TechSpot

Trojan horse is back

By gooodjunkk
Aug 18, 2010
  1. Uhhg, what a nightmare. I think my previous problem is back. :(

    My previous topic is here: http://www.techspot.com/vb/topic151668.html

    I thought the problem was solved, but at 6:38 am yesterday morning, my AVG resident shield notified me that c:\WINDOWS\system32\spool\prtprocs\w32x86\31cE3a79.dll was infected with Trojan horse BackDoor.Generic12.CHLU (again, but last time it was a different file & the trojan was ....Generic12.CEGH). I Moved the file to the virus vault.

    The first time AVG detected this trojan was on 8/12 at 2:53pm & I noticed then that the file c:\windows\system32\TsWpfWrpx.dll had been modified at exactly the same time. I found the file in Windows Explorer & looked at the properties. It was a read only, archived, hidden, system file & I tried but couldn't delete it & couldn't change the attributes.

    So I scanned the file; both AVG & Malwarebytes said no threat detected, but Spybot, identified it as virtuamonde.dll (I think). I fouind a website that said terrible scary things about the virus & how hard it is to remove, but it went on to say that it could be removed & gave a list files, processes & registry keys to find & delete (TsWpfWrpx.dll was not one of them). I looked, but found none of the listed processes or files or registry keys on my system.

    Eventually, I was able to modify the access controls of the file from the command prompt with CACLS. Then I changed the file attributes with attrib & deleted the file in Windows Explorer & emptied my recycle bin.

    This seemed to help, but my Malwarebytes was no longer working. That's when I noticed in the AVG resident shield history that when the virus was detected back on the 12th, it listed mbamservice.exe as the process & when it detected it yesterday morning, the process was mbam.exe.

    So, assuming my malwarebytes was now infected or damaged or both, I uninstalled it. I like Malwarebytes, so I downloaded a new setup file & reinstalled it. It seems to be running ok now, but the website blocker is starting to become active, which was one of the first symptoms I noticed right after the first infection & the IP addresses it's blocking seem to be the same ones it started blocking back on the 12th (at 2:53pm).

    So now I don't know if I'm still infected or re-infected or if I helped or made things worse by trying to cure myself, but I'm pretty sure I need help again. :eek:

    I'm not sure what to do... should I start over with the 8 steps??
     
  2. crunchie

    crunchie Malware Helper Posts: 728

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  3. gooodjunkk

    gooodjunkk TS Rookie Topic Starter Posts: 43

    I get the "OTL has encountered a problem & needs to close" message when I try to run OTL.

    Error signature
    AppName: otl.exe
    AppVer: 3.2.10.0
    NodName: kernel32.dll
    ModVer: 5.1.2600.5781
    Offset: 00012afb

    Error Report Contents indicate the following files will be included in this report: c:\DOCUME~1\Owner\LOCAL~1\Temp\5bb0_appcompat.txt
     
  4. crunchie

    crunchie Malware Helper Posts: 728

    Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.
    • You will need to use Internet Explorer to complete this scan.
    • You will need to temporarily Disable your current Anti-virus program.
    • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
    • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

    NOTE: If you are unable to complete the ESET scan, please try another from the list below:

     
  5. gooodjunkk

    gooodjunkk TS Rookie Topic Starter Posts: 43

    ESET didn't find anything, but I somehow I missed checking the box to scan archives. Log is posted below.

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=ab3207012866ca45b56e047016e767d0
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-08-16 04:34:27
    # local_time=2010-08-15 09:34:27 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 34904722 34904722 0 0
    # compatibility_mode=1024 16777191 100 0 12184419 12184419 0 0
    # compatibility_mode=1536 16777215 100 0 0 0 0 0
    # compatibility_mode=3585 16777214 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=136064
    # found=5
    # cleaned=0
    # scan_time=6617
    C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent.HZHBURL trojan 00000000000000000000000000000000 I
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
    K:\DnldAps\Nero-6.6.1.15a.exe Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I
    K:\DnldAps\usrat.exe multiple threats 00000000000000000000000000000000 I
    K:\DnldAps\wherewasgod.exe multiple threats 00000000000000000000000000000000 I
    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=ab3207012866ca45b56e047016e767d0
    # end=finished
    # remove_checked=true
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-08-16 06:53:30
    # local_time=2010-08-15 11:53:30 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 34913160 34913160 0 0
    # compatibility_mode=1024 16777191 100 0 12192857 12192857 0 0
    # compatibility_mode=1536 16777215 100 0 0 0 0 0
    # compatibility_mode=3585 16777214 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=136364
    # found=6
    # cleaned=6
    # scan_time=6520
    C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent.HZHBURL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0001128.exe probably a variant of Win32/Agent.HZHBURL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    K:\DnldAps\Nero-6.6.1.15a.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C
    K:\DnldAps\usrat.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
    K:\DnldAps\wherewasgod.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=ab3207012866ca45b56e047016e767d0
    # end=stopped
    # remove_checked=true
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-08-16 07:13:59
    # local_time=2010-08-16 12:13:59 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 34959777 34959777 0 0
    # compatibility_mode=1024 16777175 100 0 12239474 12239474 0 0
    # compatibility_mode=1536 16777215 100 0 0 0 0 0
    # compatibility_mode=3585 16777214 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=99737
    # found=0
    # cleaned=0
    # scan_time=4336
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=ab3207012866ca45b56e047016e767d0
    # end=stopped
    # remove_checked=true
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-08-18 01:30:44
    # local_time=2010-08-17 06:30:44 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 35067390 35067390 0 0
    # compatibility_mode=1024 16777175 100 0 12347087 12347087 0 0
    # compatibility_mode=1536 16777215 100 0 0 0 0 0
    # compatibility_mode=3585 16777214 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=82892
    # found=0
    # cleaned=0
    # scan_time=5724
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=ab3207012866ca45b56e047016e767d0
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-08-19 01:00:28
    # local_time=2010-08-18 06:00:28 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 35153694 35153694 0 0
    # compatibility_mode=1024 16777175 100 0 12433391 12433391 0 0
    # compatibility_mode=1536 16777215 100 0 0 0 0 0
    # compatibility_mode=3585 16777214 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=138273
    # found=0
    # cleaned=0
    # scan_time=4006
     
  6. crunchie

    crunchie Malware Helper Posts: 728

    Can you post up a DDS log please and try to run OTL again.
     
  7. gooodjunkk

    gooodjunkk TS Rookie Topic Starter Posts: 43

    Here are the DDS logs. Still can't run OTL (I get the same error msg as before).


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Owner at 18:33:36.25 on Wed 08/18/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2031.1416 [GMT -7:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\WINDOWS\system32\LVComsX.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = 127.0.0.1
    mURLSearchHooks: H - No File
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\acrobat\activex\AcroIEHelper.ocx
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: Plaxo: {81ca3009-6200-4a6d-93c6-f1e9a6821c7f} - c:\program files\plaxo\ie toolbar\0.9.5.42\plx_tlbr.dll
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    uPolicies-explorer: NoCommonGroups = 0 (0x0)
    uPolicies-explorer: NoFileSharing = 1 (0x1)
    uPolicies-explorer: NoPrintSharing = 1 (0x1)
    uPolicies-explorer: NoResolveTrack = 1 (0x1)
    uPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
    uPolicies-explorer: NoSMMyDocs = 1 (0x1)
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: {01111C00-3E00-11D2-8470-0060089874ED} - hxxp://help.rr.com/Foundrysdccommon/download/tgctlar.cab
    DPF: {01111F00-3E00-11D2-8470-0060089874ED} - hxxp://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://activation.rr.com/install/downloads/tgctlcm.cab
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://toad4.inkfrog.com/scripts/ImageUploader5.cab
    DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235580186484
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258580924828
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://games.pogo.com/online2/pogo/bookworm_adventures/popcaploader_v10.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\symantec\winfax\WfxSeh32.Dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-11 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-11 29584]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-11 243024]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-18 304464]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-18 20952]
    R3 QCEmerald;Logitech QuickCam Web(PID_0850);c:\windows\system32\drivers\lvce.sys [2006-10-7 44544]
    S3 MouseMaestro;MouseMaestro;c:\windows\system32\drivers\maestro8.sys [2009-7-28 8104]
    S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2008-1-5 13532]
    S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2004-8-27 198256]
    S4 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-8-27 79472]
    S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2004-8-27 181872]
    S4 gupdate1ca109a4feb59f4;Google Update Service (gupdate1ca109a4feb59f4);c:\program files\google\update\GoogleUpdate.exe [2009-7-29 133104]
    S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-18 24652]

    =============== Created Last 30 ================

    2010-08-18 07:34:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-18 07:34:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-18 07:34:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-18 01:55:32 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
    2010-08-18 01:55:32 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-08-18 01:55:23 0 d-----w- c:\program files\SUPERAntiSpyware
    2010-08-17 23:51:01 0 d-----w- C:\VundoFix Backups
    2010-08-16 02:40:37 0 d-----w- c:\program files\ESET
    2010-08-13 21:59:26 0 d-sha-r- C:\cmdcons
    2010-08-12 21:52:41 0 d-----w- c:\docume~1\owner\applic~1\41C28C7638D87F0CA4294A5BC8D8943F
    2010-08-06 09:57:07 438 ----a-w- c:\program files\080620102570757.bat
    2010-08-06 07:15:48 0 d-----w- c:\docume~1\owner\applic~1\Oberon Media
    2010-08-06 07:14:47 0 d-----w- c:\program files\MSN Games

    ==================== Find3M ====================

    2010-07-15 15:09:09 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-15 15:09:08 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-15 15:08:27 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-05 13:47:48 14366 ----a-w- c:\windows\skype.dat
    2010-06-05 13:47:39 32854 ----a-w- c:\windows\iniLS.dat
    2010-05-27 19:00:15 1880 ----a-w- c:\windows\AUTOLNCH.REG
    2010-05-26 21:37:52 168242 ----a-w- c:\windows\hphins33.dat
    2005-06-24 08:02:53 0 --sha-w- c:\windows\sminst\HPCD.sys
    2009-06-19 01:00:01 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009061820090619\index.dat

    ============= FINISH: 18:34:23.87 ===============
     

    Attached Files:

  8. crunchie

    crunchie Malware Helper Posts: 728

    Log looks clean. Are you still getting notifications from AVG?
     
  9. gooodjunkk

    gooodjunkk TS Rookie Topic Starter Posts: 43

    No notifications from AVG since 6:38 yesterday morning
     
  10. crunchie

    crunchie Malware Helper Posts: 728

    Just keep an eye out and let me know.

    ==

    After something like this it is a good idea to Flush the Restore Points and start fresh.
    To flush the XP system Restore Points.

    Go to Start | Run and type msconfig and press enter.

    When msconfig opens, click the Launch System Restore Button.
    On the next page, click the System Restore Settings link on the left.

    Check the box labelled 'Turn off System restore'.

    Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

    Note that all previous restore points will be lost.
     
  11. gooodjunkk

    gooodjunkk TS Rookie Topic Starter Posts: 43

    I will keep an eye out, for sure. Thanks again for all your help.

    System Restore was already turned off. If I remember correctly, I did that after I deleted the TsWpfWrpx.dll file, because I was afraid if I didn't, it would be restored as soon as I rebooted. I went ahead & turned it back on just now, though.

    Any ideas on why I can't get OTL to run on my computer?
     
  12. crunchie

    crunchie Malware Helper Posts: 728

    Not sure about OTL. I haven't seen that error with it.
    Perhaps it is just a corrupt download? You could try downloading it again and maybe run it in safe mode if it doesn't run in normal.
     
  13. gooodjunkk

    gooodjunkk TS Rookie Topic Starter Posts: 43

    Ok, I will try that. Also, is it ok at this point to run windows update & update java to the latest version?
     
  14. crunchie

    crunchie Malware Helper Posts: 728

    What service pack do you have on XP?

    Do this for Java;

    Please download JavaRa

    If you get this message:
    Problems with the download? Please use this direct link or try another mirror.

    Select the Direct link download unzip it to your Desktop.

    Double click JavaRa.exe then click Remove Older Versions.

    Next, open JavaRa.exe again, and select Search For Updates.

    Select Update Using Sun Java's Website --> Search, and continue the instructions for downloading and installing the latest Java version. Look for JDK 6 Update 21 (JDK or JRE). On the right select this one Download JRE..

    In Vista and Windows 7 run the tool as Administrator.
     
  15. gooodjunkk

    gooodjunkk TS Rookie Topic Starter Posts: 43

    XP Home (2002) Service Pack 3 & I installed several updates maybe a week ago (maybe less, shortly after I thought we had fixed the problem the first time). Will go get JavaRe.exe & do that now.
     
  16. gooodjunkk

    gooodjunkk TS Rookie Topic Starter Posts: 43

    Here is JavaRa.log & already installed the latest version (JDK 6 Update 21 [JRE])

    JavaRa 1.16 Removal Log.

    Report follows after line.

    ------------------------------------

    The JavaRa removal process was started on Thu Aug 19 14:08:25 2010

    Found and removed: C:\Program Files\Java\jre1.5.0_06

    Found and removed: C:\Program Files\Java\jre1.6.0_01

    Found and removed: C:\Documents and Settings\Owner\Application Data\Sun\Java\jre1.6.0_17

    Found and removed: C:\WINDOWS\Installer\{7148F0A8-6813-11D6-A77B-00B0D0142000}

    Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4

    Found and removed: Software\JavaSoft\Java2D\1.5.0_05

    Found and removed: Software\JavaSoft\Java2D\1.5.0_06

    Found and removed: Software\JavaSoft\Java2D\1.5.0_10

    Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D510005

    Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D510006

    Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D511000

    Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510005

    Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510006

    Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D511000

    Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D510005

    Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D510006

    Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D511000

    Found and removed: SOFTWARE\Classes\JavaPlugin.150_05

    Found and removed: SOFTWARE\Classes\JavaPlugin.150_06

    Found and removed: SOFTWARE\Classes\JavaPlugin.150_10

    Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0

    Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.5.0_05

    Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.5.0_06

    Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.5.0_10

    Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5

    Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5.0_05

    Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5.0_06

    Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5.0_10

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D510005

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D510006

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D511000

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D510005

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D510006

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D511000

    Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

    Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBB}

    Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}

    Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC}

    Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610001

    Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610001

    Found and removed: SOFTWARE\Classes\JavaPlugin.160_01

    Found and removed: SOFTWARE\Classes\JavaPlugin.160_17

    Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_01

    Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_17

    Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_01

    Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_17

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610001

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610001

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610001

    Found and removed: SOFTWARE\Classes\Installer\Products\8A0F841731866D117AB7000B0D410200

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F841731866D117AB7000B0D410200

    Found and removed: SOFTWARE\Classes\JavaPlugin.142

    Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.4.2

    Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4.2

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.4.2

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.5.0_05

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.5.0_06

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.5.0_10

    Found and removed: Software\Classes\JavaPlugin.142

    Found and removed: Software\Classes\JavaPlugin.160_01

    Found and removed: Software\Classes\JavaPlugin.160_17

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_05\

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_06\

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_10\

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_01\

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_01\bin\

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_01

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_17

    Found and removed: Software\JavaSoft\Java2D\1.6.0_01

    Found and removed: Software\JavaSoft\Java Runtime Environment\1.6.0_01

    Found and removed: Software\JavaSoft\Java Runtime Environment\1.6.0_17

    Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610001

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACB9B14518A96D117A58000B0D410200

    Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_01.b06\

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core1.zip

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core2.zip

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core3.zip

    ------------------------------------

    Finished reporting.
     
  17. crunchie

    crunchie Malware Helper Posts: 728

    Ok. No reason that I can see why you should not run Windows Updates :).
     
  18. gooodjunkk

    gooodjunkk TS Rookie Topic Starter Posts: 43

    No updates were needed. I don't know what to think about computer now. For the most part, it runs fairly well, but I still think something is not right. :suspiciou

    No more notifications from AVG, but my AVG Tray icon disappeared, along with it's associated .exe file, which is kinda wierd. The program still loads when Windows starts up & I can still load the user interface through the shortcut in the start menu. It appears to functioning properly, it shows all components are active, it will scan & it automatically updates every day. When I click the tray icon shortcut in the start menu, the AVG setup program box pops up to guide me through the process of installing AVG, but I didn't think I should do that just yet.

    Malwarebytes is still actively blocking attempts to connect to malicious websites, when I haven't attempted to contact any website at all. But, it's slowed way down... to around 25 times a day.

    My biggest concern is that once in while everything slows way down for no apparent reason. When I load the task manager, the Performance tab shows 100% cpu usage (or close to it) & the processes tab shows that explorer.exe is using most of that... up to 99%. Then, after while, everything seems to just go back to normal.

    There's that... then the fact that OTL wont run at all on my computer, even in safe mode is bothering me. And, that TsWpfWrpx.dll file that Spybot identified as Virtumonde.dll, but couldn't remove. I was so relieved after I finally unlocked & deleted it that it never occurred to me that there could be other files, as well as registry stuff that needed to be removed.

    I don't know if any of these problems are even related. :confused: Where do I go from here?
     
  19. crunchie

    crunchie Malware Helper Posts: 728

    Out of curiousity, try and run the OTL version from here; http://oldtimer.geekstogo.com/OTL.com and post the logs if it runs.

    Edit. AVG might just need reinstalling. If you uninstall that version then download the latest and also the AVG removal tool and run that before the installation, that should fix those problems up (with AVG).
     
  20. gooodjunkk

    gooodjunkk TS Rookie Topic Starter Posts: 43

    That didn't work either :(
     
  21. crunchie

    crunchie Malware Helper Posts: 728

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


    • * Double-click on the Rkill desktop icon to run the tool.
      * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
      * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
      * If not, delete the file, then download and use the one provided in Link 2.
      * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
      * Do not reboot until instructed.
      * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.


    • * Please download exeHelper from Raktor to your desktop.
      * Double-click on exeHelper.com to run the fix.
      * A black window should pop up, press any key to close once the fix is completed.
      * A log file named log.txt will be created in the directory where you ran exeHelper.com
      * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    =================================================================

    Try again straight away to run OTL.
     
  22. gooodjunkk

    gooodjunkk TS Rookie Topic Starter Posts: 43

    Rkill & exeHelper both ran first time. Got the exact same error message when I tried to run OTL.

    exeHelper by Raktor
    Build 20100414
    Run at 01:55:22 on 08/21/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--
     
  23. crunchie

    crunchie Malware Helper Posts: 728

    Very strange. Let's try Combofix again.

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix..

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
     
  24. gooodjunkk

    gooodjunkk TS Rookie Topic Starter Posts: 43

    I thought I had disabled everything but combofix warned me AVG was still running. I tried, but for some reason I can't completely disable AVG resident shield, no matter what I do. This is the same thing that happened the first time I ran combofix (in safe mode that time). This time I even tried to kill the process with Process Explorer, but it wouldn't let me (access denied).
     

    Attached Files:

  25. crunchie

    crunchie Malware Helper Posts: 728

    Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

    c:\windows\system32\drivers\atapi.sys
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...