Recurring virus/malware even when quarantined

Solved
By phhege
Mar 20, 2010
Topic Status:
Not open for further replies.
  1. recent find using avg free version...did full system scan 36 viruses or unwanted programs found...prompted to restart but computer refused to get OS running...was able to boot from CD with non destructive start when I hit the R key but that's another thread topic. So most detections seem to be in MYBCKUP. I'll attempt to post log files requested in the 8-step removal process.

    No pop-up window when clicking on manage attachments?
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    See if there is a paper clip icon for the attachments. If you can't attach, paste the logs in; you might have to do it in 2 replies. A couple of others have mentioned this problem today.

    I'll check your logs when you get them up.

    Once you put the logs up, please don't run any other cleaning programs, Registry changes, etc.
  3. phhege

    phhege Newcomer, in training Topic Starter Posts: 16

    log files

    Avira AntiVir Personal
    Report file date: Saturday, March 20, 2010 12:00

    Scanning for 1878152 virus strains and unwanted programs.

    Licensee : Avira AntiVir Personal - FREE Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows XP
    Windows version : (Service Pack 3) [5.1.2600]
    Boot mode : Normally booted
    Username : SYSTEM
    Computer name : YOUR-FA4067EFF5

    Version information:
    BUILD.DAT : 9.0.0.419 21701 Bytes 1/22/2010 18:29:00
    AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 15:26:33
    AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 14:58:24
    LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 15:35:49
    LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 14:58:52
    VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 11:35:52
    VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 17:19:25
    VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 17:21:37
    VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 17:22:15
    VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 17:23:15
    VBASE005.VDF : 7.10.4.204 2048 Bytes 3/5/2010 17:23:15
    VBASE006.VDF : 7.10.4.205 2048 Bytes 3/5/2010 17:23:15
    VBASE007.VDF : 7.10.4.206 2048 Bytes 3/5/2010 17:23:15
    VBASE008.VDF : 7.10.4.207 2048 Bytes 3/5/2010 17:23:16
    VBASE009.VDF : 7.10.4.208 2048 Bytes 3/5/2010 17:23:16
    VBASE010.VDF : 7.10.4.209 2048 Bytes 3/5/2010 17:23:16
    VBASE011.VDF : 7.10.4.210 2048 Bytes 3/5/2010 17:23:17
    VBASE012.VDF : 7.10.4.211 2048 Bytes 3/5/2010 17:23:17
    VBASE013.VDF : 7.10.4.242 153088 Bytes 3/8/2010 17:23:23
    VBASE014.VDF : 7.10.5.17 99328 Bytes 3/10/2010 17:23:27
    VBASE015.VDF : 7.10.5.44 107008 Bytes 3/11/2010 17:23:32
    VBASE016.VDF : 7.10.5.69 92672 Bytes 3/12/2010 17:23:36
    VBASE017.VDF : 7.10.5.91 119808 Bytes 3/15/2010 17:23:41
    VBASE018.VDF : 7.10.5.121 112640 Bytes 3/18/2010 17:03:02
    VBASE019.VDF : 7.10.5.138 139776 Bytes 3/18/2010 17:01:09
    VBASE020.VDF : 7.10.5.139 2048 Bytes 3/18/2010 17:01:09
    VBASE021.VDF : 7.10.5.140 2048 Bytes 3/18/2010 17:01:09
    VBASE022.VDF : 7.10.5.141 2048 Bytes 3/18/2010 17:01:13
    VBASE023.VDF : 7.10.5.142 2048 Bytes 3/18/2010 17:01:17
    VBASE024.VDF : 7.10.5.143 2048 Bytes 3/18/2010 17:01:17
    VBASE025.VDF : 7.10.5.144 2048 Bytes 3/18/2010 17:01:18
    VBASE026.VDF : 7.10.5.145 2048 Bytes 3/18/2010 17:01:19
    VBASE027.VDF : 7.10.5.146 2048 Bytes 3/18/2010 17:01:20
    VBASE028.VDF : 7.10.5.147 2048 Bytes 3/18/2010 17:01:21
    VBASE029.VDF : 7.10.5.148 2048 Bytes 3/18/2010 17:02:22
    VBASE030.VDF : 7.10.5.149 2048 Bytes 3/18/2010 17:02:23
    VBASE031.VDF : 7.10.5.154 38912 Bytes 3/19/2010 17:02:25
    Engineversion : 8.2.1.196
    AEVDF.DLL : 8.1.1.3 106868 Bytes 3/16/2010 17:25:41
    AESCRIPT.DLL : 8.1.3.18 1024378 Bytes 3/17/2010 17:44:47
    AESCN.DLL : 8.1.5.0 127347 Bytes 3/16/2010 17:25:26
    AESBX.DLL : 8.1.2.1 254323 Bytes 3/17/2010 17:44:57
    AERDL.DLL : 8.1.4.3 541043 Bytes 3/17/2010 17:44:18
    AEPACK.DLL : 8.2.1.1 426358 Bytes 3/19/2010 17:02:42
    AEOFFICE.DLL : 8.1.0.41 201083 Bytes 3/17/2010 17:43:59
    AEHEUR.DLL : 8.1.1.13 2470262 Bytes 3/17/2010 17:43:50
    AEHELP.DLL : 8.1.10.2 237941 Bytes 3/17/2010 17:41:38
    AEGEN.DLL : 8.1.3.2 373108 Bytes 3/19/2010 17:02:32
    AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 11:38:26
    AECORE.DLL : 8.1.12.3 188789 Bytes 3/17/2010 17:40:28
    AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 11:38:20
    AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 12:47:59
    AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 19:14:02
    AVREP.DLL : 8.0.0.7 159784 Bytes 3/16/2010 17:26:18
    AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 14:32:09
    AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 19:05:41
    AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 14:37:08
    SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 19:03:49
    SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 12:21:33
    NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 14:32:10
    RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 19:39:58
    RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 16:25:47

    Configuration settings for the scan:
    Jobname.............................: Local Hard Disks
    Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\alldiscs.avp
    Logging.............................: low
    Primary action......................: interactive
    Secondary action....................: ignore
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Boot sectors........................: C:, D:,
    Process scan........................: on
    Scan registry.......................: on
    Search for rootkits.................: off
    Integrity checking of system files..: off
    Scan all files......................: Intelligent file selection
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: medium

    Start of the scan: Saturday, March 20, 2010 12:00

    The scan of running processes will be started
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'vsmon.exe' - '0' Module(s) have been scanned
    Scan process 'zlclient.exe' - '0' Module(s) have been scanned
    Scan process 'avgnt.exe' - '1' Module(s) have been scanned
    Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
    Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
    Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
    Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
    Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
    Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned
    Scan process 'alg.exe' - '1' Module(s) have been scanned
    Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
    Scan process 'PRISMXL.SYS' - '1' Module(s) have been scanned
    Scan process 'ForceField.exe' - '1' Module(s) have been scanned
    Scan process 'avguard.exe' - '1' Module(s) have been scanned
    Scan process 'sched.exe' - '1' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
    Scan process 'ISWSVC.exe' - '1' Module(s) have been scanned
    Scan process 'explorer.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'lsass.exe' - '1' Module(s) have been scanned
    Scan process 'services.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'smss.exe' - '1' Module(s) have been scanned
    28 processes with 28 modules were scanned

    Starting master boot sector scan:
    Master boot sector HD0
    [INFO] No virus was found!
  4. phhege

    phhege Newcomer, in training Topic Starter Posts: 16

    log file part 2

  5. phhege

    phhege Newcomer, in training Topic Starter Posts: 16

    hjt log file

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:03:16 PM, on 3/20/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16981)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_18.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_18.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1268712555593
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 5770 bytes
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Okay- I'll work with all 3 logs when you get the other 2 up. Don't need another AV scan.
  7. phhege

    phhege Newcomer, in training Topic Starter Posts: 16

    mbam log

    Scan type: Quick Scan
    Objects scanned: 112428
    Time elapsed: 4 minute(s), 22 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  8. phhege

    phhege Newcomer, in training Topic Starter Posts: 16

    super log

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 03/20/2010 at 03:26 PM

    Application Version : 4.34.1000

    Core Rules Database Version : 4702
    Trace Rules Database Version: 2514

    Scan type : Quick Scan
    Total Scan Time : 00:35:44

    Memory items scanned : 436
    Memory threats detected : 0
    Registry items scanned : 423
    Registry threats detected : 0
    File items scanned : 23223
    File threats detected : 62

    Adware.Tracking Cookie

    Trojan.Downloader-Gen
    C:\MY BACKUP -- 10-03-15 0909AM\WINDOWS\SYSTEM32\TWEXT.EXE

    Trojan.Agent/Gen-OnlineGames
    C:\TEMP\LAS VEGAS USA CASINO\INSTALL.EXE
  9. phhege

    phhege Newcomer, in training Topic Starter Posts: 16

    AV scan part 2...I didn't post it correctly, do you need it as it has detections on it? Should I delete the double post of the AV scan? Thanks Bobbye and to all others here in the forum, I'm learning stuff just from reading similar posts!
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    No, please don't do another Avast scan now. Looking at the Tracking Cookies in SAS tells me you're running from your backup- is that right? I will mention that some of the kinds of sites you're going to are going to be heavy on malware. The Tracking Cookies can be removed and prevented, but that's only one part of it.

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • If prompted to download and install the Recovery Console, please do so.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • If prompted to update, please allow.
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

    When that has finished, please run this online scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please note the line in the directions for the online scan that we do NOT want you to check for removal.

    Post the Combofix report and the Eset log in your next reply.
    Please do not visit any porn sites while I am helping clean the system.
  11. phhege

    phhege Newcomer, in training Topic Starter Posts: 16

    I went too fast and didn't follow directions for the ComboFix download...sorry but what shall I do next? I haven't run CF because I didn't save it to the desktop etc. and I'm running on a reinstall I think.
  12. phhege

    phhege Newcomer, in training Topic Starter Posts: 16

    I'm using Firefox, got it redownloaded to my desktop but still not prompted for a name change; this goes by the name ComboFix(2).exe. Should I run it?
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    Now go back to the Combofix instructions and follow carefully.

    All the Tracking Cookies are located in "My Backup". All 62 of them have the same time. And the 2 Trojans that were found have the same time. All show 10-15-20 indicating some kind of date. It's confusing because if you did a reinstall, it's not the 'backup' any more.
     
  14. phhege

    phhege Newcomer, in training Topic Starter Posts: 16

    I get an error message saying no disc in drive when trying to run combofix, I didn't see anything in your steps to run this program saying to insert disc.
  15. phhege

    phhege Newcomer, in training Topic Starter Posts: 16

    got that problem solved w/combofix but now it dislikes name change...huum
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Did you do the uninstall first? If so, there shouldn't have been any problem with 'name change'. You're not changing the name, you're giving it a name:

    If it still won't work, name it monday.exe.
  17. phhege

    phhege Newcomer, in training Topic Starter Posts: 16

  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    You have two antiviruses and two firewalls running:
    Avira antivirus
    ZoneAlarm Firewall
    and a MCAfee Security Suite with AV and firewall

    Please decide which you want to keep> one antivirus program, one firewall, and remove the others. Here are tools to help you:
    -------------------
    McAfee Removal
    -------------------
    To uninstall Avira:
    • Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
    • Wait for the list of installed programs to load, then click the name of the Avira program.
    • Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
    • Press Yes, to confirm the removal and then OK.
    • Click Next until Finish. The software is removed.
    -------------------------------------------
    To uninstall ZoneAlarm:

    • [1] Go to Control Center> go to the Preferences tab of the Overview panel.
      [2] Clear the check box labeled Load ZoneAlarm at startup.
      [3] Reboot the computer.
      [4] In Windows start menu: Go to Start> Programs> Zone Labs
      [5] Click Uninstall ZoneAlarm.
      [6] During the uninstallation process, you will see a dialog box titled "This is a security check from the Zone Labs security engine". Click YES in this dialog box.

    If you have the full, paid version of McAfee with current subscription, you might want to consider removing the free Avira and free ZoneAlarm if that is the version you have. Having 2 AV programs and 2 firewalls can make you more vulnerable- not less and it can also slow you down.

    Please do that while I am preparing the next step.
    ==========================================
    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!! DO NOT make any Registry Changes. And it is recommended that if you are running any Registry editing program, you either uninstall or disable it while we are in the cleaning process.
    ==================================
    Instructions posted for this user are customized for phhege only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please start a new thread and follow the preliminary cleaning steps HERE. Attach the logs.
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    After finishing with one antivirus and one firewall removal, continue with this:

    The deletion of this one, D:\Autorun.inf, suggests you had a possible FlashDrive infection:
    Threat Removal Procedure:

    • [1]. Download Flash_Disinfector and save it to your Desktop.
      [2]. After downloading, double-click on Flash_Disinfector to run it.
      [3]. Just follow the prompts and continue until it begins scanning.
      [4]. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
      [5]. It will scan removable drives, wait for the scan to finish. Done.
    ==================

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\documents and settings\All Users\Application Data\Viewpoint
    c:\windows\system32\OOBE\oobebaln.exe
    c:\windows\Tasks\ISP signup reminder 2.job
    c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    c:\windows\Tasks\ISP signup reminder 3.job
    Folder::
    c:\program files\Viewpoint
    
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

    IF you decided to keep ZoneAlarm, you need to make sure this file c:\windows\system32\zllictbl.dat is set to read only as follows:
    Show Hidden Folders/Files
    • Open My Computer.
      [*] Go to Tools > Folder Options.
      [*] Select the View tab.
      [*] Scroll down to Hidden files and folders.
      [*] Select Show hidden files and folders.
      [*] Uncheck (untick) Hide extensions of known file types.
      [*] Uncheck (untick) Hide protected operating system files (Recommended).
      [*] Click Yes when prompted.
      [*] Click OK.
      [*] Close My Computer.


    Using Windows Explorer: Windows Key + E, navigate to:
    • C:\ProgramData\CheckPoint\ZoneAlarm\zllictbl.dat
    • Right click on the file> Properties
    • Check the 'read only' box. (leave the hidden box as is)
    • Click apply > OK >
    • Close Windows Explorer> Reboot.

    Go back and rehide the files and folders.

    Please include a new log from HijackThis with the combofix from above in your next reply.
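The Flash_Disinfector step above targets the removable-drive worm pattern: a hidden executable on the stick plus an autorun.inf that launches it on insertion. The following is an added example, not a tool from this thread or from the helper, that reads an autorun.inf statically and reports which entries would auto-launch a program, so a file can be checked before the drive is trusted. The two sample files are constructed for the example; the "Open folder to view files" spoof it flags is the well-documented trick of making the AutoPlay entry look like Explorer's own default.

```python
"""Static check of an autorun.inf for the auto-launch pattern used by removable-drive worms.

Added example (not code from the thread). Parses the [autorun] section and
reports keys that execute a program when the drive is inserted.
"""
import configparser
import re

# [autorun] keys whose value is executed or launched via the shell.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")
SUSPICIOUS_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs")


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lower-cased.

    autorun.inf is INI-like, so configparser does the work. Malicious samples
    are often padded with NUL bytes or junk lines, so only section headers,
    comments and key=value lines that follow a header are kept.
    """
    cleaned = []
    seen_section = False
    for line in text.splitlines():
        line = line.strip("\x00 \t\r")
        if re.match(r"^\[.*\]$", line):
            seen_section = True
            cleaned.append(line)
        elif seen_section and ("=" in line or line.startswith((";", "#"))):
            cleaned.append(line)
    cp = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
    cp.optionxform = str.lower
    cp.read_string("\n".join(cleaned))
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k: (v or "") for k, v in cp.items(section)}
    return {}


def assess(text):
    """Return a list of findings; an empty list means nothing auto-launches."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if key in EXEC_KEYS:
            # First token of the value is the program; the rest are arguments.
            target = value.strip().strip('"').split()[0] if value.strip() else ""
            note = "auto-launches a program on insertion"
            if target.lower().endswith(SUSPICIOUS_EXT):
                note += f" (target {target!r} is an executable)"
            findings.append(f"{key}={value!r}: {note}")
    # A worm commonly sets action= to the text Explorer shows for a plain
    # "open the folder" choice, so the user picks the launch entry by mistake.
    action = entries.get("action", "")
    if "open folder" in action.lower() and any(k in entries for k in EXEC_KEYS):
        findings.append(f"action={action!r}: AutoPlay text mimics Explorer's default while a launch key is set")
    return findings


# Constructed sample: a vendor-style autorun.inf that only sets an icon and label.
CLEAN = """[autorun]
icon=setup.exe,0
label=Vendor Installer
"""

# Constructed sample modelled on the removable-drive worm pattern (no real malware).
WORM = """[AutoRun]
; constructed sample for the example
open=RECYCLER\\S-1-5-21-1\\update.exe
shell\\open\\Command=RECYCLER\\S-1-5-21-1\\update.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("worm-like", WORM)):
        print(name, "->", assess(sample) or ["no auto-launch entries"])
```

The check is deliberately narrow: an icon= or label= line is normal for a vendor stick and is not reported, while any of the three launch keys is, with an extra note when the target has an executable extension.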
  20. phhege

    phhege Newcomer, in training Topic Starter Posts: 16

  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    This looks much better! Did you disinfect the flash drive? If you used that to put your backup on the system, that is most likely why the malware seemed to be recurring. The entries in the HijackThis log now are showing as normal entries rather than 'My Backup.'


    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files  
      C:\My Backup -- 10-03-15 0909AM\WINDOWS\system32\sdra64.exe
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    An FYI for you: this entry is still loading and running so it means you have not created the system recovery discs. You should go on and do that in case the need comes up.
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    Description: HP-specific program that reminds users to create System Recovery CDs. Once they use the Recovery CD Creator (Start -> PC Help & Tools -> Recovery CD Creator) to make the recovery CDs the entry will remove itself from the startup list

    You should update the Adobe Reader. You have v7; current is v9.xx, and earlier versions are vulnerabilities.
    Visit this Adobe Reader site and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.


    Run the Eset online scan once more and if clean, I'll have you remove the cleaning tools and old restore points. Be sure to follow the Flash Disinfector instructions.
  22. phhege

    phhege Newcomer, in training Topic Starter Posts: 16

    Flashdrive cleaner has been run; no, I don't have one or used one before. As mentioned in post 1, problem with restart...so I threw in OEM CD to get going...(old recovery CDs from 5 yrs ago failed) ended up with mybackup stuff so I'm really lost in that department. So that's why some stuff needs updating and/or removing, like McAfee which I uninstalled, or so I thought. Thanks for all your help. Here are the logs.

    View attachment log.txt

    View attachment 03232010_121418.txt
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Nice going! And you got 40MB of 'space' out of it!
    Remove all of the tools we used and the files and folders they created
    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      [*]Click "OK" to select the partition or drive you want.
      [*]Click the "More Options" Tab.
      [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    I'm not sure whether your backup files were infected on the source or when you got them back on the system. The following updates are all important so check what you have and update if needed:
    Updates:
    The following updates should be current. If they are not, the system is vulnerable. Please update if needed:

    • Microsoft Download Site You should get All updates marked Critical and the current SP updates: Windows XP SP3.Vista SP2
    • Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities.
    • Adobe Reader Make sure you have the most current update. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities.

    Please empty the Recycle Bin

    Let me know if I can be of further help.
  24. phhege

    phhege Newcomer, in training Topic Starter Posts: 16

    In last Eset scan log is this ok?
    C:\My Backup -- 10-03-15 0909AM\WINDOWS\system32\sdra64.exe a variant of Win32/Kryptik.CZA trojan 00000000000000000000000000000000 I
    ESETSmartInstaller@High as downloader log:
    all ok
    removed all tools,files and folders...should I set restore point now?
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    If you look at the bottom of the Eset log, you will see this entry listed again, but with C:\_OTM\MovedFiles. It's out of your system.

    Yes, please handle the restore points.

    Please follow these simple steps to keep your computer clean and secure:

    1. Disable and Enable System Restore: See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    2. Stay current on updates: previously given.
    3. Make Internet Explorer safer. Follow the suggestions HERE. This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.
    4. Remove Temporary Internet Files regularly: Use ATF Cleaner by Atribune or TFC.
    5. Use an AntiVirus Software(only one)
    See Virus, Spyware, and Malware Protection and Removal Resources

    6. Use a good, bi-directional firewall (one software firewall). I recommend either of these software firewalls; both are free and good:
    Comodo or Zone Alarm
    7. Consider these programs for Extra Security
    • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    • IE/Spyad This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts files This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    • Google Toolbar Get the free google toolbar to help stop pop up windows.

    If I can be of further assistance, please let me know.
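The exchange above ("is this ok?" / "It's out of your system, look for C:\_OTM\MovedFiles") is the crux of the whole thread: the same detection name keeps showing up, but what matters is whether the file sits in a live path, in the restored "My Backup" tree, or in a folder where a removal tool has already parked it. The following is an added example, not code from the thread, from ESET or from OldTimer, that parses scanner log lines of the shape quoted in post 24 (path, detection text, 32-hex hash, status letter) and sorts them by location. The log lines are constructed for the example; the folder names it recognises are OTMoveIt's MovedFiles folders as named in this thread and ComboFix's Qoobox\Quarantine folder, and the all-zero hash is the placeholder value the quoted line itself shows.

```python
"""Triage scanner detections by where the flagged file lives.

Added example (not code from the thread or from any scanner vendor): separates
live detections from files already moved out of the system by a removal tool.
"""
import re

# Folders where removal tools park files they have moved out of the live system.
# _OTM\MovedFiles and _OTMoveIt\MovedFiles: OldTimer's OTMoveIt (named in the
# thread); Qoobox\Quarantine: ComboFix's quarantine folder.
QUARANTINE_MARKERS = ("\\_otm\\movedfiles", "\\_otmoveit\\movedfiles", "\\qoobox\\quarantine")
# The restored-backup tree that held the original infections in this thread.
BACKUP_MARKERS = ("\\my backup --",)

# The detection text starts at "a variant of ..." / "probably a variant of ..."
# or directly at a Family/Name token such as Win32/Kryptik.CZA. Windows paths
# contain no "/", so the first such token marks the end of the path.
_THREAT_START = re.compile(
    r"\s+(?=(?:probably\s+)?(?:a\s+variant\s+of\s+)?[A-Za-z0-9_]+/[A-Za-z0-9_.]+)"
)
_TAIL = re.compile(r"^(?P<threat>.+?)\s+(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\S+)$")


def parse_line(line):
    """Return {'path','threat','hash','flag'} or None if the line is not a detection."""
    line = re.sub(r"\t+", " ", line).strip()  # logs may be tab- or space-separated
    parts = _THREAT_START.split(line, maxsplit=1)
    if len(parts) != 2:
        return None
    tail = _TAIL.match(parts[1])
    if not tail:
        return None
    return {"path": parts[0], **tail.groupdict()}


def classify(path):
    """'quarantined' (tool already moved it), 'restored-backup', or 'live'."""
    p = path.lower()
    if any(m in p for m in QUARANTINE_MARKERS):
        return "quarantined"
    if any(m in p for m in BACKUP_MARKERS):
        return "restored-backup"
    return "live"


def triage(log_text):
    """Parse every detection line and tag it with its location class."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            rec["location"] = classify(rec["path"])
            results.append(rec)
    return results


def needs_action(log_text):
    """Detections still in live paths: the ones that actually need cleanup."""
    return [r for r in triage(log_text) if r["location"] == "live"]


# Constructed log lines. The first mirrors the entry quoted in the thread; the
# second is the same file after OTMoveIt moved it; the third is a made-up live
# hit with a placeholder detection name and placeholder hash.
SAMPLE_LOG = "\n".join([
    "C:\\My Backup -- 10-03-15 0909AM\\WINDOWS\\system32\\sdra64.exe\t"
    "a variant of Win32/Kryptik.CZA trojan\t00000000000000000000000000000000\tI",
    "C:\\_OTM\\MovedFiles\\03232010_121418\\WINDOWS\\system32\\sdra64.exe\t"
    "a variant of Win32/Kryptik.CZA trojan\t00000000000000000000000000000000\tI",
    "C:\\WINDOWS\\system32\\example_dropper.exe\t"
    "Win32/TrojanDropper.Agent.EXAMPLE trojan\t00000000000000000000000000000000\tI",
    "ESETSmartInstaller@High as downloader log:",
    "all ok",
])

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(f"{rec['location']:16} {rec['threat']:45} {rec['path']}")
    print("still live:", [r["path"] for r in needs_action(SAMPLE_LOG)])
```

Run against the sample, only the third line is reported as live; the backup-tree and MovedFiles entries are the same file seen before and after the move, which is exactly why a detection can look like it is "reoccurring" when it has in fact been taken out of the system.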