Thanks. We get backed up here when the moon is full and people click on everything that pops up!
I'd like you to submit a file for identification. It's been getting removed and keeps coming back:
Please go to http://virusscan.jotti.org/en to upload a suspicious file for analysis.
- Copy this file and paste it in the Submit box:
C:\WINDOWS\system32\mssque32.exe,
- Click on Submit.
- Wait for the scan. Paste the results in your next reply.
Avira names it TR/Crypt.ZPACK.Gen and states "generic" and "unknown variant". That's too vague.
userinit specifies the programs that Winlogon runs when a user logs on.
-------------
Please download OTMoveIt by Old Timer and save it to your desktop.
Important: before you run OTMoveIt, you will need to unhide files:
Control Panel> Folder Options> View tab>
Uncheck 'do not show hidden files and folders'>
Check 'show hidden files and folders'>
Uncheck 'hide protected operating system files-Recommended'>
Uncheck 'hide extensions of known file types'> Apply> OK.
- Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
:Processes
:Services
c:\windows\system32\GameMon.des
:Reg
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]"AB141C35E9F4BF344B9FC010BB17F68A"=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]"AB141C35E9F4BF344B9FC010BB17F68A"=""
:Files
c:\docume~1\Trias\LOCALS~1\Temp\NBV158.tmp
c:\windows\system32\GameMon.des -service
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
- Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
- Click the red Moveit! button.
- A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
- Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
---------------------------------------
Please go back and hide the files and folders.
When you have finished, rescan with HijackThis and leave the new log, the virus ID and the OTMoveIt log.
We'll go from there.
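Since the post mentions that the Winlogon Userinit value controls what runs at logon, here is an added PowerShell check (not from the original post or the tools it names) that lists the Userinit and Shell entries and flags anything beyond the defaults. It assumes the Windows XP defaults (userinit.exe and Explorer.exe); adjust the expected values for other Windows versions.

```powershell
# Added example, not part of the original post: enumerate the programs Winlogon
# launches at logon (Userinit and Shell values) and flag unexpected entries.
# Assumption: expected defaults are those of Windows XP; adjust for other versions.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Userinit = @("$env:SystemRoot\system32\userinit.exe")
    Shell    = @('Explorer.exe')
}

$props = Get-ItemProperty -Path $key

foreach ($name in $expected.Keys) {
    $raw = $props.$name
    Write-Host "$name = $raw"

    # Entries are comma-separated; Userinit normally ends with a trailing comma,
    # which is why empty items are dropped after splitting.
    $entries = $raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    foreach ($entry in $entries) {
        $isDefault = $expected[$name] | Where-Object { $entry -ieq $_ }
        if ($isDefault) {
            Write-Host "  expected  : $entry"
        } else {
            # Strip any arguments before checking whether the file is still on disk;
            # a missing file can mean a remnant entry, a present one a live addition.
            $exePath = ($entry -split ' ')[0]
            $exists  = Test-Path -LiteralPath $exePath
            Write-Host "  UNEXPECTED: $entry (file present: $exists)"
        }
    }
}
```

Run it from an elevated PowerShell prompt; any line marked UNEXPECTED is worth submitting for identification the same way as the file above.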