XP DELUXE-ANTIVIRUS-ANTIVIRUS PRO-DEFENDER32

When posting your problem, do not run and post a ComboFix logs. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

XP DELUXE-ANTIVIRUS-ANTIVIRUS PRO-DEFENDER32 - AND OTHERS, Something attacked and trashed Kapersky--now its open house!

Options

Lynn0210 View Member Profile	Jul 3 2009, 11:36 AM Post #1
New Member Group: Members Posts: 10 Joined: 3-July 09 Member No.: 347,871	I have WIndows XP Prof on a Dell Dual Core 410 I use Firefox most of the time I have Kaspersky as virus and firewall protection I regularly run Malwarebytes .. especially if KIS alerts me to an attack CCleaner is run after any type of infection followed by disk defragmenter. Something attacked my computer yesterday and totally crashed Kaspersky .. and most of my software it seems.. Browsers keep crashing.. programs wont run Computer locks up too.. PopUps all over the place now that Kaspersky is down.. (wont load and gives me error messages) Malwarebytes detects 15 items but cannot seem to remove them or disinfect Ad-Aware the same thing.. detects but does not remove Bit Defender same thing .. detects but does not remove I ran a dds if you need that After this clean up.. I would appreciate recommendations for keeping my computer safe and avoiding these attacks .. or at least getting the best protection I can.. Please help .. thanks

rigel View Member Profile	Jul 3 2009, 11:43 AM Post #2
BC 1st Responder Group: Global Moderator Posts: 9,844 Joined: 21-October 04 From: South Carolina - USA Member No.: 3,905	Install RootRepeal Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop. Fatdcuk at Malwarebytes posted a comprehensive tutorial - Self Help guide can be found here if needed.: Malwarebytes Removal and Self Help Guides. Click RootRepeal.exe to open the scanner. Click the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check the following items: Drivers Files Processes SSDT Stealth Objects Hidden Services Click OK Scan your C Drive (Or your current system drive) and click OK. The scan will begin. This my take a moment, so please be patient. When the scan completes, click Save Report. Name the log RootRepeal.txt and save it to your Documents folder - (Default folder). Paste the log into your next reply. Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High -------------------- "In a world where you can be anything, be yourself." ~ unknown Become a BleepingComputer fan: Facebook

Lynn0210 View Member Profile	Jul 3 2009, 03:10 PM Post #3
New Member Group: Members Posts: 10 Joined: 3-July 09 Member No.: 347,871	Here's the log: ROOTREPEAL © AD, 2007-2009 ================================================== Scan Time: 2009/07/03 14:34 Program Version: Version 1.3.0.0 Windows Version: Windows XP Media Center Edition SP3 ================================================== Drivers ------------------- Name: dump_iastor.sys Image Path: C:\WINDOWS\System32\Drivers\dump_iastor.sys Address: 0xA702D000 Size: 749568 File Visible: No Signed: - Status: - Name: rootrepeal.sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys Address: 0xA0A05000 Size: 49152 File Visible: No Signed: - Status: - Hidden/Locked Files ------------------- Path: C:\hiberfil.sys Status: Locked to the Windows API! Path: C:\Documents and Settings\Lynn\Favorites\HOSTGATOR Status: Locked to the Windows API! Path: c:\documents and settings\all users\application data\pure networks\log\logfile.nmsrvc_exe.txt Status: Size mismatch (API: 60484, Raw: 60350) Path: C:\Documents and Settings\Lynn\Desktop\COMPLETED\AFFILIATE INFO - INVESTING ETC\Blackhat Black Book Secret Million Dollar $$ Casino Industry Gambling Affiliate Marketing\Blackhat Black Book Secret Million Dollar $$ Casino Industry Gambling Affiliate Marketing.rar Status: Locked to the Windows API! Path: C:\Documents and Settings\Lynn\Desktop\COMPLETED\AFFILIATE INFO - INVESTING ETC\Google AdSense Secrets Or What Google Never Told You About Making Money With AdSense (3rd Edition)\Google AdSense Secrets Or What Google Never Told You About Making Money With AdSense (3rd Edition).pdf Status: Locked to the Windows API! Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\report\01\00000110_events.dat Status: Size mismatch (API: 1027402, Raw: 1027332) SSDT ------------------- #: 025 Function Name: NtClose Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72da7ae #: 031 Function Name: NtConnectPort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72dc1ea #: 037 Function Name: NtCreateFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72dbb9c #: 041 Function Name: NtCreateKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72d9950 #: 052 Function Name: NtCreateSymbolicLinkObject Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72ddb7c #: 063 Function Name: NtDeleteKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72d9d92 #: 065 Function Name: NtDeleteValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72d9f92 #: 066 Function Name: NtDeviceIoControlFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72dbeac #: 068 Function Name: NtDuplicateObject Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72de084 #: 071 Function Name: NtEnumerateKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72da0a8 #: 073 Function Name: NtEnumerateValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72da110 #: 084 Function Name: NtFsControlFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72dbd5e #: 097 Function Name: NtLoadDriver Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72dd620 #: 116 Function Name: NtOpenFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72db9f8 #: 119 Function Name: NtOpenKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72d9ab2 #: 125 Function Name: NtOpenSection Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72ddba6 #: 160 Function Name: NtQueryKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72da178 #: 161 Function Name: NtQueryMultipleValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72d9e7c #: 177 Function Name: NtQueryValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72d9c5a #: 193 Function Name: NtReplaceKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72d95d2 #: 200 Function Name: NtRequestWaitReplyPort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72dca74 #: 204 Function Name: NtRestoreKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72d9734 #: 206 Function Name: NtResumeThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72ddf56 #: 207 Function Name: NtSaveKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72d93d0 #: 210 Function Name: NtSecureConnectPort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72dc08c #: 213 Function Name: NtSetContextThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72da6ac #: 237 Function Name: NtSetSecurityObject Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72dd71a #: 240 Function Name: NtSetSystemInformation Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72ddbd0 #: 247 Function Name: NtSetValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72d9b08 #: 253 Function Name: NtSuspendProcess Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72ddcb4 #: 254 Function Name: NtSuspendThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72ddde0 #: 255 Function Name: NtSystemDebugControl Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72dd54c #: 257 Function Name: NtTerminateProcess Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72da47e Stealth Objects ------------------- Object: Hidden Module [Name: CLI.Aspect.DeviceDFP.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x059d0000 Size: 53248 Object: Hidden Module [Name: CLI.Aspect.VeryLargeDesktop.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05530000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.InfoCentre.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x05030000 Size: 45056 Object: Hidden Module [Name: CLI.Implementation.dll] Process: cli.exe (PID: 3132) Address: 0x00c60000 Size: 45056 Object: Hidden Module [Name: LOG.Foundation.dll] Process: cli.exe (PID: 3132) Address: 0x01160000 Size: 45056 Object: Hidden Module [Name: LOG.Foundation.Service.dll] Process: cli.exe (PID: 3132) Address: 0x011c0000 Size: 53248 Object: Hidden Module [Name: CLI.Foundation.dll] Process: cli.exe (PID: 3132) Address: 0x01190000 Size: 77824 Object: Hidden Module [Name: LOG.Foundation.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x011e0000 Size: 28672 Object: Hidden Module [Name: CLI.Foundation.XManifestation.dll] Process: cli.exe (PID: 3132) Address: 0x01200000 Size: 36864 Object: Hidden Module [Name: System.Runtime.Remoting.dll] Process: cli.exe (PID: 3132) Address: 0x01220000 Size: 307200 Object: Hidden Module [Name: CLI.Component.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x035c0000 Size: 94208 Object: Hidden Module [Name: ATICCCom.dll] Process: cli.exe (PID: 3132) Address: 0x035f0000 Size: 28672 Object: Hidden Module [Name: AEM.Foundation.dll] Process: cli.exe (PID: 3132) Address: 0x036e0000 Size: 36864 Object: Hidden Module [Name: CLI.Caste.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x03b50000 Size: 61440 Object: Hidden Module [Name: DEM.Graphics.I0601.dll] Process: cli.exe (PID: 3132) Address: 0x03c50000 Size: 53248 Object: Hidden Module [Name: CLI.Component.Runtime.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x03c10000 Size: 45056 Object: Hidden Module [Name: CLI.Caste.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x03bb0000 Size: 307200 Object: Hidden Module [Name: DEM.Foundation.dll] Process: cli.exe (PID: 3132) Address: 0x03c30000 Size: 28672 Object: Hidden Module [Name: ACE.Graphics.DisplaysManager.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x03c70000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.MultiVPU3.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x04ae0000 Size: 45056 Object: Hidden Module [Name: CLI.Aspect.MultiVPU3.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x04b00000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.MultiVPU2.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x04b20000 Size: 45056 Object: Hidden Module [Name: CLI.Aspect.MultiVPU2.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x04b40000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.MultiVPU.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x04b60000 Size: 45056 Object: Hidden Module [Name: System.Management.dll] Process: cli.exe (PID: 3132) Address: 0x04d60000 Size: 380928 Object: Hidden Module [Name: ATIDEMGR.dll] Process: cli.exe (PID: 3132) Address: 0x04d10000 Size: 299008 Object: Hidden Module [Name: CLI.Aspect.IntegratedUMAFrameBuffer.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x05010000 Size: 28672 Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05210000 Size: 45056 Object: Hidden Module [Name: CLI.Aspect.HotkeysHandling.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x05070000 Size: 28672 Object: Hidden Module [Name: CLI.Aspect.InfoCentre.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05050000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.HotkeysHandling.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05090000 Size: 28672 Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x050d0000 Size: 69632 Object: Hidden Module [Name: CLI.Aspect.MultiVPU.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x053f0000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.DeviceCV2.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x05250000 Size: 61440 Object: Hidden Module [Name: CLI.Aspect.CustomFormats.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05230000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.DeviceCV2.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05270000 Size: 45056 Object: Hidden Module [Name: CLI.Aspect.DeviceTV2.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x052b0000 Size: 69632 Object: Hidden Module [Name: CLI.Aspect.VeryLargeDesktop.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x05510000 Size: 45056 Object: Hidden Module [Name: CLI.Aspect.VPURecover.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x056e0000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x05610000 Size: 53248 Object: Hidden Module [Name: CLI.Aspect.DisplaysColour2.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x055b0000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.Radeon3DLegacy.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x05570000 Size: 53248 Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x05550000 Size: 61440 Object: Hidden Module [Name: CLI.Aspect.DisplaysColour2.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x05590000 Size: 53248 Object: Hidden Module [Name: CLI.Aspect.DisplaysColour.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x055f0000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.DisplaysColour.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x055d0000 Size: 53248 Object: Hidden Module [Name: CLI.Aspect.VideoOverlay.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05680000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05640000 Size: 45056 Object: Hidden Module [Name: CLI.Aspect.VideoOverlay.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x05660000 Size: 45056 Object: Hidden Module [Name: CLI.Aspect.SmartGart.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x056c0000 Size: 36864 Object: Hidden Module [Name: ACE.Graphics.VideoOverlay.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x056a0000 Size: 28672 Object: Hidden Module [Name: CLI.Aspect.DeviceCRT.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x05750000 Size: 45056 Object: Hidden Module [Name: CLI.Aspect.WorkstationConfig.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x05720000 Size: 45056 Object: Hidden Module [Name: CLI.Aspect.VPURecover.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05700000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.DeviceCRT2.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x057b0000 Size: 45056 Object: Hidden Module [Name: CLI.Aspect.DeviceCRT.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05780000 Size: 69632 Object: Hidden Module [Name: CLI.Aspect.DeviceLCD2.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x05860000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.DeviceLCD.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x05820000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.DeviceCRT2.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x057f0000 Size: 69632 Object: Hidden Module [Name: CLI.Aspect.DeviceLCD.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05840000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x058a0000 Size: 61440 Object: Hidden Module [Name: CLI.Aspect.DeviceLCD2.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05880000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x059b0000 Size: 69632 Object: Hidden Module [Name: DEM.Graphics.I0600.dll] Process: cli.exe (PID: 3132) Address: 0x058d0000 Size: 28672 Object: Hidden Module [Name: CLI.Aspect.SmartGart.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05900000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.WorkstationConfig.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05920000 Size: 36864 Object: Hidden Module [Name: DEM.Graphics.I0602.dll] Process: cli.exe (PID: 3132) Address: 0x05940000 Size: 28672 Object: Hidden Module [Name: CLI.Aspect.DeviceProperty.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05960000 Size: 28672 Object: Hidden Module [Name: CLI.Aspect.DeviceProperty2.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05980000 Size: 28672 Object: Hidden Module [Name: CLI.Aspect.DeviceProperty2.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x059a0000 Size: 28672 Object: Hidden Module [Name: CLI.Aspect.PowerPlay3.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x05ae0000 Size: 61440 Object: Hidden Module [Name: CLI.Aspect.OverDrive3.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x05a60000 Size: 86016 Object: Hidden Module [Name: CLI.Aspect.DeviceDFP2.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x05a10000 Size: 53248 Object: Hidden Module [Name: CLI.Aspect.DeviceDFP.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x059f0000 Size: 53248 Object: Hidden Module [Name: CLI.Aspect.DeviceDFP2.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05a30000 Size: 53248 Object: Hidden Module [Name: CLI.Aspect.OverDrive2.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x05ab0000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.OverDrive3.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05a90000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.DisplaysOptions.Graphics.Runtime.dll] Process: cli.exe (PID: 3132) Address: 0x05b20000 Size: 45056 Object: Hidden Module [Name: CLI.Aspect.PowerPlay3.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05b00000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.Radeon3DLegacy.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05b40000 Size: 61440 Object: Hidden Module [Name: CLI.Aspect.DeviceTV2.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05ca0000 Size: 69632 Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05e00000 Size: 69632 Object: Hidden Module [Name: CLI.Aspect.DisplaysOptions.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05e50000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.OverDrive2.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05e20000 Size: 28672 Object: Hidden Module [Name: CLI.Aspect.IntegratedUMAFrameBuffer.Graphics.Shared.dll] Process: cli.exe (PID: 3132) Address: 0x05e70000 Size: 28672 Object: Hidden Module [Name: APM.Foundation.dll] Process: cli.exe (PID: 3132) Address: 0x05ea0000 Size: 36864 Object: Hidden Handle [Index: 14020, Type: File] Process: aap.exe (PID: 3272) Address: 0x87fbdab8 Size: - Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Shared.dll] Process: cli.exe (PID: 2824) Address: 0x04fa0000 Size: 69632 Object: Hidden Module [Name: CLI.Aspect.DeviceProperty.Graphics.Shared.dll] Process: cli.exe (PID: 2824) Address: 0x04ec0000 Size: 28672 Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Wizard.dll] Process: cli.exe (PID: 2824) Address: 0x04990000 Size: 135168 Object: Hidden Module [Name: CLI.Aspect.DeviceCV2.Graphics.Wizard.dll] Process: cli.exe (PID: 2824) Address: 0x04110000 Size: 1241088 Object: Hidden Module [Name: ATICCCom.dll] Process: cli.exe (PID: 2824) Address: 0x03780000 Size: 28672 Object: Hidden Module [Name: CLI.Implementation.dll] Process: cli.exe (PID: 2824) Address: 0x00c60000 Size: 45056 Object: Hidden Module [Name: LOG.Foundation.dll] Process: cli.exe (PID: 2824) Address: 0x01160000 Size: 45056 Object: Hidden Module [Name: LOG.Foundation.Service.dll] Process: cli.exe (PID: 2824) Address: 0x011c0000 Size: 53248 Object: Hidden Module [Name: CLI.Foundation.dll] Process: cli.exe (PID: 2824) Address: 0x01190000 Size: 77824 Object: Hidden Module [Name: LOG.Foundation.Shared.dll] Process: cli.exe (PID: 2824) Address: 0x011e0000 Size: 28672 Object: Hidden Module [Name: CLI.Foundation.XManifestation.dll] Process: cli.exe (PID: 2824) Address: 0x01200000 Size: 36864 Object: Hidden Module [Name: System.Runtime.Remoting.dll] Process: cli.exe (PID: 2824) Address: 0x01220000 Size: 307200 Object: Hidden Module [Name: CLI.Component.Wizard.Shared.dll] Process: cli.exe (PID: 2824) Address: 0x03710000 Size: 36864 Object: Hidden Module [Name: CLI.Component.Wizard.dll] Process: cli.exe (PID: 2824) Address: 0x03640000 Size: 634880 Object: Hidden Module [Name: CLI.Foundation.Clients.dll] Process: cli.exe (PID: 2824) Address: 0x036f0000 Size: 53248 Object: Hidden Module [Name: CLI.Component.Runtime.dll] Process: cli.exe (PID: 2824) Address: 0x03750000 Size: 94208 Object: Hidden Module [Name: AEM.Foundation.dll] Process: cli.exe (PID: 2824) Address: 0x037c0000 Size: 36864 Object: Hidden Module [Name: CLI.Caste.Graphics.Shared.dll] Process: cli.exe (PID: 2824) Address: 0x037a0000 Size: 61440 Object: Hidden Module [Name: ACE.Graphics.DisplaysManager.Shared.dll] Process: cli.exe (PID: 2824) Address: 0x037e0000 Size: 36864 Object: Hidden Module [Name: CLI.Caste.Graphics.Wizard.dll] Process: cli.exe (PID: 2824) Address: 0x03d20000 Size: 94208 Object: Hidden Module [Name: CLI.Caste.Graphics.Wizard.Shared.dll] Process: cli.exe (PID: 2824) Address: 0x03d50000 Size: 28672 Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Wizard.dll] Process: cli.exe (PID: 2824) Address: 0x03eb0000 Size: 1241088 Object: Hidden Module [Name: CLI.Aspect.DeviceTV2.Graphics.Wizard.dll] Process: cli.exe (PID: 2824) Address: 0x04490000 Size: 159744 Object: Hidden Module [Name: CLI.Aspect.DeviceLCD2.Graphics.Wizard.dll] Process: cli.exe (PID: 2824) Address: 0x04390000 Size: 421888 Object: Hidden Module [Name: CLI.Aspect.DeviceLCD.Graphics.Wizard.dll] Process: cli.exe (PID: 2824) Address: 0x042b0000 Size: 421888 Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Wizard.dll] Process: cli.exe (PID: 2824) Address: 0x04430000 Size: 159744 Object: Hidden Module [Name: CLI.Aspect.DisplaysManager.Graphics.Wizard.dll] Process: cli.exe (PID: 2824) Address: 0x04710000 Size: 2379776 Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Shared.dll] Process: cli.exe (PID: 2824) Address: 0x04980000 Size: 45056 Object: Hidden Module [Name: CLI.Aspect.InfoCentre.Graphics.Wizard.dll] Process: cli.exe (PID: 2824) Address: 0x04c50000 Size: 339968 Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Wizard.dll] Process: cli.exe (PID: 2824) Address: 0x04a70000 Size: 471040 Object: Hidden Module [Name: CLI.Aspect.TransCode.Local.Wizard.dll] Process: cli.exe (PID: 2824) Address: 0x04b70000 Size: 520192 Object: Hidden Module [Name: CLI.Aspect.DeviceProperty2.Graphics.Shared.dll] Process: cli.exe (PID: 2824) Address: 0x04f00000 Size: 28672 Object: Hidden Module [Name: CLI.Aspect.DeviceCV2.Graphics.Shared.dll] Process: cli.exe (PID: 2824) Address: 0x04ee0000 Size: 45056 Object: Hidden Module [Name: CLI.Aspect.CustomFormats.Graphics.Shared.dll] Process: cli.exe (PID: 2824) Address: 0x04f20000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.DeviceLCD2.Graphics.Shared.dll] Process: cli.exe (PID: 2824) Address: 0x04f70000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.DeviceLCD.Graphics.Shared.dll] Process: cli.exe (PID: 2824) Address: 0x04f50000 Size: 36864 Object: Hidden Module [Name: CLI.Aspect.DeviceTV2.Graphics.Shared.dll] Process: cli.exe (PID: 2824) Address: 0x04fe0000 Size: 69632 Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Shared.dll] Process: cli.exe (PID: 2824) Address: 0x05030000 Size: 69632 Object: Hidden Module [Name: atixclib.dll] Process: cli.exe (PID: 2824) Address: 0x05130000 Size: 28672 Object: Hidden Module [Name: CLI.Aspect.TransCode.Local.Shared.dll] Process: cli.exe (PID: 2824) Address: 0x050d0000 Size: 299008 Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Shared.dll] Process: cli.exe (PID: 2824) Address: 0x05070000 Size: 45056 Object: Hidden Module [Name: CLI.Aspect.InfoCentre.Graphics.Shared.dll] Process: cli.exe (PID: 2824) Address: 0x05310000 Size: 36864 Object: Hidden Code [ETHREAD: 0x86e92020] Process: System Address: 0x895b21a0 Size: 2246 Object: Hidden Code [ETHREAD: 0x86f25020] Process: System Address: 0x8959cf9f Size: 100 Object: Hidden Code [ETHREAD: 0x86e8fda8] Process: System Address: 0x895d0517 Size: 2795 Object: Hidden Code [ETHREAD: 0x86f12da8] Process: System Address: 0x8959fc11 Size: 1009 Object: Hidden Code [Driver: iastor, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8957c1c0 Size: 3652 ==EOF==

rigel View Member Profile	Jul 3 2009, 05:30 PM Post #4
BC 1st Responder Group: Global Moderator Posts: 9,844 Joined: 21-October 04 From: South Carolina - USA Member No.: 3,905	Please download SmitfraudFix Double-click SmitfraudFix.exe Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply. Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm -------------------- "In a world where you can be anything, be yourself." ~ unknown Become a BleepingComputer fan: Facebook

Lynn0210 View Member Profile	Jul 3 2009, 07:29 PM Post #5
New Member Group: Members Posts: 10 Joined: 3-July 09 Member No.: 347,871	SmitFraudFix v2.423 Scan done at 20:27:48.79, Fri 07/03/2009 Run from C:\Documents and Settings\Lynn\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» Process C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\cFosSpeed\spd.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\hpzipm12.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe C:\Program Files\cFosSpeed\cFosSpeed.exe C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\WINDOWS\stsystra.exe C:\WINDOWS\ehome\ehtray.exe C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe C:\WINDOWS\system32\brastia.exe C:\Program Files\Antivirus Agent Pro\aap.exe C:\Documents and Settings\Lynn\XP Deluxe Protector\xpdeluxe.exe C:\Program Files\Digital Line Detect\DLG.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Documents and Settings\Lynn\Desktop\SmitfraudFix\Policies.exe C:\WINDOWS\system32\cmd.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe »»»»»»»»»»»»»»»»»»»»»»»» hosts hosts file corrupted ! 209.44.111.62 antispy.microsoft.com »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Lynn C:\Documents and Settings\Lynn\XP Deluxe Protector FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Lynn\LOCALS~1\Temp »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Lynn\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu C:\DOCUME~1\Lynn\STARTM~1\XP Deluxe Protector.lnk FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Lynn\FAVORI~1 »»»»»»»»»»»»»»»»»»»»»»»» Desktop C:\DOCUME~1\Lynn\Desktop\XP Deluxe Protector.lnk FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components »»»»»»»»»»»»»»»»»»»»»»»» o4Patch !!!Attention, following keys are not inevitably infected!!! o4Patch Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» IEDFix !!!Attention, following keys are not inevitably infected!!! IEDFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix !!!Attention, following keys are not inevitably infected!!! Agent.OMZ.Fix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» VACFix !!!Attention, following keys are not inevitably infected!!! »»»»»»»»»»»»»»»»»»»»»»»» 404Fix !!!Attention, following keys are not inevitably infected!!! 404Fix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !!!Attention, following keys are not inevitably infected!!! »»»»»»»»»»»»»»»»»»»»»»»» Winlogon !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Userinit"="C:\\WINDOWS\\system32\\userinit.exe," »»»»»»»»»»»»»»»»»»»»»»»» RK [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» DNS Description: Intel® 82566DC Gigabit Network Connection - Packet Scheduler Miniport DNS Server Search Order: 65.32.5.111 DNS Server Search Order: 65.32.5.112 HKLM\SYSTEM\CCS\Services\Tcpip\..\{F04856AA-E8E1-4D42-9279-01339B5FF5E3}: DhcpNameServer=65.32.5.111 65.32.5.112 HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.32.5.111 65.32.5.112 »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End

rigel View Member Profile	Jul 3 2009, 08:34 PM Post #6
BC 1st Responder Group: Global Moderator Posts: 9,844 Joined: 21-October 04 From: South Carolina - USA Member No.: 3,905	You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Please reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account. Once in Safe Mode, double-click SmitfraudFix.exe Select option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter". The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report. The report can also be found at the root of the system drive, usually at C:\rapport.txt Warning : running option #2 on a non infected computer will remove your Desktop background. After that, please update and rerun malwarebytes - post the new log. -------------------- "In a world where you can be anything, be yourself." ~ unknown Become a BleepingComputer fan: Facebook

rigel View Member Profile	Jul 3 2009, 09:24 PM Post #7
BC 1st Responder Group: Global Moderator Posts: 9,844 Joined: 21-October 04 From: South Carolina - USA Member No.: 3,905	Part II - We also need to replace your HOSTS file - yours is corrupted. I suggest using this one: mvps hosts file site with info. Direct download link: HOSTS -------------------- "In a world where you can be anything, be yourself." ~ unknown Become a BleepingComputer fan: Facebook

Lynn0210 View Member Profile	Jul 3 2009, 10:35 PM Post #8
New Member Group: Members Posts: 10 Joined: 3-July 09 Member No.: 347,871	regarding hosts file.. there seems to be more than one method of installing since I dont know much about this area .. can you tell me how to install

Lynn0210 View Member Profile	Jul 3 2009, 10:50 PM Post #9
New Member Group: Members Posts: 10 Joined: 3-July 09 Member No.: 347,871	SmitFraudFix v2.423 Scan done at 23:34:02.29, Fri 07/03/2009 Run from C:\Documents and Settings\Lynn\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» hosts 127.0.0.1 localhost ::1 localhost 209.44.111.62 antiaware-pro.com 209.44.111.62 www.antiaware-pro.com »»»»»»»»»»»»»»»»»»»»»»»» VACFix VACFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix S!Ri's WS2Fix: LSP not Found. »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files C:\Documents and Settings\Lynn\XP Deluxe Protector\ Deleted C:\DOCUME~1\Lynn\STARTM~1\XP Deluxe Protector.lnk Deleted C:\DOCUME~1\Lynn\Desktop\XP Deluxe Protector.lnk Deleted »»»»»»»»»»»»»»»»»»»»»»»» IEDFix IEDFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix Agent.OMZ.Fix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» 404Fix 404Fix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» RK »»»»»»»»»»»»»»»»»»»»»»»» DNS HKLM\SYSTEM\CCS\Services\Tcpip\..\{F04856AA-E8E1-4D42-9279-01339B5FF5E3}: DhcpNameServer=65.32.5.111 65.32.5.112 HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.32.5.111 65.32.5.112 »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! "System"="" »»»»»»»»»»»»»»»»»»»»»»»» RK.2 »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End

rigel View Member Profile	Jul 3 2009, 10:50 PM Post #10
BC 1st Responder Group: Global Moderator Posts: 9,844 Joined: 21-October 04 From: South Carolina - USA Member No.: 3,905	I will be glad to. If you download the file to your desktop, you can double click the .zip file. That will open an extraction window. To the right, there should be a line that says "Extract all files". Click that then click Next - Next - Finish. This will place a new folder on your desktop called Hosts - and it should open a window with the extracted files. Double Click MVPS.bat and the batch file will do all the work for you. Let me know if this doesn't help. -------------------- "In a world where you can be anything, be yourself." ~ unknown Become a BleepingComputer fan: Facebook

Lynn0210 View Member Profile	Jul 3 2009, 10:50 PM Post #11
New Member Group: Members Posts: 10 Joined: 3-July 09 Member No.: 347,871	Still getting popups from malware.. not as many desktop color and fonts all changed am running malwarebytes now..

Lynn0210 View Member Profile	Jul 4 2009, 02:03 AM Post #12
New Member Group: Members Posts: 10 Joined: 3-July 09 Member No.: 347,871	Malwarebytes' Anti-Malware 1.34 Database version: 1861 Windows 5.1.2600 Service Pack 3 7/4/2009 3:00:02 AM mbam-log-2009-07-04 (03-00-02).txt Scan type: Full Scan (C:\\|J:\\|K:\\|L:\\|M:\\|N:\\|O:\\|P:\\|Q:\\|R:\\|) Objects scanned: 191979 Time elapsed: 1 hour(s), 58 minute(s), 1 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Malwarebytes does not seem to be picking up the remaining infected items..

rigel View Member Profile	Jul 4 2009, 11:42 AM Post #13
BC 1st Responder Group: Global Moderator Posts: 9,844 Joined: 21-October 04 From: South Carolina - USA Member No.: 3,905	Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page. Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet. alternate download link Note: The file will be randomly named (i.e. 5mkuvc4z.exe). Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Scan with Dr.Web CureIt as follows: Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs. The Express scan will automatically begin. (This is a short scan of files currently running in memory, boot sectors, and targeted folders). If prompted to dowload the Full version Free Trial, ignore and click the X to close the window. If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured) After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media. In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok. Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo. Please be patient as this scan could take a long time to complete. When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found. Click Select All, then choose Cure > Move incurable. In the top menu, click file and choose save report list. Save the DrWeb.csv report to your desktop. Exit Dr.Web Cureit when done. Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot. After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report) -------------------- "In a world where you can be anything, be yourself." ~ unknown Become a BleepingComputer fan: Facebook

Lynn0210 View Member Profile	Jul 5 2009, 05:55 AM Post #14
New Member Group: Members Posts: 10 Joined: 3-July 09 Member No.: 347,871	I have tried 3 times to use DrWeb It goes through the Express scan fine but on the complete scan it gets stuck on a certain file and wont budge past there. The last time it got stuck.. I left it overnight so I am sure it was stuck after 4-5 hours in the same place. What do you suggest?

rigel View Member Profile	Jul 5 2009, 04:50 PM Post #15
BC 1st Responder Group: Global Moderator Posts: 9,844 Joined: 21-October 04 From: South Carolina - USA Member No.: 3,905	Let's try an alternate I'd like us to scan your machine with ESET OnlineScan Hold down Control and click on the following link to open ESET OnlineScan in a new window. ESET OnlineScan Click the button. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps) Click on to download the ESET Smart Installer. Save it to your desktop. Double click on the icon on your desktop. Check Click the button. Accept any security warnings from your browser. Check Push the Start button. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time. When the scan completes, push Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply. Push the button. Push -------------------- "In a world where you can be anything, be yourself." ~ unknown Become a BleepingComputer fan: Facebook

« Next Oldest · Am I infected? What do I do? · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides