
7+ trojans! Gen Kriptik, SVCHost.exe, Malex.gen!E, etc.


#31 BLewellyn (Member, Topic Starter)

what a mess--sorry will repost

Edited by BLewellyn, 21 February 2011 - 01:01 PM.



#32 BLewellyn (Member, Topic Starter)

Hello again Ron,

The password for Kerryn worked fine this time. No alerts other than the mme.exe one so far. I should probably tell you that I made a new administrator account named Daryn that wasn't password protected when I put the password back on Kerryn. He had not yet been demoted before I started the tasks in this reply.

I went back and took a look at those administrator files. There are actually 3 of them. One is plain administrator and the other two are administrator.BARBARA and administrator.BARBARA.000. BARBARA is the name I gave to the computer.

Here is the notepad file for the cmd run:

Volume in drive C has no label.
Volume Serial Number is 58B4-4E91

Directory of C:\Documents and Settings\kerryn

02/20/2011 04:30 PM <DIR> .
02/20/2011 04:30 PM <DIR> ..
05/07/2006 03:47 PM <DIR> .housecall
02/21/2011 04:53 AM <DIR> Application Data
02/21/2011 09:24 AM <DIR> Cookies
02/21/2011 05:13 AM <DIR> Desktop
02/16/2011 09:42 AM <DIR> Favorites
02/14/2011 10:09 PM <DIR> IECompatCache
02/14/2011 10:06 PM <DIR> IETldCache
12/02/2005 12:05 PM <DIR> Local Settings
02/20/2011 12:58 PM <DIR> My Documents
02/23/2005 03:23 PM <DIR> NetHood
02/21/2011 12:23 PM 3,932,160 ntuser.dat
02/21/2011 12:34 PM 1,024 ntuser.dat.LOG
02/21/2011 12:23 PM 178 NTUSER.INI
02/23/2005 03:23 PM <DIR> PrintHood
02/14/2011 10:07 PM <DIR> PrivacIE
02/21/2011 12:20 PM <DIR> Recent
02/20/2011 12:50 PM <DIR> SendTo
02/23/2005 03:23 PM <DIR> Start Menu
02/15/2011 01:31 PM <DIR> Templates
03/15/2005 08:33 PM <DIR> UserData
11/12/2005 03:06 PM <DIR> WINDOWS
3 File(s) 3,933,362 bytes
20 Dir(s) 22,028,890,112 bytes free
Volume in drive C has no label.
Volume Serial Number is 58B4-4E91

Directory of C:\

Volume in drive C has no label.
Volume Serial Number is 58B4-4E91

Directory of C:\Documents and Settings

02/20/2011 04:35 PM <DIR> .
02/20/2011 04:35 PM <DIR> ..
02/20/2011 04:29 PM <DIR> Administrator
02/20/2011 04:26 PM <DIR> Administrator.BARBARA
02/20/2011 04:36 PM <DIR> Administrator.BARBARA.000
02/23/2005 03:23 PM <DIR> All Users
02/20/2011 04:30 PM <DIR> Barbara
02/17/2011 02:24 PM <DIR> Default User
02/20/2011 04:30 PM <DIR> kerryn
02/20/2011 05:18 PM <DIR> LocalService
02/20/2011 04:30 PM <DIR> NetworkService
0 File(s) 0 bytes
11 Dir(s) 22,039,441,408 bytes free
Volume in drive C has no label.
Volume Serial Number is 58B4-4E91

Directory of C:\Documents and Settings\kerryn\Start Menu\Programs\Startup

02/21/2011 04:45 AM <DIR> .
02/21/2011 04:45 AM <DIR> ..
08/10/2004 01:04 PM 84 DESKTOP.INI
1 File(s) 84 bytes
2 Dir(s) 22,039,441,408 bytes free

B

#33 RKinner (Malware Expert, MVP)

Are you sure it is not asking for mm_tray.exe instead of mm.exe?

There is an entry in your last OTL log

O4 - HKLM..\Run: [MMTray]

which used to refer to:

O4 - HKLM..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe ()

Part of musicmatch which didn't completely uninstall.

We can remove it with OTL:

Copy the text in the code box by highlighting and Ctrl + c


:Services

:OTL
O4 - HKLM..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe ()
O4 - HKLM..\Run: [MMTray] 

:Files
C:\Program Files\MUSICMATCH
     
:Commands
[emptytemp]
[Reboot]

then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply.
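The MMTray entry above is the classic leftover of an incomplete uninstall: the Run value survives while its target file is gone, and in the later log the value has lost its command altogether. Below is an added example, not part of this thread or of OTL, that reads O4 lines in the format the log uses and sorts them into "orphaned" (value with no command), "missing-target" (command points at a file that no longer exists) and "ok". The third sample line, the ExampleAV path and the `constructed_exists` file table are made up so the script runs offline; on a real machine you would pass `os.path.isfile` as the `exists` callback.

```python
import re
from typing import Callable, List, Optional, Tuple

# Constructed sample lines in OTL's "O4" autorun-entry format. The first two
# reproduce the MUSICMATCH entries quoted in the thread; the third is a made-up
# healthy entry whose path exists in the constructed file table below.
SAMPLE_O4_LINES = [
    r"O4 - HKLM..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe ()",
    r"O4 - HKLM..\Run: [MMTray] ",
    r"O4 - HKLM..\Run: [ExampleAV] C:\Program Files\ExampleAV\exampleav.exe (Example Vendor)",
]

# Constructed stand-in for the files present on disk, so the example runs
# offline. On a real machine pass os.path.isfile as the `exists` callback.
PRESENT_FILES = {r"c:\program files\exampleav\exampleav.exe"}


def constructed_exists(path: str) -> bool:
    return path.lower() in PRESENT_FILES


# "O4 - <hive>..\Run: [<value name>] <command> (<company>)"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKU)[^\[]*\[(?P<name>[^\]]*)\]\s*(?P<rest>.*)$")


def parse_o4(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (hive, value name, target path) for an O4 line, or None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    # OTL appends the file's company name in parentheses; "()" means unknown.
    rest = re.sub(r"\s*\([^()]*\)\s*$", "", rest)
    # A quoted path may carry arguments; keep only the quoted executable.
    if rest.startswith('"') and rest.count('"') >= 2:
        rest = rest[1:rest.index('"', 1)]
    return m.group("hive"), m.group("name"), rest


def classify_o4(line: str, exists: Callable[[str], bool]) -> str:
    """'orphaned' = value exists but has no command; 'missing-target' = command
    points at a file that is gone; 'ok' = target present; 'unparsed' = not O4."""
    parsed = parse_o4(line)
    if parsed is None:
        return "unparsed"
    _, _, path = parsed
    if not path:
        return "orphaned"
    return "ok" if exists(path) else "missing-target"


def audit_autoruns(lines: List[str], exists: Callable[[str], bool]) -> List[Tuple[str, str, str]]:
    """Return (value name, status, target) for every O4 line, worst first."""
    rank = {"orphaned": 0, "missing-target": 1, "ok": 2, "unparsed": 3}
    rows = []
    for line in lines:
        parsed = parse_o4(line)
        if parsed is None:
            continue
        _, name, path = parsed
        rows.append((name, classify_o4(line, exists), path))
    return sorted(rows, key=lambda r: rank[r[1]])


if __name__ == "__main__":
    for name, status, path in audit_autoruns(SAMPLE_O4_LINES, constructed_exists):
        print(f"{status:15} [{name}] {path or '<no command>'}")
```

Orphaned and missing-target entries are harmless in themselves, but they are exactly what a fix script like the one above cleans up, and a value that later regains a command pointing somewhere unexpected is worth a second look.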

#34 BLewellyn (Member, Topic Starter)

Hi Ron,

Sorry, it's actually mmtask.exe. I need my nap. I've been up since 4:30.

Barbara

#35 RKinner (Malware Expert, MVP)

Still part of musicmatch

Use this OTL script:


O4 - HKLM..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe ()

:OTL
O4 - HKLM..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe ()
O4 - HKLM..\Run: [MMTray] 
O4 - HKLM..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe ()
O4 - HKLM..\Run: [mmtask]

:Files
C:\Program Files\MUSICMATCH
     
:Commands
[emptytemp]
[Reboot]


#36 BLewellyn (Member, Topic Starter)

Thanks Ron,

That took care of it. So far, so good. It's fast, responsive and no alerts except for that Avast one and from what I can tell (from the Comodo forums) that sf.bin alert is normal so I just allow it.

B

#37 RKinner (Malware Expert, MVP)

There is another free firewall called Online Armor
http://www.online-ar...-armor-free.php
which we are recommending over Comodo these days. It has a method under Options of excluding anything from the Avast folder so that sf.bin will not bug you any more.
http://support.onlin...ad.php?p=117332

Ron

#38 BLewellyn (Member, Topic Starter)

Good Afternoon Ron,

Thank you for your reply. I have switched to the Online Armor firewall and excluded the Avast folder.

I have a question about the AutoRunEater program. OA says that billy.exe is a keylogger. I looked it up and found it in the AutoRunEater folder. I asked Avast to scan it and Avast says it's OK. Should I be concerned?

RealPlayer is trying to connect to the internet repeatedly. I block it because I haven't asked it to do anything. Do I need this? I don't recall ever using it. Can I/Should I remove it?

I tried to get into my control panel because I thought that Real Player had been restricted through the programs access and default settings when I opted out of Windows settings and got an alert that the PRApplet.cpl > ENUPGUIR.dll was trying to connect to the internet. Blocked it and looked it up. This is the description I found:" Intel® PRO/1000 Gigabit Server Adapter Driver" here: http://driveragent.com/archive/6612. What is it and why is it trying to connect to the internet when I go into the control panel? I clicked on the control panel again to see if the firewall blocks that now and got the message Intel ® Proset resources are not available but the control panel pops up when I click OK. :D

Otherwise everything has been running well. No more problems with the passwords. Well, I haven't put the jumper back on the system password pins yet so I'm not sure about that. But the windows passwords are fine.

Thanks for your help.

B

Edited by BLewellyn, 22 February 2011 - 03:47 PM.


#39 RKinner (Malware Expert, MVP)

I expect OA is getting a false positive on Autorun Eater but it's always possible that a server has been compromised. Submit the file to http://virustotal.com and see what they say about it.

IF you don't use Real player to play music/ copy music CDs then you can uninstall it. It is normal for it to want to check with the mother ship for updates tho.

PRApplet.cpl > ENUPGUIR.dll should be allowed. It is part of Intel® PROSet. A lot of programs use TCP/IP to connect between their different parts and I expect this is one of them. It's probably not really going to the internet, just to some port on 127.0.0.1 (which is your own computer).
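The point about 127.0.0.1 is one you can check yourself rather than take on faith: `netstat -ano` lists every socket with the owning PID, and a component that only talks to loopback shows 127.0.0.1 (or ::1) in the Foreign Address column. The script below is an added example, not from this thread or from any tool mentioned in it; it parses the XP-era `netstat -ano` layout and reports, per process, whether it has any peer that is not this machine. The sample output, its PIDs and the 203.0.113.10 address are constructed.

```python
import ipaddress
from typing import List, Tuple

# Constructed `netstat -ano` output (Windows XP layout). Real output would have
# the machine's own PIDs and addresses; 203.0.113.10 is a documentation address.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1034         127.0.0.1:1035         ESTABLISHED     1588
  TCP    127.0.0.1:1035         127.0.0.1:1034         ESTABLISHED     1588
  TCP    192.168.254.2:1040     203.0.113.10:80        ESTABLISHED     2212
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
  TCP    [::1]:135              [::1]:49152            ESTABLISHED     900
"""


def split_host_port(addr: str) -> Tuple[str, str]:
    """'127.0.0.1:80' -> ('127.0.0.1', '80'); '[::1]:135' -> ('::1', '135')."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def is_loopback(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def classify_connections(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (pid, proto, foreign address, kind) per row, where kind is
    'loopback' (talks only to this machine), 'remote' (a real network peer)
    or 'none' (listening socket or UDP with no peer)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the banner and the column header; data rows start with TCP/UDP.
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, foreign = parts[0], parts[2]
        pid = int(parts[-1])  # UDP rows have no State column, so take the last field
        host, port = split_host_port(foreign)
        if foreign == "*:*" or port == "0":
            kind = "none"
        elif is_loopback(host):
            kind = "loopback"
        else:
            kind = "remote"
        rows.append((pid, proto, foreign, kind))
    return rows


def pids_with_remote_peers(text: str) -> List[int]:
    """PIDs that have at least one connection to another machine."""
    return sorted({pid for pid, _, _, kind in classify_connections(text) if kind == "remote"})


if __name__ == "__main__":
    for pid, proto, foreign, kind in classify_connections(SAMPLE_NETSTAT):
        print(f"PID {pid:>5} {proto} -> {foreign:22} {kind}")
    print("processes with remote peers:", pids_with_remote_peers(SAMPLE_NETSTAT))
```

Map the PIDs back to names with `tasklist` and you have the same answer a firewall prompt gives, but with the destination visible: a PROSet helper on a loopback port is benign, while an unknown process with a remote peer is the one to look up.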

#40 BLewellyn (Member, Topic Starter)

Good Evening Ron,

Thanks for your reply.

I removed Real Play. I got another alert during the uninstall process but blocked it and when I went looking for it, it wasn't to be found so I assume it went away with Real Play. Virus total came up with one positive for billy.exe being a problem:
ClamAV 0.96.4.0 2011.02.23 PUA.Script.Packed-3
I'm guessing false positive.

Thanks for explaining PROset. I couldn't understand what the websites I found pertaining to it were saying.

I will use Virus Total to look things up from here on in before reporting something to you. :D

B


#41 BLewellyn (Member, Topic Starter)

Hello again Ron,

I just got a message that my virtual memory is low. I only have Firefox open. I have 2Gb of RAM. This machine had 256Mb before I upgraded. I'm confused...

B

#42 BLewellyn (Member, Topic Starter)

[Quoting RKinner's earlier "goodbye" post, with replies interleaved]

Hello Ron,

Aside from an occasional notification that the PC was low on virtual memory for no apparent reason (just a couple of Firefox windows open that weren't downloading anything, no videos playing, no scans running, etc.) the computer seemed to be running well so I decided to follow the instructions outlined in the following post and call this resolved. Oh my...



We need to clean up System Restore. Follow Jim's procedure here:
http://forum.aumha.o...581099691bf108f

I had to go to the Online Armor forum to get help with this since OA was blocking rstrui.exe. It was in the hidden trusted but blocked files. I can't imagine why I would have blocked it but that didn't worry me too much. I unblocked it and followed the instructions at the Aumha forums.



You can uninstall or delete any tools we had you download and their logs.

Everything uninstalled but ComboFix


To uninstall combofix, copy the next line:

"%userprofile%\Desktop\george.exe" /Uninstall


Start, Run, cmd, OK then right click, Paste, then hit Enter.


I ran into a problem at this point. Well, maybe it isn't a problem but it's sure a big question to my mind. Maybe I'm just paranoid but when I ran this command and OA began popping up dozens of alerts I got a little worried. I allowed the first few but there were so many I began to wonder what was up and began blocking them. I wrote them all down--all 63 of them. In the end ComboFix popped up a message that I must have a corrupted version and stopped itself. Is it normal that ComboFix would want to create so many executable files during the uninstall process?

To hide hidden files again:

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.

Done


Also make sure you have the latest versions of any adobe.com products you use like
Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them
install it and then afterwards, go into Control Panel, Add/Remove Software and remove it.
It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.


I have no idea what I am doing wrong but when I try to download the Adobe Reader what actually downloads and installs is Adobe DLM. There are no Adobe entries in the Start menu. I'm not sure I care since I so seldom use IE or pdf files.



It's the same for Foxit reader except you uncheck Enable Javascript Actions.

Done.

I recommend you install the free WinPatrol 18.1 from http://www.winpatrol.com/download.html

Done

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

If you use USB drives you might want to install Autorun Eater v2.5.

Done

http://download.cnet...4-10752777.html
Another small program which will stay resident and prevent an infected USB drive from infecting your PC.

Is this instead of AutoRun Eater or in addition to that program?

If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.

Done.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox. It seems to work best if you reboot right after running it. You can run it any time that Firefox seems slow.

Done.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

I don't use these programs. I don't even know what they do.

If you install the MVP Hosts file:
http://www.mvps.org/...p2002/hosts.htm
it will keep you from going to most bad sites. You do not need Spybot's Immunize which does the same thing.

Done

If you have a router, log on to it today and change the default password!

I still haven't figured this out. I think I change the router password whenever I change my SBC Global email password but I'm not absolutely sure. I'll have to do some more research.

B
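The MVPS hosts file mentioned in the quoted post works by mapping known bad hostnames to 0.0.0.0 (or 127.0.0.1), so the browser never reaches them. The same file is also a favourite target of infections, which add entries that send security vendors' update sites to an attacker's address instead. The script below is an added example, not from this thread or from MVPS; it parses a hosts file and labels each name as "local" (localhost itself), "sinkhole" (deliberately pointed nowhere, i.e. blocking) or "redirect" (sent to some other host, which is the case worth investigating). The sample file, the `.test` hostnames and the 203.0.113.5 address are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed hosts file in the MVPS style (0.0.0.0 entries block a name by
# pointing it nowhere). The last entry is a made-up redirect of the kind a
# hosts-hijacking infection leaves behind; example-av.test is not a real vendor.
SAMPLE_HOSTS = """\
# Constructed sample, not the real MVPS list
127.0.0.1       localhost
::1             localhost
0.0.0.0 ads.example.test            # blocklist-style entry
0.0.0.0 tracker.example.test www.tracker.example.test
203.0.113.5 update.example-av.test
"""

# Names that legitimately map to a loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line; a real tool would report it
        entries.extend((addr, n.lower()) for n in names)
    return entries


def classify_entry(addr: str, host: str) -> str:
    ip = ipaddress.ip_address(addr)
    if host in LOCAL_NAMES:
        return "local"
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole"   # name deliberately resolved to nowhere: blocking
    return "redirect"       # name sent to some other host: investigate


def audit_hosts(text: str) -> Dict[str, str]:
    """Hostname -> 'local' | 'sinkhole' | 'redirect' for every entry."""
    return {host: classify_entry(addr, host) for addr, host in parse_hosts(text)}


def redirected_names(text: str) -> List[str]:
    """The entries a user should be asked about: names pointed at a real host."""
    return sorted(h for h, kind in audit_hosts(text).items() if kind == "redirect")


if __name__ == "__main__":
    for host, kind in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{kind:9} {host}")
    print("redirects to review:", redirected_names(SAMPLE_HOSTS))
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts; a blocklist of thousands of sinkhole lines is expected, a handful of redirect lines is not.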

#43 RKinner (Malware Expert, MVP)

If you right click on the clock and select Task Manager, then Processes, then check the box Show Processes from All Users, you can then click twice on the column header that says Memory and it will show you which processes are using the most memory. What are your top 5 and how much does each use?

You can just manually delete the combofix file on your desktop and the two folders that combofix created. C:\qoobox and C:\george (may have a number added to the name.)

Adobe is getting to be a real pain. First you download DLM then they let you download Reader and Flash. I prefer Fox-it myself for a PDF reader. http://www.foxitsoft...com/pdf/reader/ Just don't let them install their toolbar.

The Goodbye post is pretty generic - I didn't modify it to allow for the fact that you already had installed AutoRun Eater.

I doubt that you have ever changed the router's password. If you have a router, tell me the make and model number and I will tell you how to change the password. We are seeing a lot of routers being reprogrammed by viruses. It's easy to do since there are a limited number out there and the default passwords are known.

Ron

#44 BLewellyn (Member, Topic Starter)

Good morning Ron,

Thank you for your reply.


If you right click on the clock and select Task Manager, then Processes, then check the box Show Processes from All Users, you can then click twice on the column header that says Memory and it will show you which processes are using the most memory. What are your top 5 and how much does each use?

AHA! That's where the task manager has gone to. I meant to mention that control+alt+delete was getting me nowhere. Including an emergency kill of all processes when the PC freezes.

firefox.exe 121,744 K
plugin-container.exe 12,048 K
svchost.exe 11,084 K
oasrv.exe 8,192 K
explorer.exe 7,136 K



You can just manually delete the combofix file on your desktop and the two folders that combofix created. C:\qoobox and C:\george (may have a number added to the name.)

Got rid of george on the desk-top and the folders george created when I tried to delete him (I tried twice just to be sure I was following your instructions correctly) but I did not find a folder labeled george in C:\ and qoobox would not let me delete it--I got a pop-up that said access was restricted and I don't have the permission needed. I was in my administrator account.

In the administrator account I noticed a weird and probably insignificant detail but I thought I would mention it. In your post the \ had been replaced by a W with a line through it. In my non-administrator account that isn't present.


Adobe is getting to be a real pain. First you download DLM then they let you download Reader and Flash. I prefer Fox-it myself for a PDF reader. http://www.foxitsoft...com/pdf/reader/ Just don't let them install their toolbar.

I'm going to delete the DLM and AIR programs Adobe installed and just stick with Foxit. I didn't let them install the tool bar.:D
The Goodbye post is pretty generic - I didn't modify it to allow for the fact that you already had installed AutoRun Eater.

No problem.

I doubt that you have ever changed the router's password. If you have a router, tell me the make and model number and I will tell you how to change the password. We are seeing a lot of routers being reprogrammed by viruses. It's easy to do since there are a limited number out there and the default passwords are known.

I have a Slipstream 5100.

Ron



#45 RKinner (Malware Expert, MVP)

Your memory use looks normal right now. If you get another low mem virtual warning, repeat the task manager thing.

The default address on your router is 192.168.254.254, the user name is admin and there is no password, so to log on to it you open Firefox, type in 192.168.254.254 or http://slipstream, and it should ask you to log on. See page 14 in the manual:
http://www2.windstre...edStream211.pdf

It's possible this router was provided by and configured by your ISP and may already have had the default password changed in which case you need do nothing.

Ron