Infected with About:Blank


This topic is locked. 18 replies to this topic.

#1 mtautoken

Posted 26 May 2009 - 07:20 AM

When I open IE my window changes from the home page to About:Blank and shows a warning asking to "Continue Unprotected" or "Get Security software".

This seemed to start sometime after I kept seeing this "Personal Anti Virus" asking for $$.

I ran AVG in safe mode.

Then loaded Firefox.

Purchased Norton 360 and ran 2 or 3 complete scans with updates.

Ran Regcure with current updates.

Ran About:buster.

Ran the DDS. Results below.



DDS (Ver_09-05-14.01) - NTFSx86
Run by User at 4:45:37.40 on Tue 05/26/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.465 [GMT -7:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
svchost.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Apple Computer\DVD@ccess\DVDAccess.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\GO_Win\GO_Server.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\My Documents\PC Repair Tools\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\User\Application Data\mjusbsp\magicJack.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sti.net/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: &Helper: {2e59498d-7e44-4452-9044-0973b080b9e8} - c:\windows\system32\winexplorer.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.0.0.135\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Gadwin PrintScreen 2.6] c:\program files\gadwin systems\printscreen\PrintScreen.exe /nosplash
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Zinio DLM] c:\program files\zinio\ZinioReader.exe /autostart
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [cdloader] "c:\documents and settings\user\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SetDefPrt] "c:\program files\brother\brmfl04g\BrStDvPt.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [BrStsWnd] "c:\program files\brownie\BrstsWnd.exe" Autorun
mRun: [SetDefPrt2] "c:\program files\brother\brmfl04g\BrStDvPt.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
mRun: [HPHUPD06] "c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvd@cc~1.lnk - c:\program files\apple computer\dvd@ccess\DVDAccess.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\efax43~1.lnk - c:\program files\efax messenger 4.3\J2GTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {4B6310D8-95C1-4acd-95FC-EAA1C975ABB0} - {9FC0AE07-9B28-4405-882E-735D9C91DA85} - c:\go_win\gowebie.dll
Trusted Zone: microsoft.com\office
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182226175500
DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} - hxxps://www2.gotomeeting.com/default/applets/g2mdlax.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2005\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.0.0.135\CoIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\f75z658n.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0300000.087\SymEFA.sys [2009-5-18 310320]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-6-19 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-6-19 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-6-19 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-6-19 10760]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0300000.087\BHDrvx86.sys [2009-5-18 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0300000.087\cchpx86.sys [2009-5-18 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090513.001\IDSXpx86.sys [2009-5-19 276344]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-6-19 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-6-19 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-6-19 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-6-19 4960]
R2 DVDAccss;DVDAccss;c:\windows\system32\drivers\DVDAccss.sys [2007-12-7 29156]
R2 GO_Server;GO_Server;c:\go_win\GO_Server.exe [2008-12-29 22024]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.0.0.135\ccSvcHst.exe [2009-5-18 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-5-19 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090523.003\NAVENG.SYS [2009-5-23 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090523.003\NAVEX15.SYS [2009-5-23 876144]

=============== Created Last 30 ================

2009-05-22 07:48 <DIR> --d----- c:\windows\system32\N360_BACKUP
2009-05-20 08:14 <DIR> --d----- c:\program files\Microsoft IntelliPoint
2009-05-18 21:32 <DIR> --d--r-- c:\program files\Norton Support
2009-05-18 20:25 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-05-18 20:25 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-18 20:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-05-18 20:25 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-05-18 20:25 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-18 20:25 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-05-18 20:25 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-05-18 20:25 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-05-18 20:25 <DIR> --d----- c:\program files\Symantec
2009-05-18 20:25 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-05-18 20:24 <DIR> --d----- c:\windows\system32\drivers\N360
2009-05-18 20:24 <DIR> --d----- c:\program files\Norton 360
2009-05-18 20:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-05-18 20:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-05-18 17:27 <DIR> --d----- c:\program files\NortonInstaller
2009-05-18 17:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-05-18 16:06 <DIR> --d----- c:\docume~1\user\applic~1\GetRightToGo
2009-05-18 12:16 <DIR> --d----- c:\program files\InterMute
2009-05-18 06:57 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-18 05:37 372,736 a------- c:\windows\system32\winexplorer.dll
2009-04-28 05:16 <DIR> --d----- c:\program files\common files\Uninstall

==================== Find3M ====================

2009-03-14 07:49 70,376 a------- c:\docume~1\user\applic~1\GDIPFONTCACHEV1.DAT
2009-03-08 15:30 54,452 a---h--- c:\windows\system32\mlfcache.dat
2009-03-06 09:17 94,813 -------- c:\windows\HPHins03.dat
2009-03-06 07:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 4:46:44.46 ===============



#2 Net_Surfer

Posted 07 June 2009 - 02:56 PM

Hello and :thumbup2: to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

-----------------------------------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer

:)

#3 mtautoken (Topic Starter)

Posted 14 June 2009 - 08:07 AM

OK, I have attached both logs. I just ran them again.

I am not super efficient on my PC so please send easy to understand instructions.

Thank you again for your help.

Ken


#4 Net_Surfer

Posted 15 June 2009 - 07:53 PM

Hello mtautoken, :)
And :) to Bleeping Computer Malware Removal Forum. My Nick is Net_Surfer; I'll be glad to help you with your computer problems.

I will be working on your Malware issues; this may or may not solve other issues you may have with your machine.

Sorry about the delay, but the amount of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to.


Please note that whatever repairs we make, are for fixing "your computer problems only" and by no means should be used on another computer.


You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown Here.

-----------------------------------------------------------

Please be patient and I'd be grateful if you would note the following:

The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.

1. Please reply using the AddReply button in the lower right hand corner of your screen. Do not start a new topic.
2. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
3. All of my posts need to be checked by my coach, so please be patient while I attempt to remove your malware.
4. Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime Please, Do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

Kind regards
Net_Surfer

:thumbup2:

#5 mtautoken (Topic Starter)

Posted 16 June 2009 - 07:49 AM

OK, Thanks. I won't add anything to my PC until we fix this thing.

Ken

#6 Net_Surfer

Posted 16 June 2009 - 01:16 PM

Hello again, :thumbup2:

Sorry for the delay. The forum is exceptionally busy. I have reviewed your logs and proposed a fix. I am patiently waiting for my coach to approve the clean-up.
If possible I would encourage you to minimize use of that computer until we can get it cleaned up. I appreciate your patience.

Regards,
Net_Surfer

:)

#7 mtautoken (Topic Starter)

Posted 16 June 2009 - 10:18 PM

A OK, Thanks again.

Ken

#8 Net_Surfer

Posted 18 June 2009 - 10:50 AM

Hi mtautoken, :)

please observe these rules while we work:
  • Please Read All Instructions Carefully
  • Perform all actions in the order given.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Do not attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.
  • In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please continue to review my answers until I tell you that your machine is clean and free of malware. (Remember absence of symptoms does not mean that everything is clear).
Just because you can't see a problem doesn't mean it isn't there.

If you can do these things, everything should go smoothly. :thumbup2:

------------------------------^-----------------------------


RegCure Warning!
The following is referring to < RegCure >.
Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System.
  • Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems.
  • The point we are trying to make is that the risk of using one far outweighs any benefit.
  • If it does work perfectly you will not see any difference
    If it doesn't work properly you may end up with an expensive doorstop.
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done, assuming that the major audience here at this board might be inexperienced users and thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.


Registry cleaners should be used with caution and always back up your registry before deleting what it says are invalid entries.
Be careful you do not overclean your Registry and come to regret it. What's called invalid may be what your system needs to run correctly.

Please read this blog by: miekiemoes. Link

----------------------------^-------------------------------


Please follow the instructions of the next set of steps:

Step #1.

Going over your logs I noticed that you have TWO anti-virus products installed and running in your system.

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore, please go to Add/Remove in the Control Panel and remove either AVG 7.5 or NORTON 360.

AVG 7.5 is an outdated version and since you mentioned that you just paid for Norton 360 then you should keep Norton.

Step #2.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\go_win\gowebie.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Step #3.

Please disable your Norton 360 anti-virus and anti spyware programs during the following steps.
If you are unsure on how to do this, please read this guide
Your anti spyware program is: Ad-aware 6 Personal

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
Tutorial if needed

Step #3.

Please download ATF Cleaner-3 and save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser:

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser:

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_...refetch-XP.html

Step #4.

ESET Online Scan
ESET Online Scanner is a user-friendly, free and powerful tool which you can use to remove malware from any PC utilizing only your web browser without having to install anti-virus software. ESET Online Scanner uses the same ThreatSense® technology and signatures as ESET Smart Security/ESET NOD32 Antivirus, and is always up-to-date.

IMPORTANT: Administrator privileges are required to run ESET Online Scanner

Sometimes malware that is removed from your computer leaves other traces behind. These traces may not be active, but they are unwanted on your computer.
Therefore, by using ESET online scanner it is possible for us to find leftover or missed malware files on your computer and we can now further clean up your computer.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
Credit: Billy Oneal for the canned instructions. You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
Step #5.

We need to see more information about what is happening in your machine. Please perform the following scan:

Run random's system information tool (RSIT)

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Please note that it is important that RSIT be run and a log created while in normal mode. *If you run it and create your log while in safe mode, you will be asked to redo it again properly.
  • Download random's system information tool (RSIT) by random/random and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open.

    Please post the contents of both here in your next reply.

    log.txt (<<--- will be maximized) and info.txt (<<--- will be minimized)
Summary of the logs I will need in your next reply:
  • The report log from Jotti or Virustotal
  • The MBAM report log.
  • The ESET Online Scan report log.
  • The 2 logs created by RSIT: log.txt and info.txt
And a description of any remaining problems in your next post.

How is your computer running now?


Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks.
Kind regards
Net_Surfer

:)

Edited by Net_Surfer, 18 June 2009 - 12:55 PM.


#9 mtautoken

mtautoken
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:22 PM

Posted 20 June 2009 - 12:57 PM

Below are the scan results you requested I send.

The ESET Online Scan came back with no threats found. I attached the RSIT results files.

The PC seems to be running great so far. Thank you so much for all your help.

I think it was the Mbam scan that found and deleted my problematic registry files. Should I use this scan as a scheduled maintenance in lieu of the reg cure? Or can I use it when I am suspecting that my Norton 360 has allowed something past it and the PC's performance is limited?

Thank you again,

Ken


Jotti's malware scan
Filename: gowebie.dll
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Fri 19 Jun 2009 07:35:07 (CET)

Additional info
File size: 452104 bytes
Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5: 700cf0042bbc6093cc7d2cc5f96e80a0
SHA1: 737d44be4eabb8499e6c25695763ff728a6663ab

Scanners
2009-06-18 Found nothing
2009-06-18 Found nothing
2009-06-19 Found nothing
2009-06-19 Found nothing
2009-06-18 Found nothing
2009-06-19 Found nothing
2009-06-18 Found nothing
2009-06-19 Found nothing
2009-06-18 Found nothing
2009-06-18 Found nothing
2009-06-18 Found nothing
2009-06-18 Found nothing
2009-06-19 Found nothing
2009-06-19 Found nothing
2009-06-19 Found nothing
2009-06-19 Found nothing
2009-06-18 Found nothing
2009-06-18 Found nothing
2009-06-19 Found nothing
2009-06-18 Found nothing

Malwarebytes' Anti-Malware 1.38
Database version: 2307
Windows 5.1.2600 Service Pack 2

6/18/2009 11:36:52 PM
mbam-log-2009-06-18 (23-36-52).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 177454
Time elapsed: 31 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2e59498d-7e44-4452-9044-0973b080b9e8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\zangoax.clientdetector (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\zangoax.clientdetector.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\zangoax.userprofiles (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\zangoax.userprofiles.1 (Adware.Zango) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#10 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:22 PM

Posted 21 June 2009 - 03:38 AM

I think it was the Mbam scan that found and deleted my problematic registry files. Should I use this scan as a scheduled maintenance in lieu of the reg cure? Or can I use it when I am suspecting that my Norton 360 has allowed something past it and the PC's performance is limited?

Do you pay for Ad-Aware and RegCure? If not, I recommend uninstalling them. MBAM is doing the same job, except well, better.

To replace RegCure I will recommend: WinPatrol. As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.

Hi mtautoken, :)

let's do the following to see if we can get rid of one leftover baddie.


Step #1.
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall prior to our fix. Please visit HERE if you don't know how. Please re-enable them after performing all steps given.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Why we recommend disabling autoruns and autoplay
  • The autorun/autoplay feature, when enabled, causes one of two things to happen depending on previously made choices.

    1. When a cd-rom or dvd is inserted, or a usb device (camera, flashdrive, external hard drive, etc) is attached, Windows will open a message window that provides a list of actions to take based on the content of the device or media.
    2. If on a prior occasion of the message window, the user selected to always perform the same action with certain types of media/device, there will be no message window opened upon detection of media/device. Instead, it will automatically run the previously selected program or execute the same behaviour.

  • Example: with autorun/autoplay enabled you insert a music CD: Windows will detect the CD and its contents, then open a message window that might offer to play the CD with Media Player, Music Match Jukebox, or any of the many applications you may or may not have installed.

  • Insert a Movie DVD and Windows might prompt you to view it with Power DVD, Media Player, etc.
    o Example: with autorun/autoplay enabled and on a previous prompt for action the box was checked to always apply the same action, Windows might automatically open Roxio CD Creator or Nero Burning ROM when a blank cd is inserted.
    o Plug in a usb camera and Windows might open or prompt you to use the Scanner and Camera Transfer Wizard to transfer the pictures to your computer.
    o Plug in a flash drive and Windows might open or prompt you to use Windows Explorer to browse the contents of the flash drive. Very commonly it will also just automatically execute an infection residing on the flash drive, thereby infecting your computer.
    o Insert a game cd or software cd, and Windows might automatically begin the installation setup.

    Malware authors have begun to exploit the autorun/autoplay feature, so the author of ComboFix, in an effort to help protect your computer from becoming infected via that avenue, configured ComboFix to disable it. Many other security apps disable it as well, and Microsoft recommends disabling it.

    Disabling autorun/autoplay does not prevent you from accessing any of those media sources.

    They are still available by:

  • Opening My Computer and accessing the source drive (cd, dvd, usb flash or external hard drive).
  • Pictures on a camera can still be accessed/transferred through My Pictures and selecting Get Pictures from a Scanner or Camera.
  • Media can also be accessed via the program you intend to use it with, such as music cds accessed via Media Player,
  • blank cds via your burning program, image handling software provided with the camera, etc.
I do recommend you leave the feature disabled and get into the habit of accessing those media devices manually, however, I will send you the information required to re-enable the autoplay feature should you decide to do so.

Step #2.

Backup Your Registry with ERUNT


Install ERUNT
(This tool will create a complete backup of your registry to ensure we have a safety net If something goes wrong. Do not delete the backup until we are finished).
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program HERE

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

CAUTION:
Altering system files and/or modifying the registry can be risky, and BleepingComputer.com and its members cannot accept liability for any adverse effects caused by following advice freely given on this site.

Step #3.

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below, Do Not include the word: CODE

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2dd2823d-e809-11dd-9e91-0011092c89a1}]

Name the file as regedit.reg, making sure save as type is set to "All Files".
Double click on regedit.reg & allow it to run.

Step #4.

Now you should create a new Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Step #5.

Your Microsoft Windows installation is out of date!
Unpatched Windows systems on the Internet are a security risk to everyone. When there are insecure computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer. Keeping up-to-date with all these security patches will help prevent malware from reinfecting your machine. If you are not sure how to do this, see How to use Microsoft Update.

For additional information, be sure to read "Windows Xp Service Pack 3 (sp3) Information".

Then go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

Step #6.

Re-scan with RSIT and post the log so I can see if the changes were made.

Summary of the logs I will need in your next reply:
  • The log created by RSIT
And a description of any remaining problems in your next post.

How is your computer running now?

Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks.
Kind regards
Net_Surfer

:thumbup2:
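
The post above relies on two things worth seeing in code: which lines of an autorun.inf actually make Windows launch something when a drive is inserted, and why Flash_Disinfector's trick of creating a folder named autorun.inf blocks the worm from writing its file. The script below is an added example for this thread, not Flash_Disinfector's or sUBs' code. Both inf samples are constructed to mimic a USB worm and a harmless software CD; the `SetFileAttributesW` call and attribute flags are the Win32 API and only run on Windows.

```python
"""Triage autorun.inf directives and immunise a volume root against autorun worms.

Added example for this thread; not Flash_Disinfector's code. The two inf
samples at the bottom are constructed, not captured from the poster's machine.
"""
import os
import re
import tempfile
from pathlib import Path

# [autorun] keys that cause execution: 'open' and 'shellexecute' run directly
# on AutoRun; 'shell\<verb>\command' is run when the verb is chosen from the
# drive's context menu, and the default verb is what a double-click in
# My Computer runs, which is how users re-infected themselves with autorun off.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section as {lower-cased key: value}.

    Hand-rolled instead of configparser because worm inf files carry junk
    lines, odd casing ([AutoRun]) and backslashes in key names; Windows'
    INI reader tolerates all of that, so the triage must as well."""
    directives = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                    # blank or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def exec_directives(directives: dict) -> dict:
    """Subset of directives that launch a program on insertion or double-click."""
    return {k: v for k, v in directives.items()
            if k in EXEC_KEYS or SHELL_CMD_RE.match(k)}


def launched_binaries(directives: dict) -> set:
    """Distinct executables the exec directives point at (arguments stripped),
    so one worm body referenced three ways is reported once."""
    return {v.split()[0].strip('"').lower()
            for v in exec_directives(directives).values()}


def is_immunised(volume_root: Path) -> bool:
    """True when autorun.inf at the root is a directory: FAT and NTFS refuse to
    create a file with the same name as an existing directory, so the worm
    cannot drop its autorun.inf. This is what Flash_Disinfector leaves behind."""
    return (volume_root / "autorun.inf").is_dir()


def immunise(volume_root: Path) -> bool:
    """Create the autorun.inf directory and, on Windows, mark it
    hidden+system+read-only. Refuses if a *file* of that name is present,
    since that file is itself an infection indicator to be examined first."""
    target = volume_root / "autorun.inf"
    if target.is_file():
        return False
    target.mkdir(exist_ok=True)
    if os.name == "nt":
        import ctypes
        readonly, hidden, system = 0x1, 0x2, 0x4       # FILE_ATTRIBUTE_* flags
        ctypes.windll.kernel32.SetFileAttributesW(str(target),
                                                  readonly | hidden | system)
    return is_immunised(volume_root)


def simulate_immunisation() -> tuple:
    """Run immunise() against a scratch directory standing in for a USB root;
    returns (immunised_before, immunised_after)."""
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        before = is_immunised(root)
        immunise(root)
        return before, is_immunised(root)


# Constructed sample in the style of a 2008-era USB worm (not a real capture).
WORM_INF = """\
[AutoRun]
icon=%SystemRoot%\\system32\\SHELL32.dll,4
open=RECYCLER\\update.exe
shell\\open\\Command=RECYCLER\\update.exe
shell\\explore\\command=RECYCLER\\update.exe -e
UseAutoPlay=1
"""

# Constructed sample of a harmless software CD that only sets a label and icon.
BENIGN_INF = """\
[autorun]
icon=setup.exe,0
label=Product CD
"""

if __name__ == "__main__":
    for name, inf in (("worm", WORM_INF), ("benign", BENIGN_INF)):
        d = parse_autorun(inf)
        print(name, exec_directives(d), launched_binaries(d))
    print("immunisation (before, after):", simulate_immunisation())
```

On the XP SP2 machine in this thread all three exec directives in the worm sample would fire, which is why the helper has the user hold Shift while inserting the drive. Microsoft later shipped an update that restricts AutoRun to CD/DVD media, so on a patched system the `open=` line is inert, but its presence on a USB stick is still a reliable sign the drive carried a worm and the referenced file should be examined.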

#11 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:22 PM

Posted 22 June 2009 - 07:14 PM

:) Bump :)
Hello mtautoken. :)
Are you still there???
:thumbup2:

If you are please follow the instructions in my previous post.

Please continue to review my answers until I tell you your machine appears to be clear. Remember absence of symptoms does not mean that everything is clear.


If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Unfortunately, if I do not hear back from you within 2 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread.


Kind regards
Net_Surfer

:)

#12 mtautoken

mtautoken
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:22 PM

Posted 23 June 2009 - 12:05 PM

Yes I am still here. I have just been busy. Sorry.

I will run the other scans and such today or tonight.

Thanks again.

#13 mtautoken

mtautoken
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:22 PM

Posted 25 June 2009 - 12:50 AM

Well I didn't get too far tonight.

I'm pretty sure that I am disabling my Norton 360 correctly. The link to your instructions was not too helpful. I think they outline a different version than what I have.

Anyway, when I try to save flash_Disinfector to the desktop I always get an "Error copying file or folder" window. It states, "Cannot copy flash_Disinfector[1]: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use".

Another thing I forgot to mention. After I installed a USB-style keychain picture viewer several months ago, I have had this Windows Installer and Instant Share trying to install every time the PC starts up. I have to use the task manager to stop it from running and trying to install something. Today was no exception.

Let me know how to proceed from here.

Thank you again for your help and concerns with my PC.

Ken

#14 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:22 PM

Posted 25 June 2009 - 10:59 AM

Hello mtautoken,

Those steps I gave you in my earlier post will take care of that problem. You have an autorun infection, so you need to do the following so we can trick the malware on your system.

Try this:

Uninstall/delete any previous downloads of Flash Disinfector, and this time when you save it, rename the Flash Disinfector tool to: sUBs.exe
That will do. :thumbup2:

Then try and run it.

If that doesn't work then please run the tool in safe mode.


If all went well, please complete the steps provided in my earlier post, but this time I need you to run MBAM one more time just before you update your Windows XP system. I would like to see the MBAM log as well, in case you got more malware.

STEPS to follow:

Flash Disinfector: follow the instructions; the utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.

ERUNT: so we can back up your registry.

Run the batch file I provided: so it will get rid of the bad registry key.

MBAM: run the tool just in case you got more infections, since it's been a few days since the last check, and post the log.
Clean your System Restore Points with the steps provided.

Update your system to XP SP3.

RSIT: Run the tool and post the log

Best regards
Net_Surfer


#15 mtautoken

mtautoken
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:22 PM

Posted 26 June 2009 - 10:12 PM

I'm having some problems with the scans.

RE: Create a new restore point: after clicking OK a small window came up for Disk Cleanup stating, "Disk Cleanup is calculating how much space you will be able to free on C drive. This may take a few minutes."

The window disappears after about 10 seconds. When I go back to Run, the cleanmgr is still there, so I click OK and the same thing happens. I left it to run while I was out today, thinking that maybe it was running and when it was finished I would see a message indicating that. But no.

I forgot to mention that every time I restart my PC two processes start, Windows Installer and Instant Share. The only way I can stop them is to kill them with the task manager. I have tried to let them run, but nothing ever happens except they eat up PC resources.

Thank you again, Sorry I'm having so much trouble.

Ken



