I Don't Know What Is Wrong! [Solved]


  • This topic is locked

#31
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Hi bob,

Glad to see that finally finished. It's a long old scan, but it is worth it as it is so thorough.

Let's get rid of what it found then.

First off you should empty your deleted e-mail folders.

Then...

Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Services
    
    :Reg
    
    :Files
    C:\Users\Bob\AppData\Local\Identities\{944342CA-3D1F-4FB4-B7B2-B5890E6C16F7}\Microsoft\Outlook Express\CA Anti-Spam.dbx 
    C:\Users\Bob\AppData\Local\Identities\{944342CA-3D1F-4FB4-B7B2-B5890E6C16F7}\Microsoft\Outlook Express\Deleted Items.dbx 
    C:\Users\Bob\AppData\Local\Identities\{944342CA-3D1F-4FB4-B7B2-B5890E6C16F7}\Microsoft\Outlook Express\Sent Items.bak 
    C:\Users\Bob\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\14C92F84-0001971D.eml
    C:\Users\Bob\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\160870CC-0001974B.eml 
    C:\Users\Bob\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\306272D6-000196E6.eml 
    C:\Users\Bob\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\36687596-000196B3.eml
    C:\Users\Bob\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\38DB5CA7-00019767.eml 
    C:\Users\Bob\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\51941E9D-00019768.eml 
    C:\Users\Bob\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\570E072F-000196F8.eml 
    C:\Users\Bob\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\097537E6-00001AAA.eml 
    C:\Users\Bob\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\575360BF-00001A99.eml 
    C:\Users\Bob\Desktop\Nikon Capture NX 2.0.0\cnx2.exe
    C:\Users\Bob\Desktop\Nikon Capture NX 2.0.0\cnx2.exe
    C:\Users\Bob\Desktop\zips\Nikon Capture NX 2.0.0.rar
    C:\Users\Bob\Desktop\zips\Nikon Capture NX 2.0.0.rar
    C:\Users\Bob\Documents\Downloads\best windows security for vista and xp 2008\privacy software\xp\evidence eliminator\insteelm2.exe 
    C:\Users\Bob\Documents\Downloads\Nikon Capture NX 2.0.0\cnx2.exe
    C:\Users\Bob\Documents\Downloads\Nikon Capture NX 2.0.0\cnx2.exe
    C:\Users\Bob\Documents\Downloads\Nikon Capture NX 2.0.0.rar
    C:\Users\Bob\Documents\Downloads\Nikon Capture NX 2.0.0.rar
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Also,

Can you let me know how things are now?

:)
  • 0


#32
bob snelgrove

bob snelgrove

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Here ya go. I'll report on how things are after browsing, etc.

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Users\Bob\AppData\Local\Identities\{944342CA-3D1F-4FB4-B7B2-B5890E6C16F7}\Microsoft\Outlook Express\CA Anti-Spam.dbx moved successfully.
C:\Users\Bob\AppData\Local\Identities\{944342CA-3D1F-4FB4-B7B2-B5890E6C16F7}\Microsoft\Outlook Express\Deleted Items.dbx moved successfully.
C:\Users\Bob\AppData\Local\Identities\{944342CA-3D1F-4FB4-B7B2-B5890E6C16F7}\Microsoft\Outlook Express\Sent Items.bak moved successfully.
File/Folder C:\Users\Bob\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\14C92F84-0001971D.eml not found.
File/Folder C:\Users\Bob\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\160870CC-0001974B.eml not found.
File/Folder C:\Users\Bob\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\306272D6-000196E6.eml not found.
File/Folder C:\Users\Bob\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\36687596-000196B3.eml not found.
File/Folder C:\Users\Bob\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\38DB5CA7-00019767.eml not found.
File/Folder C:\Users\Bob\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\51941E9D-00019768.eml not found.
File/Folder C:\Users\Bob\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\570E072F-000196F8.eml not found.
C:\Users\Bob\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\097537E6-00001AAA.eml moved successfully.
C:\Users\Bob\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\575360BF-00001A99.eml moved successfully.
C:\Users\Bob\Desktop\Nikon Capture NX 2.0.0\cnx2.exe moved successfully.
File/Folder C:\Users\Bob\Desktop\Nikon Capture NX 2.0.0\cnx2.exe not found.
C:\Users\Bob\Desktop\zips\Nikon Capture NX 2.0.0.rar moved successfully.
File/Folder C:\Users\Bob\Desktop\zips\Nikon Capture NX 2.0.0.rar not found.
C:\Users\Bob\Documents\Downloads\best windows security for vista and xp 2008\privacy software\xp\evidence eliminator\insteelm2.exe moved successfully.
C:\Users\Bob\Documents\Downloads\Nikon Capture NX 2.0.0\cnx2.exe moved successfully.
File/Folder C:\Users\Bob\Documents\Downloads\Nikon Capture NX 2.0.0\cnx2.exe not found.
C:\Users\Bob\Documents\Downloads\Nikon Capture NX 2.0.0.rar moved successfully.
File/Folder C:\Users\Bob\Documents\Downloads\Nikon Capture NX 2.0.0.rar not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Bob
->Temp folder emptied: 85832304 bytes
->Temporary Internet Files folder emptied: 94694238 bytes
->Java cache emptied: 222262 bytes
->FireFox cache emptied: 78871124 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
File delete failed. C:\Windows\temp\5154f92c-9de3-420d-9465-b6aa857ee3fa.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\JETD6FA.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied: 2591 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 247.60 mb


OTM by OldTimer - Version 3.0.0.4 log created on 07072009_145035

Files moved on Reboot...
C:\Windows\temp\5154f92c-9de3-420d-9465-b6aa857ee3fa.tmp moved successfully.
File C:\Windows\temp\JETD6FA.tmp not found!

Registry entries deleted on Reboot...
  • 0
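Added example, not part of the original thread or of OTM itself: a small Python triage of an OTM results log in the format posted above, showing that a "not found" line for a path that was also moved successfully is just a duplicated script entry. The status names and the `triage` function are assumptions made for this illustration; the sample log is constructed from lines in the post.

```python
import re

# Line shapes taken from the OTM log format shown in the post above.
PATTERNS = [
    ("moved", re.compile(r"^(?P<path>[A-Za-z]:\\.+?) moved successfully\.$")),
    ("not_found", re.compile(r"^File/Folder (?P<path>.+?) not found\.$")),
    ("pending", re.compile(
        r"^File delete failed\. (?P<path>.+?) scheduled to be deleted on reboot\.$")),
    ("not_found", re.compile(r"^File (?P<path>.+?) not found!$")),
]

# Constructed sample: a shortened log assembled from lines in the thread.
SAMPLE_LOG = r"""========== FILES ==========
C:\Users\Bob\Desktop\Nikon Capture NX 2.0.0\cnx2.exe moved successfully.
File/Folder C:\Users\Bob\Desktop\Nikon Capture NX 2.0.0\cnx2.exe not found.
File/Folder C:\Users\Bob\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\14C92F84-0001971D.eml not found.
C:\Users\Bob\Desktop\zips\Nikon Capture NX 2.0.0.rar moved successfully.
========== COMMANDS ==========
File delete failed. C:\Windows\temp\JETD6FA.tmp scheduled to be deleted on reboot.
Files moved on Reboot...
File C:\Windows\temp\JETD6FA.tmp not found!
"""


def triage(log_text):
    """Return ({path: status}, [paths that were listed twice in the script])."""
    history = {}
    for line in log_text.splitlines():
        line = line.strip()
        for event, rx in PATTERNS:
            m = rx.match(line)
            if m:
                # Windows paths are case-insensitive, so key on lower case.
                history.setdefault(m.group("path").lower(), []).append(event)
                break
    status = {}
    for path, events in history.items():
        if "moved" in events:
            status[path] = "removed"          # moved by OTM at least once
        elif events[-1] == "pending":
            status[path] = "pending_reboot"   # still waiting for the reboot pass
        else:
            status[path] = "not_found"        # never seen by OTM: confirm why
    duplicates = sorted(p for p, e in history.items()
                        if "moved" in e and "not_found" in e)
    return status, duplicates


if __name__ == "__main__":
    status, duplicates = triage(SAMPLE_LOG)
    for path, state in sorted(status.items()):
        print(f"{state:15} {path}")
    print("duplicate script entries:", duplicates)
```

Paths that end up as `not_found` without ever being moved are the ones worth a second look, since the log alone does not say whether they were already deleted by hand or were never where the scan reported them.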

#33
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Ok.

Let me know and we'll proceed from there.
  • 0

#34
bob snelgrove

bob snelgrove

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Looking good. I think some of my IE problems are Java related. (trying different home pages)


thx!


bob
  • 0

#35
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Hi bob,

Glad to know things are running better. How is the different home page working out? What exactly was the problem with it?

Now for the good news,

Congratulations, your logs appear clean!! :)

Clean up

Remove ComboFix
Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

OTC
  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it. There are other free alternatives, FIREFOX and OPERA; both are free to use and are more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

You should have a good anti spyware program - We recommend MalwareBytes Anti-Malware and SUPERAntiSpyware.

MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.

WinPatrol - Download and install the free version of WinPatrol. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Spring Cleaning

TFC - Temp File Cleaner by OldTimer - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

Auslogics Disc Defrag or JKDefrag - Two good disc defragmenters for you to choose from.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place
  • 0

#36
bob snelgrove

bob snelgrove

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
chamber,

I got this when I ran the combo uninstall. I disabled avg resident shield but combo said it and anti spyware were still active.

thx

bob

combo_001.png
  • 0

#38
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Hi bob,

Try typing combo-fix /u.

If that doesn't work then just delete the combofix icon on the desktop, C:\combofix and C:\qoobox.

Then,

Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create. When the confirmation screen shows the restore point has been created, click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up on the system restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

Then use OTC and let me know how things are going.
  • 0

#39
bob snelgrove

bob snelgrove

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
chamber,

I had to remove the combo manually. The run command didn't work.

When I tried to run the restore command I got this:

restore.png

I'll wait to hear before continuing.

thx

bob
  • 0

#40
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
To disable System Restore you would follow these steps:

1. Click on the Start button to open your Start Menu. The Start button looks like this: Posted Image
2. Click on the Control Panel menu option.
3. Click on the System and Maintenance menu option.
4. Click on the System menu option.
5. Click on System Protection in the left-hand task list.
6. Uncheck the checkboxes next to each hard drive listed under the Create restore points automatically on the selected disks: section. When you uncheck a disk you will be presented with the following screen.


Posted Image



You should click on the Turn System Protection Off button.

7. Press the Apply button and then the OK button.

System Restore is now disabled on your computer.

Enabling System Restore

1. Click on the Start button to open your Start Menu. The Start button looks like this: Posted Image
2. Click on the Control Panel menu option.
3. Click on the System and Maintenance menu option.
4. Click on the System menu option.
5. Click on System Protection in the left-hand task list.
6. Put a checkmark in the checkboxes next to each hard drive listed under the Create restore points automatically on the selected disks: section.
7. Press the Apply button and then the OK button.

System Restore is now enabled on your computer.


That should work.
  • 0


#41
bob snelgrove

bob snelgrove

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
I did this and still get the error when running "%SystemRoot%\System32\restore\rstrui.exe"


thx


bob






  • 0

#42
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Hi bob, sorry, that was instead of %SystemRoot%\System32\restore\rstrui.exe.

They will both do the same thing.

You should be all good to go.

Are you still having Java problems?
  • 0

#43
bob snelgrove

bob snelgrove

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts




Do you still want me to run cleanmgr?

Yes, even Firefox just "disappears" regularly and IE goes "not responding"


thx

bob
  • 0

#44
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Yes run it.
  • 0

#45
bob snelgrove

bob snelgrove

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
OK

Ran clnmgr and otc.

Both browsers still do the not responding thing but that's been going on for a while.


thx


bob
  • 0





