
DDS File



Regarding my previous post, this is the only log I am able to get - the defogger never asked me to reboot, I was not able to download the DDS to my desktop - I had to run it, so I'm not sure if this will even be sufficient. I can't seem to download anything new to my desktop.

DDS (Ver_09-12-01.01) - NTFSx86

Run by Owner at 20:23:14.60 on Thu 02/25/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.470 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

I:\WINDOWS\system32\Ati2evxx.exe

I:\WINDOWS\system32\svchost -k DcomLaunch

I:\WINDOWS\system32\svchost -k rpcss

I:\WINDOWS\System32\svchost.exe -k netsvcs

I:\WINDOWS\system32\svchost.exe -k NetworkService

I:\WINDOWS\system32\svchost.exe -k LocalService

I:\WINDOWS\system32\spoolsv.exe

I:\WINDOWS\system32\Ati2evxx.exe

I:\WINDOWS\Explorer.EXE

I:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

I:\Program Files\Bonjour\mDNSResponder.exe

I:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

I:\WINDOWS\eHome\ehRecvr.exe

I:\WINDOWS\eHome\ehSched.exe

I:\Program Files\Java\jre6\bin\jqs.exe

I:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

i:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

i:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

I:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

I:\Program Files\McAfee\MPF\MPFSrv.exe

I:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe

I:\WINDOWS\system32\svchost.exe -k imgsvc

I:\WINDOWS\wanmpsvc.exe

i:\PROGRA~1\mcafee.com\agent\mcagent.exe

I:\WINDOWS\system32\dllhost.exe

I:\Documents and Settings\Owner\Local Settings\Application Data\av.exe

I:\Program Files\Winamp\winampa.exe

I:\Program Files\Java\jre6\bin\jusched.exe

I:\Program Files\Common Files\AOL\1149769522\ee\AOLSoftware.exe

I:\WINDOWS\SM1BG.EXE

I:\WINDOWS\ehome\ehtray.exe

I:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE

I:\Program Files\ATI Technologies\ATI.ACE\cli.exe

I:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

I:\Program Files\Napster\napster.exe

I:\Program Files\iTunes\iTunesHelper.exe

I:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

I:\Program Files\QuickTime\QTTask.exe

I:\WINDOWS\eHome\ehmsas.exe

I:\WINDOWS\system32\ctfmon.exe

I:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

I:\Program Files\iPod\bin\iPodService.exe

I:\Program Files\ATI Technologies\ATI.ACE\cli.exe

I:\Program Files\ATI Technologies\ATI.ACE\cli.exe

I:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

i:\PROGRA~1\mcafee\msc\mcuimgr.exe

I:\Program Files\AOL 9.1\waol.exe

I:\Program Files\AOL 9.1\shellmon.exe

I:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe

I:\WINDOWS\system32\msdtc.exe

I:\WINDOWS\System32\vssvc.exe

I:\WINDOWS\system32\dllhost.exe

I:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CSJKR229\dds[1].scr

I:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/

uSearch Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://search.aol.com/aolcom/search?query={searchTerms}&invocationType=msie70a

uSearch Bar = hxxp://www.google.com/ie

mDefault_Page_URL = hxxp://www.aol.com/?src=customie7

mDefault_Search_URL = hxxp://www.google.com/ie

mSearch Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

mSearchAssistant = hxxp://www.google.com

uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - i:\program files\aol\aol toolbar 5.0\aoltb.dll

mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - i:\program files\aol\aol toolbar 5.0\aoltb.dll

TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - i:\program files\aol\aol toolbar 5.0\aoltb.dll

TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - i:\windows\system32\Shdocvw.dll

uRun: [Aim6]

uRun: [ctfmon.exe] i:\windows\system32\ctfmon.exe

mRun: [EPSON Stylus Photo RX620 Series] i:\windows\system32\spool\drivers\w32x86\3\E_FATI9HA.EXE /P31 "EPSON Stylus Photo RX620 Series" /O6 "USB001" /M "Stylus Photo RX620"

mRun: [WinampAgent] i:\program files\winamp\winampa.exe

mRun: [sunJavaUpdateSched] "i:\program files\java\jre6\bin\jusched.exe"

mRun: [sM1BG] i:\windows\SM1BG.EXE

mRun: [Pure Networks Port Magic] "i:\progra~1\purene~1\portma~1\PortAOL.exe" -Run

mRun: [HostManager] i:\program files\common files\aol\1149769522\ee\AOLSoftware.exe

mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

mRun: [ehTray] i:\windows\ehome\ehtray.exe

mRun: [ATICCC] "i:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay

mRun: [AOLDialer] i:\program files\common files\aol\acs\AOLDial.exe

mRun: [Adobe Photo Downloader] "i:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"

mRun: [NapsterShell] i:\program files\napster\napster.exe /systray

mRun: [mcagent_exe] i:\program files\mcafee.com\agent\mcagent.exe /runkey

mRun: [Carbonite Backup] i:\program files\carbonite\carbonite backup\CarboniteUI.exe

mRun: [QuickTime Task] "i:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "i:\program files\itunes\iTunesHelper.exe"

mRun: [Hfonudihosozido] rundll32.exe "i:\windows\atajaqap.dll",Startup

StartupFolder: i:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - i:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

uPolicies-system: EnableProfileQuota = 1 (0x1)

IE: &AOL Toolbar Search - i:\documents and settings\all users\application data\aol\ietoolbar\resources\en-us\local\search.html

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - i:\program files\messenger\msmsgs.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - i:\windows\system32\Shdocvw.dll

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R0 sonypvl2;sonypvl2;i:\windows\system32\drivers\sonypvl2.sys [2006-6-11 19478]

R1 mfehidk;McAfee Inc. mfehidk;i:\windows\system32\drivers\mfehidk.sys [2007-12-17 201320]

R1 sonypvf2;sonypvf2;i:\windows\system32\drivers\sonypvf2.sys [2006-6-11 635017]

R1 sonypvt2;sonypvt2;i:\windows\system32\drivers\sonypvt2.sys [2006-6-11 431236]

R2 McProxy;McAfee Proxy Service;i:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-4 359248]

R2 McShield;McAfee Real-time Scanner;i:\progra~1\mcafee\viruss~1\mcshield.exe [2007-12-17 144704]

R3 McSysmon;McAfee SystemGuards;i:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-12-17 695624]

R3 mfeavfk;McAfee Inc. mfeavfk;i:\windows\system32\drivers\mfeavfk.sys [2007-12-17 79304]

R3 mfebopk;McAfee Inc. mfebopk;i:\windows\system32\drivers\mfebopk.sys [2007-12-17 35240]

R3 mfesmfk;McAfee Inc. mfesmfk;i:\windows\system32\drivers\mfesmfk.sys [2007-12-17 40488]

S1 sonypvd2;sonypvd2;i:\windows\system32\drivers\sonypvd2.sys [2006-6-11 64093]

S3 mferkdk;McAfee Inc. mferkdk;i:\windows\system32\drivers\mferkdk.sys [2007-12-17 33832]

S3 MSSQL$NR2005;MSSQL$NR2005;i:\program files\microsoft sql server\mssql$nr2005\binn\sqlservr.exe -snr2005 --> i:\program files\microsoft sql server\mssql$nr2005\binn\sqlservr.exe -sNR2005 [?]

S3 SQLAgent$NR2005;SQLAgent$NR2005;i:\program files\microsoft sql server\mssql$nr2005\binn\sqlagent.exe -i nr2005 --> i:\program files\microsoft sql server\mssql$nr2005\binn\sqlagent.EXE -i NR2005 [?]

=============== Created Last 30 ================

2010-02-26 01:20:41 0 ----a-w- i:\documents and settings\owner\defogger_reenable

2010-02-11 01:40:25 0 ----a-w- i:\windows\Bbaxiyaparohi.bin

2010-02-11 01:40:24 120 ----a-w- i:\windows\Gpujagakusa.dat

2010-02-11 01:36:11 35328 ---ha-w- i:\windows\system32\cmdl2bin.dll

==================== Find3M ====================

2010-01-07 21:07:14 38224 ----a-w- i:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 21:07:04 19160 ----a-w- i:\windows\system32\drivers\mbam.sys

2003-08-27 18:19:18 36963 ------r- i:\program files\common files\SM1updtr.dll

============= FINISH: 20:23:57.84 ===============
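As an added example (not part of this thread, and not code from the DDS tool or from Malwarebytes), here is a small Python triage script for the DDS log format posted above. It splits the log into its `====`-delimited sections and applies a few defender heuristics to the "Running Processes" and "Pseudo HJT Report" sections: executables running from user-profile cache or data folders, toolbar (TB:) registrations with no backing file, Run entries with an empty command, and rundll32 entries that load a DLL stored directly in the Windows root. The sample excerpt is constructed from lines in the post above; the heuristics and the function names are my own assumptions. A flag means "review", not "malicious": the script also flags dds[1].scr, which is the DDS tool itself running from the browser cache because it was run rather than saved.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt in DDS log format; the entries are copied from the
# log posted above, the selection is mine.
SAMPLE_DDS = r"""
============== Running Processes ===============
I:\WINDOWS\system32\svchost.exe -k netsvcs
I:\Program Files\McAfee\MPF\MPFSrv.exe
I:\Documents and Settings\Owner\Local Settings\Application Data\av.exe
I:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CSJKR229\dds[1].scr
============== Pseudo HJT Report ===============
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - i:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [Aim6]
uRun: [ctfmon.exe] i:\windows\system32\ctfmon.exe
mRun: [iTunesHelper] "i:\program files\itunes\iTunesHelper.exe"
mRun: [Hfonudihosozido] rundll32.exe "i:\windows\atajaqap.dll",Startup
============= SERVICES / DRIVERS ===============
"""

# "=== Section Name ===" header lines used by DDS.
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# uRun / mRun autorun entries: "[name] command".
RUN_RE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# rundll32 command with an optionally quoted DLL path as first argument.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.I)

# User-profile locations (assumed heuristic) that installed products and
# services do not normally execute from on Windows XP.
PROFILE_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\temporary internet files\\",
)


def split_sections(text):
    """Return {section name: [non-empty lines]} for a DDS-style log."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def triage_process(path):
    """Reason string if a running-process line deserves review, else None."""
    low = path.lower()
    if any(d in low for d in PROFILE_DIRS):
        return "executable running from a user-profile data or cache directory"
    return None


def triage_autorun(line):
    """Reason string if a Pseudo HJT Report line deserves review, else None."""
    if line.startswith("TB:"):
        # A toolbar GUID still registered but with no file behind it.
        if line.endswith("- No File") or line.endswith("-"):
            return "toolbar registration with no backing file"
        return None
    m = RUN_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if not cmd:
        return "run entry with an empty command"
    d = RUNDLL_RE.match(cmd)
    if d and PureWindowsPath(d.group("dll")).parent.name.lower() == "windows":
        return "rundll32 loading a DLL stored directly in the Windows root"
    return None


def triage(text):
    """Run both heuristic sets over a DDS log; returns (section, line, reason)."""
    findings = []
    sections = split_sections(text)
    for line in sections.get("Running Processes", []):
        reason = triage_process(line)
        if reason:
            findings.append(("Running Processes", line, reason))
    for line in sections.get("Pseudo HJT Report", []):
        reason = triage_autorun(line)
        if reason:
            findings.append(("Pseudo HJT Report", line, reason))
    return findings


if __name__ == "__main__":
    for section, line, reason in triage(SAMPLE_DDS):
        print(f"[{section}] {reason}\n    {line}")
```

Running the script on the sample prints six items for review: the two profile-directory processes, the two orphaned TB: entries, the empty Aim6 run entry and the rundll32 entry. The heuristics are deliberately narrow so that ordinary product entries (svchost, McAfee, ctfmon, iTunesHelper) produce no noise; anything they flag still needs a human or a scanner verdict, as the ESET result later in this thread provides for av.exe.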


Hello pinkshoegirl! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install any software or hardware while we work on it.

Please use this button: t_reply.gif , not this: t_new.gif

Now:

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Admin

You only need to get one of them to run, not all of them.

  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. rkill.pif
  5. WiNlOgOn.exe
  6. uSeRiNiT.exe

Please post the log in your next reply.

Note: The log can be found at the root of your installed hard drive entitled rkill.log

In your next reply, please include these log(s):

* Rkill log

* DDS log

* Attach log


Hi :) and thank you! I was able to run (not save and run) the rkill.exe - it closed the malware that was running and McAfee came up with a box that asked if I wanted to allow a registry change. I had to hit "allow this change" for the rkill to finish. However, I cannot find the log. Here are the other 2 logs I had saved prior. The malware is starting to run again.

Thanks so much, I'm on my way to work but will be back in a few hours to check this!

~Kim

Attach.zip

DDS.zip


Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.


Step 1:

Please uninstall the following applications:

Adobe Reader 7.0.8

AOL Toolbar 5.0

When we finish our work, please download and install the latest version of Adobe Reader from:

http://www.adobe.com

Step 2:

I also see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware since it is installed without users' approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Step 3:

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help clean up any leftover Java.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Step 4:

Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=41523

KillAll::

Collect::
i:\windows\Bbaxiyaparohi.bin
i:\windows\Gpujagakusa.dat

DDS::
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Step 5:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *proquota*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

In your next reply, please include these log(s):

* JavaRa log

* ComboFix log

* SystemLook log


Thanks Kim!

Step 1:

Please download proquota.exe and save it on your desktop.

Step 2:

Start your computer in Safe Mode:

http://www.microsoft.com/resources/documen...e.mspx?mfr=true

Step 3:

Copy proquota.exe and save it on:

i:\windows\system32\

Step 4:

Reboot your computer.

Step 5:

Delete your copy of ComboFix.exe and try again:

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.


Perfect, Kim! ;)

Now:

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Malwarebytes' Anti-Malware 1.44

Database version: 3510

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

2/27/2010 12:31:13 PM

mbam-log-2010-02-27 (12-31-13).txt

Scan type: Quick Scan

Objects scanned: 108105

Time elapsed: 3 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Malwarebytes' Anti-Malware 1.44

Database version: 3803

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

2/27/2010 1:16:38 PM

mbam-log-2010-02-27 (13-16-38).txt

Scan type: Quick Scan

Objects scanned: 115480

Time elapsed: 3 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


That's right! Let's try with:

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You may, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Now click on Advanced Settings and select the following:

    • Remove found threats
    • Scan archives
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed, the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Finally, tell me how things are running now.


Oops sorry! Here it is!

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.5730.13 (longhorn(wmbla).070711-1130)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=6d4b11f152358d4f864c05bfbafb317f

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-02-27 10:33:22

# local_time=2010-02-27 05:33:22 (-0500, Eastern Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=5121 16776873 100 96 46747737 81091729 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=132463

# found=2

# cleaned=2

# scan_time=3774

I:\Qoobox\Quarantine\I\Documents and Settings\Owner\Local Settings\Application Data\av.exe.vir a variant of Win32/Kryptik.CQW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

I:\Qoobox\Quarantine\I\WINDOWS\system32\cmdl2bin.dll.vir.vir a variant of Win32/PSW.Papras.AW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

log.zip


Excellent! That's all! :)

Some final steps:

Step 1:

Please manually delete: DDS; Rkill; JavaRa; SystemLook;

Step 2:

* Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step 3:

Please go to:

C:\Program Files\ESET\ESET Online Scanner\

and run OnlineScannerUninstaller.exe . Follow the instructions to successfully uninstall ESET Online Scanner.

Step 4:

Some preventions:

http://users.telenet.be/bluepatchy/miekiem...prevention.html

I'm so glad we got to work together, Kim!

Safe surfing! :)

