[zRazor]

It came up while running the scan earlier. I noticed that it came up again when I just now got back from work, so it came up twice now. Thing is, I do not have a CD for this as it was preinstalled in the computer. I did upgrade to SP3 a couple of years ago.

Here is the ESET log:

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Updates\Downloads(2)\vso_dat(2)\Index.cab Win32/Adware.SpywareProtect2009 application
C:\Program Files\FoxTabVideoConverter\VideoConverter.exe a variant of Win32/InstallCore.A application
C:\Program Files\FoxTabVideoConverter\Uninstall\Uninstall.exe a variant of Win32/InstallCore.A application
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP798\A0230596.dll Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP798\A0230598.exe Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP803\A0231777.exe multiple threats
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP803\A0231778.exe probably a variant of Win32/Bundled.Toolbar.Ask application
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP806\A0231918.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP806\A0231919.exe a variant of Win32/RegistryBooster application
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP807\A0231940.exe Win32/SpeedUpMyPC application

[Advertisements]

does it give a clue to which file ?

[gringo_pr]

does it give a clue to which file ?

[zRazor]

No.

[gringo_pr]

we can try something to see if it will work


I want you to redownload SP3 and reinstall it over the existing sp3 download it from here and double click to install - http://www.microsoft...ails.aspx?id=24

[zRazor]

when I get home this afternoon I will try those steps. Should we do that first or complete the steps to complete this infection based upon the ES ET findings first?

[gringo_pr]

what eset found is very minor and I am not worried about it at this time - I want to see if this will clear up that error

[zRazor]

Alright. I should be home within the hour.

[gringo_pr]

OK I will be around later

[zRazor]

COmpleted installation. So far no notification. If one pops up, I will report.

[zRazor]

Nope, message popped up again.

[zRazor]

Did further research, and looked at the Event Viewer, and this is what the event viewer says:

Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64005
Date: 4/20/2013
Time: 4:22:48 PM
User: N/A
Computer: RAZOR_LAPTOP
Description:
The protected system file drmstor.dll was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is Razorback. The file version of the bad file is 10.0.0.3802.

For more information, see Help and Support Center at http://go.microsoft....ink/events.asp.


and the other file

Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64005
Date: 4/20/2013
Time: 4:22:48 PM
User: N/A
Computer: RAZOR_LAPTOP
Description:
The protected system file drmclien.dll was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is Razorback. The file version of the bad file is 10.0.0.3802.

For more information, see Help and Support Center at http://go.microsoft....ink/events.asp.


Those are the two files that appear to be the problem. Have not researched to see what they are as of yet.

[gringo_pr]

Hello

I would like to run this next to search for some files on the computer.


SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:

:filefind
drmstor.dll
drmclien.dll

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


Gringo

[zRazor]

SystemLook 30.07.11 by jpshortstuff
Log created at 01:26 on 23/04/2013 by Razorback
Administrator - Elevation successful

========== filefind ==========

Searching for "drmstor.dll "
C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}$BACKUP$\System\drmstor.dll --a---- 92672 bytes [10:15 16/02/2006] [12:00 10/08/2004] 7D572867A1A0F17976AFBA043794D955
C:\WINDOWS\system32\drmstor.dll --a---- 96768 bytes [14:05 15/02/2006] [21:44 28/01/2005] AC4AED60E9B76B355BE3BBB991D0677B
C:\WINDOWS\system32\dllcache\drmstor.dll --a--c- 96768 bytes [14:05 15/02/2006] [21:44 28/01/2005] AC4AED60E9B76B355BE3BBB991D0677B

Searching for "drmclien.dll"
C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}$BACKUP$\System\drmclien.dll --a---- 246272 bytes [10:15 16/02/2006] [12:00 10/08/2004] 1CBC7E5C65849E74DD0B31A9C53147A0
C:\WINDOWS\system32\drmclien.dll --a---- 258296 bytes [14:05 15/02/2006] [21:44 28/01/2005] DCDAC20443BCFF7B758EC22A53D72502
C:\WINDOWS\system32\dllcache\drmclien.dll --a--c- 258296 bytes [14:05 15/02/2006] [21:44 28/01/2005] DCDAC20443BCFF7B758EC22A53D72502

-= EOF =-

[gringo_pr]

Hello



Repair Catroot

• Click Start, click Run, type Notepad, and then click OK.
• Copy the following text, and then paste the text into Notepad.

net stop wuauserv
cd %systemroot%\SoftwareDistribution
ren Download Download.old
net start wuauserv
net stop bits
net start bits
net stop cryptsvc
cd %systemroot%\system32
ren catroot2 catroot2old
net start cryptsvc

• Click File, click Save As, and then type Repair.bat.
• In the Save as type box, click All Files.
• In the Save in box, click Desktop, and then click Save.
• On the File menu, click Exit.
  Double-click the Repair.bat file

Now I need you to go to windows update and download any update that it wants you to download.

[zRazor]

Step complete. There were no High Priority updates, but I did do all the optional ones (Except for the Bing update). So far no error, but will report if it does pop up.

What's next?