maryy

Malwarebytes Hijackthis Spybot and even Rootrepeal won't run

20 posts in this topic

Wow! Whatever I got, this malware must be a piece of work! The following either won't load or get interrupted and disappear mid-scan:

Malwarebytes

Spybot

Hijackthis and even

Rootrepeal

Combofix as combo-fix.exe on the desktop also will not run

hey, "who are those guys?"

The system has Avira Premium Security Suite and it blocks outgoing packets and attempts by msa.exe and b.exe to access the internet. However a full scan including rootkits done by the Avira program reveals no problem. Avira seems to scan fine, it just doesn't find anything to remove.

I do have an uninfected computer on which I am running now and writing from. I can transfer programs via USB flash drive, and my infected computer can boot from one. I have a 2GB flash drive and can borrow a 16GB one if that helps. The system has a CD/DVD drive. My uninfected system burns CDs but not DVDs.

Thanks to your forum, I did install the console prior to this infestation and can access it at startup. However even though I downloaded combofix to the desktop as "combo-fix" it also will not run past the first display or so.

The system is a Core 2 Duo running WinXP SP3 with most of the updates done, but maybe not the last week's or so.

I tried updating Spybot which worked and now it shows up in the task bar again however it won't come up. It did detect msa.exe on one startup (a few restarts ago) and offered to delete it which I accepted. Now, msa.exe no longer shows up in the running processes list on Task Manager. However b.exe is still present. Teatimer is in the list of running processes.

I'd appreciate (you have no idea how much) any help you can provide in removing this persistent pest. And I will be delighted to contribute (again) to your excellent efforts. I'd also appreciate it if you know whether this could be a password stealer or other identity theft risk, in which case I will use the other computer to change banking passwords.

Again thanks for all the good you guys do! I'll watch here for replies.


Hello,

Excellent notes on your part. Let's start with some things.

#1 Disable and keep disabled Tea Timer, otherwise it will revert any fixes we make during cleanups.

Right click the Spybot icon (blue icon with lock) in the system tray (notification area).

  • If you have the new version, click once on Resident Protection and make sure it is Unchecked.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    Exit Spybot S&D when done and reboot the system so the changes are in effect.

Next, Start with this and on the next round, we'll begin actual cleanups:

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

=

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

=

1. Set Windows to show all files and all folders.

On your Desktop, double click My Computer; from the menu options, select Tools, then Folder Options, then select the View tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

3. Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.

=

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe and really try to Rename it ALPHA.exe

IF unable to download it, use another pc to download and then transfer it to the DESKTOP

  • Close all open windows on the Task Bar. Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.
  • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  • Exit OTL by clicking the X at top right.

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):

  • the contents of OTL.txt;
  • the contents of Extras.txt ; and
  • the contents of checkup.txt

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

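The FixPolicies step and the Folder Options step in the reply above both undo the same trick: malware flips a handful of REG_DWORD policy values so that Task Manager, regedit and the "show hidden files" options stop working, which is also why the fix is "temporary" while the malware is still running and can flip them back. The script below is an added example written for this thread; it is not Bill Castner's FixPolicies code and does not claim to reproduce what his .cmd file does. It audits a Regedit export (the kind you get from File > Export) against an assumed table of the usual lockdown values and emits a corrective .reg fragment. SAMPLE_EXPORT is constructed, not a capture from the machine in this thread, and SANE_POLICIES is an assumption about which values matter.

```python
"""Audit a Regedit export for the Explorer/System policies that malware flips
to block Task Manager, regedit and Folder Options, then build a corrective
.reg fragment.  Added example; not the FixPolicies utility's own code.

Assumptions: SANE_POLICIES lists the usual lockdown values (1 = restricted
for Policies\\*, while Explorer\\Advanced uses 1 = show); SAMPLE_EXPORT is a
constructed export, not a capture from the machine discussed in the thread.
"""
import re

_POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
_ADV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# (key, value name) -> value that leaves the feature usable (assumed table)
SANE_POLICIES = {
    (_POL + r"\System", "DisableTaskMgr"): 0,
    (_POL + r"\System", "DisableRegistryTools"): 0,
    (_POL + r"\Explorer", "NoFolderOptions"): 0,
    (_POL + r"\Explorer", "NoRun"): 0,
    (_ADV, "Hidden"): 1,           # 1 = show hidden files, 2 = hide them
    (_ADV, "ShowSuperHidden"): 1,  # 1 = show protected OS files
    (_ADV, "HideFileExt"): 0,      # 0 = show extensions
}

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})\s*$')

# Constructed sample: what a locked-down profile typically exports
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000
"""


def parse_reg_export(text):
    """Return {(key, name): int} for every REG_DWORD in a .reg export.
    Other value types are skipped; the policies above are all DWORDs."""
    values, key = {}, None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _DWORD_RE.match(line)
        if m and key is not None:
            values[(key, m.group(1))] = int(m.group(2), 16)
    return values


def find_hostile_policies(text):
    """Return (key, name, current, wanted) for each value that differs from
    SANE_POLICIES.  Registry names are case-insensitive, so compare lowercased.
    An absent value is left alone: absent means the default applies."""
    current = {(k.lower(), n.lower()): v
               for (k, n), v in parse_reg_export(text).items()}
    bad = []
    for (key, name), wanted in SANE_POLICIES.items():
        got = current.get((key.lower(), name.lower()))
        if got is not None and got != wanted:
            bad.append((key, name, got, wanted))
    return bad


def corrective_reg(bad):
    """Build a .reg fragment (importable with regedit) that resets each
    hostile value; values are grouped under their key."""
    by_key = {}
    for key, name, _got, wanted in bad:
        by_key.setdefault(key, []).append((name, wanted))
    out = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted(by_key):
        out.append("[%s]" % key)
        out.extend('"%s"=dword:%08x' % (n, w) for n, w in by_key[key])
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for key, name, got, wanted in find_hostile_policies(SAMPLE_EXPORT):
        print("%s\\%s = %d (want %d)" % (key, name, got, wanted))
    print(corrective_reg(find_hostile_policies(SAMPLE_EXPORT)))
```

Importing the generated fragment only helps while nothing is left to flip the values back, which is the same caveat the reply gives for FixPolicies: run it again after the next reboot if the symptoms return, and treat a repeat as evidence that the active component has not been removed yet.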

Hi and thank you for the prompt reply.

I have a question about Avira Premium Security Suite. I can uncheck the various scan options but I can not shut it off completely and it still asks for various permissions. I don't mind uninstalling it if that would be better-- please advise.

Prior to your reply, I ran Combofix again as Combo-fix.exe and it ran and updated itself. It then provided the following log which I am adding here in case it changes your instructions. I apologize for jumping the gun but I thought Combofix wasn't running because the blue screen was on for quite a while -- or maybe it started running at some point. In any case, I thought it better to hold off following the previous instructions and let you know about this log. I regret the inconvenience and incompleteness of the first post!

*-------

ComboFix 09-09-06.02 - user1 09/06/2009 10:44.2.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1603 [GMT -7:00]

Running from: c:\documents and settings\user1\Desktop\Combo-Fix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}

FW: Avira Firewall *enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Start Menu\Programs\HOLUX

c:\documents and settings\All Users\Start Menu\Programs\HOLUX \GpsViewer.lnk

c:\documents and settings\user1\Application Data\inst.exe

C:\install.exe

c:\windows\Installer\4e340b3.msi

c:\windows\Installer\50887c3.msp

c:\windows\Installer\WMEncoder.msi

c:\windows\system32\AutoRun.inf

c:\windows\system32\drivers\Sonyhcp.dll

c:\windows\UA000019.DLL

c:\windows\UA000079.DLL

c:\windows\UA000106.DLL

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\system32\logevent.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))

.

2009-09-06 15:52 . 2009-09-06 15:52 -------- d-----w- c:\program files\GiPo@Utilities

2009-09-06 15:52 . 2009-09-06 15:52 -------- d-----w- c:\program files\Common Files\Gibinsoft Shared

2009-09-06 07:08 . 2009-09-06 07:08 -------- d-----w- c:\documents and settings\user1\Application Data\Avira

2009-09-06 06:59 . 2009-05-08 21:13 97608 ----a-w- c:\windows\system32\drivers\avfwot.sys

2009-09-06 06:59 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-09-06 06:59 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-09-06 06:59 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-09-06 06:59 . 2009-02-24 20:06 69632 ----a-w- c:\windows\system32\drivers\avfwim.sys

2009-09-06 06:59 . 2009-09-06 06:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-09-06 06:59 . 2009-09-06 06:59 -------- d-----w- c:\program files\Avira

2009-09-06 06:40 . 2009-09-06 06:40 -------- d-----w- c:\program files\ESET

2009-09-05 22:28 . 2009-09-05 22:28 -------- d-----w- c:\program files\CMS Products

2009-09-05 22:28 . 2007-08-31 19:39 10240 ----a-w- c:\windows\system32\drivers\portd64.sys

2009-09-05 22:21 . 2008-01-02 16:35 35520 ----a-w- c:\windows\system32\BBUninstall.exe

2009-09-05 22:21 . 2009-09-05 22:21 -------- d-----w- c:\documents and settings\user1\Application Data\InstallShield Installation Information

2009-08-27 06:28 . 2009-08-27 06:29 -------- d-----w- c:\program files\MapExplorer

2009-08-27 06:20 . 2009-08-27 06:20 -------- d-----w- c:\documents and settings\user1\Application Data\GARMIN

2009-08-26 00:22 . 2003-09-22 23:01 11520 ------w- c:\windows\system32\drivers\WDMSTUB.sys

2009-08-25 23:43 . 2007-03-08 22:18 8320 ----a-w- c:\windows\system32\drivers\grmnusb.sys

2009-08-25 23:43 . 2007-03-08 22:18 18432 ----a-w- c:\windows\system32\drivers\grmngen.sys

2009-08-25 23:41 . 2009-08-27 06:17 -------- d-----w- C:\Garmin

2009-08-15 20:36 . 2009-08-15 20:36 -------- d-----w- c:\program files\Seagate

2009-08-15 20:36 . 2009-08-15 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate

2009-08-15 20:34 . 2009-08-15 20:34 -------- d-----w- c:\documents and settings\user1\Local Settings\Application Data\Downloaded Installations

2009-08-15 20:33 . 2009-08-15 20:33 -------- d-----w- c:\documents and settings\user1\Application Data\Leadertech

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-06 16:42 . 2008-12-18 17:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-06 16:22 . 2006-12-31 21:12 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-06 06:53 . 2007-01-03 16:22 -------- d-----w- c:\program files\Powermarks 3.5

2009-09-04 21:54 . 2007-01-03 08:24 -------- d-----w- c:\program files\Google

2009-09-04 20:18 . 2007-10-08 20:38 -------- d-----w- c:\program files\Olympus

2009-09-04 20:18 . 2006-12-13 02:41 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-30 23:38 . 2007-02-19 14:19 -------- d-----w- c:\program files\MpcStar

2009-08-27 05:46 . 2007-02-11 01:29 -------- d-----w- c:\program files\BitComet

2009-08-22 13:14 . 2008-08-30 18:47 -------- d-----w- c:\program files\MediaCoder

2009-08-17 22:50 . 2007-08-09 01:10 -------- d-----w- c:\documents and settings\user1\Application Data\Canon

2009-08-17 07:18 . 2007-03-15 03:13 -------- d-----w- c:\program files\Zoom Player

2009-08-03 20:36 . 2008-12-18 17:34 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 20:36 . 2008-12-18 17:34 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-28 23:33 . 2009-05-03 20:37 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-07-21 05:26 . 2007-06-14 06:17 -------- d-----w- c:\program files\URLToysPerlSA

2005-05-14 00:12 . 2005-05-14 00:12 217073 --sha-r- c:\windows\meta4.exe

2005-10-24 18:13 . 2005-10-24 18:13 66560 --sha-r- c:\windows\MOTA113.exe

2005-10-14 04:27 . 2005-10-14 04:27 422400 --sha-r- c:\windows\x2.64.exe

2005-10-08 02:14 . 2005-10-08 02:14 308224 --sha-r- c:\windows\system32\avisynth.dll

2005-07-14 19:31 . 2005-07-14 19:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll

2005-06-26 22:32 . 2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll

2005-06-22 05:37 . 2005-06-22 05:37 45568 --sha-r- c:\windows\system32\cygz.dll

2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\i420vfw.dll

2006-04-27 17:24 . 2006-04-27 17:24 2945024 --sha-r- c:\windows\system32\Smab.dll

2005-02-28 20:16 . 2005-02-28 20:16 240128 --sha-r- c:\windows\system32\x.264.exe

2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216]

"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-19 868352]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-03-27 181544]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HDAShCut.exe [2004-10-27 61952]

c:\documents and settings\user1\Start Menu\Programs\Startup\

BounceBack Launcher.lnk - c:\program files\CMS Products\BounceBack Server\BBStartup.exe [2009-9-5 40960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled

HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]

2007-06-20 19:09 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Device Detector 2.lnk

backup=c:\windows\pss\Device Detector 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk

backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SMART-ER.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SMART-ER.lnk

backup=c:\windows\pss\SMART-ER.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^user1^Start Menu^Programs^Startup^Secunia PSI (RC1).lnk]

path=c:\documents and settings\user1\Start Menu\Programs\Startup\Secunia PSI (RC1).lnk

backup=c:\windows\pss\Secunia PSI (RC1).lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\GigaByte\\VGA Utility Manager\\gvupdate.exe"=

"c:\\Program Files\\GigaByte\\VGA Utility Manager\\gvflashw.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\Program Files\\EtiVoServer\\EtiVoSrv.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

"c:\\Program Files\\GigaByte\\VGA Utility Manager\\G-VGA.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\TVHarmony\\AutoPilot.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Media Player Classic\\mplayerc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26233:TCP"= 26233:TCP:*:Disabled:BitComet 26233 TCP

"26233:UDP"= 26233:UDP:*:Disabled:BitComet 26233 UDP

"7329:TCP"= 7329:TCP:BitComet 7329 TCP

"7329:UDP"= 7329:UDP:BitComet 7329 UDP

"2190:UDP"= 2190:UDP:*:Disabled:HMO

"2190:TCP"= 2190:TCP:*:Disabled:HMO

"8081:TCP"= 8081:TCP:*:Disabled:HMO

R0 ezgmntr;EZ GIG II Backup Archive Explorer;c:\windows\system32\drivers\ezgmntr.sys [12/20/2006 8:38 PM 213760]

R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [9/5/2009 11:59 PM 97608]

R2 AntiVirFirewallService;Avira Firewall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [9/5/2009 11:59 PM 388865]

R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [9/5/2009 11:59 PM 194817]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/5/2009 11:59 PM 108289]

R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [9/5/2009 11:59 PM 434945]

R2 BBWatcherService;BBWatcherService;c:\program files\CMS Products\BounceBack Server\BBWatcherService.exe [9/5/2009 3:28 PM 36864]

R2 ezgfsfilt;EZ GIG II FS Filter;c:\windows\system32\drivers\ezgfsfilt.sys [12/20/2006 8:38 PM 28800]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [3/27/2009 3:54 PM 165160]

R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [9/5/2009 11:59 PM 69632]

S2 gupdate1c9bd2f6accc6cc;Google Update Service (gupdate1c9bd2f6accc6cc);c:\program files\Google\Update\GoogleUpdate.exe [4/14/2009 11:32 AM 133104]

S3 EtiVoServer;EtiVoServer;c:\program files\EtiVoServer\EtiVoSrv.exe [9/8/2005 11:09 PM 24576]

S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [3/15/2009 1:13 PM 34064]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2/19/2008 1:24 AM 7808]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/15/2008 8:25 AM 747912]

S4 GPCIDrv;GPCIDrv;c:\windows\GPCIDrv.sys [11/8/2008 1:49 PM 5112]

S4 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [12/30/2006 9:17 AM 17962]

S4 TCCrystalCpuInfo;TCCrystalCpuInfo;\??\c:\docume~1\user1\LOCALS~1\Temp\TCCpuInfo.sys --> c:\docume~1\user1\LOCALS~1\Temp\TCCpuInfo.sys [?]

S4 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [7/9/2008 4:13 PM 868864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 18:32]

2009-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 18:32]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Download All by FlashGet

IE: Download using FlashGet

LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://204.13.252.204:90/activex/AMC.cab

FF - ProfilePath - c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\z4f3xe0j.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll

FF - plugin: c:\program files\MpcStar\Codecs\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\MpcStar\Codecs\Real\browser\plugins\nprpjplug.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-06 10:55

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{12D6502E-043D-FB91-713D-CA485AE31673}\InProcServer32*]

"oadnadkhjbgegodlmcjnolaelolijn"=hex:6a,61,63,61,68,6b,6e,63,6c,6a,6c,6a,6d,65,

68,68,6e,63,70,70,00,f9

"nadnkcabafnddlccliceghmkmodh"=hex:6a,61,63,61,68,6b,6e,63,6c,6a,6c,6a,6d,65,

68,68,6e,63,70,70,00,f9

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)

c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'lsass.exe'(1084)

c:\program files\Avira\AntiVir Desktop\avsda.dll

- - - - - - - > 'explorer.exe'(3052)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe

c:\program files\Olympus\DeviceDetector\DM1Service.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Citrix\GoToMyPC\g2comm.exe

c:\program files\Citrix\GoToMyPC\g2pre.exe

c:\program files\Citrix\GoToMyPC\g2tray.exe

c:\windows\system32\wscntfy.exe

c:\program files\CMS Products\BounceBack Server\BBLauncher.exe

c:\program files\Avira\AntiVir Desktop\usrreq.exe

.

**************************************************************************

.

Completion time: 2009-09-06 11:07 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-06 18:07

ComboFix2.txt 2009-01-03 21:06

Pre-Run: 21,244,571,648 bytes free

Post-Run: 21,270,700,032 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4

255 --- E O F --- 2008-09-18 18:22

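A ComboFix log like the one above is read by eye for a short list of things: a firewall profile with EnableFirewall set to 0, a service or driver whose image lives in a Temp directory (the TCCrystalCpuInfo entry), files under c:\windows carrying the system+hidden attribute set (the --sha-r- block in the Find3M report), and locked CLSID keys whose value names are random letter strings (the two entries under LOCKED REGISTRY KEYS). The script below is an added example written for this thread, not ComboFix's or the forum's own code. It runs those checks over a constructed excerpt in the same format as the log above and decodes the hex data of the locked values; the flagging rules are assumptions about what a reviewer looks for, not ComboFix's own logic, and every hit is a lead rather than a verdict.

```python
"""Triage a ComboFix log for the items a reviewer checks by eye: the
Windows Firewall profile switched off, a service whose image sits in a
Temp directory, files under c:\\windows carrying the system+hidden
attributes, and locked CLSID keys whose value names are random letters.
Added example, not ComboFix's or the forum's own code; SAMPLE_LOG is
constructed in the same format as the thread's log, and the flagging
rules below are assumptions, not ComboFix's own logic.
"""
import re

SAMPLE_LOG = r"""
2005-05-14 00:12 . 2005-05-14 00:12 217073 --sha-r- c:\windows\meta4.exe
2005-10-08 02:14 . 2005-10-08 02:14 308224 --sha-r- c:\windows\system32\avisynth.dll
2009-08-03 20:36 . 2008-12-18 17:34 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-06 15:52 . 2009-09-06 15:52 -------- d-----w- c:\program files\GiPo@Utilities

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/5/2009 11:59 PM 108289]
S4 TCCrystalCpuInfo;TCCrystalCpuInfo;\??\c:\docume~1\user1\LOCALS~1\Temp\TCCpuInfo.sys --> c:\docume~1\user1\LOCALS~1\Temp\TCCpuInfo.sys [?]

--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{12D6502E-043D-FB91-713D-CA485AE31673}\InProcServer32*]
"oadnadkhjbgegodlmcjnolaelolijn"=hex:6a,61,63,61,68,6b,6e,63,6c,6a,6c,6a,6d,65,
68,68,6e,63,70,70,00,f9
"""

# date . date size attrs path   (attrs is the 8-char d/s/h/a/r/w field)
_FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
                      r"(\S+) (\S{8}) (.+)$")
# R0..S4 name;display name;image path [date size]
_SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[")
_HEX_RE = re.compile(r'^"([^"]+)"=hex:(.*)$')
_FW_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')


def _iter_lines(text):
    """Yield logical lines, joining a hex: value that wraps onto the next line."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        while line.endswith(",") and i + 1 < len(lines):
            i += 1
            line += lines[i].strip()
        yield line
        i += 1


def decode_hex_value(hexstr):
    """Turn '6a,61,...' data into text, stopping at the first NUL byte."""
    raw = bytes(int(b, 16) for b in hexstr.split(",") if b.strip())
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def looks_random(name, min_len=16):
    """Heuristic (assumption): long, all-lowercase, vowel-poor value names are
    generated rather than chosen by a developer."""
    if len(name) < min_len or not name.isalpha() or not name.islower():
        return False
    vowels = sum(name.count(v) for v in "aeiou")
    return vowels / len(name) < 0.45


def triage(text):
    """Return a list of (category, detail) findings for a ComboFix log."""
    findings, key, in_locked = [], None, False
    for line in _iter_lines(text):
        if "LOCKED REGISTRY KEYS" in line:
            in_locked = True
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key and _FW_RE.match(line):
            findings.append(("firewall_off", key))
            continue
        m = _FILE_RE.match(line)
        if m:
            attrs, path = m.group(2), m.group(3)
            # attrs[2] == 's' (system) and attrs[3] == 'h' (hidden)
            if attrs[2] == "s" and attrs[3] == "h" and path.lower().startswith(r"c:\windows"):
                findings.append(("hidden_system_file", path))
            continue
        m = _SVC_RE.match(line)
        if m:
            name, image = m.group(2), m.group(4)
            if "\\temp\\" in image.lower():
                findings.append(("service_in_temp", name))
            continue
        m = _HEX_RE.match(line)
        if m and in_locked and key:
            name, data = m.group(1), decode_hex_value(m.group(2))
            if looks_random(name):
                findings.append(("random_locked_value", "%s -> %s" % (name, data)))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print("%-20s %s" % (category, detail))
```

On the real log above this produces the same four kinds of hit. Context is what turns a hit into a decision: the EnableFirewall=0 line describes the built-in Windows Firewall profile while the log header shows Avira's firewall as the active one, and the --sha-r- files are dated 2004 to 2006, years before this infection started, so neither is a verdict on its own. The locked-key entries are the odd ones: both value names are random letter strings and both carry the same data, which decodes to another random letter string.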

I only have the Avira free edition (on 1 system) and not the Premium version..... but I think you should be able to right-click the Avira icon on system notification area and de-select Avira guard IF it is checked. That ought to de-activate the real time monitor.

Have infinite patience with the Sysclean and Kaspersky scans (below).

You should be able to update MBAM and run it (if not, go on with the next steps).

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 2748 or later. The latest program version is 1.40

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

Go >> here <<

and download RootRepeal and SAVE to your Desktop.

Doubleclick RootRepeal.exe icon on your Desktop.

Click on the Report tab at bottom of window and then click on Scan button.

A window will open asking what to include in the scan. Check all of the below and then click Ok.

Drivers

Files

Processes

SSDT

Hidden Services

Stealth Objects

You will then be asked which drive to scan.

Check C: (or the drive your operating system is installed on if not C) and click Ok again.

The scan will start.

It will take a little while so please be patient. When the scan has finished, click on Save Report.

Name the log RootRepeal.txt and save it to your Documents folder (it should default there).

When you have done this, please copy and paste it in this thread.

=

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Trend Micro Damage Cleanup Engine
  • Make sure you read this document to understand how to use the program: Trend Micro Sysclean Package README 1st
  • Basically there are 3 parts that need to be downloaded and SAVED from these links:
    • Sysclean Package
    • Virus Pattern Files, which will be a LPTxxx.ZIP file
    • Spyware Pattern Files, which will be a SSAPIPTNxxx.ZIP file. It is the 4th listed file, under the title "Detection and Cleanup (Trend Micro Anti-Spyware)".


Hi again,

Well... Malwarebytes now runs. I'll post the log below -- I did an uneventful update of it yesterday. Just FYI, I am still unable to delete some of the original malwarebyte files so I reinstalled the program into a folder called malwarebytes2 (under Program Files) and I renamed the exe file to winlogon.exe just in case.

Rootrepeal.exe stops running rapidly with a "blue screen of death". I tried it with all my usual startup items active and also with Spybot, Avira, Gotomypc, and Bounceback (a backup system) deactivated from the task bar at the bottom right of the screen. I did not try deactivating individual processes so presumably Teatimer or other things may have been running. I ran it three times. On one run with the startup programs deactivated as above, Rootrepeal gave an error message in a box before the screen went blue. I could probably capture that with a camera and type it in if it would help. It stayed up too short a time to read. Two of the runs with the programs inactivated didn't get very far. The third (with the above programs active) ran for a short time and scanned a few dozen files before it went "bloooey!" It may help to know I use an Asus PN5SLI mother board which is quite fussy. I am not overclocking it. It complained after the third blue screen event during the cold restart, went to its own "safe mode" but restarted OK without problems or other error messages when I pressed F1 to continue.

I'm happy to uninstall ALL the antiviral stuff-- Avira and Spybot and anything else you'd like removed and I can make an image backup of the hard drive and work on that so my data will be preserved. Just let me know if that's the best way to go. If so, it may be a day or two before I can continue with your instructions.

Here's the Malwarebytes log from yesterday. Did you want another Combofix log? I did not attempt the additional steps you specified after Rootrepeal would not run.

*-------

Malwarebytes' Anti-Malware 1.40

Database version: 2750

Windows 5.1.2600 Service Pack 3

9/7/2009 12:58:50 AM

mbam-log-2009-09-07 (00-58-50).txt

Scan type: Full Scan (C:\|)

Objects scanned: 516240

Time elapsed: 4 hour(s), 18 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\user1\Desktop\Temporary Programs\System utilities\benchmarks\super_pi\super_pi_mod-1.5\super_pi_mod.exe (Malware.Packer.Krunchy) -> Quarantined and deleted successfully.

*-------

Superpi is infected? I've had that download for a long time-- way before the current problem started! Anyway, I allowed Malwarebytes to remove it.

I'm sure you know how much all this assistance is appreciated!

M.Y.


Hello M.Y.

2 issues I want to address: #1 Do not run Combofix on your own. Don't run anything else on your own, unless I ask you to.

This is a must so we can rule out confusion & conflicts & a possible non-working Windows install.

#2. You stated

so I reinstalled the program into a folder called malwarebytes2 (under Program Files) and I renamed the exe file to winlogon.exe just in case.
Do us both a favor: go back and rename the MBAM exe back to normal.

I am not a fan of renaming anything as winlogon.

And as to a second setup of MBAM it is not desired.

Let me review your recent logs and get back with you for further steps. As I say, don't make changes or additions to the system, nor do anything on your own without consulting here, please. I like to avoid complications.


Since RootRepeal is giving fits, let's set that aside. I need for you to proceed (as per my earlier reply) to get and run

SYSCLEAN & do

Kaspersky scan

After those 2 are done, then let's get & run GMER

Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================

Double-click gmer.exe. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt"
  • Save it where you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.

  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt"
  • Save it where you can easily find it, such as your desktop.

=

When done, reply with copy of

Sysclean.log

Kaspersky scan log

the GMER.txt


Hi.

Sorry about the apparently independent actions -- they took place between the time I first posted and your first reply and the renaming idea came from a sticky set of instructions elsewhere in the forum. I ran Combofix at the same time to see if it would run instead of being terminated by whatever malware I had. I did not mean to increase your workload! Won't happen again.

Trend Micro ran fine until the end at which time, I am guessing it did a reboot which probably re-activates Avira Premium Security Suite whose scanners had been turned off-- anyway the Trend Micro program stopped with a message from Avira: "SSAPI command line scanner. This application is trying to execute code in another process (explorer.exe)-- Allow/Deny." I allowed and Trend Micro continued and terminated, apparently normally. The log display from inside the Trend Micro scanner isn't copyable as text. Transcribing it manually from a screen image, the next to last entry is "Scanner C:\DEC\TSC.bin has finished running." Next line says "TSC Log:" and the last line consists of what looks like 3 characters. The first is a "y" with two dots over it, the second looks like a p overwritten with an L and the last is a D.

The files report.log and sysclean.log exist and can be loaded into Notepad and read as text. Would you like me to post either or both? sysclean.log is fairly brief but report.log is quite lengthy, a 135KB file.

I then tried to run Kaspersky's web scan as directed. First I updated Java as requested. I made sure Avira was as much OFF as I can make it (all scanners unchecked) and I disabled Spybot. Kaspersky started to load but terminated with the error: "Launch of the JACA application is interrupted. Please establish an interrupted Internet connection for work with this program." The only other thing I can think of to tell you is that no programs are running that I was able to disable from taskbars and the only other thing is that some Windows updates are pending and the Windows shield icon is on the task bar. My browser seems to run fine and the internet connection is from Time Warner cable via a cable modem and a Linksys wifi router however this computer is hard wired to the router via a CAT5 cable. I've had no problems with the internet connection recently.

I did not run the last program you requested nor post the Trend Micro logs pending your further directions. If you'd like me to uninstall Avira, I'll be happy to. Shall I allow Windows update to run at this time?

Thanks and again, sorry for the previous inconvenience.

M. Y.


Yes, accept the Windows Updates and apply them. If prompted to reboot, do it at that time.

At your next chance, Copy and Paste here in reply the contents of Sysclean.log


/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2009-2010, Trend Micro, Inc. |

| http://www.trendmicro.com |

\--------------------------------------------------------------/

2009-09-08, 00:03:20, Auto-clean mode specified.

2009-09-08, 00:03:20, Initialized Rootkit Driver version 1.6.0.1059.

2009-09-08, 00:03:20, Running scanner "C:\dce\TSC.BIN"...

2009-09-08, 00:03:24, Scanner "C:\dce\TSC.BIN" has finished running.

2009-09-08, 00:03:24, TSC Log:


Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 2773.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================

Double-click gmer.exe. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.

  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

=

Reply with copy of the latest MBAM scan log

and the Gmer.txt

and tell me, How is your system now ?


MBAM SCAN LOG:

Malwarebytes' Anti-Malware 1.40

Database version: 2774

Windows 5.1.2600 Service Pack 3

9/10/2009 7:02:15 PM

mbam-log-2009-09-10 (19-02-15).txt

Scan type: Full Scan (C:\|)

Objects scanned: 520788

Time elapsed: 4 hour(s), 26 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.

GMER.TXT:

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net

Rootkit scan 2009-09-11 08:49:12

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT BAF60BAE ZwCreateKey

SSDT BAF60BA4 ZwCreateThread

SSDT BAF60BB3 ZwDeleteKey

SSDT BAF60BBD ZwDeleteValueKey

SSDT BAF60BC2 ZwLoadKey

SSDT BAF60B90 ZwOpenProcess

SSDT BAF60B95 ZwOpenThread

SSDT BAF60BCC ZwReplaceKey

SSDT BAF60BC7 ZwRestoreKey

SSDT BAF60BB8 ZwSetValueKey

SSDT BAF60B9F ZwTerminateProcess

SSDT BAF60B9A ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avfwot.sys (TDI filtering kernel driver/Avira GmbH)

AttachedDevice \Driver\Tcpip \Device\Tcp avfwot.sys (TDI filtering kernel driver/Avira GmbH)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)

AttachedDevice \Driver\Tcpip \Device\Udp avfwot.sys (TDI filtering kernel driver/Avira GmbH)

AttachedDevice \Driver\Tcpip \Device\RawIp avfwot.sys (TDI filtering kernel driver/Avira GmbH)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{12D6502E-043D-FB91-713D-CA485AE31673}\InProcServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{12D6502E-043D-FB91-713D-CA485AE31673}\InProcServer32@oadnadkhjbgegodlmcjnolaelolijn 0x6A 0x61 0x63 0x61 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{12D6502E-043D-FB91-713D-CA485AE31673}\InProcServer32@nadnkcabafnddlccliceghmkmodh 0x6A 0x61 0x63 0x61 ...

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{BC0A5C4A-5200-4703-8FD3-2C54CB731FCB}\RP2\A0000041.sys:1 8704 bytes executable

ADS C:\System Volume Information\_restore{BC0A5C4A-5200-4703-8FD3-2C54CB731FCB}\RP2\A0000046.sys:1 8704 bytes executable

ADS C:\System Volume Information\_restore{BC0A5C4A-5200-4703-8FD3-2C54CB731FCB}\RP2\A0000065.sys:1 8704 bytes executable

ADS C:\System Volume Information\_restore{BC0A5C4A-5200-4703-8FD3-2C54CB731FCB}\RP2\A0000072.sys:1 8704 bytes executable

ADS C:\System Volume Information\_restore{BC0A5C4A-5200-4703-8FD3-2C54CB731FCB}\RP2\A0000056.sys:1 8704 bytes executable

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031178.JPG 1127258 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031161.JPG 1312961 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031162.JPG 1916617 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031163.JPG 1929773 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031164.JPG 1864782 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031165.JPG 2025580 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031166.JPG 1751723 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031167.JPG 1437183 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031168.JPG 2320084 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031169.JPG 2369072 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031170.JPG 1966530 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031171.JPG 1943830 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031172.JPG 1866613 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031173.JPG 1884373 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031174.JPG 1998313 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031175.JPG 2100706 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031176.JPG 1795936 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031177.JPG 1410303 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031179.JPG 286404 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031180.JPG 1781610 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031181.JPG 1021017 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041182.JPG 378687 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041183.JPG 403750 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041184.JPG 1164497 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041185.JPG 2314880 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041186.JPG 2435349 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041187.JPG 2534233 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041188.JPG 2576637 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041189.JPG 2490951 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041190.JPG 2596927 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041191.JPG 2175079 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041192.JPG 2349697 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041193.JPG 2448487 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041194.JPG 2387656 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041195.JPG 2481140 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041196.JPG 2541145 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041197.JPG 2458840 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041198.JPG 2595027 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041199.JPG 2755933 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041200.JPG 2696896 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041201.JPG 2550105 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041202.JPG 1920479 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041203.JPG 1680012 bytes

File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041204.JPG 1612098 bytes

---- EOF - GMER 1.0.15 ----

FYI: The files with the long path name at the end of the log are JPG's I made myself with a Sony camera. No idea why the program would notice those.

The computer runs fine. The browsers, both IE8 and FF seem slow. This may be because prior to consulting you, I tightened up Avira's security setting. If everything seems clean now, I can experiment with that or maybe there is a better, less speed-reducing antivirus I can use (it doesn't need to be free)? Please let me know if any other tests seem indicated. Again, many thanks for the very valuable and patient help. If you have an extra moment, I'd be interested if you know what malware I had and typically where it might have come from.

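The GMER log posted above mixes four kinds of entries (SSDT hooks, attached filter drivers, registry values, files and alternate data streams), and the poster's question about the JPG entries shows how easy it is to lose the important lines among the noise. The following Python triage script is an added example, not part of this thread and not GMER's own code: it splits a GMER log into its sections and ranks entries by what a responder must attribute first. The sample log it parses is constructed in the format of the log above with shortened paths; it also contains one made-up, unattributed filter driver line (`unnamed_example.sys`, not on the page) to exercise that branch, and a synthetic path built to exceed MAX_PATH. The heuristics (address clustering for SSDT hooks, vendor string present for drivers, long lowercase value names holding raw bytes, the MAX_PATH explanation for plain `File` entries) are this example's assumptions, not statements from GMER.

```python
"""Triage a GMER rootkit-scan log (added example; heuristics are assumptions)."""
import re
from collections import Counter

MAX_PATH = 260  # classic Win32 path limit; GMER's kernel view reaches paths Win32 tools cannot

SECTION_RE = re.compile(r"^---- (\w+) - GMER")
SSDT_RE = re.compile(r"^SSDT ([0-9A-F]{8}) (\w+)$")
DEVICE_RE = re.compile(r"^AttachedDevice (\S+) (\S+) (\S+)(?: \((.*)\))?$")
REG_RE = re.compile(r"^Reg (\S+?)(?:@(\S+)(?: (.*))?)?$")
ADS_RE = re.compile(r"^ADS (.+?):(\S+) (\d+) bytes( executable)?$")
FILE_RE = re.compile(r"^File (.+?) (\d+) bytes$")
OPAQUE_NAME_RE = re.compile(r"^[a-z]{16,}$")  # long random-looking lowercase value names

# Constructed: a path deliberately longer than MAX_PATH, like the JPG entries in the thread.
LONG_PATH = ("C:\\Documents and Settings\\user1\\Desktop\\"
             + "\\".join("folder number %d with a long name" % i for i in range(8))
             + "\\P5031178.JPG")

# Constructed sample in the format of the GMER log posted above (paths shortened,
# one made-up unattributed driver line added, one synthetic over-length path).
SAMPLE_LOG = r"""GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-09-11 08:49:12
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT BAF60BAE ZwCreateKey
SSDT BAF60B90 ZwOpenProcess
SSDT BAF60B9A ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp avfwot.sys (TDI filtering kernel driver/Avira GmbH)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp unnamed_example.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{12D6502E-043D-FB91-713D-CA485AE31673}\InProcServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{12D6502E-043D-FB91-713D-CA485AE31673}\InProcServer32@oadnadkhjbgegodlmcjnolaelolijn 0x6A 0x61 0x63 0x61 ...

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{BC0A5C4A-5200-4703-8FD3-2C54CB731FCB}\RP2\A0000041.sys:1 8704 bytes executable
File @@LONGPATH@@ 1127258 bytes

---- EOF - GMER 1.0.15 ----
""".replace("@@LONGPATH@@", LONG_PATH)


def parse_gmer_log(text):
    """Group the log's non-empty lines under the GMER section they appear in."""
    sections = {"System": [], "Devices": [], "Registry": [], "Files": []}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line and current in sections:
            sections[current].append(line)
    return sections


def triage(text):
    """Return (severity, category, detail) findings, most urgent first."""
    s = parse_gmer_log(text)
    findings = []
    # SSDT hooks clustered by address range: one cluster usually means one driver
    # (often an AV/HIPS self-protection module) owns every hook; each cluster still
    # has to be attributed to a known, signed driver before it is dismissed.
    hooks = [SSDT_RE.match(l).groups() for l in s["System"] if SSDT_RE.match(l)]
    for prefix, n in sorted(Counter(a[:5] for a, _ in hooks).items()):
        funcs = ", ".join(f for a, f in hooks if a.startswith(prefix))
        findings.append(("medium", "ssdt-hooks", f"{n} hooks at {prefix}xxx: {funcs}"))
    # Filter drivers on the TCP/IP or disk stack: acceptable when the vendor string
    # names a product you installed; a module with no vendor info needs a close look.
    for l in s["Devices"]:
        m = DEVICE_RE.match(l)
        if m:
            _drv, dev, module, desc = m.groups()
            sev = "low" if desc and "/" in desc else "high"
            findings.append((sev, "filter-driver", f"{module} on {dev} ({desc or 'no vendor info'})"))
    # A meaningless value name holding raw bytes under a COM registration is a
    # classic place to stash loader configuration.
    for l in s["Registry"]:
        m = REG_RE.match(l)
        if m and m.group(2) and OPAQUE_NAME_RE.match(m.group(2)) and (m.group(3) or "").startswith("0x"):
            findings.append(("high", "opaque-reg-value", f"{m.group(1)}@{m.group(2)}"))
    # Executable alternate data streams hide payloads; plain 'File' entries are
    # frequently just paths over MAX_PATH, which GMER sees but Win32-level tools miss.
    for l in s["Files"]:
        m = ADS_RE.match(l)
        if m:
            findings.append(("high" if m.group(4) else "medium", "ads",
                             f"{m.group(1)}:{m.group(2)} ({m.group(3)} bytes)"))
            continue
        m = FILE_RE.match(l)
        if m:
            path = m.group(1)
            if len(path) > MAX_PATH:
                findings.append(("info", "long-path-file", f"{len(path)} chars > MAX_PATH: ...{path[-30:]}"))
            else:
                findings.append(("medium", "hidden-file", path))
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    findings.sort(key=lambda f: order[f[0]])
    return findings


def summarize(text):
    """Count findings per category for a quick overview."""
    return Counter(cat for _, cat, _ in triage(text))


if __name__ == "__main__":
    for sev, cat, detail in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {cat:17} {detail}")
```

Run against a real Gmer.txt by reading the file into `triage()`. The point of the ranking is attribution, not verdicts: every SSDT cluster and filter driver should be tied to a product the owner knowingly installed, while executable streams and opaque registry blobs go to the top of the list regardless of how clean the other sections look.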

Well, all may not yet be copacetic.

I just clicked on a link from a political discussion forum and the link is supposed to go here: http://www.nytimes.com/2007/03/12/us/12med...;pagewanted=all . The first time I tried that link, I received a popup or popunder from: http://www.toptvbytes.com/index.aspx?pid=10088&SID=1796 and the tab I opened with the link in Firefox went to here: (CAUTION--DO NOT CLICK THIS LINK UNLESS PROTECTED! I changed it so it won't work unless a dot is substituted for my text between the asterisks. ) http://malwareinternetscanner03 **dot**com/1/?sess=%3D2259jDwMi02MyZpcD02Ni43NS4yNDkuNyZ0aW1lPTEyNTY3MMkMNQkN -- Avira caught it and stopped the browser from accessing it with a warning "The requested URL has been identified as a potentially dangerous website. In order not to compromise your security, the access to this page has been blocked. Category/categories:Malware. Generated by AntiVir WebGuard 9.0.5.0 " I closed the involved tab and tried the same link again and it connected to the correct URL-- the NYT article. The prior page I accessed before the discussion forum was snopes.com. That gave me a Netflix popup (as usual).

Firefox is fully updated, version 3.5.3 . I did quite a bit of browsing today and this has been the only anomaly I noticed. Any idea what caused this or what to do about it or how serious it may be? This computer is used for some banking though I switched that function to a well running and well protected laptop while this trouble shooting is going on. The computer runs fine today other than the above and maybe FF is a bit slow. I suspect I can run any scanner program that you'd like.

Thanks!

M. Y.


Please download GooredFix and save it to your Desktop.

Now double-click Goored.exe on your Desktop to run it.

Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again.

A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

=

Then, next, get and run FixIEDef:

Use this URL to Download the latest version, and SAVE it to your Desktop !

http://downloads.malwareteks.com/FixIEDef.exe

Double click FixIEdef.exe on your Desktop to start it.

Click OK when you get the 1st FixIEDef window.

Next, at 2nd message-window, press SCAN button.

Click OK when you see a FixIEDef alert window.

Let it scan the file system and the registry. Do not touch keyboard or mouse while utility is running.

Click Exit once FixIEDef displays the !!! All Finished message !!! window.

WARNING: FixIEDef will kill all copies of Internet Explorer and Explorer that are running, during removal of malicious files. The icons and Start Menu on your Desktop will not be visible while FixIEDef is removing malicious files. This is necessary to remove parts of the infection that would otherwise not be removed.

Click Exit once FixIEDef displays the All Finished message.

Reply with copy of Goored.txt and the FixIEDef log file, located on the Desktop.


GooredFix by jpshortstuff (12.07.09)

Log created at 11:16 on 12/09/2009 (user1)

Firefox version 3.5.3 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\

powermarks@kaylon.com [16:23 03/01/2007]

{972ce4c6-7e08-4474-a285-3208198ce6fd} [16:21 03/01/2007]

{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [16:39 01/05/2007]

{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [19:13 26/07/2007]

{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [17:25 28/10/2007]

{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [18:38 27/03/2008]

{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [16:00 06/07/2008]

{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} [18:01 02/11/2008]

{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [18:09 04/03/2009]

{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [06:23 11/04/2009]

{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [21:43 08/09/2009]

{FE76A1D3-DF55-4527-8BB7-07A3C6ABE9D6} [16:48 20/07/2007]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [21:19 10/02/2009]

"{000a9d1c-beef-4f90-9363-039d445309b8}"="C:\Program Files\Google\Google Gears\Firefox\" [21:54 04/09/2009]

"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [18:01 02/11/2008]

-=E.O.F=-

--------------------------------------------------------

********************************************************************************

* *

* FixIEDef Log *

* Version 1.7.22.7514 *

* *

********************************************************************************

Created at 11:18:15 on Saturday, September 12, 2009

Time Zone : (GMT-08:00) Pacific Time (US & Canada)

Logged On User : user1

Operating System : Microsoft Windows XP Home Edition Service Pack 3

OS Architecture : X86

System Langauge : English (United States)

Keyboard Layout : English (United States)

Processor : X64 Intel® Core2 CPU 6600 @ 2.40GHz

System Drive : C:\

Windows Directory : C:\WINDOWS

System Directory : C:\WINDOWS\system32

System Drive Type : Fixed

System Drive Status : READY

System Drive Label :

System Drive Size : 305.23 GB

System Drive Free : 16.32 GB

Total Physical Memory: 2046 MB

Free Physical Memory : 1362 MB

Total Page File : 2046 MB

Free Page File : 2100 MB

Total Virtual Memory : 2048 MB

Free Virtual Memory : 1961 MB

Boot State : Normal boot

--------------------------------------------------------------------------------

!!! userinit.exe is Clean !!!

--------------------------------------------------------------------------------

!!! Files that have been deleted !!!

C:\WINDOWS\system32\tmp.txt

--------------------------------------------------------------------------------

!!! Directories that have been removed !!!

No malicious directories to be removed

--------------------------------------------------------------------------------

!!! Registry entries that have been removed !!!

No malicious Registry entries found

================================================================================

All Done :unsure:

ShadowPuterDude

Safe Surfing!!!

-----------------------------------

Thanks! M. Y. (I'll be away for a few hours and then back for the day)


Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 2785 or later. The latest program version is 1.41

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

Next, disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Using Internet Explorer browser only, go to ESET Online Scanner website:

Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.

  • Accept the Terms of Use and press the Start button;
  • Approve the install of the required ActiveX Control, then follow the on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

Look at the contents of this file using Notepad or Wordpad.

The Frequently Asked Questions for ESET Online Scanner can be viewed here:

http://www.eset.com/onlinescan/cac4.php?page=faq

  • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner. Otherwise the scan will take twice as long to do: every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
  • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner (and to promptly re-enable it when finished).
  • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

=

Re-enable your AntiVirus and AntiSpyware applications.

Reply with a copy of the MBAM scan log and the ESET scan log.


Whoops ... ran the full scan by mistake -- the quick scan had reported clean. Here's the log:

Malwarebytes' Anti-Malware 1.41

Database version: 2786

Windows 5.1.2600 Service Pack 3

9/12/2009 10:38:13 PM

mbam-log-2009-09-12 (22-38-13).txt

Scan type: Full Scan (C:\|)

Objects scanned: 523462

Time elapsed: 4 hour(s), 45 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Here's Eset's log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=6

# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6050

# api_version=3.0.2

# EOSSerial=d2dd2de2a98f6947b98f1fe668ecf5f0

# end=stopped

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2009-09-06 06:51:25

# local_time=2009-09-05 11:51:25 (-0800, Pacific Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1797 21 100 100 1156968593750

# compatibility_mode=2817 63 100 100 316444658281250

# scanned=16092

# found=0

# cleaned=0

# scan_time=434

# version=6

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6050

# api_version=3.0.2

# EOSSerial=d2dd2de2a98f6947b98f1fe668ecf5f0

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-09-13 11:36:44

# local_time=2009-09-13 04:36:44 (-0800, Pacific Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1798 37 100 100 565640468750

# compatibility_mode=2817 63 100 100 323095846718750

# scanned=635544

# found=2

# cleaned=0

# scan_time=20865

C:\Documents and Settings\user1\Local Settings\Application Data\Identities\{FC7AC938-F43A-4C42-968E-F18737F16BD8}\Microsoft\Outlook Express\old_sent (last 5_2003).dbx VBS/LoveLetter.Colombia worm (unable to clean) 00000000000000000000000000000000 I

C:\Documents and Settings\user1\Local Settings\Application Data\Identities\{FC7AC938-F43A-4C42-968E-F18737F16BD8}\Microsoft\Outlook Express\old_sent_to6_2002.dbx Win32/Adware.Webhancer.A application (unable to clean) 00000000000000000000000000000000 I

If I am not mistaken, the two files listed above are folders from Outlook Express email. They are also very old -- one from 2002 and the other from 2003! I don't need them and, if it helps, I can delete them by hand. But it's hard to imagine how these could be significant after all this time.

Regards and thanks.

M. Y.

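The ESET log posted above has a simple shape: one block of `# key=value` header lines per scan session (the poster ran two, the first of which ended with `end=stopped`), followed by one line per detection. The following is an added example, not ESET's tooling or the poster's file, that parses that shape and flags sessions that stopped early or report more found than cleaned; the embedded sample log is constructed in the same format from the two hits quoted above, and it assumes a threat name begins with a Family/Name token as those two do.

```python
"""Parse the '# key=value' ESET Online Scanner log quoted above (added example)."""
import re

HEADER_RE = re.compile(r"^# (\w+)=(.*)$")
# Detection line: <path> <Family/Name ...> (<status>) <32-hex hash> <flag>.
# Assumption: the threat name starts with a 'Family/Name' token, as in the thread.
DETECT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) (?P<threat>\S+/\S+ .*?) "
    r"\((?P<status>[^)]*)\) (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$")

# Constructed sample shaped like the posted log: a session that stopped
# early with nothing found, then a finished one whose hits were not cleaned.
SAMPLE_LOG = """\
# version=6
# end=stopped
# found=0
# cleaned=0
# version=6
# end=finished
# found=2
# cleaned=0
C:\\Documents and Settings\\user1\\Outlook Express\\old_sent (last 5_2003).dbx VBS/LoveLetter.Colombia worm (unable to clean) 00000000000000000000000000000000 I
C:\\Documents and Settings\\user1\\Outlook Express\\old_sent_to6_2002.dbx Win32/Adware.Webhancer.A application (unable to clean) 00000000000000000000000000000000 I
"""

def parse_eset_log(text):
    """Return one {'fields': {...}, 'detections': [...]} dict per session."""
    sessions = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            if m[1] == "version":          # '# version=' opens a new session
                sessions.append({"fields": {}, "detections": []})
            if sessions:                   # repeated keys keep the last value
                sessions[-1]["fields"][m[1]] = m[2]
            continue
        m = DETECT_RE.match(line.strip())
        if m and sessions:
            sessions[-1]["detections"].append(m.groupdict())
    return sessions

def summarize(session):
    """A session needs attention if it did not finish or found > cleaned."""
    f = session["fields"]
    found, cleaned = int(f.get("found", 0)), int(f.get("cleaned", 0))
    manual = [d["path"] for d in session["detections"]
              if "unable to clean" in d["status"]]
    return {"finished": f.get("end") == "finished", "found": found,
            "cleaned": cleaned, "manual_action": manual,
            "needs_attention": f.get("end") != "finished" or found > cleaned}
```

Run against the real log.txt, `manual_action` lists exactly the paths the helper asks the poster to deal with by hand.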

You'll need to delete the 2 items out of Outlook Express on your own. The last 2 scans are very good.

Your system is good to go after the following

Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you should un-install it.

Go to Control Panel and Add-or-Remove programs.

Look for it and click the line for it. Select Change/Remove to de-install it.

De-install ESET Online scan

De-install Kaspersky Online scan

OK & Exit out of Control Panel

I see that you are clear of your original issues.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. Whichever name you gave it (it's on your desktop as combo-fix.exe), put that name in the RUN box stated just below.

The "/u" in the Run line below is to start Combofix for its cleanup & removal function.

Note the space after exe and before the slash mark.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Click Start, then click Run.
    In the command box that opens, type or copy/paste
    combo-fix.exe /u
    and then click OK.

  • Please double-click OTL.exe to run it.
  • Click on the CleanUp! button at the upper right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.

Delete SYSCLEAN downloads and the C:\DCE folder (if still there)

Delete GMER if still there

Delete RootRepeal if still there

We are finished here. Best regards.


You're very welcome. Stay safe.

This thread is closed. The procedures used here are only for this system. Using them on another system may very well cause harm.

If you are a viewer and having issues, create your own New topic.
