It is at the bottom of the page under "Attachments".

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to.
    Open the text file and copy/paste the log here.

Reply with copy of the Sysclean log

the latest MBAM scan log

and the Sysprot log


Maurice,

Sysclean Spyware pattern data was broken (circular link, no data download). I ran a TM scan from the TM House calls site. 1 malware, 9 adware and 2 suspicious/vulnerable items. Cleaned/fixed all but the last two, which were only cautions. No log produced. Ran MB, no issues, log attached. Ran SysProt, log on next post, or not at all if it is too large for posting.

Regards,

Mark

Malwarebytes' Anti-Malware 1.39

Database version: 2538

Windows 5.1.2600 Service Pack 3

8/1/2009 8:48:58 AM

mbam-log-2009-08-01 (08-48-58).txt

Scan type: Quick Scan

Objects scanned: 124781

Time elapsed: 31 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Check again please. There's no attachment here.

When you have started the reply, look for the Browse button below the reply box.

Press the Browse button and "navigate" to where your log is.

When that is done, press the UPLOAD button

and then when done with reply box, press "Add Reply"

In any event, kindly tell me, How is the system now ?


Hello Mark,

I had sent you a personal message from here (this forum) in which I gave you my external email address.

No, I did not receive your email. I hope you did not try to send it from here and into my forum PM messages.

Let's scratch that request.

Let's have you proceed with these 2 report tools:

Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================

Double-click gmer.exe. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.

  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.

Please attach the gmer.txt to your reply:

  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, browse to where you saved the file, and
  2. Click Upload.

=

Next, Close all non-essential programs & windows that you have open.

Go here and download & SAVE Silent Runners.vbs (use IE to download it) to a new folder on your drive and run it. It generates a log too (the name will start with "Startup Programs"). It takes a minute or two and it will notify you with a popup when your log is ready (it will be in the new folder you created). Please post the information back in this thread. If your AV queries the script, allow it to run. It's not malicious. It simply generates a report on your system, and does not do any cleanup.

>

Reply with copy of the Gmer.txt

and the log from SilentRunners above

and tell me, How is your system now?

Keep in mind these 2 tools are report-only tools and do not do any removals at all

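Silent Runners only reports; the reading is left to the analyst. The Python script below is an added example (not Silent Runners' own code) that parses the report layout it produces and pulls out the startup entries worth reading first: images that are missing, images reporting no company name, DLLs loaded by bare name through the search path, entries Silent Runners itself marks with <<!>>, and paths with lookalike non-ASCII characters such as the Μicrosoft.NET folder OTL's [purity] step moved earlier in this thread. The sample is constructed in the same layout from lines in this thread's log; the "updater" entry is invented for illustration.

```python
"""Triage a Silent Runners.vbs startup report. Added example, not Silent Runners' code."""
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the Silent Runners log posted in this thread.
# "updater" is invented: its folder name uses a Greek capital Mu in place of the Latin M.
SILENT_RUNNERS_SAMPLE = r"""
Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"avgnt" = ""C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min" ["Avira GmbH"]
"updater" = "C:\WINDOWS\System32\Μicrosoft.NET\svc.exe" [empty string]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
"""

# value = "command" [publisher tag]; the optional <<!>> prefix is Silent Runners' marker
ENTRY = re.compile(r'^(?P<flag><<!>> )?(?P<name>.+?) = "(?P<cmd>.*)" \[(?P<pub>[^\]]*)\]$')
# "{CLSID}" = "description": the title line that precedes a shell extension's InProcServer32
TITLE = re.compile(r'^"(?P<name>[^"]+)" = "(?P<desc>[^"]*)"$')
ABS_PATH = re.compile(r"^[A-Za-z]:\\")


@dataclass
class StartupEntry:
    key: str          # registry key the item lives under
    name: str         # value name, or the CLSID description for shell extensions
    command: str      # image path plus arguments, as Silent Runners printed it
    publisher: str    # company name, "MS", "file not found", "empty string", ...
    marked: bool      # Silent Runners' own <<!>> attention marker
    reasons: list = field(default_factory=list)


def parse_silent_runners(text: str) -> list[StartupEntry]:
    entries, key, pending = [], "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m:
            name = m["name"].strip('"')
            if name.startswith("\\"):  # \InProcServer32\(Default) belongs to the CLSID above it
                name = pending or name
            entries.append(StartupEntry(key, name, m["cmd"], m["pub"].strip('"'), bool(m["flag"])))
            continue
        t = TITLE.match(line)
        if t:
            pending = t["desc"] or t["name"]
        elif line.startswith("HK"):  # section header such as HKLM\...\Run\ {++}
            key = line.replace(" {++}", "").rstrip("\\")
    return entries


def triage(entries: list[StartupEntry]) -> list[StartupEntry]:
    """Return the entries a reviewer should read first, with the reason(s) attached."""
    picked = []
    for e in entries:
        image = e.command.lstrip('"')
        if e.publisher == "file not found":
            e.reasons.append("image file is missing")
        elif e.publisher == "empty string":
            e.reasons.append("image reports no company name")
        if not ABS_PATH.match(image):
            e.reasons.append("loaded by bare name, resolved through the search path")
        if any(ord(ch) > 127 for ch in image):
            e.reasons.append("non-ASCII character in path (lookalike name)")
        if e.marked:
            e.reasons.append("marked <<!>> by Silent Runners")
        if e.reasons:
            picked.append(e)
    return picked


if __name__ == "__main__":
    for e in triage(parse_silent_runners(SILENT_RUNNERS_SAMPLE)):
        print(f"{e.key}\n  {e.name} -> {e.command}\n  {'; '.join(e.reasons)}")
```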

Hi Maurice,

I sent the SysProt log to your gmail address this morning. My system seems to be running fine. I ran MBAM last evening and found no issues. Unless you see something on the log sent to your personal address or feel very strongly that I should continue scanning for issues, I'm ready to be done for now. I will press forward if you feel it is necessary. I do very much appreciate your assistance!!

Mark


Maurice,

My email to your PE account did not include the Silent Runner scan log. I have attached it here.

Mark

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."]

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"ISUSPM" = ""C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler" ["Macrovision Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"type32" = ""C:\Program Files\Microsoft IntelliType Pro\type32.exe"" [MS]

"TkBellExe" = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot" ["RealNetworks, Inc."]

"LVCOMSX" = "C:\WINDOWS\system32\LVCOMSX.EXE" ["Logitech Inc."]

"BlackBerryAutoUpdate" = "C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background" ["Research In Motion Limited"]

"RoxWatchTray" = ""C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"" ["Sonic Solutions"]

"TomTomHOME.exe" = ""C:\Program Files\TomTom HOME\TomTomHOME.exe" -s" ["TomTom"]

"ZoneAlarm Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Check Point Software Technologies LTD"]

"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]

"avgnt" = ""C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min" ["Avira GmbH"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}

"Malwarebytes' Anti-Malware" = "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent" ["Malwarebytes Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Spybot-S&D IE Protection"

\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Google Toolbar Helper"

\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"

\InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"

-> {HKLM...CLSID} = "Display Panning CPL Extension"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Outlook File Icon Extension"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office\OLKFSTUB.DLL" [MS]

"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{A2569D1F-4E06-43EC-9825-0088B471BE47}" = "IntelliType Pro Wireless Control Panel Property Page"

-> {HKLM...CLSID} = "IntelliType Pro Wireless Control Panel Property Page"

\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplwir.dll"" [MS]

"{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB}" = "IntelliType Pro Scrolling Control Panel Property Page"

-> {HKLM...CLSID} = "IntelliType Pro Scrolling Property Page"

\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplwhl.dll"" [MS]

"{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2}" = "IntelliType Pro Key Settings Control Panel Property Page"

-> {HKLM...CLSID} = "IntelliType Pro Key Settings Property Page"

\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplkey.dll"" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

-> {HKLM...CLSID} = "RealOne Player Context Menu Class"

\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {HKLM...CLSID} = "Portable Media Devices Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"

-> {HKLM...CLSID} = "My Logitech Pictures"

\InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]

"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"

-> {HKLM...CLSID} = "SimpleShlExt Class"

\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"

-> {HKLM...CLSID} = "iTunes"

\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

"{2b232f20-fa0d-11d1-8a3e-00c0f64105cd}" = "Shuttle Shell Extension for Drive"

-> {HKLM...CLSID} = "Shuttle Shell Extension for Drive"

\InProcServer32\(Default) = "stlhook.dll" ["SCM Microsystems Inc."]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"

-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"

-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"

-> {HKLM...CLSID} = "Shell Extension for Malware scanning"

\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"

-> {HKLM...CLSID} = "Shell Extension for Malware scanning"

\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"

-> {HKLM...CLSID} = "MBAMShlExt Class"

\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"

-> {HKLM...CLSID} = "Shell Extension for Malware scanning"

\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"

-> {HKLM...CLSID} = "MBAMShlExt Class"

\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

Default executables:

--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"

Group Policies {policy setting}:

--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

"NoCDBurning" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Devices: Allow undock without having to log on}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

Active Desktop and Wallpaper:

-----------------------------

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Windows Portable Device AutoPlay Handlers

-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

CTPlayAudioOnArrival\

"Provider" = "@C:\Program Files\Creative\MediaSource\CTCMS.CRL,-14345"

"InvokeProgID" = "CTAutoPL.AudioCDPlayer.1"

"InvokeVerb" = "open"

HKLM\SOFTWARE\Classes\CTAutoPL.AudioCDPlayer.1\shell\open\command\(Default) = ""C:\Program Files\Creative\MediaSource\CTCMS.exe" /T=CLASSKEY_AudioCD IN %L PlayNow" ["Creative Technology Ltd"]

FPVShowPicturesOnArrival\

"Provider" = "FinePixViewer"

"InvokeProgID" = "FinePixViewer.ShowPictures"

"InvokeVerb" = "Play"

HKLM\SOFTWARE\Classes\FinePixViewer.ShowPictures\shell\Play\Command\(Default) = ""C:\Program Files\FinePixViewer\FinePixViewer.exe" "/d %1"" ["FUJIFILM Corporation"]

iTunesBurnCDOnArrival\

"Provider" = "iTunes"

"InvokeProgID" = "iTunes.BurnCD"

"InvokeVerb" = "burn"

HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Computer, Inc."]

iTunesImportSongsOnArrival\

"Provider" = "iTunes"

"InvokeProgID" = "iTunes.ImportSongsOnCD"

"InvokeVerb" = "import"

HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Computer, Inc."]

iTunesPlaySongsOnArrival\

"Provider" = "iTunes"

"InvokeProgID" = "iTunes.PlaySongsOnCD"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /playCD "%L"" ["Apple Computer, Inc."]

iTunesShowSongsOnArrival\

"Provider" = "iTunes"

"InvokeProgID" = "iTunes.ShowSongsOnCD"

"InvokeVerb" = "showsongs"

HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Computer, Inc."]

LogitechQuickSync\

"Provider" = "Logitech QuickSync"

"InvokeProgID" = "Applications\QSync.exe"

"InvokeVerb" = "open"

HKLM\SOFTWARE\Classes\Applications\QSync.exe\shell\open\command\(Default) = ""C:\Program Files\Logitech\Video\QSync.exe"" ["Logitech Inc."]

MediaCapture9Music\

"Provider" = "Media Import"

"InvokeProgID" = "RoxioMediaCapture9"

"InvokeVerb" = "Audio"

HKLM\SOFTWARE\Classes\RoxioMediaCapture9\shell\Audio\command\(Default) = "C:\Program Files\Roxio\Media Import 9\MediaCapture9.exe -audio %L" ["Sonic Solutions"]

MediaCapture9Photos\

"Provider" = "Media Import"

"InvokeProgID" = "RoxioMediaCapture9"

"InvokeVerb" = "Photo"

HKLM\SOFTWARE\Classes\RoxioMediaCapture9\shell\Photo\command\(Default) = "C:\Program Files\Roxio\Media Import 9\MediaCapture9.exe -photo %L" ["Sonic Solutions"]

MediaCapture9VideoCamera\

"Provider" = "Media Import"

"ProgID" = "Shell.HWEventHandlerShellExecute"

"InitCmdLine" = "C:\Program Files\Roxio\Media Import 9\MediaCapture9.exe"

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"

-> {HKLM...CLSID} = "ShellExecute HW Event Handler"

\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

MediaCapture9Videos\

"Provider" = "Media Import"

"InvokeProgID" = "RoxioMediaCapture9"

"InvokeVerb" = "Video"

HKLM\SOFTWARE\Classes\RoxioMediaCapture9\shell\Video\command\(Default) = "C:\Program Files\Roxio\Media Import 9\MediaCapture9.exe -video %L" ["Sonic Solutions"]

NeroAutoPlay2CDAudio\

"Provider" = "Nero Express"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "HandleCDBurningOnArrival_CDAudio"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_CDAudio\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /New:AudioCD /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2CopyCD\

"Provider" = "Nero Express"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "PlayCDAudioOnArrival_CopyCD"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_CopyCD\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /Dialog:DiscCopy /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2DataDisc\

"Provider" = "Nero Express"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "HandleCDBurningOnArrival_DataDisc"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_DataDisc\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /New:ISODisc /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2DVDVideoToNeroDigital\

"Provider" = "Nero Recode"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "PlayDVDMovieOnArrival_DVDVideoToNeroDigital"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayDVDMovieOnArrival_DVDVideoToNeroDigital\command\(Default) = "C:\Program Files\Ahead\Nero Recode\Recode.exe /New:ReAuthorNeroDigital /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2LaunchNeroStartSmart\

"Provider" = "Nero StartSmart"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "HandleCDBurningOnArrival_LaunchNeroStartSmart"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_LaunchNeroStartSmart\command\(Default) = "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe /AutoPlay /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2PlayAudioCD\

"Provider" = "Nero Media Player"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "PlayMusicFilesOnArrival_PlayAudioCD"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayMusicFilesOnArrival_PlayAudioCD\command\(Default) = "C:\Program Files\Ahead\NeroMediaPlayer\NeroMediaPlayer.exe /Play %L" ["Ahead software"]

NeroAutoPlay2PlayDVD\

"Provider" = "Nero ShowTime"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "PlayVideoFilesOnArrival_PlayDVD"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayVideoFilesOnArrival_PlayDVD\command\(Default) = "C:\Program Files\Ahead\Nero ShowTime\ShowTime.exe /Play %L" ["Nero Software AG"]

NeroAutoPlay2TranscodeVideo\

"Provider" = "Nero Recode"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "PlayDVDMovieOnArrival_TranscodeVideo"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayDVDMovieOnArrival_TranscodeVideo\command\(Default) = "C:\Program Files\Ahead\Nero Recode\Recode.exe /New:CopyDVDVideo /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2VideoCapture\

"Provider" = "NeroVision Express"

"ProgID" = "Shell.HWEventHandlerShellExecute"

"InitCmdLine" = ""C:\Program Files\Ahead\NeroVision\NeroVision.exe" /New:VideoCapture"

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"

-> {HKLM...CLSID} = "ShellExecute HW Event Handler"

\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

NeroAutoPlay2ViewPhotos\

"Provider" = "Nero PhotoSnap Viewer"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "ShowPicturesOnArrival_ViewPhotos"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\ShowPicturesOnArrival_ViewPhotos\command\(Default) = "C:\Program Files\Ahead\Nero PhotoSnap\PhotoSnapViewer.exe /Drive:%L" ["Ahead Software AG"]

PDirDVArrival\

"Provider" = "PowerDirector"

"ProgID" = "Shell.HWEventHandlerShellExecute"

"InitCmdLine" = ""C:\Program Files\CyberLink DVD Solution\PowerDirector\PowerDirector.exe" /DV"

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"

-> {HKLM...CLSID} = "ShellExecute HW Event Handler"

\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

PDVDPlayDVDMovieOnArrival\

"Provider" = "PowerDVD"

"InvokeProgID" = "DVD"

"InvokeVerb" = "PlayWithPowerDVD"

HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Program Files\CyberLink DVD Solution\PowerDVD\PowerDVD.exe" "%l"" ["CyberLink Corp."]

PPCDBurningOnArrival\

"Provider" = "PowerProducer"

"InvokeProgID" = "Picture"

"InvokeVerb" = "OpenWithPowerProducer"

HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = ""C:\Program Files\CyberLink DVD Solution\PowerProducer\Producer.exe"" ["Cyberlink"]

PPDCameraArrival\

"Provider" = "PowerProducer"

"InvokeProgID" = "Picture"

"InvokeVerb" = "OpenWithPowerProducer"

HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = ""C:\Program Files\CyberLink DVD Solution\PowerProducer\Producer.exe"" ["Cyberlink"]

PPDVArrival\

"Provider" = "PowerProducer"

"ProgID" = "Shell.HWEventHandlerShellExecute"

"InitCmdLine" = ""C:\Program Files\CyberLink DVD Solution\PowerProducer\Producer.exe""

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"

-> {HKLM...CLSID} = "ShellExecute HW Event Handler"

\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

PTSOnArrivalHandler\

"Provider" = "Kodak EasyShare software"

"InvokeProgID" = "Ptswia.WiaEvents.1"

"InvokeVerb" = "open"

HKLM\SOFTWARE\Classes\Ptswia.WiaEvents.1\shell\open\DropTarget\CLSID = "{66A41C80-C64A-45A9-8BC9-0D58DE47C007}"

-> {HKLM...CLSID} = "WiaEvents Class"

\LocalServer32\(Default) = "C:\PROGRA~1\KODAKE~1\bin\ptswia.exe" [empty string]

RPCDBurningOnArrival\

"Provider" = "RealOne Player"

"InvokeProgID" = "RealPlayer.CDBurn.6"

"InvokeVerb" = "open"

HKLM\SOFTWARE\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealOne Player\RealPlay.exe" /burn "%1"" ["RealNetworks, Inc."]

RPPlayCDAudioOnArrival\

"Provider" = "RealOne Player"

"InvokeProgID" = "RealPlayer.AudioCD.6"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealOne Player\RealPlay.exe" /play %1 " ["RealNetworks, Inc."]

RPPlayDVDMovieOnArrival\

"Provider" = "RealOne Player"

"InvokeProgID" = "RealPlayer.DVD.6"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealOne Player\RealPlay.exe" /dvd %1 " ["RealNetworks, Inc."]

RPPlayMediaOnArrival\

"Provider" = "RealOne Player"

"InvokeProgID" = "RealPlayer.AutoPlay.6"

"InvokeVerb" = "open"

HKLM\SOFTWARE\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealOne Player\RealPlay.exe" /autoplay "%1"" ["RealNetworks, Inc."]

Startup items in "Mark" & "All Users" startup folders:

------------------------------------------------------

C:\Documents and Settings\Mark\Start Menu\Programs\Startup

<<!>> "Xfire.lnk.disabled" [null data]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

"Exif Launcher S" -> shortcut to: "C:\Program Files\FinePixViewerS\QuickDCF2.exe" ["FUJIFILM Corporation"]

"ExifLauncher2" -> shortcut to: "C:\Program Files\FinePixViewer\QuickDCF2.exe" ["FUJIFILM Corporation"]

"Kodak EasyShare software" -> shortcut to: "C:\Program Files\Kodak EasyShare software\bin\EasyShare.exe -hx" [null data]

Winsock2 Service Provider DLLs:

-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:

------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

-> {HKLM...CLSID} = "&Google"

\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

-> {HKLM...CLSID} = "&Google"

\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)

-> {HKLM...CLSID} = "&Google"

\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{916C1EF1-CA89-4F1B-AFDA-3CA85BD0F831}\(Default) = "ZoneAlarm PopBlocker"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]

{7F9DB11C-E358-4CA6-A83D-ACC663939424}\

"ButtonText" = "Bonjour"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\

"ButtonText" = "AIM"

"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\

"ButtonText" = "PartyPoker.com"

"MenuText" = "PartyPoker.com"

"Exec" = "c:\program files\PartyGaming\PartyPoker\RunApp.exe" [empty string]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\

"MenuText" = "Spybot - Search & Destroy Configuration"

"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"

-> {HKLM...CLSID} = "Spybot-S&D IE Protection"

\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\

"MenuText" = "@xpsp3res.dll,-20001"

"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\

"ButtonText" = "Yahoo! Messenger"

"MenuText" = "Yahoo! Messenger"

"Exec" = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" ["Yahoo! Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]

Avira AntiVir Guard, AntiVirService, ""C:\Program Files\Avira\AntiVir Desktop\avguard.exe"" ["Avira GmbH"]

Avira AntiVir Scheduler, AntiVirSchedulerService, ""C:\Program Files\Avira\AntiVir Desktop\sched.exe"" ["Avira GmbH"]

Bonjour Service, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Computer, Inc."]

Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTSvcCDA.EXE" ["Creative Technology Ltd"]

Intuit Update Service, IntuitUpdateService, ""C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe"" [null data]

SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]

TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Check Point Software Technologies LTD"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\system32\MsPMSPSv.exe" [MS]

---------- (launch time: 2009-08-05 16:04:46)

<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 81 seconds, including 18 seconds for message boxes)

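The legend at the end of the log explains what a helper reads first: the `<<!>>` marker that SilentRunners puts on suspicious launch-point data, and the bracketed publisher annotation after each launch command. As an added example that is not part of this thread and not code from the SilentRunners tool, the Python script below parses a small constructed log written in the same layout (assumed from the log format above, not copied from any real machine) and lists the entries worth a closer look: those flagged `<<!>>`, those whose annotation is `[null data]`, `[empty string]` or `[file not found]` (assumed here to mean the file carried no readable publisher in its version information, which is how the annotations in the log read), and those that launch an executable from a user-writable profile or temp folder. The function names, the sample lines and the user-writable path heuristic are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the SilentRunners layout (assumption: modelled on the log
# format shown in this thread, not copied from any real machine). A section title
# is underlined with dashes; the tool marks suspicious entries with <<!>> and ends
# each launch command with the file's version-info CompanyName in brackets:
# [MS] for Microsoft, a quoted name for other publishers, and [null data] /
# [empty string] / [file not found] when no publisher can be read.
SAMPLE_LOG = r'''Startup items in "User" & "All Users" startup folders:
------------------------------------------------------
C:\Documents and Settings\User\Start Menu\Programs\Startup
<<!>> "example.lnk.disabled" [null data]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Launcher" -> shortcut to: "C:\Program Files\Vendor\launcher.exe" ["Vendor Corp"]
"Updater" -> shortcut to: "C:\Program Files\Other\update.exe -hx" [null data]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Example Service, ExampleSvc, "C:\WINDOWS\system32\example.exe" [MS]
Odd Service, OddSvc, "C:\Documents and Settings\User\Local Settings\Temp\svc.exe" [empty string]
'''

SECTION_RULE = re.compile(r"^-{10,}$")
FLAG = "<<!>>"
# Trailing [annotation] that SilentRunners prints after a launch command.
ANNOTATION = re.compile(r'\[("?)(?P<company>[^\]]*)\1\]\s*$')
# First executable path on the line (quoted or bare, with or without arguments).
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|cpl|scr|sys|bat|cmd|vbs)',
                      re.IGNORECASE)
NO_PUBLISHER = {"null data", "empty string", "file not found"}
# Heuristic (my own): profile and temp folders any user can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\appdata\\")


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split the log into {section title: non-empty entry lines}."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    rules = [i for i, ln in enumerate(lines) if i > 0 and SECTION_RULE.match(ln.strip())]
    sections: Dict[str, List[str]] = {}
    for n, i in enumerate(rules):
        title = lines[i - 1].strip()            # the line above the dashes
        end = rules[n + 1] - 1 if n + 1 < len(rules) else len(lines)
        sections[title] = [ln for ln in lines[i + 1:end] if ln.strip()]
    return sections


def publisher(line: str) -> Optional[str]:
    """Return the bracketed publisher annotation at the end of the line, or None."""
    m = ANNOTATION.search(line)
    return m.group("company") if m else None


def triage(text: str) -> List[Dict[str, str]]:
    """Return one finding per entry that deserves a closer look, with the reasons."""
    findings: List[Dict[str, str]] = []
    for section, entries in parse_sections(text).items():
        for line in entries:
            reasons = []
            if FLAG in line:
                reasons.append("flagged <<!>> by SilentRunners")
            company = publisher(line)
            if company in NO_PUBLISHER:
                reasons.append(f"no publisher information ({company})")
            m = EXE_PATH.search(line)
            path = m.group(0) if m else ""
            if path and any(tok in path.lower() for tok in USER_WRITABLE):
                reasons.append("runs from a user-writable location")
            if reasons:
                findings.append({"section": section, "entry": line.strip(),
                                 "path": path, "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section'][:30]}] {f['entry']}\n    -> {f['reasons']}")
```

Run it against a saved SilentRunners report by replacing `SAMPLE_LOG` with the file contents; a vendor-signed entry such as the `launcher.exe` shortcut produces no finding, while the `<<!>>` entry, the unsigned updater and the service running from a Temp folder are listed with the reason for each, which is the short list a helper would ask about next.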

Hello Mark,

Apology for not getting back with you earlier.


See this topic in the AumHa Security forum and get the latest Java run-time

http://aumha.net/viewtopic.php?f=26&t=41464

After that, one scan online, before we proceed to cleanup & closure of this case. The SilentRunners log result is good.

Scan the system with the Kaspersky Online Scanner

http://www.kaspersky.com/virusscanner

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Re-enable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

1) Click the Kaspersky Online Scanner button. You'll see a popup window.

2) Accept the agreement

3) Accept the installation of the required ActiveX object ( XP SP2-SP3 will show this in the Information Bar )

4) For XP SP2-SP3, click the Install button when prompted

5) The necessary files will be downloaded and installed. Please have plenty of patience.

6) After Kaspersky AntiVirus Database is updated, look at the Scan box.

7) Click the My Computer line

8) Be infinitely patient, the scan is comprehensive and, unlike other online antivirus scanners, will detect all malware

9) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

( To see an animated tutorial-how-to on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.

Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or SmitFraudFix items, or ComboFix's Qoobox & quarantine.

Kaspersky is a report only and does not remove files.

Post back with copies of the Kaspersky.txt report.

How is your system now ?


The Sysprot did not show a rootkit infection, so that is excellent.

The SilentRunners log is good.

I am awaiting your confirmation that you have updated Java runtime,

and posting the Kaspersky scan report.

One of the major reasons the Sysprot log was super-huge is that it found lots of temporary files lying around.

Especially at folder C:\Documents and Settings\Ashley\Local Settings\Temp\

P.S. In my very first reply, I suggested you get and run ATF Cleaner

When you get to some stopping point, login to each pc-user account (yours and all the rest; one account at a time; login, run ATF Cleaner, logoff, and login to the next user account).

Run ATF Cleaner once for each account.

Run ATF Cleaner as per my first note. That should free up a ton of space.

Likely one major reason why your scans were taking forever.


Maurice.

I have updated Java and removed old versions, except Sun Download Manager 2.0, which could not be removed. Also the Kaspersky would not load with repeated error message saying:

Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0

window and open it again to install the program. You must be online to update the

Kaspersky Online Scanner 7.0 database. With the latest database updates, you can find

new viruses and other threats. Please go online to use Kaspersky Online Scanner 7.0.

[ERROR: Key is expired]

I tried several ways around the issue including removing all cookies, other download options etc. None successful.

Finally, I was not able to access the temp files under C:\Documents and Settings\Ashley\Local Settings\Temp\. Access was denied, although I could access all other Doc & Set under the other user accounts. Any ideas?

Thanks,

Mark


If you have used Kaspersky Online in the past, then, go to Control Panel > Add-or-Remove Programs & de-install Kaspersky Online.

We'll skip Kaspersky and try a scan at Eset.

But first,

I'm going to have you use OTL to empty temp files, including browsers.

(You are likely logged in as Mark & thus blocked from accessing the Ashley account temp folder.)

Print this out if you wish.

a) Close all browsers, and close / save any work documents you have open.

b) This will force a reboot after temp files are removed.

c)

  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :Commands
    [purity]
    [emptytemp]
    [reboot]

  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next, disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Using the Internet Explorer browser only, go to the ESET Online Scanner website:

Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    http://www.eset.com/onlinescan/cac4.php?page=faq

    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And the prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

=

Re-enable your AntiVirus and AntiSpyware applications.

Reply with copy of OTL MovedFiles log

and the Eset scan log

