Infected with Advanced Virus Remover infection HELP NEEDED


Hi - I was able to download Avenger. At first it would not run in normal mode, so I started it in Safe Mode (which worked). It rebooted back to normal mode, but the virus must have cut it off as the PC was booting up, as no log was produced.

I then tried it again in Safe Mode and directed the reboot back to Safe Mode (F8) - that must have thrown it off, as no log was produced again. I then went to normal mode and was able to get it to run by using the Run As prompt. I was able to copy the script in, and when I pressed Execute, after the first message it produced an error message along the lines that it could not execute a RunOnce command to clean the registry.

So I am unable to get it to produce the log.


Hi - when I run the script, is something supposed to happen that I see? I ran it, but could not run a fresh ComboFix in normal mode, so I went to Safe Mode, ran the script and ran Win32kDiag - thinking that is what the script was supposed to kick off. I ran it and got a log (below). I then tried ComboFix - it ran but gave me an error at the end when I guess it was generating a log. I then re-ran Win32kDiag and put that log below the first:

First:

Log file is located at: C:\Documents and Settings\HP_Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\Administrator.acl

[1] 2009-08-12 20:58:26 35262 C:\WINDOWS\Administrator.acl ()

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2156329642-1541253121-17644588-500\S-1-5-21-2156329642-1541253121-17644588-500

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-09 17:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2009-08-27 21:28:47 62976 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-07-29 20:49:14 24281536 C:\WINDOWS\system32\MRT.exe ()

Cannot access: C:\WINDOWS\system32\tmp.txt

[1] 2009-08-15 10:05:07 0 C:\WINDOWS\system32\tmp.txt ()

Cannot access: C:\WINDOWS\system32\wbem\Logs\FrameWork.log

[1] 2009-08-27 20:39:31 10278 C:\WINDOWS\system32\wbem\Logs\FrameWork.log ()

Found mount point : C:\WINDOWS\Temp\MCE001a7\MCE001a7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001a8\MCE001a8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001a9\MCE001a9

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001aa\MCE001aa

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001ab\MCE001ab

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001ac\MCE001ac

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001ad\MCE001ad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001ae\MCE001ae

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001af\MCE001af

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b0\MCE001b0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b1\MCE001b1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b2\MCE001b2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b3\MCE001b3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b4\MCE001b4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b5\MCE001b5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b6\MCE001b6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b7\MCE001b7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b8\MCE001b8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b9\MCE001b9

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001ba\MCE001ba

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001bb\MCE001bb

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001bc\MCE001bc

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001bd\MCE001bd

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001be\MCE001be

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001bf\MCE001bf

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001c0\MCE001c0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001c1\MCE001c1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001c2\MCE001c2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001c3\MCE001c3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001c4\MCE001c4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001c5\MCE001c5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001c6\MCE001c6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Finished!

===========second==========

Log file is located at: C:\Documents and Settings\HP_Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\Administrator.acl

[1] 2009-08-12 20:58:26 35262 C:\WINDOWS\Administrator.acl ()

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2156329642-1541253121-17644588-500\S-1-5-21-2156329642-1541253121-17644588-500

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-09 17:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2009-08-27 21:28:47 62976 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-07-29 20:49:14 24281536 C:\WINDOWS\system32\MRT.exe ()

Cannot access: C:\WINDOWS\system32\tmp.txt

[1] 2009-08-15 10:05:07 0 C:\WINDOWS\system32\tmp.txt ()

Cannot access: C:\WINDOWS\system32\wbem\Logs\FrameWork.log

[1] 2009-08-27 20:39:31 10278 C:\WINDOWS\system32\wbem\Logs\FrameWork.log ()

Found mount point : C:\WINDOWS\Temp\MCE001a7\MCE001a7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001a8\MCE001a8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001a9\MCE001a9

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001aa\MCE001aa

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001ab\MCE001ab

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001ac\MCE001ac

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001ad\MCE001ad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001ae\MCE001ae

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001af\MCE001af

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b0\MCE001b0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b1\MCE001b1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b2\MCE001b2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b3\MCE001b3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b4\MCE001b4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b5\MCE001b5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b6\MCE001b6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b7\MCE001b7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b8\MCE001b8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b9\MCE001b9

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001ba\MCE001ba

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001bb\MCE001bb

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001bc\MCE001bc

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001bd\MCE001bd

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001be\MCE001be

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001bf\MCE001bf

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001c0\MCE001c0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001c1\MCE001c1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001c2\MCE001c2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001c3\MCE001c3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001c4\MCE001c4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001c5\MCE001c5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001c6\MCE001c6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Finished!

=====================

Not sure if they are different or if this is what you needed me to do. I will be here for a little bit more, but then will be away until 5pm EST. Would you be around this weekend to continue helping?

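The two Win32kDiag runs above carry the evidence the helper's next instructions act on: every "Found mount point" whose destination is a raw \Device\ object rather than a \??\ filesystem path, the directory-inside-a-same-named-directory pattern, and system32\eventlog.dll reported as inaccessible with blank version info while the Service Pack copies of the same file still say "Microsoft Corporation". The following Python script is an added example, not part of the thread and not the Win32kDiag tool's own code. It parses output in the format posted above and produces the triage a responder wants: which reparse points look planted, which inaccessible files have a clean same-named copy to restore from, and which do not. The sample log is constructed (the C:\Mount\Data volume mount point is invented to show a benign entry), and the assumption that legitimate reparse-point targets render as \??\ paths in this tool's output is mine, not something the thread states.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the Win32kDiag.txt format posted in this thread. The two
# \Device\__max++>\^ mount points and the eventlog.dll / MRT.exe blocks are copied
# from the log above; the C:\Mount\Data entry is invented as a benign comparison.
SAMPLE_LOG = r"""
Log file is located at: C:\Documents and Settings\HP_Administrator\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001a7\MCE001a7
Mount point destination : \Device\__max++>\^

Found mount point : C:\Mount\Data
Mount point destination : \??\Volume{11111111-2222-3333-4444-555555555555}\

Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-09 17:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2009-08-27 21:28:47 62976 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Cannot access: C:\WINDOWS\system32\MRT.exe
[1] 2009-07-29 20:49:14 24281536 C:\WINDOWS\system32\MRT.exe ()

Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
DENIED_RE = re.compile(r"^Cannot access: (.+)$")
# [n] date time size path (company) -- the path may contain spaces, so it is
# matched non-greedily up to the final parenthesised company string.
ENTRY_RE = re.compile(r"^\[(\d+)\] (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) (.+?) \((.*)\)$")


@dataclass
class MountPoint:
    path: str
    destination: str

    @property
    def suspicious(self) -> bool:
        # Assumption: junctions and volume mount points an installer or user
        # creates render as \??\... targets. A bare \Device\ object is not a
        # filesystem location anything legitimate would point a directory at.
        return not self.destination.startswith("\\??\\")

    @property
    def self_named(self) -> bool:
        # The log's pattern: a directory holding a reparse point with its own name.
        parts = self.path.rstrip("\\").split("\\")
        return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


@dataclass
class FileCopy:
    mtime: str
    size: int
    path: str
    company: str  # empty string when the tool printed "()"


@dataclass
class DeniedFile:
    path: str
    copies: List[FileCopy] = field(default_factory=list)

    def own_copy(self) -> Optional[FileCopy]:
        return next((c for c in self.copies if c.path.lower() == self.path.lower()), None)

    def restore_candidate(self) -> Optional[str]:
        """Path of a same-named copy that still carries version info, preferring
        the ServicePackFiles cache, or None if the inaccessible file looks intact
        or no clean copy was listed."""
        own = self.own_copy()
        if own is None or own.company:
            return None
        name = self.path.rsplit("\\", 1)[-1].lower()
        cands = [c for c in self.copies if c.company and c.path.rsplit("\\", 1)[-1].lower() == name]
        cands.sort(key=lambda c: ("servicepackfiles" in c.path.lower(), c.mtime), reverse=True)
        return cands[0].path if cands else None


def parse_win32kdiag(text: str) -> Tuple[List[MountPoint], List[DeniedFile]]:
    mounts: List[MountPoint] = []
    denied: List[DeniedFile] = []
    pending_mount: Optional[str] = None
    current: Optional[DeniedFile] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := MOUNT_RE.match(line)):
            pending_mount, current = m.group(1), None
        elif (m := DEST_RE.match(line)) and pending_mount is not None:
            mounts.append(MountPoint(pending_mount, m.group(1)))
            pending_mount = None
        elif (m := DENIED_RE.match(line)):
            current = DeniedFile(m.group(1))
            denied.append(current)
        elif (m := ENTRY_RE.match(line)) and current is not None:
            current.copies.append(FileCopy(m.group(2), int(m.group(3)), m.group(4), m.group(5)))
    return mounts, denied


def triage(text: str) -> Dict[str, object]:
    """Summarise what a responder should look at first."""
    mounts, denied = parse_win32kdiag(text)
    flagged = [m.path for m in mounts if m.suspicious or m.self_named]
    patched = {d.path: d.restore_candidate() for d in denied if d.restore_candidate()}
    unresolved = [d.path for d in denied if d.path not in patched]
    return {"suspicious_mount_points": flagged,
            "patched_files": patched,
            "inaccessible_without_clean_copy": unresolved}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, the script flags both \Device\__max++>\^ mount points, pairs system32\eventlog.dll with the ServicePackFiles\i386 copy (the same file the helper's look.bat stages and Avenger moves into place), and lists MRT.exe as inaccessible with no clean copy in the log. The "Could not get backup privileges" warning at the top of the real logs is the reason the tool could not read those files itself, so the restore decision rests on the version strings, not on a hash of the blocked file.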
This one is being a right pain :)

Please delete any tools that I have asked you to download, and get fresh ones as the following instructions ask for them.

( I will be around all weekend :D )

----------------------------------------------------------------------------------------

Step 1

Create A Batch File

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.

Save it as "All Files" and name it look.bat. Please save it on your desktop.

@Echo Off
REM Stage the Service Pack copy of eventlog.dll at the root of C: for Avenger to move into place
copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\eventlog.dll
REM Report whether the copy landed, wait for a keypress, then delete this batch file
If exist C:\eventlog.dll (@echo Please Continue) Else (@Echo Move Failed Please report this message)
Pause
del /q %0

Double click on look.bat

This should only take a second or so, and you will see a message.

----------------------------------------------------------------------------------------

Step 2

Avenger

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions, as they could damage the workings of your system.

  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Files to move:
    C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll


  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

----------------------------------------------------------------------------------------

Step 3

Please download the Win32kDiag.exe tool from the following location and save it to your desktop:

http://download.bleepingcomputer.com/rootr.../Win32kDiag.exe

Create A Batch File

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.

Save it as "All Files" and name it Win32.bat. Please save it on your desktop ( IT MUST BE NEXT TO win32kdiag.exe ).

@Echo Off
REM Change to the folder this batch file was launched from (your desktop)
CD %~dp0
REM Stop if win32kdiag.exe is not sitting next to this file
If not exist win32kdiag.exe (@Echo File not found)&&Exit
REM Run the diagnostic with the -f -r switches, then delete this batch file
win32kdiag.exe -f -r
del /q %0

Double click on Win32.bat

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

----------------------------------------------------------------------------------------

Step 4

Download and Run ComboFix (by sUBs)

Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.

This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper

For instructions on how to disable your security programs, please see this topic

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

----------------------------------------------------------------------------------------

Logs/Information to Post in Reply

Please post the following logs/Information in your reply

Some of the logs I request will be quite large, You may need to split them over a couple of replies.

  • Avenger Log
  • Win32kDiag Log
  • Combofix Log
  • How are things running now ?


Hi - I had a quick question before proceeding. Do I need to be connected to the internet to run ComboFix? It seems like I should. I think I need to go to Safe Mode to run these, and if that is okay (that is where I have been having luck), would I want to use Safe Mode with Networking (does this connect me to the internet)?

I ran the first bat file. I got a quick DOS screen, then a popup that the file is infected (that is the virus stopping it). This was in normal mode. I think I should go to Safe Mode and start the first step and then try to continue (and if that sounds good, do I choose Safe Mode or Safe Mode with Networking?).

Please let me know your thoughts.

Thanks


Good Morning....I am hoping this is good news. I was able to run everything. The bat file was weird in that when I ran it a second time it deleted itself, but I was able to go to Safe Mode with Networking and run each item and get a log! A couple of things to note. I could not turn off Spybot and McAfee prior to running ComboFix - the virus did not allow me to do anything with them. In running ComboFix, I had to change the name of it to Something.exe to get it to run. I also got this message - not sure if this is of concern: detected rootkit that may need to fix later (something along those lines, but here is the location:) C:\Windows\system32\drivers\kbiwkmrujdaijx.sys

Here are the logs:


How are things running?

Much better. It rebooted with no visual sign of the virus (no popups). Spybot came up with a few registry warnings that I did not allow changes for. The PC is slow though, but things seem to be back closer to normal. My Desktop screen is still blue (the virus created a blue background). I can access Control Mgr, and it looks like Spybot is working, and McAfee is not working (I am guessing I should download a new version; it's free from my ISP). I'll turn off the PC now and check in tomorrow morning before doing so, since I don't know if that will interfere with the next steps. Also, when the virus first appeared, I tried to download Windows Defender. I don't think that got installed correctly, as I got a message when logging on that some piece of it did not load.

I'll be back tomorrow and hope you can continue helping.

Thanks again - I hope this is good progress AND good news !!!


@sUBs ..... Hi there Boss :)

@Ace01 Please follow sUBs instructions, and then continue with the following ....

Right, that's looking better :D

Let's see what's left.

Download this file Inherit.exe

Drag each of the exe files that you are unable to run onto Inherit.exe.

Then wait for it to say "OK"

----------------------------------------------------------------------------------------

Step 1

Disable Teatimer

We need to disable Teatimer as it may interfere with the cleaning.

Please do not re-enable it until I give instructions.

First step:

  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version :

  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Click Link >>> HERE <<< Link and select "save as" and save it to your desktop
  • Double click TTWipe.bat
  • Reboot your machine for the changes to take effect.

----------------------------------------------------------------------------------------

Step 2

Malwarebytes' Anti-Malware

(this will install a fresh copy of MBAM)

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If requested, please reboot.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

----------------------------------------------------------------------------------------

Step 3

Download and Run RSIT

  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.
    ( They can also be found in the C:\RSIT folder )

----------------------------------------------------------------------------------------

Logs/Information to Post in Reply

Please post the following logs/Information in your reply

Some of the logs I request will be quite large, You may need to split them over a couple of replies.

  • MalwareBytes Log
  • RSIT Logs
  • How are things running now ?


Hi, thanks - before I begin, I am not sure I understand what I would drag into Inherit. Would it be executables below those instructions that might not work, or are there other things you feel I should drag in there? I don't quite understand if I should be looking for .exes that don't run (e.g. trying everything on my desktop) or use it as I experience them in continuing to fix the problem.


I am not sure I understand what I would drag into Inherit

If you try to run a file, and you get an error about not being able to access or run it, then you should drag that file onto Inherit.

If you don't get any errors, that's fine. We can delete it when we are finished.


Hi - Thank you for waiting. I did as @sUBs instructed. MBAM took an hour and a half to run due to a pretty full PC. The results are below. Also, a few postings back you asked me to delete all the prior programs I downloaded as part of this fix. I forgot to mention that I could not delete OTS and RSIT. As a result, when downloading an updated RSIT I had to rename it. Its logs are below. I hope there is nothing too bad.....

Malwarebytes' Anti-Malware 1.40

Database version: 2712

Windows 5.1.2600 Service Pack 3

8/29/2009 9:24:11 AM

mbam-log-2009-08-29 (09-24-11).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 291590

Time elapsed: 1 hour(s), 34 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 4

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 47

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmewcdpuiu (Trojan.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vesazoleye (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\63edc2d7 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe tapi.nfo beforeglav) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\dqaso.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\kytwd.exe (Worm.Autorun) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\cleanup.exe.vir (Trojan.Banker) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Program Files\AdvancedVirusRemover\PAVRM.exe.vir (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Program Files\Windows Antivirus Pro\tmp\dbsinit.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-21-6102273205-4520788213-821105478-4443\msimfo32.exe.vir (Worm.Autorun) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\cru629.dat.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\msi.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\svchast.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\cru629.dat.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\desot.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\tapi.nfo.vir (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\winhelper.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\beep.sys.vir (Trojan.KillAV) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\beep.sys.vir (Trojan.KillAV) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP0\A0000023.exe (Trojan.Banker) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP0\A0000027.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP0\A0000031.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP0\A0000034.exe (Worm.Autorun) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP0\A0000038.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP0\A0000040.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP0\A0000047.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP0\A0000048.sys (Trojan.KillAV) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP0\A0000056.nfo (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP0\A0000057.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP0\A0000058.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP0\A0000059.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP0\A0000061.sys (Trojan.KillAV) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP0\A0000037.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\msb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\msc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\msd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\msf.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\msg.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\msh.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\onhelp.htm (Rogue.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\mse.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\msj.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\msk.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\msl.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\msm.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\mso.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\dsitxsxq.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

RSIT info.txt:

info.txt logfile of random's system information tool 1.06 2009-08-29 09:31:16

======Uninstall list======

"Let's Ride! Dreamer"-->C:\Program Files\THQ\Let's ride Dreamer\uninst.exe

-->"C:\Program Files\HP Games\Airstrike 2 Gulf Thunder\Uninstall.exe"

-->"C:\Program Files\HP Games\Alien Shooter\Uninstall.exe"

-->"C:\Program Files\HP Games\Bejeweled 2 Deluxe\Uninstall.exe"

-->"C:\Program Files\HP Games\Bistro Stars\Uninstall.exe"

-->"C:\Program Files\HP Games\Blackhawk Striker 2\Uninstall.exe"

-->"C:\Program Files\HP Games\Blasterball 2 Remix\Uninstall.exe"

-->"C:\Program Files\HP Games\Blasterball 2 Revolution\Uninstall.exe"

-->"C:\Program Files\HP Games\Bookworm Deluxe\Uninstall.exe"

-->"C:\Program Files\HP Games\Bounce Symphony\Uninstall.exe"

-->"C:\Program Files\HP Games\Cake Mania\Uninstall.exe"

-->"C:\Program Files\HP Games\Chuzzle Deluxe\Uninstall.exe"

-->"C:\Program Files\HP Games\Diner Dash\Uninstall.exe"

-->"C:\Program Files\HP Games\Family Feud\Uninstall.exe"

-->"C:\Program Files\HP Games\FATE\Uninstall.exe"

-->"C:\Program Files\HP Games\Garden Dreams\Uninstall.exe"

-->"C:\Program Files\HP Games\Insaniquarium Deluxe\Uninstall.exe"

-->"C:\Program Files\HP Games\JEOPARDY\Uninstall.exe"

-->"C:\Program Files\HP Games\Jewel Quest\Uninstall.exe"

-->"C:\Program Files\HP Games\LEGO Builder Bots\Uninstall.exe"

-->"C:\Program Files\HP Games\Mah Jong Quest\Uninstall.exe"

-->"C:\Program Files\HP Games\Mystery Case Files\Uninstall.exe"

-->"C:\Program Files\HP Games\Penguins!\Uninstall.exe"

-->"C:\Program Files\HP Games\Polar Bowler\Uninstall.exe"

-->"C:\Program Files\HP Games\Polar Golfer\Uninstall.exe"

-->"C:\Program Files\HP Games\Ricochet Lost Worlds\Uninstall.exe"

-->"C:\Program Files\HP Games\SCRABBLE\Uninstall.exe"

-->"C:\Program Files\HP Games\Slingo Deluxe\Uninstall.exe"

-->"C:\Program Files\HP Games\Snowy Space Trip\Uninstall.exe"

-->"C:\Program Files\HP Games\Super Granny\Uninstall.exe"

-->"C:\Program Files\HP Games\Tradewinds\Uninstall.exe"

-->"C:\Program Files\HP Games\Wheel of Fortune\Uninstall.exe"

-->"C:\Program Files\WildTangent\Apps\My HP Game Console\Uninstall.exe"

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0

-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu

-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}

-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}

-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}

-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {F80239D8-7811-4D5E-B033-0D0BBFE32920}

-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL

-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL

-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL

-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL

-->C:\WINDOWS\UNRecode.exe /UNINSTALL

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

32 Bit HP CIO Components Installer-->MsiExec.exe /I{2614F54E-A828-49FA-93BA-45A3F756BFAA}

Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe

Adobe Reader 7.1.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}

Adobe Shockwave Player 11-->C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log

Amazon MP3 Downloader 1.0.5-->C:\Program Files\Amazon\MP3 Downloader\Uninstall.exe

AnswerWorks 4.0 Runtime - English-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9 -removeonly

AnswerWorks 5.0 English Runtime-->MsiExec.exe /I{9E5A03E3-6246-4920-9630-0527D5DA9B07}

Apple Mobile Device Support-->MsiExec.exe /I{C337BDAF-CB4E-47E2-BE1A-CB31BB7DD0E3}

Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}

ArcSoft PhotoStudio 5.5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85309D89-7BE9-4094-BB17-24999C6118FC}\SETUP.EXE" -l0x9

Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"

Audioro iPod touch Converter 1.00-->C:\Program Files\Red Kawa\Audio Converter App\uninstaller.exe

AviSynth 2.5-->"C:\Program Files\AviSynth 2.5\Uninstall.exe"

Barbie Girls-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{16B18999-56D7-4E8F-A40C-385E68A6D0CD}

BitTornado 0.3.17-->C:\Program Files\BitTornado\uninst.exe

Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}

Canon Camera Access Library-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"

Canon Camera Support Core Library-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"

Canon G.726 WMP-Decoder-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"

Citrix Presentation Server Client-->MsiExec.exe /I{E89956F9-5B89-470E-818D-BD46102D0A01}

Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"

Customer Experience Enhancement-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{23012310-3E05-46A5-88A9-C6CBCABCAC79} /l1033

Data Fax SoftModem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1\HXFSETUP.EXE -U -ITrx200Ck.inf

DISCover-->"C:\Program Files\DISC\uninstall.exe"

DivX Content Uploader-->C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER

DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN

DivX-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC

DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe"

Easy-WebPrint-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"

Enhanced Multimedia Keyboard Solution-->C:\HP\KBD\Install.exe /u

Exact Audio Copy 0.95b4-->C:\Program Files\Exact Audio Copy\uninst.exe

FileZilla (remove only)-->"C:\Program Files\FileZilla\uninstall.exe"

FLAC Installer 1.1.2a (remove only)-->C:\Program Files\FLAC\uninstall.exe

Free YouTube to iPod Converter version 3.1-->"C:\Program Files\DVDVideoSoft\Free YouTube to iPod Converter\unins000.exe"

GemMaster Mystic-->"C:\Program Files\GemMaster\uninstallgemmaster.exe"

Google Earth-->MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}

Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_E582EA556D8DE101.exe" /uninstall

Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}

High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"

HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""

Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"

Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"

Hotfix for Windows Media Player 10 (KB910393)-->"C:\WINDOWS\$NtUninstallKB910393$\spuninst\spuninst.exe"

Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"

HP Boot Optimizer-->MsiExec.exe /X{1341D838-719C-4A05-B50F-49420CA1B4BB}

HP Customer Participation Program 9.0-->C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat

HP DigitalMedia Archive-->MsiExec.exe /X{F80239D8-7811-4D5E-B033-0D0BBFE32920}

HP DVD Play 2.1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\Setup.exe" -uninstall

HP Imaging Device Functions 9.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat

HP OCR Software 9.0-->C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat

HP Photosmart All-In-One Software 9.0-->C:\Program Files\HP\Digital Imaging\{D64BC2CF-0F12-47d7-B412-B4F3FD684253}\setup\hpzscr01.exe -datfile hposcr21.dat

HP Photosmart Essential 2.01-->C:\Program Files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat

HP Photosmart for Media Center PC-->c:\Program Files\HP\Digital Imaging\bin\mcpc\setupmcl.exe /u

HP Photosmart Premier Software 6.5-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat

HP Product Assistant-->MsiExec.exe /I{36FDBE6E-6684-462B-AE98-9A39A1B200CC}

HP Smart Web Printing-->MsiExec.exe /X{415CDA53-9100-476F-A7B2-476691E117C7}

HP Solution Center 9.0-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat

HP Update-->MsiExec.exe /X{FE57DE70-95DE-4B64-9266-84DA811053DB}

HP Web Helper-->regsvr32 /u /s "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll"

HPSSupply-->MsiExec.exe /X{487B0B9B-DCD4-440D-89A0-A6EDE1A545A3}

Intel® Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall

Intel® Matrix Storage Manager-->C:\WINDOWS\System32\Imsmudlg.exe

Intel® PRO Network Connections Drivers-->Prounstl.exe

Intel® Quick Resume Technology Drivers-->C:\WINDOWS\System32\Elusetup.exe

Intel


IMPORTANT

I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BitTornado 0.3.17

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall any P2P programs

Please note: you must NOT use any P2P whilst we are cleaning your machine.

----------------------------------------------------------------------------------------

Step 1

Please do the following:

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c PEV -l "%systemdrive%\beep.sys" >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.

----------------------------------------------------------------------------------------

Step 2

Kaspersky Online Scanner.

Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal

NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin

Go Here http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Read the Requirements and limitations before you click Accept.

Once the database has downloaded, click My Computer in the left pane

Now go and put the kettle on !

When the scan has completed, click Save Report As...

Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)

Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

----------------------------------------------------------------------------------------

Logs/Information to Post in Reply

Please post the following logs/Information in your reply

Some of the logs I request will be quite large, You may need to split them over a couple of replies.

  • Log.txt
  • Kaspersky log
  • How are things running now ?

---------------------------------------------------------------------------------------------------

---------------------------------------------------------------------------------------------------

Additional Notes

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Adobe Reader is a large program and uses unnecessary space.

If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

There is a newer version of Adobe Acrobat Reader available.

  • Please go to this link Adobe Acrobat Reader Download Link
  • Click Download
  • On the right Untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download Java SE Runtime Environment (JRE) (don't install it yet).

  • Scroll down to where it says "Java SE Runtime Environment (JRE)".
  • Click the "Download" button to the right.
    • Platform = Windows
    • Language = Multi Language
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

Now download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Now install the Java SE Runtime Environment (JRE) package you downloaded

(it comes with a toolbar pre-selected, so make sure you uncheck the box)

You can delete JavaRa (zip and exe)


Hi - I removed BitTornado. Here is the first log:

Entries: 0 (0)

Directories: 0 Files: 0

Bytes: 0 Blocks: 0

As for Kaspersky, the Accept button is greyed out and it has a red message at the top stating that any antivirus program needs to be stopped. On the left side it says it is checking computer configuration (which I am not sure if it is really doing it or will do so once I Accept, which I can't do) - if it is, does it take a really long time (10-15 min??). Or is it impacted by any antivirus (McAfee) that I may have running?

My McAfee is Not Protecting me and pops up a message that it needs to be reinstalled. I cannot "Exit" it from any options that I can see. In one of the logs I saw that it seemed to be disabled, but am not sure....how can I know for sure that it is not impacting the Accept button on Kaspersky.

I will do the Adobe and Java updates after Kaspersky.

Let me know your thoughts on the above.

Thanks.


Hi - in addition to the Kaspersky question, I had some problems with installing both Adobe and Java. I first closed out of the Kaspersky window and then proceeded to try to follow the Adobe and Java instructions - in attempting both, they got to a point where they both said that they could not install because 'the feature you are trying to install is on a network that is unavailable'. "Click ok or try again, or enter an alternate path...." I Cancelled - then it said the "older version could not be removed" ??

Why would this occur ??


It's likely that all the problems are caused by files damaged by the infection.

For McAfee, I would recommend reinstalling it.

We need to scan the system with this special tool.

  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.


Hi - When I try junction.exe in C:\Windows after running the script, I immediately get this message:

"Access is Denied" in the DOS window and nothing in the log.

I am going to wait to update McAfee - When I use its Fix function it is trying update, but cannot access what it needs to update. I am hesitant to remove and reinstall in case I can't due to this access issue.

Please let me know your next thoughts.

Thanks.


Sorry for the multiple posts -- I noticed also that in my C:\Windows directory that some of the folders are greyed out. Just wondering if that is something you know is occurring at this stage of the fix and we'll get to, or is that something you need to know now. Thought I'd let you know.

edit: C:\Windows and C:\ drives have greyed out folders.


I tried Kaspersky again - it gave me an error : Kaspersky Online Scanner 7.0 download and operation require Java Framework version 1.5 or later.

I had the problem earlier with installing Java.

I've hit you with a couple posts now and will hold back until I hear from you again. Thanks.


The greyed out folders are probably hidden files that will disappear when we re-hide files and folders.

Create A Batch File

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.

Save it as "All Files" and name it look.bat. Please save it on your desktop (next to Inherit.exe).

@echo off
REM Work from the folder this batch file was saved in, where Inherit.exe also sits.
CD %~dp0
if not exist Inherit.exe (@Echo Inherit Not found >>"%Temp%\log.txt"&&Pause&&goto End)
REM Restore inheritable permissions on cmd.exe so the commands below are not blocked with "Access is denied".
Inherit.exe "%systemroot%\system32\cmd.exe"
REM junction.exe was placed in the Windows directory in the earlier step, so look for it there.
cd /d %systemroot%
if not exist junction.exe (@Echo Junction Not found >>"%Temp%\log.txt"&&Pause&&goto End)
junction -s c:\ >>"%Temp%\log.txt"
:End
notepad "%Temp%\log.txt" & del "%Temp%\log.txt"
del /q %0

Double click on look.bat

Notepad will open, please copy/paste the results here.

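What the junction -s run requested in the two posts above is actually hunting for, as an added example that is not part of the original posts and not code from Sysinternals junction.exe: a small Python script that reads a saved junction report and flags reparse points whose target is a raw \Device\ object (or anything other than a drive-letter directory), plus junctions that carry the same name as their parent directory, and lists the directories the tool could not open. The report layout it parses (a path line ending in ": JUNCTION" followed by indented "Print Name" / "Substitute Name" lines, and "Failed to open ...: Access is denied." lines) is how I recall junction.exe printing it, so check it against a real log before relying on it. SAMPLE_REPORT is constructed for the demonstration, not copied from the machine in this thread.

```python
"""Flag suspicious reparse points in a saved Sysinternals 'junction -s' report.

Added example for this thread, not code from the original posts or from
junction.exe. The layout parsed here (a path line ending in ': JUNCTION'
followed by indented 'Print Name' / 'Substitute Name' lines, and
'Failed to open <path>: Access is denied.' lines for directories the tool
could not enter) is how I recall junction.exe printing it; check it against
a real log before relying on it. SAMPLE_REPORT below is constructed.
"""
import re
from typing import Dict, List

# "\\?\c:\WINDOWS\PIF\PIF: JUNCTION" -> path and kind of one reparse point.
ENTRY_RE = re.compile(r"^\\\\\?\\(?P<path>.+?): (?P<kind>JUNCTION|SYMBOLIC LINK|MOUNT POINT)\s*$")
FIELD_RE = re.compile(r"^\s+(?P<name>Print Name|Substitute Name)\s*:\s*(?P<value>.*)$")
DENIED_RE = re.compile(r"^Failed to open (?P<path>.+?): Access is denied\.$", re.MULTILINE)
# A benign junction resolves to a drive-letter directory, in Win32 (C:\...) or NT (\??\C:\...) form.
DRIVE_TARGET_RE = re.compile(r"^(\\\?\?\\)?[A-Za-z]:\\")
WIN32_PREFIX = "\\\\?\\"


def strip_prefix(path: str) -> str:
    """Drop the \\?\ long-path prefix junction.exe prints in front of every path."""
    return path[len(WIN32_PREFIX):] if path.startswith(WIN32_PREFIX) else path


def parse_junction_report(text: str) -> List[Dict[str, str]]:
    """Turn the report into one dict per reparse point (path, kind, print_name, substitute_name)."""
    entries: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        head = ENTRY_RE.match(line)
        if head:
            current = {"path": head["path"], "kind": head["kind"],
                       "print_name": "", "substitute_name": ""}
            entries.append(current)
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            key = field["name"].lower().replace(" ", "_")
            current[key] = field["value"].strip()
    return entries


def reasons_for(entry: Dict[str, str]) -> List[str]:
    """Heuristics for a reparse point planted by a rootkit rather than an installer."""
    target = entry["substitute_name"] or entry["print_name"]
    reasons: List[str] = []
    if not target:
        reasons.append("no target recorded")
    elif target.startswith("\\Device\\"):
        # A directory that resolves to a raw device object cannot be opened or
        # listed by normal tools, which is exactly the effect the rootkit wants.
        reasons.append("target is a raw device object, not a directory")
    elif not DRIVE_TARGET_RE.match(target):
        reasons.append("target is not a drive-letter path")
    parts = entry["path"].rstrip("\\").split("\\")
    if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
        # "...\Temp\Temp": a junction created inside a directory and given the
        # directory's own name, so casual browsing never shows anything odd.
        reasons.append("junction named after its parent directory")
    return reasons


def audit(text: str) -> Dict[str, object]:
    """Return suspicious junctions plus the directories the scanner could not open."""
    entries = parse_junction_report(text)
    suspicious = []
    for entry in entries:
        reasons = reasons_for(entry)
        if reasons:
            suspicious.append({"path": entry["path"],
                               "target": entry["substitute_name"] or entry["print_name"],
                               "reasons": reasons})
    denied = [strip_prefix(m["path"]) for m in DENIED_RE.finditer(text)]
    return {"total": len(entries), "suspicious": suspicious, "access_denied": denied}


# Constructed sample: one legitimate installer junction and two rootkit-style ones.
SAMPLE_REPORT = r"""
Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Failed to open \\?\c:\System Volume Information: Access is denied.

\\?\c:\Documents and Settings\All Users\Application Data\Example: JUNCTION
   Print Name     : C:\Program Files\Example\Data
   Substitute Name: \??\C:\Program Files\Example\Data

\\?\c:\WINDOWS\PIF\PIF: JUNCTION
   Print Name     :
   Substitute Name: \Device\__max++>\^

\\?\c:\WINDOWS\pchealth\helpctr\Temp\Temp: JUNCTION
   Print Name     :
   Substitute Name: \Device\__max++>\^
"""

if __name__ == "__main__":
    result = audit(SAMPLE_REPORT)
    print(f"{result['total']} reparse points, {len(result['suspicious'])} suspicious, "
          f"{len(result['access_denied'])} directories denied")
    for item in result["suspicious"]:
        print(f"  {item['path']} -> {item['target']}: {'; '.join(item['reasons'])}")
```

Run it against the text file look.bat produces (or paste that text into SAMPLE_REPORT). The access-denied list is worth reading alongside the flagged junctions: a directory the scanner cannot open at all is the same symptom as the "Access is Denied" reported when junction.exe itself would not run, and is what the Inherit.exe step in the batch file works around.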

Hi - it does look like Kaspersky will take a long time. I imagine you'll be signed off by then...will you be back tomorrow morning ??

Also, should I attempt the .bat instructions after I post the Kaspersky log or hold off.

Thanks again for your help today....I hope you'll be back tomorrow.

Do you think we are getting there ????


1) will you be back tomorrow morning ??

2) Also, should I attempt the .bat instructions after I post the Kaspersky log or hold off.

3) Do you think we are getting there ????

1) Yes, I'll be around

2) Let's see what Kaspersky says

3) I think we are close now :)


Well, here it is. It took 3 hours and 30 minutes - glad you mentioned to put a kettle on :) :

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Saturday, August 29, 2009

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Saturday, August 29, 2009 20:15:31

Records in database: 2705419

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

H:\

I:\

K:\

Z:\

Scan statistics:

Objects scanned: 181910

Threats found: 6

Infected objects found: 8

Suspicious objects found: 0

Scan duration: 03:37:27

File name / Threat / Threats count

C:\hp\bin\wbug\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1

C:\Qoobox\Quarantine\C\WINDOWS\msn.exe.vir Infected: Trojan.Win32.FraudPack.riw 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\critical_warning.html.vir Infected: Trojan.HTML.Fraud.b 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_kbiwkmrujdaijx_.sys.zip Infected: Trojan.Win32.TDSS.anyi 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\sdra64.exe.vir Infected: Trojan-Spy.Win32.Zbot.aaer 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir Infected: Packed.Win32.Krap.x 1

D:\I386\APPS\APP26640\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1

D:\I386\APPS\APP26640\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1

Selected area has been scanned.

==============================

Please let me know what you feel I should do next.

Thanks again !!!


This topic is now closed to further replies.