Sirefef Rtk AGAIN!


#31 RKinner (Malware Expert)

So now, 1) What to do re: Windows Updates


This was called Automatic Updates in XP. Farbar is not complaining so it's probably OK now.



2) Same re: Java (due to viral vulnerability): Disable? Update? Delete?


Disable it in the browser, or run Firefox with NoScript or Chrome with ScriptNo.

3) AV/Protection: A few people have suggested Norton 360, but I'm a little more aggressive internet surfer than they are. As you probably know, I only have free AV programs. What's your recommendation for my system? If it makes any difference, I now have Cent Link via phone jack and personalized password. My desktop (this comp) is plugged in, and I have an HP mini that connects via wireless; though I don't know if it's WPA or WEP (or even what those mean for that matter).


If you want to pay for an anti-virus then get Kaspersky or BitDefender. If you want a free anti-virus then get the free version of Avast! You can add the free Online Armor firewall if you feel you need a firewall other than Windows' firewall. As for wireless, if you don't know then it's probably not encrypted at all unless this is via a special adapter which actually taps into your cellphone service in which case it's secure. I would hope there is some option to encrypt it if it is regular wireless otherwise anyone driving by can use your Internet service. WEP is the older encryption which is easily broken. WPA/WPA2 is the newer version which is much safer to use.

4) Often, I get this: Error Message: The Recycle Bin on C:\ Is Corrupt or Invalid. Do You Want to Empty the Recycle Bin for this.... what should I do?


Empty the Recycle Bin
then see the procedure under the next step.


5) When I start up in Normal Mode, I get: FOUND NEW HARDWARE ... WIZARD for UNKNOWN.
IF IT CAME W/ CD or FLOPPY, PLZ INSERT, or choose from....
I have been clicking on cancel, and then later a bottom right box pops up w/ PROBLEM OCCURRED IN INSTALLATION.
What to do about that?

Copy the next 6 lines:

dir /a /s \recycler > \junk.txt
dir /a /s \$Recycle.bin >> \junk.txt
reg query "HKCU\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}" /s > \junk.txt
reg query "HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}" /s >> \junk.txt
reg query "HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}" /s >> \junk.txt
reg query "HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}" /s >> \junk.txt

Start, Run, cmd, OK. Then right click in the Command Window and select Paste or Edit then Paste and the copied lines should appear. Hit Enter.

Attach the file c:\junk.txt to your next reply.

Also run VEW again for both System and Application and post the logs.

6) Any and all other suggestions?

I will give you more to do in the goodbye post.
#32 3mateo (Topic Starter)

Kinner-

I turned on Auto Updates, but set it to prompt me, then I'll download. Is there any reason NOT to download all updates suggested?

Now using Firefox with NoScript.

Reloaded Avast Free, but will look into Kasp & BitDef as well as Online Armor. As I do surf a lot and P2P (I scan all files before opening them), is the level of protection worth the money? I am not broke, but I detest spending money where it will only give me 1% more protection than free programs.

RECYCLER: Since I last posted, I accidentally hit "yes" to the prompt regarding emptying the Recycle Bin for this. I'm not sure if that messed up the process, but the text is below.

Thanks as always!

-Mateo






! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}
<NO NAME> REG_SZ Microsoft WBEM _WbemFetchRefresherMgr Proxy Helper

HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32
<NO NAME> REG_EXPAND_SZ %systemroot%\system32\wbem\fastprox.dll
ThreadingModel REG_SZ Free

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}
<NO NAME> REG_SZ Microsoft WBEM New Event Subsystem

HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32
<NO NAME> REG_EXPAND_SZ %systemroot%\system32\wbem\wbemess.dll
ThreadingModel REG_SZ Both

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}
<NO NAME> REG_SZ ShellFolder for CD Burning

HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32
<NO NAME> REG_EXPAND_SZ %SystemRoot%\system32\SHELL32.dll
ThreadingModel REG_SZ Apartment

HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\MergedFolder
Attributes REG_SZ 0x0
AttributeMask REG_SZ 0xffffffff
Location REG_SZ @shell32.dll,-12589
ConflictOverlayIcon REG_EXPAND_SZ %SystemRoot%\system32\SHELL32.dll,-232
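The reg query lines RKinner asked for compare the InprocServer32 handler of three CLSIDs (the CD-burning shell folder and two WBEM/WMI components) against what Windows ships, and the HKCU\Software\Classes query matters because a per-user class registration shadows the machine-wide one when HKEY_CLASSES_ROOT is assembled. As an added example that is not part of the thread, here is a Python script that parses reg query output in the format posted above and reports, per CLSID, whether the handler still points at the stock system32 DLL. The expected DLL paths are taken from the clean output posted above; HIJACKED_OUTPUT and every path in it are constructed for illustration and are not from this machine.

```python
"""Check the CLSID handler DLLs queried in the thread against their stock values.

Added example: parses `reg query <key> /s` output (the XP-era format posted
above, tabs or spaces between columns) and reports, for each CLSID of interest,
whether its InprocServer32 still points at the Windows-supplied DLL.
"""
import re
from typing import Dict, List, Optional, Tuple

# Stock handler DLL per CLSID, taken from the clean output posted in the thread.
# Keys and paths are lower-cased; comparison is case-insensitive.
EXPECTED_SERVER = {
    "{fbeb8a05-beee-4442-804e-409d6c4515e9}": r"%systemroot%\system32\shell32.dll",       # ShellFolder for CD Burning
    "{5839fca9-774d-42a1-acda-d6a79037f57f}": r"%systemroot%\system32\wbem\fastprox.dll",  # WBEM proxy helper
    "{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}": r"%systemroot%\system32\wbem\wbemess.dll",   # WBEM event subsystem
}

KEY_RE = re.compile(r"^HK(EY_[A-Z_]+|[A-Z]{2})\\")            # a registry key line
VALUE_RE = re.compile(r"^\s*(<NO NAME>|\(Default\)|\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} from reg query output."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):        # blank, or the "! REG.EXE VERSION 3.0" banner
            continue
        if KEY_RE.match(line):
            current = line
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, _reg_type, data = m.groups()
            if name == "(Default)":                 # newer reg.exe spells <NO NAME> this way
                name = "<NO NAME>"
            keys[current][name] = data
    return keys


def check_inproc_servers(keys: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    r"""Verdict per CLSID: "ok", "missing", "hijacked:<path>" or "user-override:<path>".

    A per-user registration under HKCU\Software\Classes shadows the machine-wide
    one when HKEY_CLASSES_ROOT is assembled, so any such entry is reported even
    if the HKCR copy still looks clean.
    """
    seen: Dict[str, List[Tuple[bool, str]]] = {}
    for key_path, values in keys.items():
        if not key_path.lower().endswith("\\inprocserver32"):
            continue
        m = CLSID_RE.search(key_path)
        if not m or m.group(0).lower() not in EXPECTED_SERVER:
            continue
        per_user = key_path.upper().startswith(("HKEY_CURRENT_USER", "HKCU"))
        seen.setdefault(m.group(0).lower(), []).append((per_user, values.get("<NO NAME>", "")))

    verdicts: Dict[str, str] = {}
    for clsid, expected in EXPECTED_SERVER.items():
        entries = seen.get(clsid, [])
        user_paths = [p for u, p in entries if u]
        bad_paths = [p for u, p in entries if not u and p.lower() != expected]
        if not entries:
            verdicts[clsid] = "missing"
        elif user_paths:
            verdicts[clsid] = "user-override:" + user_paths[0]
        elif bad_paths:
            verdicts[clsid] = "hijacked:" + bad_paths[0]
        else:
            verdicts[clsid] = "ok"
    return verdicts


# Clean output, copied from the reply posted above (whitespace collapsed as it was there).
CLEAN_OUTPUT = r"""
! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}
<NO NAME> REG_SZ Microsoft WBEM _WbemFetchRefresherMgr Proxy Helper

HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32
<NO NAME> REG_EXPAND_SZ %systemroot%\system32\wbem\fastprox.dll
ThreadingModel REG_SZ Free

HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32
<NO NAME> REG_EXPAND_SZ %systemroot%\system32\wbem\wbemess.dll
ThreadingModel REG_SZ Both

HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32
<NO NAME> REG_EXPAND_SZ %SystemRoot%\system32\SHELL32.dll
ThreadingModel REG_SZ Apartment
"""

# Constructed sample for illustration; these paths are NOT from the poster's machine.
HIJACKED_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32
<NO NAME> REG_SZ C:\RECYCLER\S-1-5-18\$example\n.
ThreadingModel REG_SZ Apartment

HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32
<NO NAME> REG_EXPAND_SZ %SystemRoot%\system32\SHELL32.dll
ThreadingModel REG_SZ Apartment

HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32
<NO NAME> REG_EXPAND_SZ C:\WINDOWS\Temp\example.dll
ThreadingModel REG_SZ Free
"""

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_OUTPUT), ("constructed", HIJACKED_OUTPUT)):
        print(label)
        for clsid, verdict in check_inproc_servers(parse_reg_query(text)).items():
            print("  ", clsid, verdict)
```

To use it on a real box, redirect the four reg query commands into one file with `>>` as the thread does and feed the file's contents to parse_reg_query. The script only knows the three CLSIDs the thread asked about; add more entries to EXPECTED_SERVER when you have a known-good value for them.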

#33 RKinner (Malware Expert)

I left out a ">" on the third line and it overwrote the first two. Can you just do these two again?

dir /a /s \recycler > \junk.txt
dir /a /s \$Recycle.bin >> \junk.txt

#34 3mateo (Topic Starter)

Both the cmd screen and junk log are odd, so I prt/scr'ed for you (see attachment// Never mind, won't attach for some reason.); and the vew logs are below, not sure if i did correctly.


WEIRD C:\JUNK LOG:

Volume in drive C has no label.
Volume Serial Number is 206D-1F5F
Volume in drive C has no label.
Volume Serial Number is 206D-1F5F


That's it!!!

On VEW, I ran as before: Application and System, both with 'Error' and 'Warning' clicked and 20 in the No. of Events box.
If you would like it run otherwise, just let me know.
Thanks. -M





######## VEW LOGs ####################


Vino's Event Viewer v01c run on Windows XP in English
Report run at 23/09/2012 7:09:13 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 22/09/2012 10:57:46 PM
Type: error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: m->NextScheduledSPRetry 1968

Log: 'Application' Date/Time: 22/09/2012 10:57:46 PM
Type: error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: m->NextScheduledEvent 1968

Log: 'Application' Date/Time: 22/09/2012 10:57:46 PM
Type: error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: Continuously busy for more than a second

Log: 'Application' Date/Time: 21/09/2012 11:02:57 PM
Type: error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: m->NextScheduledSPRetry 1969

Log: 'Application' Date/Time: 21/09/2012 11:02:57 PM
Type: error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: m->NextScheduledEvent 1969

Log: 'Application' Date/Time: 21/09/2012 11:02:57 PM
Type: error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: Continuously busy for more than a second

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~








############ Second LOG: ###################################################

Vino's Event Viewer v01c run on Windows XP in English
Report run at 23/09/2012 7:10:45 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 22/09/2012 5:39:51 PM
Type: error Category: 0
Event: 1001 Source: Dhcp
Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 000F66F2BDDD. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Log: 'System' Date/Time: 21/09/2012 11:48:56 AM
Type: error Category: 2
Event: 55 Source: Ntfs
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume V:.

Log: 'System' Date/Time: 20/09/2012 10:42:05 AM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: iaStor

Log: 'System' Date/Time: 20/09/2012 10:41:54 AM
Type: error Category: 0
Event: 1 Source: sr
The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

Log: 'System' Date/Time: 19/09/2012 2:51:39 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The Kodak Camera Connection Software service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 19/09/2012 1:22:29 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The Kodak Camera Connection Software service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 12/09/2012 9:19:41 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The Kodak Camera Connection Software service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 12/09/2012 9:18:42 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Log: 'System' Date/Time: 12/09/2012 9:14:21 AM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: Fips intelppm

Log: 'System' Date/Time: 12/09/2012 9:13:02 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Log: 'System' Date/Time: 12/09/2012 9:03:13 AM
Type: error Category: 0
Event: 7031 Source: Service Control Manager
The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Log: 'System' Date/Time: 12/09/2012 8:59:50 AM
Type: error Category: 0
Event: 7031 Source: Service Control Manager
The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Log: 'System' Date/Time: 12/09/2012 8:59:13 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The System Restore Service service terminated with the following error: Access is denied.

Log: 'System' Date/Time: 12/09/2012 8:59:13 AM
Type: error Category: 0
Event: 104 Source: SRService
The System Restore initialization process failed.

Log: 'System' Date/Time: 12/09/2012 8:59:06 AM
Type: error Category: 0
Event: 7031 Source: Service Control Manager
The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Log: 'System' Date/Time: 12/09/2012 8:57:34 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The System Restore Service service terminated with the following error: Access is denied.

Log: 'System' Date/Time: 12/09/2012 8:57:34 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The Kodak Camera Connection Software service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 12/09/2012 8:57:33 AM
Type: error Category: 0
Event: 104 Source: SRService
The System Restore initialization process failed.

Log: 'System' Date/Time: 12/09/2012 8:52:43 AM
Type: error Category: 0
Event: 7031 Source: Service Control Manager
The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Log: 'System' Date/Time: 12/09/2012 8:49:27 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The System Restore Service service terminated with the following error: Access is denied.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 23/09/2012 4:59:54 PM
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Log: 'System' Date/Time: 23/09/2012 4:22:12 PM
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Log: 'System' Date/Time: 23/09/2012 11:26:20 AM
Type: warning Category: 0
Event: 1009 Source: Dhcp
A network error occurred when trying to send a message. The error code is: A blocking operation was interrupted by a call to WSACancelBlockingCall. .

Log: 'System' Date/Time: 23/09/2012 11:26:20 AM
Type: warning Category: 0
Event: 1003 Source: Dhcp
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 000F66F2BDDD. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Log: 'System' Date/Time: 23/09/2012 10:24:20 AM
Type: warning Category: 0
Event: 1009 Source: Dhcp
A network error occurred when trying to send a message. The error code is: A blocking operation was interrupted by a call to WSACancelBlockingCall. .

Log: 'System' Date/Time: 23/09/2012 10:23:04 AM
Type: warning Category: 0
Event: 1009 Source: Dhcp
A network error occurred when trying to send a message. The error code is: A blocking operation was interrupted by a call to WSACancelBlockingCall. .

Log: 'System' Date/Time: 23/09/2012 10:22:45 AM
Type: warning Category: 0
Event: 2504 Source: Server
The server could not bind to the transport \Device\NetBT_Tcpip_{70FC676B-AE41-4E18-B39D-20CB5E48B32C}.

Log: 'System' Date/Time: 23/09/2012 10:22:36 AM
Type: warning Category: 0
Event: 1007 Source: Dhcp
Your computer has automatically configured the IP address for the Network Card with network address 001D09827674. The IP address being used is 169.254.120.252.

Log: 'System' Date/Time: 23/09/2012 10:22:34 AM
Type: warning Category: 0
Event: 1003 Source: Dhcp
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 001D09827674. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Log: 'System' Date/Time: 23/09/2012 10:21:59 AM
Type: warning Category: 0
Event: 27 Source: e1express
Intel® 82562V-2 10/100 Network Connection Link has been disconnected.

Log: 'System' Date/Time: 23/09/2012 10:21:22 AM
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk1\D during a paging operation.

Log: 'System' Date/Time: 23/09/2012 10:21:13 AM
Type: warning Category: 0
Event: 1003 Source: Dhcp
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 000F66F2BDDD. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Log: 'System' Date/Time: 23/09/2012 10:21:08 AM
Type: warning Category: 0
Event: 1003 Source: Dhcp
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 001D09827674. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Log: 'System' Date/Time: 22/09/2012 5:48:36 PM
Type: warning Category: 0
Event: 1009 Source: Dhcp
A network error occurred when trying to send a message. The error code is: A blocking operation was interrupted by a call to WSACancelBlockingCall. .

Log: 'System' Date/Time: 22/09/2012 5:39:42 PM
Type: warning Category: 0
Event: 1009 Source: Dhcp
A network error occurred when trying to send a message. The error code is: A blocking operation was interrupted by a call to WSACancelBlockingCall. .

Log: 'System' Date/Time: 22/09/2012 9:32:00 AM
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk1\D during a paging operation.

Log: 'System' Date/Time: 22/09/2012 9:31:58 AM
Type: warning Category: 0
Event: 1009 Source: Dhcp
A network error occurred when trying to send a message. The error code is: A blocking operation was interrupted by a call to WSACancelBlockingCall. .

Log: 'System' Date/Time: 22/09/2012 9:31:58 AM
Type: warning Category: 0
Event: 1003 Source: Dhcp
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 000F66F2BDDD. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Log: 'System' Date/Time: 22/09/2012 9:31:53 AM
Type: warning Category: 0
Event: 1003 Source: Dhcp
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 000F66F2BDDD. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Log: 'System' Date/Time: 22/09/2012 9:31:51 AM
Type: warning Category: 0
Event: 1003 Source: Dhcp
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 000F66F2BDDD. The following error occurred: An operation was attempted on something that is not a socket. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
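The System log above is what RKinner reads as hard drive trouble in the next reply. As an added example that is not part of the thread or of VEW itself, here is a Python parser for VEW's record format: it tallies (source, event) pairs, lists which volume or device each Ntfs 55 and Disk 51 record names, and pulls the driver names out of Service Control Manager 7026 records. The sample records are copied from the posted log; note that the events name V: and \Device\Harddisk1 rather than C:, so the output tells you which volumes the log is actually complaining about.

```python
"""Parse Vino's Event Viewer (VEW) output and pick out the disk-health events.

Added example, not part of the thread or of VEW.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

# One VEW record: three header lines followed by the message text, terminated
# by a blank line or end of file.  Dates are dd/mm/yyyy, as VEW's own note says.
ENTRY_RE = re.compile(
    r"Log: '(?P<log>[^']+)' Date/Time: (?P<when>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)[ \t]*\r?\n"
    r"Type: (?P<type>\w+) Category: (?P<cat>\d+)[ \t]*\r?\n"
    r"Event: (?P<event>\d+) Source: (?P<source>[^\r\n]+?)[ \t]*\r?\n"
    r"(?P<message>.*?)(?=\r?\n[ \t]*\r?\n|\Z)",
    re.S,
)
VOLUME_RE = re.compile(r"\bvolume ([A-Za-z]:)")                 # "... on the volume V:."
DEVICE_RE = re.compile(r"(\\Device\\Harddisk\d+\\\S+)")          # "... on device \Device\Harddisk1\D ..."
DRIVER_FAIL_RE = re.compile(r"failed to load: (.+)$")

# (source, event id) pairs that point at the disk rather than at software.
DISK_EVENTS = {
    ("Ntfs", 55): "file system corrupt, chkdsk requested",
    ("Disk", 51): "I/O error during a paging operation",
}


def parse_vew(text: str) -> List[Dict]:
    """Return one dict per record, in the order VEW printed them."""
    records = []
    for m in ENTRY_RE.finditer(text):
        records.append({
            "log": m["log"],
            "when": datetime.strptime(m["when"], "%d/%m/%Y %I:%M:%S %p"),
            "type": m["type"].lower(),
            "event": int(m["event"]),
            "source": m["source"],
            "message": " ".join(m["message"].split()),   # collapse wrapping/trailing whitespace
        })
    return records


def summarize(records: List[Dict]) -> Dict[Tuple[str, int], int]:
    """Count records per (source, event id)."""
    return dict(Counter((r["source"], r["event"]) for r in records))


def disk_health_events(records: List[Dict]) -> List[Tuple[str, int, str]]:
    """(source, event, volume-or-device) for every disk-health record, in log order."""
    out = []
    for r in records:
        if (r["source"], r["event"]) not in DISK_EVENTS:
            continue
        m = VOLUME_RE.search(r["message"]) or DEVICE_RE.search(r["message"])
        out.append((r["source"], r["event"], m.group(1) if m else "?"))
    return out


def affected_volumes(records: List[Dict]) -> List[str]:
    """Distinct volumes/devices named by disk-health events, first-seen order."""
    seen: List[str] = []
    for _, _, where in disk_health_events(records):
        if where not in seen:
            seen.append(where)
    return seen


def failed_boot_drivers(records: List[Dict]) -> List[str]:
    """Driver names from Service Control Manager event 7026, first-seen order."""
    names: List[str] = []
    for r in records:
        if (r["source"], r["event"]) != ("Service Control Manager", 7026):
            continue
        m = DRIVER_FAIL_RE.search(r["message"])
        for name in (m.group(1).split() if m else []):
            if name not in names:
                names.append(name)
    return names


# Records copied from the System log posted above (section headers included
# to show they are skipped).
SAMPLE = r"""~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 21/09/2012 11:48:56 AM
Type: error Category: 2
Event: 55 Source: Ntfs
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume V:.

Log: 'System' Date/Time: 20/09/2012 10:42:05 AM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: iaStor

Log: 'System' Date/Time: 12/09/2012 9:14:21 AM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: Fips intelppm

Log: 'System' Date/Time: 23/09/2012 10:21:22 AM
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk1\D during a paging operation.

Log: 'System' Date/Time: 22/09/2012 9:32:00 AM
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk1\D during a paging operation.

Log: 'System' Date/Time: 23/09/2012 4:59:54 PM
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
"""

if __name__ == "__main__":
    recs = parse_vew(SAMPLE)
    print(summarize(recs))
    print("disk events:", disk_health_events(recs))
    print("check these volumes:", affected_volumes(recs))
    print("drivers that failed to load:", failed_boot_drivers(recs))
```

Paste the whole VEW output (both logs) into parse_vew; the "Application"/"System" section banners and the dd/mm/yyyy note are ignored by the record regex, so nothing needs trimming first.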

#35 RKinner (Malware Expert)

The junk.txt file just says it could not find the C:\Recycler which is odd. Can you see it in Explorer?

I'm seeing some hard drive errors which might explain why we lost internet. Let's run Disk check and see if it helps.

1. Double-click My Computer, and then right-click the hard disk that you want to check. C:
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed.
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, but don't restart yet.

Start, Run, eventvwr.msc, OK to bring up the Event Viewer. Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application.

Reboot.

The disk check will run and will probably take an hour or more to finish.



2. Double-click VEW.exe
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.

You asked about Windows Updates and I forgot to answer. The Express updates are almost always a good idea to get. The optional ones that show up under Custom are sometimes not so good. I have no use for Silverlight, Windows Live, or Windows Search but I do always get the updates for windows and the certificate updates. I would stay away from hardware updates and get those from your PC maker's site. Sometimes the ones you get from Windows don't work right.

#36 3mateo (Topic Starter)

RK-
Before I start this, last night I did an Avast Boot Scan and it found 14 issues. I went ahead and deleted the V:\Lee Child Persuader files, although they were listed as corrupt and not viral, and were not on the pop-up Avast report where the 14 viruses were listed.
I'm guessing I got the Java virus again before I started using Firefox w/ NoScript?
I will wait to see if you still want me to do the last steps w/ Recycler & VEW. I can see the RECYCLE BIN on my desktop if that was what you were asking.
Thanks!
-M


################# AVAST Boot-time Scan Log: ########################

09/23/2012 21:06
Scan of all local drives

File C:\Documents and Settings\Jim\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\34\26769362-7f9ad9ec is infected by Win32:Trojan-gen, Moved to chest
File C:\Documents and Settings\Jim\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\55\42b97cb7-10d4a696|>magica\magica.class is infected by Java:Agent-BUD [Trj], Moved to chest
File C:\Documents and Settings\Jim\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\55\42b97cb7-10d4a696|>magica\magicf.class is infected by Java:Agent-BUD [Trj], Moved to chest
File C:\Documents and Settings\Jim\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\55\42b97cb7-10d4a696|>magica\magice.class is infected by Java:Agent-BUD [Trj], Moved to chest
File C:\Documents and Settings\Jim\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\55\42b97cb7-10d4a696|>magica\magicc.class is infected by Java:Agent-BUD [Trj], Moved to chest
File C:\Documents and Settings\Jim\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\55\42b97cb7-10d4a696|>magica\magicd.class is infected by Java:Agent-BUD [Trj], Moved to chest
File C:\Documents and Settings\Jim\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\55\42b97cb7-10d4a696|>magica\magicb.class is infected by Java:Agent-BUD [Trj], Moved to chest
File C:\Qoobox\Quarantine\C\WINDOWS\Installer\{06009DE9-CE52-5394-4A34-C9162998F4E3}\_syshost_.exe.zip|>syshost.exe is infected by Win32:Crypt-NUB [Trj], Moved to chest
File C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_52c68b51ad2755ee_.sys.zip|>52c68b51ad2755ee.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP41\A0011973.exe is infected by Win32:Winwebsec-AL [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP41\A0011974.exe is infected by Win32:Winwebsec-AL [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP41\A0011975.exe is infected by Win32:Winwebsec-AM [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP43\A0012465.exe is infected by Win32:Trojan-gen, Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP43\A0012466.dll is infected by Win32:Spyware-gen [Spy], Moved to chest
File V:\Lee Child - 07 - Persuader Audio book Unabridged 128kb.zip|>Lee Child - 07 - Persuader Audio book Unabridged 128kb\Lee Child - Persuader 01 of 12.mp3 Error 42125 {ZIP archive is corrupted.}
File V:\Lee Child - 07 - Persuader Audio book Unabridged 128kb.zip|>Lee Child - 07 - Persuader Audio book Unabridged 128kb\Lee Child - Persuader 02 of 12.mp3 Error 42125 {ZIP archive is corrupted.}
File V:\Lee Child - 07 - Persuader Audio book Unabridged 128kb.zip|>Lee Child - 07 - Persuader Audio book Unabridged 128kb\Lee Child - Persuader 03 of 12.mp3 Error 42125 {ZIP archive is corrupted.}
File V:\Lee Child - 07 - Persuader Audio book Unabridged 128kb.zip|>Lee Child - 07 - Persuader Audio book Unabridged 128kb\Lee Child - Persuader 04 of 12.mp3 Error 42125 {ZIP archive is corrupted.}
File V:\Lee Child - 07 - Persuader Audio book Unabridged 128kb.zip|>Lee Child - 07 - Persuader Audio book Unabridged 128kb\Lee Child - Persuader 05 of 12.mp3 Error 42125 {ZIP archive is corrupted.}
File V:\Lee Child - 07 - Persuader Audio book Unabridged 128kb.zip|>Lee Child - 07 - Persuader Audio book Unabridged 128kb\Lee Child - Persuader 06 of 12.mp3 Error 42125 {ZIP archive is corrupted.}
File V:\Lee Child - 07 - Persuader Audio book Unabridged 128kb.zip|>Lee Child - 07 - Persuader Audio book Unabridged 128kb\Lee Child - Persuader 07 of 12.mp3 Error 42125 {ZIP archive is corrupted.}
File V:\Lee Child - 07 - Persuader Audio book Unabridged 128kb.zip|>Lee Child - 07 - Persuader Audio book Unabridged 128kb\Lee Child - Persuader 10 of 12.mp3 Error 42125 {ZIP archive is corrupted.}
Number of searched folders: 10483
Number of tested files: 463510
Number of infected files: 14
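The Avast boot-scan log above records where each detection sat on disk, and the location says a lot about how urgent it is: "Moved to chest" means Avast has already quarantined the file, entries under C:\Qoobox\Quarantine are copies ComboFix had already quarantined, entries under System Volume Information\_restore{...} are System Restore snapshot copies, and the Sun\Java\Deployment\cache entries are files the Java plug-in downloaded and cached while browsing. The ZIP lines on V: are scan errors, not detections, which is why Avast counts 14 infected files and not 22. As an added example that is not code from the thread or from Avast, here is a Python parser for this log format that separates detections from archive errors and buckets them by location, so anything left in the "live" bucket stands out. The sample lines are copied from the posted log except the last one, which is constructed to show what a live hit would look like.

```python
"""Bucket Avast boot-time scan findings by where on disk they were found.

Added example, not part of the thread: parses the "File ... is infected by ...,
Moved to chest" and "File ... Error NNNN {...}" lines and groups detections by
location so that anything outside a quarantine, a restore point or the Java
plug-in cache stands out as a live hit.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

INFECTED_RE = re.compile(r"^File (?P<path>.+?) is infected by (?P<name>.+?), Moved to chest$")
ERROR_RE = re.compile(r"^File (?P<path>.+?) Error (?P<code>\d+) \{(?P<msg>[^}]*)\}$")

# Location markers (lower-cased, backslash-delimited) and the bucket they imply.
LOCATION_BUCKETS = (
    ("\\sun\\java\\deployment\\cache\\", "java_cache"),            # files the Java plug-in downloaded and cached
    ("\\system volume information\\_restore{", "restore_point"),   # System Restore snapshot copies
    ("\\qoobox\\quarantine\\", "quarantine"),                      # ComboFix's quarantine folder
)


class Finding(NamedTuple):
    path: str      # file on disk (archive member after "|>" stripped off)
    member: str    # member inside an archive, or ""
    name: str      # Avast detection name; "" for scan errors
    bucket: str    # java_cache / restore_point / quarantine / live / scan_error


def classify(path: str) -> str:
    """Map an on-disk path to a bucket; anything unrecognised is treated as live."""
    p = path.lower()
    for marker, bucket in LOCATION_BUCKETS:
        if marker in p:
            return bucket
    return "live"


def parse_avast_log(text: str) -> List[Finding]:
    """Parse detection and error lines; summary/header lines are ignored."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:
            outer, _, member = m["path"].partition("|>")
            findings.append(Finding(outer, member, m["name"], classify(outer)))
            continue
        m = ERROR_RE.match(line)
        if m:
            outer, _, member = m["path"].partition("|>")
            findings.append(Finding(outer, member, "", "scan_error"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per bucket."""
    return dict(Counter(f.bucket for f in findings))


def live_detections(findings: List[Finding]) -> List[Finding]:
    """Detections that are not in a cache, quarantine or restore point."""
    return [f for f in findings if f.bucket == "live"]


# Lines 1-5 are copied from the log posted above; the last line is constructed
# (not from the poster's machine) to show a detection outside any safe location.
SAMPLE_LOG = r"""
09/23/2012 21:06
Scan of all local drives

File C:\Documents and Settings\Jim\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\34\26769362-7f9ad9ec is infected by Win32:Trojan-gen, Moved to chest
File C:\Documents and Settings\Jim\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\55\42b97cb7-10d4a696|>magica\magica.class is infected by Java:Agent-BUD [Trj], Moved to chest
File C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_52c68b51ad2755ee_.sys.zip|>52c68b51ad2755ee.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP41\A0011973.exe is infected by Win32:Winwebsec-AL [Trj], Moved to chest
File V:\Lee Child - 07 - Persuader Audio book Unabridged 128kb.zip|>Lee Child - 07 - Persuader Audio book Unabridged 128kb\Lee Child - Persuader 01 of 12.mp3 Error 42125 {ZIP archive is corrupted.}
File C:\WINDOWS\Temp\example-live.exe is infected by Win32:Trojan-gen, Moved to chest
"""

if __name__ == "__main__":
    found = parse_avast_log(SAMPLE_LOG)
    print(summarize(found))
    for f in live_detections(found):
        print("LIVE:", f.path, f.name)
```

Run against the full posted log, the live bucket is empty: every one of the 14 hits is in the Java cache, ComboFix's quarantine or a restore point, and the 8 V: lines are archive errors.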

#37 RKinner (Malware Expert)

Clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml

Delete your old OTL.exe and download the new version. It has been changed to detect ZA a little better. Run a quickscan and post the log.

Reboot into Safe Mode: reboot and when you see the maker's logo, hear a beep or it talks about F8, start tapping the F8 key slowly. Keep tapping until the Safe Mode Menu appears and choose Safe Mode. Log in with your usual login.


First right click on Recycle Bin and select Properties then click on Do Not Move Files to the Recycle Bin. OK.
Right click on Start, and select Explore. Then navigate to C:. Do you see the Recycler folder in the right pane?

If not, Select the Tools option at the top and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button.

Move to a different folder then back to C: so that it has to refresh the screen. Do you see Recycler now?

If you see it, right click on it and select properties then Security. Click on Administrators then in the bottom of the pane make sure that Full Control is checked under ALLOW. OK. Now double click on Recycler. Does it open? If you see a folder called S-1-5-18, right click on it and try to delete it. In fact right click on any folder or files you see and try to delete them. If you are successful at this then close explorer and right click on Recycle Bin and uncheck Do Not Move Files to the Recycle Bin then OK.

#38 3mateo (Topic Starter)

RK-
Reloaded OTL, Quick Scan, log below.
Clicked on DO NOT MOVE Fs to REC BIN.
Recycler was visible.
FULL CONTROL was already clicked on.
Deleted S-1-5-18, and one other file (both hidden).
Unchecked DO NOT MOVE fs to REC BIN.
Thanks,
-M


############### OTL LOG ####################################


OTL logfile created on: 24/09/2012 11:36:57 AM - Run 8
OTL by OldTimer - Version 3.2.66.2 Folder = C:\Documents and Settings\Jim\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.43 Gb Available Physical Memory | 71.55% Memory free
3.85 Gb Paging File | 3.46 Gb Available in Paging File | 90.07% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.96 Gb Total Space | 112.88 Gb Free Space | 75.78% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive E: | 7.45 Gb Total Space | 4.67 Gb Free Space | 62.63% Space Free | Partition Type: FAT32
Drive U: | 488.28 Gb Total Space | 466.71 Gb Free Space | 95.58% Space Free | Partition Type: NTFS
Drive V: | 908.98 Gb Total Space | 206.07 Gb Free Space | 22.67% Space Free | Partition Type: NTFS

Computer Name: BOSS | User Name: Jim | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/24 11:30:35 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.com
PRC - [2012/09/05 18:26:39 | 000,917,984 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/08/21 02:12:26 | 004,282,728 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/08/21 02:12:25 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2012/08/08 16:05:09 | 000,161,776 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/09/23 23:12:00 | 001,811,968 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\12092400\algo.dll
MOD - [2012/09/05 18:26:41 | 002,244,064 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2012/05/30 20:06:48 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2012/05/30 20:06:30 | 001,242,512 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\system32\drivers\KodakCCS.exe -- (KodakCCS)
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2012/08/21 02:12:25 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2012/08/08 16:05:09 | 000,161,776 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\GEORGE\CFcatchme.sys -- (CFcatchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Jim\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2012/08/21 02:13:15 | 000,729,752 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/08/21 02:13:15 | 000,355,632 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/08/21 02:13:15 | 000,054,232 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/08/21 02:13:14 | 000,097,608 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2012/08/21 02:13:14 | 000,035,928 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (AswRdr)
DRV - [2012/08/21 02:13:13 | 000,025,256 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2012/08/21 02:13:13 | 000,021,256 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/11/06 22:24:30 | 000,019,056 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\PeerBlock\pbfilter.sys -- (pbfilter)
DRV - [2007/07/22 14:27:12 | 004,424,704 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2004/04/21 22:09:00 | 000,120,448 | R--- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RT2500.sys -- (RT2500)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{02C2FC17-3FA4-475F-9F6F-099E21DA079D}: "URL" = http://www.bing.com/...ferrer:source?}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{1E02B687-EA27-4815-A25C-25B51B037734}: "URL" = http://www.flickr.co...q={searchTerms}
IE - HKCU\..\SearchScopes\{1F397D90-488D-4800-BAEE-F0BCD701E15C}: "URL" = http://delicious.com...p={searchTerms}
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...&rlz=1I7DKUS_en
IE - HKCU\..\SearchScopes\{C62CFA05-44B5-4B60-917B-9289833B2AD5}: "URL" = http://rover.ebay.co...e={searchTerms}
IE - HKCU\..\SearchScopes\{F1359F9E-D2BE-4403-A7C6-D7B2998237C7}: "URL" = http://search.yahoo....0834,6901,0,8,0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.5.5
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@mozilla.zeniko.ch/PDFlite_Browser_Plugin: C:\Program Files\PDFlite\npPdfViewer.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@mozilla.zeniko.ch/PDFlite_Browser_Plugin: C:\Program Files\PDFlite\npPdfViewer.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/09/23 11:12:50 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/09/23 17:07:12 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2008/10/09 16:42:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jim\Application Data\Mozilla\Extensions
[2008/10/09 16:42:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jim\Application Data\Mozilla\Extensions\[email protected]
[2012/09/23 17:25:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\0tgeoq9k.default\extensions
[2012/09/23 17:25:11 | 000,527,915 | ---- | M] () (No name found) -- C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\0tgeoq9k.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
[2012/09/23 17:07:12 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/09/05 18:27:05 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/09/05 18:26:22 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/09/05 18:26:22 | 000,002,253 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/09/12 09:06:03 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7529.1424\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} http://www.fcd.maric...mgaxctrl6.5.cab (Autodesk MapGuide ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1346283026031 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1346283014625 (MUWebControl Class)
O16 - DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} http://update.hpphot.../HPSWUpdate.ocx (CUpdateCtl Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 205.171.2.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{70FC676B-AE41-4E18-B39D-20CB5E48B32C}: DhcpNameServer = 192.168.0.1 205.171.2.25
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Jim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 12:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (sdnclean.exe)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/09/24 11:30:36 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.com
[2012/09/23 17:07:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Local Settings\Application Data\Mozilla
[2012/09/23 17:07:09 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/09/23 17:05:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Desktop\Sirefef STUFF
[2012/09/23 16:14:06 | 000,000,000 | ---D | C] -- C:\Program Files\PeerBlock
[2012/09/23 16:14:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PeerBlock
[2012/09/23 16:03:54 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Jim\Recent
[2012/09/23 11:13:08 | 000,355,632 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2012/09/23 11:13:08 | 000,021,256 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2012/09/23 11:13:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2012/09/23 11:13:06 | 000,054,232 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2012/09/23 11:13:06 | 000,035,928 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2012/09/23 11:13:05 | 000,729,752 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2012/09/23 11:13:05 | 000,097,608 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2012/09/23 11:13:05 | 000,089,624 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2012/09/23 11:13:04 | 000,025,256 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2012/09/23 11:12:44 | 000,227,648 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2012/09/23 11:12:44 | 000,041,224 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2012/09/12 08:51:57 | 004,749,988 | R--- | C] (Swearware) -- C:\Documents and Settings\Jim\Desktop\ComboFix.exe
[2012/09/11 16:40:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/09/11 16:39:59 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/09/11 16:39:58 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/09/11 16:03:11 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/09/10 15:00:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Sun
[2012/09/10 15:00:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2012/09/09 16:49:16 | 000,000,000 | ---D | C] -- C:\GEORGE29377G
[2012/09/09 13:57:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/09/09 11:31:28 | 000,000,000 | ---D | C] -- C:\RECYCLER
[2012/09/09 11:02:51 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/09/09 11:02:51 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/09/09 11:02:51 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/09/09 11:02:51 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/09/09 11:01:36 | 000,000,000 | ---D | C] -- C:\GEORGE2
[2012/09/09 10:59:44 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/09/08 14:03:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\CC Support
[2012/09/07 15:48:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Apple Computer
[2012/09/07 15:47:04 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/09/07 11:16:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Desktop\Pics n Music 2012
[2012/09/06 21:53:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/09/06 21:53:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/09/06 20:51:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2012/09/06 20:51:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2012/09/06 19:00:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Recent(2)
[2012/09/04 15:30:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Application Data\ImgBurn
[2012/09/01 17:17:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Desktop\Neil Young Tonights the Night
[2012/09/01 17:17:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Desktop\On The Beach
[2012/08/30 20:45:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\My Documents\Downloads

========== Files - Modified Within 30 Days ==========

[2012/09/24 11:30:35 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.com
[2012/09/24 11:13:00 | 000,000,310 | -H-- | M] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2012/09/24 10:48:00 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/09/23 22:07:17 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/09/23 22:07:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/23 20:58:47 | 000,001,554 | ---- | M] () -- C:\Documents and Settings\Jim\Desktop\Defrag...lnk
[2012/09/23 20:34:11 | 000,013,312 | ---- | M] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/09/23 20:05:53 | 000,367,304 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/09/23 18:13:13 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/09/23 17:07:13 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Jim\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/09/23 17:07:13 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/09/23 16:14:07 | 000,001,606 | ---- | M] () -- C:\Documents and Settings\Jim\Desktop\PeerBlock.lnk
[2012/09/23 16:03:41 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2012/09/23 11:13:09 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast!.lnk
[2012/09/23 11:13:05 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/09/19 13:22:27 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/09/12 09:06:03 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/09/12 08:52:06 | 004,749,988 | R--- | M] (Swearware) -- C:\Documents and Settings\Jim\Desktop\ComboFix.exe
[2012/09/11 20:37:33 | 000,061,440 | ---- | M] ( ) -- C:\Documents and Settings\Jim\Desktop\VEW.exe
[2012/09/11 19:43:00 | 000,001,196 | ---- | M] () -- C:\backup.reg
[2012/09/11 19:42:59 | 000,000,574 | ---- | M] () -- C:\cleanup.bat
[2012/09/11 16:40:00 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/09/11 15:56:27 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/09/07 17:04:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/09/07 10:27:04 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/09/05 12:44:40 | 221,672,648 | ---- | M] () -- C:\Documents and Settings\Jim\Desktop\1x15 - So Sorry, My Island Now.avi
[2012/08/28 15:47:45 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\Jim\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk

========== Files Created - No Company Name ==========

[2012/09/23 20:09:58 | 000,001,505 | ---- | C] () -- C:\Documents and Settings\Jim\Desktop\Vuze.lnk
[2012/09/23 18:12:15 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2012/09/23 17:07:13 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/09/23 17:07:13 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2012/09/23 17:07:13 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/09/23 16:14:07 | 000,001,606 | ---- | C] () -- C:\Documents and Settings\Jim\Desktop\PeerBlock.lnk
[2012/09/23 11:13:09 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast!.lnk
[2012/09/23 11:13:05 | 000,000,310 | -H-- | C] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2012/09/11 20:09:36 | 000,061,440 | ---- | C] ( ) -- C:\Documents and Settings\Jim\Desktop\VEW.exe
[2012/09/11 19:43:00 | 000,001,196 | ---- | C] () -- C:\backup.reg
[2012/09/11 19:42:59 | 000,000,574 | ---- | C] () -- C:\cleanup.bat
[2012/09/11 16:40:00 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/09/09 20:33:02 | 000,000,880 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/09/09 20:33:02 | 000,000,876 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/09/09 13:36:16 | 000,000,690 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
[2012/09/09 13:36:15 | 000,000,609 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
[2012/09/09 13:36:14 | 000,001,505 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Vuze.lnk
[2012/09/09 13:36:13 | 000,002,489 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word.lnk
[2012/09/09 13:36:12 | 000,001,978 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Publisher.lnk
[2012/09/09 13:36:11 | 000,002,487 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Excel.lnk
[2012/09/09 13:36:10 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Apple Software Update.lnk
[2012/09/09 13:36:09 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2012/09/09 11:02:51 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/09/09 11:02:51 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/09/09 11:02:51 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/09/09 11:02:51 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/09/09 11:02:51 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/09/05 12:46:00 | 221,672,648 | ---- | C] () -- C:\Documents and Settings\Jim\Desktop\1x15 - So Sorry, My Island Now.avi
[2012/06/01 23:25:57 | 000,184,696 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/05/31 11:34:25 | 000,000,288 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\.backup.dm
[2012/02/28 08:42:14 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/15 21:16:41 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2010/11/04 16:22:07 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\bibstats
[2010/10/14 14:50:36 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2008/08/20 13:10:43 | 000,000,022 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\kodakpcd.ini
[2008/07/21 13:18:42 | 000,013,312 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/01/31 10:15:58 | 000,260,544 | ---- | C] () -- C:\Documents and Settings\Jim\BD=1

========== ZeroAccess Check ==========

[2004/08/10 12:09:48 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 17:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 17:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/09/23 11:12:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/04/09 13:28:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2012/02/10 17:28:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJScan
[2012/02/24 12:52:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ChessBase
[2012/05/31 11:45:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ClubSanDisk
[2009/12/04 10:15:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
[2009/10/27 16:07:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2008/01/31 10:28:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT
[2012/08/27 09:08:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
[2011/02/04 16:55:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WEngineLite
[2011/07/12 10:29:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2012/06/22 19:00:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\AnvSoft
[2012/09/24 08:31:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Azureus
[2012/02/10 17:28:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Canon
[2008/10/06 16:34:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/10/27 16:07:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\DriverCure
[2012/08/06 11:26:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\ElevatedDiagnostics
[2009/01/14 13:19:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Hoyle Casino
[2008/02/01 11:54:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Hoyle FaceCreator
[2012/09/04 15:30:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\ImgBurn
[2009/09/25 11:11:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Leadertech
[2011/03/22 15:10:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\MSNInstaller
[2012/08/09 18:18:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\OpenOffice.org
[2012/08/08 16:05:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Oracle
[2011/04/05 12:41:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Panasonic
[2012/09/08 10:13:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Philipp Winterberg
[2012/09/06 20:39:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\shrink_pic
[2008/07/21 15:23:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Skinux
[2010/01/29 11:29:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Smith Micro
[2012/08/27 09:22:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\stickies
[2008/09/17 14:05:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\TomTom
[2012/07/30 11:59:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Uniblue
[2012/06/22 18:48:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Video Converter

========== Purity Check ==========



< End of report >

#39 RKinner (Malware Expert, MVP)
I'm hoping that was it. The presence of the hidden S-1-5-18 folder means this was the latest version of ZA. It does something to block access to the recycler folder so our tools can't see it. I guess the report that the Recycle Bin is corrupt is the only clue that it is there. I would run another boot-time scan and see what it finds this time.

#40 3mateo (Topic Starter)
RK-
That was it.
Avast Boot-time scan found nothing.
What's next?
Thanks.
-M

#41 RKinner (Malware Expert, MVP)
Let's check your error log and see if we need to fix anything.

Start, Run, eventvwr.msc, OK to bring up the Event Viewer. Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application.

Reboot.

1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:

2. Double-click VEW.exe
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.
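The procedure in the post above (clear the System and Application logs, reboot, then list the newest 20 Error and Warning entries), as an added example that is not part of the original thread and is not VEW or any other tool Ron linked: a PowerShell 2.0 script, which is the PowerShell version that runs on XP, using only the built-in Get-EventLog, Clear-EventLog and Export-Csv cmdlets. The `-Newest 20` and the Error/Warning filter mirror the VEW settings. The export-before-clear step is an addition of this example, so the old log survives on disk instead of being discarded; the backup location (the Desktop) is an assumption.

```powershell
# Added example (not from the original thread): PowerShell 2.0 equivalent of the
# "clear the logs, reboot, then list the newest 20 Error/Warning events" procedure.
# Run as an administrator; Clear-EventLog needs that right.
param(
    [int]$Newest = 20,          # VEW's "Number of events" box
    [switch]$ClearFirst,        # mirrors "Clear All Events" in eventvwr.msc
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'Desktop')   # assumption: where to keep the old log
)

$logs = 'System', 'Application'

function Get-RecentProblems {
    param([string]$LogName, [int]$Count)
    # Error and Warning only, newest first, like VEW's "Select type to list" filter.
    Get-EventLog -LogName $LogName -EntryType Error, Warning -Newest $Count -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, EntryType, Source, EventID, Message
}

if ($ClearFirst) {
    foreach ($log in $logs) {
        # Keep a copy of what is being thrown away; an old Error entry can still be evidence.
        $backup = Join-Path $BackupDir ("{0}-{1:yyyyMMdd-HHmmss}.csv" -f $log, (Get-Date))
        Get-EventLog -LogName $log -ErrorAction SilentlyContinue | Export-Csv -Path $backup -NoTypeInformation
        Clear-EventLog -LogName $log
        Write-Host "Cleared $log log (backup: $backup). Reboot, then run again without -ClearFirst."
    }
    return
}

foreach ($log in $logs) {
    $entries = @(Get-RecentProblems -LogName $log -Count $Newest)
    Write-Host ("'{0}' log - {1} Error/Warning entries" -f $log, $entries.Count)
    foreach ($e in $entries) {
        # Collapse the message to one line so it pastes cleanly into a reply.
        $msg = ($e.Message -replace '\s+', ' ')
        if ($msg.Length -gt 120) { $msg = $msg.Substring(0, 120) + '...' }
        Write-Host ("{0:dd/MM/yyyy HH:mm:ss}  {1,-8} {2,-24} {3,6}  {4}" -f $e.TimeGenerated, $e.EntryType, $e.Source, $e.EventID, $msg)
    }
}
```

Save it as, for example, `Get-RecentEvents.ps1`, run `.\Get-RecentEvents.ps1 -ClearFirst` once, reboot, then run `.\Get-RecentEvents.ps1` and paste the output. An empty list for both logs is the same "short is good" result VEW produced in the reply that follows.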

#42 3mateo (Topic Starter)
RK-
Cleared events for System and Application, not saving logs, rebooted.

VEW logs very short: #######################################



Vino's Event Viewer v01c run on Windows XP in English
Report run at 24/09/2012 4:51:16 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


####### VEW APPLICATION LOG: ######################


Vino's Event Viewer v01c run on Windows XP in English
Report run at 24/09/2012 4:55:03 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#43 RKinner (Malware Expert, MVP)
Short is good. No errors showing. Avast is happy. Windows is not complaining about the Recycle Bin. I think we are finally done unless you see something on your end we can clean up.

We need to clean up System Restore.

Copy the following:

:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]

Run OTL. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again (If you do not run OTL cleanup):

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and exit My Computer.


Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use Adobe Reader, Acrobat or Foxit to read PDF files you need to disable JavaScript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, click on JavaScript in the left column and uncheck Enable Acrobat JavaScript. OK. Close the program. It's the same for Foxit Reader except you uncheck Enable JavaScript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. You can right click on the UpdateChecker icon (looks like a downward green arrowhead) and select Settings and tell it no betas. If you don't use MSN Messenger I would not update it. MS installs a bunch of stuff when you do. You can tell the program to not show you that update.)
If you use Firefox or Chrome then get the AdBlock Plus add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . Click on Speedup my Firefox. When it finishes click on Exit.

Be warned: If you use Limewire, uTorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.


Special note on Java. Currently there is an exploit out that works on all Java Version 7 software so we are recommending that if you do not visit websites that absolutely require Java that you turn it off in your browser per the instructions in http://www.geekstogo...ur-web-browser/
If you use websites that require Java and you trust them then we recommend that you use either Firefox with the NoScript add-on or Chrome with the ScriptNo add-on and avoid IE. NoScript/ScriptNo will turn off Java and Javascript on all websites you visit except for those that you specifically approve. More info on the exploit is here: http://krebsonsecuri...y-java-exploit/
A new Java 7 Version 7 was released on an emergency basis to fix the exploit but apparently actually makes things worse.


Special note on IE. Make sure you have the latest updates from Microsoft. Especially KB2744842 http://support.micro...com/kb/2744842. Do not use Java with IE until they offer Java 7 Version update 8.

Ron
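An added check script (not from Ron's post or from any of the tools it names) that audits two of the settings recommended above on the current user's profile: whether protected operating system files are hidden again, and whether Acrobat JavaScript is disabled in each installed Adobe Reader version. It assumes the Explorer Advanced key values ShowSuperHidden and Hidden, and Adobe's per-version JSPrefs\bEnableJS preference; those value names are assumptions here, not something the post states.

```powershell
# Added example, not part of the original thread. Run as the user whose profile you
# want to check (no admin needed; everything lives under HKCU). Written for
# PowerShell 2.0 so it also works on the XP/Vista/7 machines discussed in this thread.

function Get-ExplorerHidingStatus {
    # Assumed Explorer key: ShowSuperHidden 0 = protected OS files hidden (recommended),
    # 1 = shown.  Hidden 2 = hidden files not shown, 1 = shown.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $adv = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ProtectedOsFilesHidden = ($adv -ne $null -and $adv.ShowSuperHidden -eq 0)
        HiddenFilesShown       = ($adv -ne $null -and $adv.Hidden -eq 1)
    }
}

function Get-AdobeReaderJavaScriptStatus {
    # Assumed Adobe preference: HKCU\Software\Adobe\Acrobat Reader\<version>\JSPrefs\bEnableJS,
    # 0 = Acrobat JavaScript disabled.  A missing value means the default (enabled).
    $base = 'HKCU:\Software\Adobe\Acrobat Reader'
    if (-not (Test-Path $base)) { return }
    foreach ($ver in Get-ChildItem -Path $base) {
        $jsKey = Join-Path $ver.PSPath 'JSPrefs'
        $js = Get-ItemProperty -Path $jsKey -ErrorAction SilentlyContinue
        $disabled = ($js -ne $null -and $js.bEnableJS -eq 0)
        New-Object PSObject -Property @{
            Version           = $ver.PSChildName
            JavaScriptEnabled = (-not $disabled)
        }
    }
}

# Report anything that still differs from the advice in the post above.
$hiding = Get-ExplorerHidingStatus
if (-not $hiding.ProtectedOsFilesHidden) {
    Write-Warning 'Protected operating system files are still shown in Explorer.'
}
if ($hiding.HiddenFilesShown) {
    Write-Warning 'Hidden files and folders are still shown in Explorer.'
}
Get-AdobeReaderJavaScriptStatus | Where-Object { $_.JavaScriptEnabled } | ForEach-Object {
    Write-Warning ("Adobe Reader " + $_.Version + ": Acrobat JavaScript is still enabled.")
}
```

No warnings means both settings match the post's recommendations for the current user; a different Windows account keeps its own copies of these values.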

#44 3mateo (Topic Starter, Member, 47 posts)
Think I did it all but the router, save 2 issues:
1) I think I deleted OTL via its tab; along with deleting it, I think I deleted the original log created when I first ran it with the lines in your post pasted into the Fixes box. I did reload and run it again, and the log below is the second run, so it might be moot, sorry.
2) The update checker said I needed NVIDIA, which I don't remember ever seeing before. Do I need it?
I think that's it for my comp, much thanks!!

On an altogether other note: on my laptop, I've been trying to do all the aspects you have recommended for my desktop, and the update checker won't run. It says: "FileHippo Update Checker has stopped working", then: "Windows is checking for a solution", then it goes away, and nothing. Can you give me some direction?
I did use the Mozilla "Plugin check and update" site, but it's not quite the same as the Hippo update checker.
Please let me know where to go for help.
Thanks as always!!
-Mateo



OTL Second Log: ################################################

========== COMMANDS ==========
Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.68.0 log created on 09242012_202344

#45 RKinner (Malware Expert, Expert, MVP, 20,031 posts)
If we already cleared the Restore Points it won't hurt to do it again.

2) The update checker said I needed NVIDIA, which I don't remember ever seeing before. Do I need it?
I think that's it for my comp, much thanks!!


You have NVIDIA drivers in your uninstall log. NVIDIA makes video cards so I expect that's your video driver. I prefer to get new drivers from the PC maker's web site rather than letting Windows or FileHippo give them to me.


What version of Windows does the laptop have? If it's Vista or Win 7 then you need to run it by right clicking and Run As Admin. FileHippo uses .net so if that's not installed correctly and up to date it may not run. There is another program called Secunia which does the same thing. It's Java based tho so you need to be careful with it. http://secunia.com/v...nning/personal/