Solved 5 step virus removal error

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point, using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current (including Service Pack 3 installation!!!)

4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

12. Read "How did I get infected?, With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

13. Please let me know how your computer is doing.
 
Another note: I disabled Avast for 1 hour and started ESET. It ran about half way, which took about an hour, and then it completed the rest of the scan very quickly. I was wondering if Avast turned back on and caused ESET to conclude rapidly?
 
Another question about ESET. When the window opened, it had Remove Threats checked. I checked Scan Archives but I might have unchecked Remove Threats, can't remember exactly. Waiting to hear from you before doing your last post, thanks, jimmy
 
Yes, those threats were not removed.

Let's remove them manually.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    
    :Files
    C:\WINDOWS\system32\update.exe 
    C:\WINDOWS\Downloaded Program Files\juliecam.exe 
    C:\WINDOWS\Downloaded Program Files\star.exe
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\juliecam.exe 
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\star.exe 
    C:\WINDOWS\Downloaded Program Files\CONFLICT.2\juliecam.exe 
    C:\WINDOWS\Downloaded Program Files\CONFLICT.3\juliecam.exe 
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet.zip 
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet8.zip 
    C:\Documents and Settings\All Users\Application Data\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll
    
    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply. Only one log will be created.


Then continue with my reply #51.
 
I figured I would just re-run ESET to check since you logged off. I wanted to increase the Avast disable time, which I set to 'disable until restart'. I then re-ran the ESET scan and it showed the same errors plus two new ones for a total of 12. Here is the 2nd log:

C:\WINDOWS\system32\update.exe a variant of Win32/Aditer trojan cleaned by deleting - quarantined
C:\WINDOWS\Downloaded Program Files\juliecam.exe a variant of Win32/Dialer.AG application cleaned by deleting - quarantined
C:\WINDOWS\Downloaded Program Files\star.exe a variant of Win32/Dialer.AG application cleaned by deleting - quarantined
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\juliecam.exe a variant of Win32/Dialer.AG application cleaned by deleting - quarantined
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\star.exe a variant of Win32/Dialer.AG application cleaned by deleting - quarantined
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\juliecam.exe a variant of Win32/Dialer.AG application cleaned by deleting - quarantined
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\juliecam.exe a variant of Win32/Dialer.AG application cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet8.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP8\A0012599.exe a variant of Win32/Aditer trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP8\A0012600.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined

Additionally, I selected the delete option for quarantined files before hitting FINISH. Sorry about that, getting punch drunk methinks. Think I am ready to proceed, what do you think? Don't yell too loud!
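As an added example (not part of this thread, and not ESET's or OTL's own code), here is a small parser for the ESET log format posted above: it splits each line into path, detection name, category and action, and groups the hits by where they live, so that copies sitting inside System Restore snapshots (the reason for the [CLEARALLRESTOREPOINTS] step) stand out from the live files. The sample lines are copied from the log in this thread; the location classes are my own labels.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample input: a subset of the ESET Online Scanner log lines
# posted in this thread (path, detection name, category, action taken).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\update.exe a variant of Win32/Aditer trojan cleaned by deleting - quarantined
C:\WINDOWS\Downloaded Program Files\juliecam.exe a variant of Win32/Dialer.AG application cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP8\A0012599.exe a variant of Win32/Aditer trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP8\A0012600.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
"""

# One ESET line: <path> [a variant of] <threat> <category> <action>.
# The path may contain spaces, so it is taken non-greedily up to the first
# "<dot><extension><whitespace>" boundary.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.\w{1,4})\s+"   # drive-letter path ending in an extension
    r"(?P<variant>a variant of\s+)?"           # ESET's heuristic-match prefix, optional
    r"(?P<threat>\S+)\s+"                      # e.g. Win32/Aditer
    r"(?P<kind>\w+)\s+"                        # trojan / worm / application
    r"(?P<action>.+?)\s*$"                     # e.g. cleaned by deleting - quarantined
)


class Detection(NamedTuple):
    path: str
    threat: str
    kind: str
    action: str
    heuristic: bool  # True when ESET reported "a variant of"


def parse_eset_log(text: str) -> List[Detection]:
    """Parse every non-empty line; raise on a line the format does not cover."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ESET log line: {line!r}")
        found.append(Detection(m["path"], m["threat"], m["kind"], m["action"],
                               m["variant"] is not None))
    return found


def location_class(path: str) -> str:
    """Assumed labels: where on an XP system the detected file was sitting."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"          # copy kept by System Restore; comes back on a rollback
    if "\\recovery\\" in p or "\\quarantine\\" in p:
        return "tool_backup"            # another tool's own backup/quarantine store
    if "\\downloaded program files\\" in p:
        return "downloaded_program_files"   # IE ActiveX drop folder, common dialer location
    return "other"


def triage(text: str) -> Dict[str, List[Detection]]:
    """Group detections by location class."""
    groups = defaultdict(list)
    for d in parse_eset_log(text):
        groups[location_class(d.path)].append(d)
    return dict(groups)


def restore_point_hits(text: str) -> List[str]:
    """Paths inside System Restore snapshots: what clearing restore points discards."""
    return [d.path for d in triage(text).get("restore_point", [])]
```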
 
Here is the OTL fix log:

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: nate
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: dad
->Temp folder emptied: 111877 bytes
->Temporary Internet Files folder emptied: 133065333 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 470 bytes

User: dad.PREFERRE-406GQB
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Administrator.PREFERRE-406GQB
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: MATRIX
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService.NT AUTHORITY

User: Owner.PREFERRE-406GQB
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService.NT AUTHORITY
->Temporary Internet Files folder emptied: 0 bytes

User: Administrator.PREFERRE-406GQB.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService.NT AUTHORITY.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner.PREFERRE-406GQB.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService.NT AUTHORITY.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService.NT AUTHORITY.001
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner.PREFERRE-406GQB.001
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService.NT AUTHORITY.001
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Judd
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Deana
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Mom
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 664 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 127.00 mb


[EMPTYFLASH]

User: Default User
->Flash cache emptied: 0 bytes

User: All Users

User: NetworkService

User: LocalService

User: nate
->Flash cache emptied: 0 bytes

User: dad
->Flash cache emptied: 0 bytes

User: dad.PREFERRE-406GQB

User: Administrator

User: Administrator.PREFERRE-406GQB
->Flash cache emptied: 0 bytes

User: MATRIX
->Flash cache emptied: 0 bytes

User: NetworkService.NT AUTHORITY

User: Owner.PREFERRE-406GQB

User: LocalService.NT AUTHORITY

User: Administrator.PREFERRE-406GQB.000

User: NetworkService.NT AUTHORITY.000

User: Owner.PREFERRE-406GQB.000

User: LocalService.NT AUTHORITY.000

User: NetworkService.NT AUTHORITY.001

User: Owner.PREFERRE-406GQB.001

User: LocalService.NT AUTHORITY.001

User: Judd
->Flash cache emptied: 0 bytes

User: Deana
->Flash cache emptied: 0 bytes

User: Mom
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: Default User

User: All Users

User: NetworkService

User: LocalService

User: nate
->Java cache emptied: 0 bytes

User: dad
->Java cache emptied: 0 bytes

User: dad.PREFERRE-406GQB

User: Administrator

User: Administrator.PREFERRE-406GQB
->Java cache emptied: 0 bytes

User: MATRIX
->Java cache emptied: 0 bytes

User: NetworkService.NT AUTHORITY

User: Owner.PREFERRE-406GQB

User: LocalService.NT AUTHORITY

User: Administrator.PREFERRE-406GQB.000

User: NetworkService.NT AUTHORITY.000

User: Owner.PREFERRE-406GQB.000

User: LocalService.NT AUTHORITY.000

User: NetworkService.NT AUTHORITY.001

User: Owner.PREFERRE-406GQB.001

User: LocalService.NT AUTHORITY.001

User: Judd
->Java cache emptied: 0 bytes

User: Deana
->Java cache emptied: 0 bytes

User: Mom
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 02102012_170719

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\dad\Local Settings\Temp\~DFCF55.tmp not found!
File\Folder C:\Documents and Settings\dad\Local Settings\Temp\~DFD218.tmp not found!
File\Folder C:\Documents and Settings\dad\Local Settings\Temporary Internet Files\Content.IE5\ZVDM9SFF\╪***vk not found!
File\Folder C:\Documents and Settings\dad\Local Settings\Temporary Internet Files\Content.IE5\ZVDM9SFF\ not found!
File\Folder C:\Documents and Settings\dad\Local Settings\Temporary Internet Files\Content.IE5\ZVDM9SFF\r not found!
File\Folder C:\Documents and Settings\dad\Local Settings\Temporary Internet Files\Content.IE5\4M82YD0O\ not found!
C:\Documents and Settings\dad\Local Settings\Temporary Internet Files\Content.IE5\9UOPK6TK\showthread[1].htm moved successfully.
C:\Documents and Settings\dad\Local Settings\Temporary Internet Files\Content.IE5\9UOPK6TK\background-banner-middle-v9[1].jpg moved successfully.
C:\Documents and Settings\dad\Local Settings\Temporary Internet Files\Content.IE5\9UOPK6TK\list-item-plus[1].png moved successfully.
C:\Documents and Settings\dad\Local Settings\Temporary Internet Files\Content.IE5\9UOPK6TK\background_banner_green_50_v9[1].jpg moved successfully.
C:\Documents and Settings\dad\Local Settings\Temporary Internet Files\Content.IE5\HIRENNQ8\api[2].htm moved successfully.
C:\Documents and Settings\dad\Local Settings\Temporary Internet Files\Content.IE5\HIRENNQ8\background_button_green_full[1].png moved successfully.
C:\Documents and Settings\dad\Local Settings\Temporary Internet Files\Content.IE5\HIRENNQ8\background-banner-right-v9[1].jpg moved successfully.
C:\Documents and Settings\dad\Local Settings\Temporary Internet Files\Content.IE5\HIRENNQ8\api[1].htm moved successfully.
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...
 
Overall, the machine is excellent, but I haven't gotten to everything yet. I will be sure to comment. Working on my Windows updates getting ready for SP3. Having a problem with the .Net 2.0 install but I found some Microsoft help pages for that, just taking more time as everyone wants to get on. That last OTL script didn't remove the restore points, but I did it manually through Start/Control Panel/System/System Restore.

Do I just leave MBR on the desktop? Is that the running copy now?
Also having jusched.exe ending after a few minutes online, but I am waiting until I have all the Windows updates in.

Thanks so much for the help, the malwares & infections are gone.
 
You can delete it.

Thanks!

And thank you again for the jusched fix, you truly are a Malware Annihilator!

Got the .Net 2.0 out of the way, everything is ready for SP3, or so I thought. Freakin' computers, I luv 'em but they drive me insane sometimes. Through the Windows Update site it failed after looking like it was working. It does everything and installs the files, and when it goes to update the registry, the SP3 setup gets an error saying "access is denied". Been following the Microsoft help page. Downloaded the SP3 from their download center and tried to install that way but got the same error. Disabled Avast & tried again, same error. That is where I stopped last night. Next step goes to the registry. I am working off this page:

http://support.microsoft.com/kb/949377

Breakfast is ready! Gotta go. I'll be back later. jimmy
 
I am installing from a downloaded copy and see everything: first it inspects, does an inventory, does backups of files and registry, creates a restore point and installs the files, then it goes to updating the registry, and a popup of 'access is denied' pops up.
The exact error message is 'access is denied'; when clicking OK to that msg I get:
Service Pack 3 setup error. Service Pack installation did not complete. Clicking OK to that uninstalls everything and auto reboots.

Here is the page I am working from:
http://support.microsoft.com/kb/949377
I did the two resolutions and the Microsoft Fix It wizard under Reset the registry and the file permissions, which they recommend if the two resolutions don't work. That finished OK, same error every time.

Then, on this page, which I got from the Microsoft knowledge database,
http://www.askvg.com/windows-xp-service-pack-3-sp3-setup-error-access-is-denied/
I created the SP3.bat file and ran it, which was nice because it showed everything as it did it. And I saw an Avast reg key 'RegSetKeySecurity' during resetting the ACL.
I finally found the Troubleshooting tab under Settings in Avast and disabled the 3 items that were selected, boot scans and such, set the shields to disabled permanently and rebooted thinking I had it now. No such luck, same error comes up. I am thinking of uninstalling Avast and trying that. Again, what am I missing with Avast, because I believe I am not properly disabling it? Thanks, out of here probably for the night but I would really appreciate your help. jimmy
 
Let's run the following tool. This will help determine which files need permissions restored.

Please download and save Junction.zip

Unzip it and place Junction.exe in the Windows directory (C:\Windows).
Go to Start>Run (Vista and Windows 7 users use "Start search" box).
Copy and paste the following command in the Run box and click OK (Vista and Windows 7 users press "Enter"):

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system.
Wait until a log file opens.
Copy and paste the log in your next reply.
 
Window opened & got 'junction is not recognized as an internal or external command, operable program or batch file.'
 
Another thing I saw each time I attempted the install, after it failed & recovered & rebooted. When I logged on, a cmd window would open, and I could only catch part of the msg as the window auto closed in a sec. Something was not found, I believe the msg said, but not sure, it closed real fast. Do you know if that is saved somewhere on the machine? Checked Event Viewer for System, did not see it there. Got a couple of errors in Event Viewer, maybe I should work on them first. One is a printer spooler service and another is the upload manager service failed to start, acct specified for this service is different from acct specified for other services running same process.
 
At this point....

In this forum, we make sure your computer is free of malware, and your computer is clean :)
Because access to the malware forum is very limited, your best option is to create a new topic about your current issue in the Windows section.
You'll get more attention.

Good luck!
 
Thanks Broni, I totally understand. Just trying to take advantage of you! :)

A last update for ya: the machine is running excellent & I like Avast already. The install of the Recovery Console boot screen is way cool.

I uninstalled Avast, the SP3 install still got 'access is denied', so it is not Avast.
Then I nuked an old printer/scanner service in the registry with RegSeeker; I only use the search function as the rest of it scares me a bit. Upon reload, my Event Viewer was clean of errors, still no go on the install of SP3. Concentrated on trying to see the dataset that pops up in a cmd window after logging on after the uninstall of SP3. The dataset was C:\Windows\Installer\..... Client....... and the extension was .vbs, I think. Nothing in the Installer folder looked even close, no vbs extensions anywhere on my system. Gonna try Microsoft, yeah, this ought to be good. Thanks again. jimmy
 
Last post on this thread. Started reading posts on windows/installer and the bad things that can happen and it all came back to me. A few years ago, I think I ran that Windows Installer Cleanup utility, it is all a blur now. They should call that utility Really Bad Things Can Happen! :) Gonna stop for now with SP2, this unit doesn't have much life left methinks. Thought for sure the hard drive had bitten the dust, so, all in all, I am extremely happy with it as it is. later, jimmy

p.s. - read a post about it where the lady called Microsoft support for help and things ended worse than she started. Guess I will not be calling Microsoft!
 