
Windows XP Restore virus?



Hi, my system appears to be infected with the Windows XP Restore virus. I tried following the pinned directions, but RKill in regular mode just gets deleted off the USB, and in safe mode it starts and then says "access denied". What should I do to get my system working again? In the meantime it doesn't even boot up all the way; it just boots into the restore warning.

Thanks!

This is the Rkill log

rkill.txt


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply.


Hi Chris, thank you for your reply. I tried running MBAM from the USB drive; I had both the MBAM program and the MBAM setup on the USB. Setup starts but then, before finishing, says "access denied" and rolls back the changes. The program doesn't open; after clicking on the icon in the USB folder it just says "the system cannot find the path specified".

How else may I try to get mbam to run?


By the way, I did try it in both regular and safe mode as well.


Skip it and go to DDS.

Thanks, here is the DDS.txt:

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Run by Eric Rave at 19:56:05 on 2011-06-30

Microsoft Windows XP Home Edition 5.1.2600.3.1252.263.1033.18.3061.2291 [GMT -4:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

FW: AVG Firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Logitech\Logitech Vid\Vid.exe

c:\program files\real\realplayer\RealPlay.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFJA.EXE

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Documents and Settings\All Users\Application Data\NCQftnHgDltsBD.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\WINDOWS\system32\attrib.exe

C:\WINDOWS\system32\attrib.exe

C:\Program Files\iPod\bin\iPodService.exe

c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

C:\WINDOWS\system32\attrib.exe

C:\WINDOWS\system32\attrib.exe

C:\Documents and Settings\Eric Rave\Application Data\Real\Update\UpgradeHelper\RealPlayer\8.01\rnupgagent.exe

C:\WINDOWS\system32\attrib.exe

C:\WINDOWS\system32\attrib.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = www.google.com

uInternet Settings,ProxyOverride = *.local

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101103061629.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [Google Update] "c:\documents and settings\eric rave\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [Logitech Vid] "c:\program files\logitech\logitech vid\Vid.exe" -bootmode

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [EPSON WorkForce 610 Series (Copy 2)] c:\windows\system32\spool\drivers\w32x86\3\e_fatifja.exe /fu "c:\windows\temp\E_S180.tmp" /EF "HKCU"

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

uRun: [NCQftnHgDltsBD] c:\documents and settings\all users\application data\NCQftnHgDltsBD.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe

mRun: [FUFAXSTM] "c:\program files\epson software\fax utility\FUFAXSTM.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [iTSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

StartupFolder: c:\docume~1\ericra~1\startm~1\programs\startup\jawbone updater.lnk - c:\program files\jawbone\JawboneUpdater.exe

StartupFolder: c:\docume~1\ericra~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE

uPolicies-explorer: NoDesktop = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 167.206.254.2 167.206.254.1

TCP: Interfaces\{70911794-8036-40C4-8CD7-94FB9714C640} : NameServer = 8.8.8.8,8.8.4.4

TCP: Interfaces\{70911794-8036-40C4-8CD7-94FB9714C640} : DhcpNameServer = 167.206.254.2 167.206.254.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\eric rave\application data\mozilla\firefox\profiles\n49n6fgu.default\

FF - prefs.js: browser.search.selectedEngine - eBay

FF - prefs.js: browser.startup.homepage - www.google.com

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\documents and settings\eric rave\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\eric rave\local settings\application data\google\update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL

FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\nos\bin\np_gp.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\mozilla firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: SwitchProxy Tool: {27A2FD41-CB23-4518-AB5C-C25BAFFDE531} - %profile%\extensions\{27A2FD41-CB23-4518-AB5C-C25BAFFDE531}

.

============= SERVICES / DRIVERS ===============

.

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-9-24 20616]

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 386840]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-10-14 84072]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-1-24 54752]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-14 55840]

R3 Ma730Pt;MA730 Bluetooth VCOM Driver;c:\windows\system32\drivers\ma730Pt.sys [2010-2-5 103680]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-5-11 152960]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-5-11 52104]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-14 313288]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-10-14 88544]

S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2009-9-24 22528]

S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2009-6-17 26248]

S3 libusb0;LibUsb-Win32 - Kernel Driver 06/04/2010,1.12.1.0;c:\windows\system32\drivers\libusb0.sys [2011-5-14 21120]

S3 Ma730c;MA730 Bluetooth Core Driver;c:\windows\system32\drivers\ma730c.sys [2010-2-5 157024]

S3 Ma730Vad;MA730 Bluetooth Audio;c:\windows\system32\drivers\Ma730Vad.sys [2010-2-5 50522]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-10-14 88544]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-14 84264]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-5-11 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-5-11 40552]

.

=============== Created Last 30 ================

.

.

==================== Find3M ====================

.

2011-06-13 02:47:00 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-26 13:10:38 499712 ---ha-w- c:\windows\system32\msvcp71.dll

2011-05-26 13:10:38 348160 ---ha-w- c:\windows\system32\msvcr71.dll

2011-04-06 20:20:16 91424 ---ha-w- c:\windows\system32\dnssd.dll

2011-04-06 20:20:16 197920 ---ha-w- c:\windows\system32\dnssdX.dll

2011-04-06 20:20:16 107808 ---ha-w- c:\windows\system32\dns-sd.exe

2010-04-26 22:49:15 145 -c-ha-w- c:\program files\ypp_2420718.bat

2010-04-26 22:47:48 145 -c-ha-w- c:\program files\ypp_2333468.bat

2010-04-26 00:26:03 137 -c-ha-w- c:\program files\ypp_2270203.bat

2010-04-26 00:18:19 137 -c-ha-w- c:\program files\ypp_1807859.bat

2010-04-26 00:16:52 137 -c-ha-w- c:\program files\ypp_1720859.bat

2010-04-26 00:16:51 137 -c-ha-w- c:\program files\ypp_1719906.bat

2010-04-26 00:16:50 137 -c-ha-w- c:\program files\ypp_1719250.bat

.

============= FINISH: 20:12:22.06 ===============

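Added example, not from this thread and not part of DDS, RKill or any of the tools mentioned: a small Python triage script that reads a DDS-style log and flags the three things visible in the log above that point at a file-hiding rogue: an autorun entry for a random-named executable sitting in a user-writable data folder (the NCQftnHgDltsBD.exe entry, which the ESET scan later in the thread identifies as a Win32/Kryptik trojan), an Explorer restriction policy such as NoDesktop = 1, and several attrib.exe instances running at once. The sample input is constructed from a handful of lines in the shape DDS prints, modelled on the posted log; the user-writable directory list, the no-vowels "random name" heuristic and the attrib.exe threshold are assumptions for illustration, not anything DDS itself does.

```python
import re

# Constructed sample (not the thread's full log): a few lines in the shape DDS prints,
# modelled on the log posted above. The random-named executable is the one the
# thread's later ESET scan identified as a Win32/Kryptik trojan.
SAMPLE_DDS = """\
============== Running Processes ===============
C:\\WINDOWS\\system32\\svchost.exe -k netsvcs
C:\\WINDOWS\\Explorer.EXE
C:\\Documents and Settings\\All Users\\Application Data\\NCQftnHgDltsBD.exe
C:\\WINDOWS\\system32\\attrib.exe
C:\\WINDOWS\\system32\\attrib.exe
C:\\WINDOWS\\system32\\attrib.exe
============== Pseudo HJT Report ===============
uRun: [Google Update] "c:\\documents and settings\\eric rave\\local settings\\application data\\google\\update\\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRun: [NCQftnHgDltsBD] c:\\documents and settings\\all users\\application data\\NCQftnHgDltsBD.exe
mRun: [LWS] c:\\program files\\logitech\\lws\\webcam software\\LWS.exe -hide
uPolicies-explorer: NoDesktop = 1 (0x1)
"""

# Locations a limited user account can write to on Windows XP (assumed list; extend as needed).
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\desktop\\")
# Explorer policy values that rogue "system tool" families set to hide the desktop and tools.
RESTRICTION_POLICIES = {"nodesktop", "nofolderoptions", "disabletaskmgr", "disableregistrytools"}

# uRun/mRun lines look like:  uRun: [Name] "<path>.exe" <args>   (the quotes are optional)
RUN_RE = re.compile(r'^(?P<hive>[um]Run): \[(?P<name>[^\]]*)\] "?(?P<path>[^"]*?\.exe)"?', re.I)
# Policy lines look like:     uPolicies-explorer: NoDesktop = 1 (0x1)
POLICY_RE = re.compile(r"^(?P<hive>[um])Policies-(?P<key>\w+): (?P<value>\w+) = (?P<data>\d+)", re.I)
VOWELS = set("aeiou")


def looks_random(basename):
    """Heuristic: vendor binaries are pronounceable; generated names usually have no vowels."""
    stem = basename.rsplit(".", 1)[0]
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.15


def triage(dds_text):
    """Return (severity, reason, evidence) findings for a DDS log, in log order."""
    findings = []
    attrib_count = 0
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # File-hiding rogues spawn attrib.exe over and over; one or two is normal during setup.
        if line.lower().endswith("\\attrib.exe"):
            attrib_count += 1
            continue
        m = RUN_RE.match(line)
        if m:
            path = m.group("path").lower()
            base = path.rsplit("\\", 1)[-1]
            # Flag only the combination: a user-writable location AND an unpronounceable name,
            # so legitimate per-user updaters (GoogleUpdate.exe here) are not reported.
            if any(d in path for d in USER_WRITABLE) and looks_random(base):
                findings.append(("high", "autorun of random-named exe in user-writable dir", line))
            continue
        m = POLICY_RE.match(line)
        if m and m.group("value").lower() in RESTRICTION_POLICIES and m.group("data") != "0":
            findings.append(("medium", "explorer restriction policy set", line))
    if attrib_count >= 3:
        findings.append(("medium", f"{attrib_count} attrib.exe instances running", "Running Processes"))
    return findings


if __name__ == "__main__":
    for severity, reason, evidence in triage(SAMPLE_DDS):
        print(f"[{severity}] {reason}: {evidence}")
```

Run against the constructed sample it reports the NCQftnHgDltsBD autorun as high, and the NoDesktop policy and the three attrib.exe instances as medium; the same three findings are what a helper reading the full log above would pick out by eye. The vowel heuristic is deliberately crude: it is a prompt to look closer, not a verdict, which is why the thread still confirms the file with a scanner before anything is deleted.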

  • Staff

Are you also running the AVG firewall?

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Hi, when I try to run ESET it gets to step 2 out of 4:

"can not get update. Is proxy configured?"

"note eset has already been run on this computer in the past. only files necessary to update to the current version will be downloaded"

I tried running it both in regular and in safe mode; both times it only got to the initialization of step 2 of 4.

Thank you


  • Staff

Hi,

Try this instead:

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317



via mobile:

Hi, thank you for your reply. Running F-Secure errors out and does not even begin: "if you want to run F-Secure Online Scanner please restart your web browser and return to this page".

I tried updating Java, and tried through Firefox and Google Chrome also. What can I do? Thanks


Take a picture of the errors you are receiving and post them here please.

Does this help? Since most programs are not working on my desktop, I'm not sure which one to print screen and copy to.

java.io.FileNotFoundException: C:\Documents and Settings\Eric Rave\Application Data\Sun\Java\Deployment\security\trusted.certs (Access is denied)

at java.io.FileOutputStream.open(Native Method)

at java.io.FileOutputStream.<init>(Unknown Source)

at java.io.FileOutputStream.<init>(Unknown Source)

at com.sun.deploy.security.DeploySigningCertStore$2.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at com.sun.deploy.security.DeploySigningCertStore.save(Unknown Source)

at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)

at sun.plugin2.applet.Plugin2ClassLoader.isTrustedByTrustDecider(Unknown Source)

at sun.plugin2.applet.Plugin2ClassLoader.getTrustedCodeSources(Unknown Source)

at com.sun.deploy.security.CPCallbackHandler$ParentCallback.strategy(Unknown Source)

at com.sun.deploy.security.CPCallbackHandler$ParentCallback.openClassPathElement(Unknown Source)

at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)

at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$800(Unknown Source)

at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)

at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)

at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)

at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)

at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)

at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)

at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)

at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)

at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)

at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)

at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)

at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)

at java.lang.ClassLoader.loadClass(Unknown Source)

at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)

at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source)

at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

java.io.FileNotFoundException: C:\Documents and Settings\Eric Rave\Application Data\Sun\Java\Deployment\security\trusted.certs (Access is denied)

at java.io.FileOutputStream.open(Native Method)

at java.io.FileOutputStream.<init>(Unknown Source)

at java.io.FileOutputStream.<init>(Unknown Source)

at com.sun.deploy.security.DeploySigningCertStore$2.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at com.sun.deploy.security.DeploySigningCertStore.save(Unknown Source)

at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)

at sun.plugin2.applet.Plugin2ClassLoader.isTrustedByTrustDecider(Unknown Source)

at sun.plugin2.applet.Plugin2ClassLoader.getPermissions(Unknown Source)

at java.security.SecureClassLoader.getProtectionDomain(Unknown Source)

at java.security.SecureClassLoader.defineClass(Unknown Source)

at java.net.URLClassLoader.defineClass(Unknown Source)

at java.net.URLClassLoader.defineClass(Unknown Source)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

at java.lang.reflect.Method.invoke(Unknown Source)

at sun.plugin2.applet.Plugin2ClassLoader.defineClassHelper(Unknown Source)

at sun.plugin2.applet.Plugin2ClassLoader.access$100(Unknown Source)

at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)

at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)

at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)

at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)

at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)

at java.lang.ClassLoader.loadClass(Unknown Source)

at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)

at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source)

at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)


Hi,

What do you mean programs don't work? What happens specifically?

The desktop is missing the background that I set, as well as all the icons. In the Windows Start menu, for example, the Accessories folder is missing; that is where I would normally find the Paint program. Some of the program folders are missing, and even the folders that are there are empty when I click on them.


  • Staff

krystalgem,

Please start your own topic to receive help.

yos77,

Please download Unhide.exe by Grinler and save it to your Desktop.

Run it, then restart your computer.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

Dirlook::
C:\WINDOWS\pss
C:\Documents and Settings\Eric Rave\Start Menu

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317


OK, I ran the Unhide program as you said, and it appears that all the icons are back on the desktop, and all the programs in the start menu etc.

The desktop background picture did not revert back to my picture but remains a blue background; I presume that I can just set my desired picture as usual and that will take care of the background picture.

Having not used the computer yet, other than for the directions you have given, I don't know if there are any other issues, but I will follow up if there are any.

Is there anything else I need to do in the meantime?

Thank you for your patience and persistent follow up!


  • Staff

Hi,

Yes, put your desired picture back as your Desktop background.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=7cff32dfea197d4b8da628288d928b42

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-07-31 08:52:29

# local_time=2011-07-31 04:52:29 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 37260167 37260167 0 0

# compatibility_mode=768 16777215 100 0 766393 766393 0 0

# compatibility_mode=1029 16777214 0 1 37655602 37655602 0 0

# compatibility_mode=1280 16777215 100 0 101017234 101017234 0 0

# compatibility_mode=8192 67108863 100 0 36914266 36914266 0 0

# scanned=287579

# found=10

# cleaned=10

# scan_time=23562

C:\Documents and Settings\Eric Rave\Desktop\InternationalPrimoPDF.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Eric Rave\My Documents\Downloads\InternationalPrimoPDF.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Eric Rave\My Documents\Downloads\WhiteSmokeInstaller_9128.exe a variant of Win32/InstallCore.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Eric Rave\My Documents\My Pictures\Palm Photos Yossi\CR\Internal\FreewarePrimoPDF.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\NCQftnHgDltsBD.exe.vir a variant of Win32/Kryptik.PBM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP308\A0085338.exe a variant of Win32/Kryptik.PBM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP308\A0090105.exe a variant of Win32/Kryptik.PBM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP308\A0095264.exe a variant of Win32/Kryptik.PBM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP308\A0096114.exe a variant of Win32/Kryptik.PBM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP314\A0101919.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
