
AV and MBAM disabled by unknown while on-line



#16
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Appears that the malware is finally gone. You can try Malwarebytes Anti-Malware again and see if it finds anything new but it looks like things should be OK now. I think it should be safe to run Avast again.

Ron
  • 0



#17
radon

radon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Wow! OK, I'll try MBAM (one of my favorites) and Avast again.

I'll post findings if any.

You have amazing skills, thank you very much for all your help. KON
  • 0

#18
radon

radon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
MBAM and Avast installed and running. No problems.

MBAM scan results attached.
Avast scan detected many things and moved them to "chest". Can't figure out how to post Avast scan.

Anyway, PC seems OK. Anything else to do?

THANK YOU for your time and expertise! KON

Attached Files


Edited by radon, 09 August 2011 - 09:02 PM.

  • 0

#19
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
See if you can find aswboot.txt in C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\

I think that's where they hide the log file.

Let's do a final checkup:

1. Double-click My Computer, and then right-click the hard disk that you want to check. C:
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed.
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, but don't restart yet.

Start, Run, eventvwr.msc, OK to bring up the Event Viewer. Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application. Reboot. The disk check will run and will probably take an hour or more to finish.

Start, Run, sfc /scannow, OK

SPACE after sfc. This will check your critical system files. If it asks for a CD and you don't have one or it doesn't like your CD just tell it to SKIP.

Start, Run, sigverif, OK

Press Start. This will check your drivers. If you just get a few when it finishes tell me what they are. If you get a lot just look for those with newish dates (since about the time the problem started.)


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop.
2. Double-click VEW.exe
3. Under 'Select log to query', select:
* System
4. Under 'Select type to list', select:
* Error
* Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
2. Type 20 in the 1 to 20 box
3. Then click the Run button.

Notepad will open with the output log.

Please post the Output log in your next reply then repeat but select Application.

Ron
  • 0

#20
radon

radon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Avast scan log from previous scan attached.

Ran chkdsk.
File verification, index verification, security descriptor verification, usn journal verification, file data verification and free space verification all completed.

Ran eventvwr.msc as directed: disk check ran for 1 hr. 33 minutes.

Ran sfc /scannow

Ran sigverif: found one file not digitally signed: ati23vxx.exe

Ran VEW tool: logs attached for "system" and "application" scans.

I noticed one line in the system log that mentioned "ftsata2". Is this related to my CD/DVD drives? They no longer appear under "My Computer" and do not respond when a CD/DVD is inserted.

Thanks! KON

Attached Files


  • 0

#21
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Attached is a file netbt.zip. Download it then right click and Extract All. This will create a folder called netbt. In the folder will be netbt.reg. Right click on netbt.reg and Merge. Allow it to merge. It should recreate the missing netBT service that your event log was complaining about.

The ftsata2 file is a driver for a SCSI RAID hard drive setup. Don't know why it thinks it needs to run. We can turn it off:

Go to Start>Control Panel>System>Hardware>Device Manager>View>Show Hidden Devices>>Non Plug and Play Drivers>ftsata2>Driver> then change Start up Type = Demand

While in Device Manager look for DVD/CD-ROM drives and click the + in front of it. You should see your CD there. Right click on it and select Uninstall then reboot.

See if it will work now.

Also run VEW again just for the system logs and post the new log. (Please tell me what time you rebooted so I will know which are the new logs).

Ron
  • 0
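The event-log check requested in this thread (the 20 newest Error and Warning entries from System and Application, plus which of them are newer than the reboot) can also be done from PowerShell. This is an added example, not part of the original posts and not the VEW tool's own code; it assumes Windows PowerShell 2.0 or later is installed, and the function names and the reboot time are hypothetical values chosen for illustration.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 2.0 or later.
# Lists recent Error/Warning events from a log and marks which ones were
# written after a given reboot time, so new complaints are easy to spot.

function Get-RecentProblemEvents {
    param(
        [string]$LogName = 'System',            # 'System' or 'Application'
        [int]$Count = 20,                       # same limit used for the VEW run
        [datetime]$RebootTime = [datetime]::MinValue
    )

    Get-EventLog -LogName $LogName -EntryType Error, Warning -Newest $Count |
        Select-Object TimeGenerated, EntryType, Source, EventID,
            @{ Name = 'SinceReboot'; Expression = { $_.TimeGenerated -ge $RebootTime } },
            @{ Name = 'Summary';     Expression = { ($_.Message -split "`r?`n")[0] } }
}

function Get-ProblemSourceSummary {
    param($Events)
    # Count post-reboot events per source and event ID so that a service or
    # driver that keeps failing after the fix stands out.
    $Events | Where-Object { $_.SinceReboot } |
        Group-Object Source, EventID |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed reboot time for illustration: today at 21:05.
$reboot = (Get-Date).Date.AddHours(21).AddMinutes(5)

foreach ($log in 'System', 'Application') {
    "=== $log ==="
    $events = @(Get-RecentProblemEvents -LogName $log -RebootTime $reboot)
    $events | Format-Table -AutoSize -Wrap
    Get-ProblemSourceSummary -Events $events | Format-Table -AutoSize
}
```

An empty summary table for a log means none of the listed events were written after the reboot time.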

#22
radon

radon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Looks like Juno dial-up did not like netbt file because after running it, my dial-up would not work. I did system restore to before I ran netbt program and Juno worked. Think I will leave that as is.

Did the ftsata2 procedure and the DVD/CD procedure while in Device Manager. CD/DVD now appear and function.

New System VEW log attached. Reboot @ 2105 hrs.

Thanks KON

Attached Files


  • 0

#23
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Since both
TCP/IP NetBIOS
DHCP Client
depend on NetBT and Juno doesn't want NetBT running you should Start, Run, services.msc, OK then find each, right click and select Properties then change Startup Type to Disabled. OK. That will turn them off and make things boot a bit faster.

Your last attached log was the Application one and not the system but go ahead and turn off the two services and run another one after a reboot then run VEW again for the System.

Ron
  • 0

#24
radon

radon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Sorry about the mix-up on the file I sent--I copied the wrong one onto the mem stick! I have attached the correct one (SYSTEM).

I won't be able to access my PC until Monday 15 Aug. Will do other items mentioned above then.

Thank you KON

Attached Files


  • 0

#25
radon

radon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Sorry for delayed response. Have had 2 family health emergencies and have been away for this week. I disabled the items you mentioned. Everything seems to be working normally. Any more scans to do?

Thank you for your help. KON.
  • 0



#26
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Let's do a new VEW for System

Ron
  • 0

#27
radon

radon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
System VEW file attached.

Attached Files


  • 0

#28
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
No new alarms in several days so that's good. I think we can sew up the patient.

We need to clean up System Restore if we haven't already. Follow Jim's procedure here:
http://aumha.net/vie...581099691bf108f


You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again:

XP

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Uncheck the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
7. Check the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and shutdown My Computer.

You probably do not have the latest Java (Java™ 6 Update 26 or perhaps 7 Update 0 by now). Get the latest at:

http://www.java.com/en/

Save it to your PC then close all browsers and install it.

Once you install it, go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)


Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use Adobe Reader, Acrobat or Foxit to read PDF files you need to disable JavaScript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, click on JavaScript in the left column and uncheck Enable Acrobat JavaScript. OK. Close program. It's the same for Foxit Reader except you uncheck Enable JavaScript Actions.

To help keep your programs up-to-date you can download and run the UpdateChecker:
http://www.filehippo.../updatechecker/

If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron
  • 0

#29
radon

radon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
"No new alarms in several days so that's good. I think we can sew up the patient." WOOT!
Wound closure starts today!

"Be warned: If you use Limewire, utorrent or any of the other P2P programs..." Never have, never will.

"If you have a router..." Don't have--my PC is stand-alone, using only dial-up modem.

Great work! I am amazed by how you excised the tumor.

Thank you very much for your tech advice and for having the patience to assist me.

KON
  • 0





