[HammerHead1980]

Hi EB,

Just a quick update while I wait on your reply/advice.

I did a Anit-Malware Scan and it got 7 infections. See log.
I then deleted these files with Anit-Malware.
 mbam_log_2009_03_12__16_10_57_.txt   1.23KB   168 downloads

I then did an Avast Scan it it got a number of infections. See Log.
I deleted these infections with Avast.


Regards,
Tom.

[Advertisements]

Ok this is insidious and I have not come across this one before so I will have to use all the tools in my armoury to find out where it is hiding and what the infector is

I have two programmes for you to run one after the other they are both healing and analysis programmes

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

THEN

We will now do a deep search of your processes and files

Download avz4.zip from here

• Unzip it to your desktop to a folder named avz4
• Double click on AVZ.exe to run it.
• Run an update by clicking the Auto Update button on the Right of the Log window:
• Click Start to begin the update

Note: If you recieve an error message, chose a different source, then click Start again

• Start AVZ.
  
• Choose from the menu "File" => "Standard scripts " and mark the "Healing/Quarantine and Advanced System Investigation" check box.
• Click on the “Execute selected scripts”.
• Automatic scanning, healing and system check will be executed.
• A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
• It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
• All applications will work properly after the system restart.

When restarted

• Start AVZ.
  
• Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Investigation" check box.
• Click on the "Execute selected scripts".
• A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both zip files to your next post

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

I will just need the two zip files and the report.txt

[Essexboy]

Ok this is insidious and I have not come across this one before so I will have to use all the tools in my armoury to find out where it is hiding and what the infector is

I have two programmes for you to run one after the other they are both healing and analysis programmes

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

THEN

We will now do a deep search of your processes and files

Download avz4.zip from here

• Unzip it to your desktop to a folder named avz4
• Double click on AVZ.exe to run it.
• Run an update by clicking the Auto Update button on the Right of the Log window:
• Click Start to begin the update

Note: If you recieve an error message, chose a different source, then click Start again

• Start AVZ.
  
• Choose from the menu "File" => "Standard scripts " and mark the "Healing/Quarantine and Advanced System Investigation" check box.
• Click on the “Execute selected scripts”.
• Automatic scanning, healing and system check will be executed.
• A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
• It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
• All applications will work properly after the system restart.

When restarted

• Start AVZ.
  
• Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Investigation" check box.
• Click on the "Execute selected scripts".
• A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both zip files to your next post

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

I will just need the two zip files and the report.txt

[HammerHead1980]

Hi EB,

Downloaded and Installed SDFix. Ran in Safe Mode.
See Log.  report.txt   6.78KB   275 downloads

Downloaded AVZ4.
Ran Healing/Quarantine and Advanced System Analysis (No Investigation)
Rebooted. (Note: Avast Called the virus on boot)
See AVZ4 Log1:  virusinfo_syscure.zip   29.03KB   155 downloads

Ran Advanced System Analysis (No Investigation)
See AVZ4 Log2:  virusinfo_syscheck.zip   28.72KB   155 downloads

The first 2 found infections and removed things.
Althought as I said Avast called the virus, after the reboot, after the first AVZ4 Run.

Do you think the virus is removable.
I would love to get rid of it but I can format if needs be.
I really appreciate the help EB.

Regards,
Tom.

[Essexboy]

At the moment I cannot even find the trigger which is very annoying. I have checked all the usual areas including your MBR and still nothng, yet the three system files are being re-infected. It might be worth backing your data up now in case this takes more time than you can afford


Download RootRepeal.zip and unzip it to your Desktop.

• Double click RootRepeal.exe to start the program
• Click on the Report tab at the bottom of the program window
• Click the Scan button
• In the Select Scan dialog, check:
  • Drivers
  • Files
  • Processes
  • SSDT
  • Stealth Objects
  • Hidden Services
• Click the OK button
• In the next dialog, select all drives showing
• Click OK to start the scan
  

  Note: The scan can take some time. DO NOT run any other programs while the scan is running

• When the scan is complete, the Save Report button will become available
• Click this and save the report to your Desktop as RootRepeal.txt
• Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

[HammerHead1980]

Morning EB,

Here is the contents of the RootRepeal,

******************
ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/03/13 09:53
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8465000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79F1000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7CC3000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0000384.exe
Status: Allocation size mismatch (API: 409600, Raw: 389120)

Path: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0000386.EXE
Status: Allocation size mismatch (API: 32768, Raw: 16384)

Path: C:\Documents and Settings\PL\Local Settings\Temporary Internet Files\Content.IE5\OKNLGTZG\forums[1].htm
Status: Allocation size mismatch (API: 86016, Raw: 81920)
******************

The funny thing was when I clicked the .exe, AVG picked it up but it still infected the PC?
I think this virus could be pretty new, like a new variant of an existing virus.

Couple of quick questions,

The Flash Disinfector, That will clean viri off a flash drive and then also so STOP new ones 'jumping' on there?
Should I use the same program, or is there similar software for a 160GB External HDD.
What are the best programs to install to stop me getting infected again?

Thanks for the replys,
Regards,
Tom.

[Essexboy]

Morning Tom

The Flash Disinfector, That will clean viri off a flash drive and then also so STOP new ones 'jumping' on there?
Should I use the same program, or is there similar software for a 160GB External HDD.

If the drive is connected when you run disinfector it will cure and protect that drive

OK it may be hiding in system restore looking at that

• Select Start > All Programs > Accessories > System tools > System Restore.
• On the dialogue box that appears select Create a Restore Point
• Click NEXT
• Enter a name e.g. Clean
• Click CREATE

You now have a clean restore point, to get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
• In the Drop down box that appears select your main drive e.g. C
• Click OK
• The System will do some calculation and the display a dialogue box with TABS
• Select the More Options Tab.
• At the bottom will be a system restore box with a CLEANUP button click this
• Accept the Warning and select OK again, the program will close and you are done

Then run Rootrepeal again please

[HammerHead1980]

Ok

I created a new Restor point called 'Clean.
I then did the disk cleanup.
Note:The cleanup did not seem to actually do much?? It completed though.

Note: I had turned off System Restore when I first got the virus.
It is now back on? Must have happend when I created a new point.


********************************
ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/03/13 11:27
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8465000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79F1000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7A48000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
*******************************************

Regards,
Tom.

[Essexboy]

Path: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0000384.exe
Status: Allocation size mismatch (API: 409600, Raw: 389120)

Path: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0000386.EXE
Status: Allocation size mismatch (API: 32768, Raw: 16384)

These two have now gone though

What can you tell me about this programme Tom as I have been unable to find any decent info about it -half say it is a virus and half an FTP programme

O23 - Service: ABB Industrial Robot Communication Server (RobComCtrlServer) - ABB - C:\Program Files\Common Files\ABB Industrial IT\Robotics IT\RobAPI\RobComCtrlServer.exe
O23 - Service: ABB Industrial Robot Discovery Server (RobNetScanHost) - ABB - C:\Program Files\Common Files\ABB Industrial IT\Robotics IT\RobAPI\RobNetScanHost.exe

[HammerHead1980]

Hi EB,

It's not a virus, but as you say it's a kind of FTP and PC to Industrial PC communication tool.
It's for connecting a Laptop to an ABB Industrial Robot system. I use it for work.
I should have mentioned it as I thought it might confuse people as to what the [bleep] it was.
I will uninstall as I really don't need it on this home laptop.

Ok I did the following,
Un-installed, ABB software, FTP Voyager and iTunes.
Ran an ATF cleaner.
Rebooted.
Ran a RootRepeal.
Ran a HijackThis.

I will post a Hijack this log and a RootRepeal in my next post.

Tom.

[HammerHead1980]

RootRepeal Log

*************

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/03/13 16:29
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9EBA000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79CD000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA919E000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
Status: Size mismatch (API: 20480, Raw: 1024)

*************

HijackThis Log

************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:33:35, on 13/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - c:\windows\system32\tourstart.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5209 bytes

************

[Essexboy]

Well I do not know where this appeared from but we may have the culprit, obviously removing the restore points revealed it I think

Please download the OTMoveIt3 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :Reg
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}]
  [-HKEY_CLASSES_ROOT\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}]
  
  :Files
  c:\windows\system32\tourstart.dll
  
  :Commands
  [purity]
  [emptytemp]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

[HammerHead1980]

I ran OTMoveIt3 as instructed.
It asked for a reboot after the program was run.
The log lanuched itself after the reboot.

I'm considering formating the HDD this evening or tomomrrow.
I would be concerned about left over viri or bad files.
Still, I'd love to kill it LOL

OTMoveIt3 Log

========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\\ deleted successfully.
Registry key HKEY_CLASSES_ROOT\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\\ deleted successfully.
========== FILES ==========
DllUnregisterServer procedure not found in c:\windows\system32\tourstart.dll
c:\windows\system32\tourstart.dll NOT unregistered.
c:\windows\system32\tourstart.dll moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_258.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6f0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03132009_165637

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_258.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_6f0.dat not found!

[Essexboy]

To satisfy my curiosity is Avast still alerting

We have a reformat tutorial here if it would help

[HammerHead1980]

Yes, unfortunately it seems unchanged.
Awkward little bugger.
I think it possibly may be rather new? Shouldn't have clicked that .exe
Thanks for the help EB unless you have any other brain waves I think I'll format the HDD.

Lets hope it's not on the recovery partition!!! (Doubt it, I think it does not get mounted)

Tom.

[Essexboy]

Shouldn't do as it is a read only partition

I don't suppose you could remember the exe name ?

And no I am fresh out of ideas now