Malwarebytes - blocked potentially malicious website popup
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    DRV - File not found [Kernel | On_Demand | Unknown] -- -- (a0tp9dkh)
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
    O3 - HKU\S-1-5-21-1220945662-1004336348-839522115-1003\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html File not found
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    [2011/02/07 01:18:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\iKkHgEc01804
    
    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

==========================================================================

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it.
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Do NOT post JavaRa log.

===============================================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE: SecurityCheck may produce some false warning(s), so leave reading the results to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.


3. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart the computer.


4. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE: If ESET doesn't find any threats, it won't produce a log.
 
OTL seems to make the computer unresponsive.

I copy what was in your post for the custom scan/fixes. Close everything that's open on the computer. Run OTL, paste into custom scan/fixes, and click Run Fix.

The entire desktop disappears, along with the Windows task bar. OTL is the only visible window. At the bottom of OTL it says

Killing Processes. Do not Interrupt...

I left it there for around two hours, nothing changed. Even scrolling the mouse over the minimize button showed no tool-tip. So I restarted the computer.

I now have a Thumbs.db file on the desktop, same location as OTL.

Should I try running OTL in safe mode?
 
:eek: worked like a charm...

Here's the log... *though my Windows log-in screen seems a lot different now???*

All processes killed
========== OTL ==========
Error: No service named a0tp9dkh was found to stop!
Service\Driver key a0tp9dkh not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ not found.
Registry value HKEY_USERS\S-1-5-21-1220945662-1004336348-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Google Sidewiki...\ deleted successfully.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\ not found.
Folder C:\Documents and Settings\All Users.WINDOWS\Application Data\iKkHgEc01804\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 3329024 bytes

User: Administrator.NONE-76AAAFB655
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: All Users.WINDOWS

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56475 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 39947 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Owner
->Temp folder emptied: 111183617 bytes
->Temporary Internet Files folder emptied: 511439 bytes
->Java cache emptied: 206206 bytes
->FireFox cache emptied: 2516295 bytes
->Google Chrome cache emptied: 344453065 bytes
->Flash cache emptied: 105874 bytes

User: suskawicz
->Temp folder emptied: 17171927 bytes
->Temporary Internet Files folder emptied: 12507666 bytes
->FireFox cache emptied: 43564121 bytes
->Flash cache emptied: 10074 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 21962914 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 59411502 bytes
RecycleBin emptied: 21361353 bytes

Total Files Cleaned = 611.00 mb


[EMPTYJAVA]

User: Administrator

User: Administrator.NONE-76AAAFB655

User: All Users

User: All Users.WINDOWS

User: Default User

User: Default User.WINDOWS

User: LocalService

User: LocalService.NT AUTHORITY

User: NetworkService

User: NetworkService.NT AUTHORITY

User: Owner
->Java cache emptied: 0 bytes

User: suskawicz

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator

User: Administrator.NONE-76AAAFB655

User: All Users

User: All Users.WINDOWS

User: Default User

User: Default User.WINDOWS
->Flash cache emptied: 0 bytes

User: LocalService

User: LocalService.NT AUTHORITY

User: NetworkService

User: NetworkService.NT AUTHORITY

User: Owner
->Flash cache emptied: 0 bytes

User: suskawicz
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.48.0 log created on 06122012_205318

Files\Folders moved on Reboot...
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{FB803E89-6A91-4859-9FD5-628CA1D2CEFD}\ISSetup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{FB803E89-6A91-4859-9FD5-628CA1D2CEFD}\_Setup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{F42C7114-8E60-4889-9C1B-FC14821FEEB8}\ISSetup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{F42C7114-8E60-4889-9C1B-FC14821FEEB8}\_Setup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{B2ED9C26-7996-4DCE-AB0D-87B0651B275A}\ISSetup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{B2ED9C26-7996-4DCE-AB0D-87B0651B275A}\_Setup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{A3C35D4D-5F6F-41F6-98B1-98E1F276AC77}\ISSetup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{A3C35D4D-5F6F-41F6-98B1-98E1F276AC77}\_Setup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{52F5DBFA-47DE-4107-81AE-98B95DBCD3C3}\ISSetup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{52F5DBFA-47DE-4107-81AE-98B95DBCD3C3}\_Setup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{18CF8319-1B00-4DBC-99DC-2E39FF88B278}\ISSetup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{18CF8319-1B00-4DBC-99DC-2E39FF88B278}\_Setup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\IEC17.tmp scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\IEC57.tmp scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\set15.tmp scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\_is2.tmp scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\_is3.tmp scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\_is76.exe scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\_is77.exe scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\_is78.exe scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\_is79.exe scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\_is81.exe scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\_is82.exe scheduled to be moved on reboot.

Registry entries deleted on Reboot...
 
also the extension of files on my current is no longer visible...

was this change because of OTL???

If so, do you know how to put it back, or will a quick Google search suffice?

Edit : fixed...
 
The pop-up from Malwarebytes is back (first post)... I saw it twice today. :( Haven't seen it for days... thought it was gone.

Here's the logs.. I still have to complete the ESET Online Scanner scan, my computer felt like shutting off when I was about 50% through... will start it now.


==== CheckUp Log ====
Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
AVG Security Toolbar
```````````````````````````````
Anti-malware/Other Utilities Check:

DJ Java Decompiler v.3.12.12.96
JavaFX 2.1.1
JavaFX 2.0.3 SDK
Java(TM) 6 Update 31
Java(TM) 7 Update 5
Java(TM) SE Development Kit 7 Update 3
Java 3D 1.5.2
Out of date Java installed!
Adobe Flash Player 9 (Out of date Flash Player installed!)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastUI.exe
``````````End of Log````````````
=== FSS Log ===
Farbar Service Scanner Version: 09-06-2012
Ran by Owner (administrator) on 12-06-2012 at 21:47:10
Running from "C:\Documents and Settings\Owner\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================
File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
**** End of log ****
 
Here's the ESET Log

C:\Program Files\LivingPlay Games\lplayun.exe    a variant of Win32/Adware.Gamevance.BE application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{AC58636A-A9BA-4ECD-8B69-7EB1164988F8}\RP248\A0177690.dll    a variant of Win32/Adware.Gamevance.BR application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{AC58636A-A9BA-4ECD-8B69-7EB1164988F8}\RP248\A0177693.exe    a variant of Win32/Adware.RK application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{AC58636A-A9BA-4ECD-8B69-7EB1164988F8}\RP256\A0194846.dll    a variant of Win32/Adware.Yontoo.B application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{AC58636A-A9BA-4ECD-8B69-7EB1164988F8}\RP256\A0194847.dll    a variant of Win32/Adware.Yontoo.B application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{AC58636A-A9BA-4ECD-8B69-7EB1164988F8}\RP256\A0194848.dll    a variant of Win32/Adware.Gamevance.BR application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{AC58636A-A9BA-4ECD-8B69-7EB1164988F8}\RP256\A0194849.dll    a variant of Win32/Adware.Gamevance.BR application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{AC58636A-A9BA-4ECD-8B69-7EB1164988F8}\RP256\A0197905.exe    a variant of Win32/Adware.Gamevance.BE application    cleaned by deleting - quarantined
 
Update Adobe Flash Player
Download the Latest Adobe Flash for Firefox and IE Without Any Extras: http://www.404techsupport.com/2010/...-flash-for-firefox-and-ie-without-any-extras/

=======================================================

Uninstall:
JavaFX 2.1.1
JavaFX 2.0.3 SDK
Java(TM) 6 Update 31
Java(TM) SE Development Kit 7 Update 3
Java 3D 1.5.2

==============================================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point, using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.
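Why step 1 clears the restore points: in the ESET log above, every detection except lplayun.exe sits under System Volume Information\_restore{...}\RP<n>\, i.e. inside an old restore point that a rollback would bring straight back. The script below is an added example (not from the thread, ESET or OTL) that parses an ESET Online Scanner text export and separates live files from restore-point copies; it assumes the export is tab-separated (path, detection, action) and also handles lines where the tab separators were lost when the log was pasted. The sample log is constructed from the thread's ESET lines.

```python
"""Triage an ESET Online Scanner text export: which detections are live
files on the system and which only exist inside System Restore snapshots."""
import re
from collections import Counter
from dataclasses import dataclass

# Objects inside restore points: <drive>:\System Volume Information\_restore{GUID}\RP<n>\...
RESTORE_POINT_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\"
)
# Fallback for pasted copies where the tab separators were lost: the detection
# text starts with "(probably) a variant of Win32/..." and ends with the ESET
# object type, so we can still split path / threat / action.
FUSED_LINE_RE = re.compile(
    r"^(?P<path>.+?)"
    r"(?P<threat>(?:probably )?(?:a variant of )?Win32/\S+ (?:application|trojan|worm|virus))"
    r"(?P<action>.*)$"
)

# Constructed sample, built from the ESET lines posted in the thread (tab-separated).
SAMPLE_LOG = (
    "C:\\Program Files\\LivingPlay Games\\lplayun.exe\ta variant of Win32/Adware.Gamevance.BE application\tcleaned by deleting - quarantined\n"
    "C:\\System Volume Information\\_restore{AC58636A-A9BA-4ECD-8B69-7EB1164988F8}\\RP248\\A0177690.dll\ta variant of Win32/Adware.Gamevance.BR application\tcleaned by deleting - quarantined\n"
    "C:\\System Volume Information\\_restore{AC58636A-A9BA-4ECD-8B69-7EB1164988F8}\\RP248\\A0177693.exe\ta variant of Win32/Adware.RK application\tcleaned by deleting - quarantined\n"
    "C:\\System Volume Information\\_restore{AC58636A-A9BA-4ECD-8B69-7EB1164988F8}\\RP256\\A0194846.dll\ta variant of Win32/Adware.Yontoo.B application\tcleaned by deleting - quarantined\n"
    "C:\\System Volume Information\\_restore{AC58636A-A9BA-4ECD-8B69-7EB1164988F8}\\RP256\\A0194847.dll\ta variant of Win32/Adware.Yontoo.B application\tcleaned by deleting - quarantined\n"
    "C:\\System Volume Information\\_restore{AC58636A-A9BA-4ECD-8B69-7EB1164988F8}\\RP256\\A0194848.dll\ta variant of Win32/Adware.Gamevance.BR application\tcleaned by deleting - quarantined\n"
    "C:\\System Volume Information\\_restore{AC58636A-A9BA-4ECD-8B69-7EB1164988F8}\\RP256\\A0194849.dll\ta variant of Win32/Adware.Gamevance.BR application\tcleaned by deleting - quarantined\n"
    "C:\\System Volume Information\\_restore{AC58636A-A9BA-4ECD-8B69-7EB1164988F8}\\RP256\\A0197905.exe\ta variant of Win32/Adware.Gamevance.BE application\tcleaned by deleting - quarantined\n"
)


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    action: str

    @property
    def restore_point(self):
        """RP number if the object lives in a System Restore snapshot, else None."""
        m = RESTORE_POINT_RE.match(self.path)
        return int(m.group("rp")) if m else None

    @property
    def family(self):
        """'Win32/Adware.Gamevance.BE' out of 'a variant of Win32/Adware.Gamevance.BE application'."""
        m = re.search(r"Win32/\S+", self.threat)
        return m.group(0) if m else self.threat


def parse_line(line):
    """Parse one export line; returns a Detection or None for unrecognised lines."""
    line = line.rstrip("\r\n")
    if not line.strip():
        return None
    fields = line.split("\t")
    if len(fields) >= 3:  # well-formed export: path<TAB>threat<TAB>action
        return Detection(fields[0].strip(), fields[1].strip(), fields[2].strip())
    m = FUSED_LINE_RE.match(line)  # separators lost in a copy/paste
    if m:
        return Detection(m.group("path").strip(), m.group("threat").strip(), m.group("action").strip())
    return None


def parse_eset_log(text):
    return [d for d in (parse_line(l) for l in text.splitlines()) if d]


def triage(text):
    """Split detections into live files vs restore-point copies and count families."""
    dets = parse_eset_log(text)
    live = [d for d in dets if d.restore_point is None]
    rps = sorted({d.restore_point for d in dets if d.restore_point is not None})
    return {
        "total": len(dets),
        "live_paths": [d.path for d in live],
        "restore_points": rps,
        "families": Counter(d.family for d in dets),
    }


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"{r['total']} detections, {len(r['live_paths'])} live on disk:")
    for p in r["live_paths"]:
        print("  live:", p)
    print("restore points holding infected copies:", r["restore_points"])
    for fam, n in r["families"].most_common():
        print(f"  {fam}: {n}")
```

Any restore point listed in the output would reintroduce the quarantined adware if used for a rollback, which is what the [CLEARALLRESTOREPOINTS] step above prevents.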

2. Now, we'll remove all the tools we used during our cleaning process

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please let me know how your computer is doing.
 
Here's the OTL log... my modem died or something.

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: Administrator

User: Administrator.NONE-76AAAFB655

User: All Users

User: All Users.WINDOWS

User: Default User

User: Default User.WINDOWS

User: LocalService

User: LocalService.NT AUTHORITY

User: NetworkService

User: NetworkService.NT AUTHORITY

User: Owner
->Java cache emptied: 0 bytes

User: suskawicz

Total Java Files Cleaned = 0.00 mb

Unable to start System Restore Service. Error code 10

OTL by OldTimer - Version 3.2.48.0 log created on 06182012_205415

Files\Folders moved on Reboot...
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{FB803E89-6A91-4859-9FD5-628CA1D2CEFD}\ISSetup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{FB803E89-6A91-4859-9FD5-628CA1D2CEFD}\_Setup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{F42C7114-8E60-4889-9C1B-FC14821FEEB8}\ISSetup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{F42C7114-8E60-4889-9C1B-FC14821FEEB8}\_Setup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{B2ED9C26-7996-4DCE-AB0D-87B0651B275A}\ISSetup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{B2ED9C26-7996-4DCE-AB0D-87B0651B275A}\_Setup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{A3C35D4D-5F6F-41F6-98B1-98E1F276AC77}\ISSetup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{A3C35D4D-5F6F-41F6-98B1-98E1F276AC77}\_Setup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{52F5DBFA-47DE-4107-81AE-98B95DBCD3C3}\ISSetup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{52F5DBFA-47DE-4107-81AE-98B95DBCD3C3}\_Setup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{18CF8319-1B00-4DBC-99DC-2E39FF88B278}\ISSetup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\{18CF8319-1B00-4DBC-99DC-2E39FF88B278}\_Setup.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\IEC17.tmp scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\IEC57.tmp scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\set15.tmp scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\_is2.tmp scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\_is3.tmp scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\_is76.exe scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\_is77.exe scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\_is78.exe scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\_is79.exe scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\_is81.exe scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\suskawicz\Local Settings\Temp\_is82.exe scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Going to go clean-up now...

As far as my computer goes, I have still seen that pop-up about the malicious website trying to connect with me...
And the problem with the internet, random disconnects...
 
That's not good.

Let's try to boot your computer using the Ultimate Boot CD for Windows (UBCD4win).

Please print this guide for future reference!

You will need a blank CD, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

Step 1:

1. Download and Run Ultimate Boot CD for Windows
  • Save it to your Desktop.
  • Double-Click on the UBCD4Win.EXE that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
    NOTES:
    • Do not install to a folder with spaces in its name.
    • Your Anti-Virus may report viruses or trojans when you extract UBCD4Win, these are "False-Positives." Read HERE for information regarding the files that normally trigger AV software.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on UBCD4WinBuilder.exe located in your C:\ubcd4win folder.
  • Click "I agree" to the Builders License.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
      • Source:(path to Windows installation files)
        • Enter the path to the drive where your XP CD is located.
        • You can click on the "..." button on the right to navigate to the path as well.
      • Custom: (include files and folders from this directory)
        • No information is necessary, leave blank.
      • Output: (C:\ubcd4win\BartPE)
        • Keep the default BartPE
    • Media output
      • Choose Create ISO image
      • Do not choose Burn to CD/DVD


      Please note: If your XP install disc is SP1 then please .....
      1. Disable- DComLaunch Service
      2. Enable- LargeIDE Fix

        This can be done by pressing the "Plugin" button and checking or unchecking the appropriate selections

      Also note: If you have a Dell XP install disc you will need to follow the instructions here
      http://www.ubcd4win.com/faq.htm#dell

3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click Close, then Exit

4. Burn your ISO file to CD
  • Please see HERE on how to burn an ISO to CD.

==========

Step 2:

Next, from your clean computer:

Download Farbar Recovery Scan Tool
and save it to your flash drive.

Now plug your flashdrive back into your sick computer and follow the next instructions:

==========

Step 3:

1. Restart Your sick Computer Using the UBCD4Win Disc That You Have Created
  • Insert the UBCD4Win disc in to one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the UBCD4Win CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • In the window that pops up select Launch The Ultimate Boot CD For Windows and press Enter.
    • It may take a little longer for the Desktop to appear than it does when you start your computer normally. Just let the process run itself until the desktop appears.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on Yes if you want to use the PE environment to get online, post your log and reply by way of an Ethernet connection.
  • You should now have a desktop that looks like this:
    [screenshot: Main.jpg]

==========

Step 4:

  • Single click My Computer from your UBCD4Win desktop to navigate to the Farbar Recovery Scan Tool you saved to your flash drive.
  • Double click on it to begin running the tool.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your next reply.
 
Heres the update...

I've tried to find the XP disc... I can't. I got this computer from my uncle, who custom built it himself. He swears he gave the disc to me.

Do I need a CD with XP on it? Your instructions say both... a blank one and one with XP Service Pack 3 (in my case)?

The "clean" computer that I plan on using does not have a CD burner... just a normal CD drive...???

I have heard of bootable flash drives with ISOs on them... if that is possible, could you walk me through that???

Would calling my ISP and changing my IP address resolve these malicious websites that are trying to connect with me???
 
In your case you create the CD on your computer, but you still need the Windows XP CD.
Ask around. Some friend may have it.
 
And probably the biggest question, and I don't mean this to say that I don't believe you are capable of cleaning my computer; I only mean this for convenience for you and me...

Would just a reformat of the hard drive and a fresh install of Windows resolve this issue???

I don't have a burner on this computer either... :'( Sorry I left that out; I thought my computer was out of the question...

I have a buddy in Chicago who went to college for computer sciences... basically he's boss... :)

More than positive he'll have the means to do this...

I mentioned the other day to him that I was having this problem and he was interested in helping, I told him I was working with you on this... but I guess I'll see if I can get him on board...

For the meantime, my Malwarebytes trial is going to end... which means I'll be switching to the free version of the program, but that version does not have the Malicious Website Blocking feature that I currently have...

So after my trial runs out, should I stay disconnected from the internet until I'm ready to post the FRST log???
 
Would just a reformat of the harddrive and fresh install of windows resolve this issue???
Absolutely.

So after my trial runs out should I stay disconnected from the internet until I'm ready to post the FRST log???
Not necessarily.
 
well... "Not necessarily", doesn't do it for me... :eek:

Could the repercussion of staying connected while not blocking the malicious websites result in further infection of my computer???
Or will my computer be alright... cause right now it still works and the internet is working...
 
Well, we don't know what type of infection we're dealing with here, so if you can afford to stay disconnected, that would be the best option.
 
I haven't been using my internet, but I wanted to update you on what's going on...

I'm still waiting to hear back from my friend about the XP disc and stuff.

I'm also having some serious issues with my internet and modem. I went to use my Xbox (connected by Ethernet directly to the modem) and
the connection failed...

Could not resolve DNS something or something...

It has been like this for a couple of days now... no connection, nothing; even the cable company could not get the modem to connect to the internet.

I'm breaking up my post because I think I'm going to get disconnected...
 
In the system Event Viewer (under Admin in the Control Panel), in the Security log, around every 3 seconds a new entry appears.

The category is Policy and it says that Windows Firewall group policy has been applied...

There are also lots of svchost processes running in my Task Manager... one kept spiking resources only when I plug my computer's Ethernet into the modem. So I decided to terminate it; afterward a system shutdown was initiated by NT AUTHORITY\Network Service.

I have found references to this NT AUTHORITY\Network Service all over Event Viewer...

Lots are logons and logoffs...
Setting security privileges to the account...

I have also seen Anonymous attempt to log on to my computer...
 
In the Event Viewer there was an entry that said

svchost(1764): an attempt to open the file "C:\WINDOWS\system32\CatRoot2\edb.log" for read/write access failed with system error 5, "Access Denied"

Not sure what that is about...

Also, a lot of the services on the computer, especially those that have to do with networking (DNS Client, DHCP Client) and just about everything to do with remote access, have their logon configuration under their properties set to

This account: NT AUTHORITY\Network Service

rather than what just about everything else is set to:

Local System account

None of this means much to me; I really don't know that much about computers, but this stuff seemed shady...
 
There is also a bunch of really strange stuff going on...

Like the Event Log service stopping and then restarting...

While I was sitting next to my computer, already logged on, I saw an entry created in the Event Viewer of apparently me trying to log in to my computer using my user name, but the login failed because of a bad password... wtf

There is also a really strange service called

##Id_String2.6844F930_1628_4223_B5CC_5BB94B879762##
and that's also the description of the service...

It also has a dependency on the TCP/IP Protocol Driver.

I also scheduled a boot-time scan with avast and it found a rootkit on my computer and deleted it...
Win32:Rootkit-gen [Rtk]; the process it was running in was alg.exe
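The post above lists several things seen by hand in Services and Event Viewer: a service whose name and description are an unresolved "##Id_String...##" resource string, many svchost instances, networking services running as Network Service, and a Security-log entry repeating every few seconds. The script below is an added triage example, not code from this thread or from any of the tools mentioned in it. It assumes Windows XP SP3 with Windows PowerShell 2.0 installed (so WMI, registry drives and Get-EventLog are available) and an administrator prompt; the 10-minute window and the "outside %SystemRoot%" heuristic are the author's choices, not anything the original posts specify.

```powershell
# Added triage script (not from the thread). Assumes XP SP3 + PowerShell 2.0,
# run as an administrator. Read-only: it changes nothing on the machine.

# 1. Every service: the account it runs as and the binary it loads.
$services = Get-WmiObject -Class Win32_Service |
    Select-Object Name, DisplayName, Description, StartName, StartMode, State, PathName

# A display name or description that is still a raw "##Id_String...##" token
# means the installer never resolved its resource string. Not proof of malice,
# but worth matching against the PathName and ServiceDll below.
"== Services whose name or description is an unresolved ##Id_String## token =="
$services | Where-Object {
    $_.DisplayName -match '^##Id_String' -or $_.Description -match '^##Id_String'
} | Format-Table Name, DisplayName, StartName, State, PathName -AutoSize

# 2. svchost-hosted services: the real code is the DLL named by
#    HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll.
#    A stock XP service DLL lives under %SystemRoot%; flag anything else.
"== svchost-hosted services and the DLL each one loads =="
foreach ($s in ($services | Where-Object { $_.PathName -match 'svchost\.exe' })) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($s.Name)\Parameters"
    $dll = $null
    if (Test-Path $key) {
        $dll = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ServiceDll
    }
    $flag = ''
    if ($dll -and ($dll -notmatch '^(%SystemRoot%|[A-Za-z]:\\WINDOWS)\\')) {
        $flag = '<-- DLL outside %SystemRoot%, inspect'   # heuristic, assumption
    }
    "{0,-26} {1,-30} {2} {3}" -f $s.Name, $s.StartName, $dll, $flag
}

# 3. Services running as Network Service. On XP this is the normal account for
#    DNS Client, DHCP Client, Remote Registry and others, so the account by
#    itself is expected; compare PathName/ServiceDll, not the account.
"== Services whose logon account is NetworkService =="
$services | Where-Object { $_.StartName -match 'NetworkService' } |
    Format-Table Name, StartMode, State, PathName -AutoSize

# 4. Event rate: an entry that fires every few seconds (such as the
#    'Windows Firewall group policy has been applied' policy event) shows up
#    as a Source/EventID pair with dozens of hits in a short window.
$since = (Get-Date).AddMinutes(-10)
foreach ($log in 'Security', 'System') {
    "== $log log: entries per Source/EventID in the last 10 minutes =="
    Get-EventLog -LogName $log -After $since -ErrorAction SilentlyContinue |
        Group-Object Source, EventID |
        Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name |
        Format-Table -AutoSize
}
```

Run it once while the machine is connected and once while unplugged: a service or event source that appears only in the connected run is the one to line up against the "svchost spikes when Ethernet is plugged in" observation. The output is for reading and for pasting into a reply; it does not stop, delete or rename anything, so it is safe to run before a helper has looked at the FRST log.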
 