XP DELUXE-ANTIVIRUS-ANTIVIRUS PRO-DEFENDER32 - AND OTHERS


16 replies to this topic

#1 Lynn0210

  • Members
  • 10 posts

Posted 03 July 2009 - 11:36 AM

I have Windows XP Prof on a Dell Dual Core 410
I use Firefox most of the time
I have Kaspersky as virus and firewall protection

I regularly run Malwarebytes .. especially if KIS alerts me to an attack
CCleaner is run after any type of infection
followed by disk defragmenter.

Something attacked my computer yesterday and totally crashed
Kaspersky .. and most of my software it seems..

Browsers keep crashing.. programs won't run
Computer locks up too..

PopUps all over the place now that Kaspersky is down.. (won't load and gives me
error messages)

Malwarebytes detects 15 items but cannot seem to remove them or disinfect
Ad-Aware the same thing.. detects but does not remove
Bit Defender same thing .. detects but does not remove

I ran a dds if you need that

After this clean up.. I would appreciate recommendations for keeping my
computer safe and avoiding these attacks .. or at least getting the best
protection I can..



Please help .. thanks


#2 rigel

  • BC Advisor
  • 12,944 posts
  • Location:South Carolina - USA

Posted 03 July 2009 - 11:43 AM

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial - a Self Help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C Drive (or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 Lynn0210

  • Topic Starter
  • Members
  • 10 posts

Posted 03 July 2009 - 03:10 PM

Here's the log:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/03 14:34
Program Version: Version 1.3.0.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_iastor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iastor.sys
Address: 0xA702D000 Size: 749568 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA0A05000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Lynn\Favorites\HOSTGATOR
Status: Locked to the Windows API!

Path: c:\documents and settings\all users\application data\pure networks\log\logfile.nmsrvc_exe.txt
Status: Size mismatch (API: 60484, Raw: 60350)

Path: C:\Documents and Settings\Lynn\Desktop\COMPLETED\AFFILIATE INFO - INVESTING ETC\Blackhat Black Book Secret Million Dollar $$ Casino Industry Gambling Affiliate Marketing\Blackhat Black Book Secret Million Dollar $$ Casino Industry Gambling Affiliate Marketing.rar
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Lynn\Desktop\COMPLETED\AFFILIATE INFO - INVESTING ETC\Google AdSense Secrets Or What Google Never Told You About Making Money With AdSense (3rd Edition)\Google AdSense Secrets Or What Google Never Told You About Making Money With AdSense (3rd Edition).pdf
Status: Locked to the Windows API!

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\report\01\00000110_events.dat
Status: Size mismatch (API: 1027402, Raw: 1027332)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72da7ae

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72dc1ea

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72dbb9c

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72d9950

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72ddb7c

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72d9d92

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72d9f92

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72dbeac

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72de084

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72da0a8

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72da110

#: 084 Function Name: NtFsControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72dbd5e

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72dd620

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72db9f8

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72d9ab2

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72ddba6

#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72da178

#: 161 Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72d9e7c

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72d9c5a

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72d95d2

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72dca74

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72d9734

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72ddf56

#: 207 Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72d93d0

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72dc08c

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72da6ac

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72dd71a

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72ddbd0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72d9b08

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72ddcb4

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72ddde0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72dd54c

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72da47e

Stealth Objects
-------------------
Object: Hidden Module [Name: CLI.Aspect.DeviceDFP.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x059d0000 Size: 53248

Object: Hidden Module [Name: CLI.Aspect.VeryLargeDesktop.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05530000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.InfoCentre.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x05030000 Size: 45056

Object: Hidden Module [Name: CLI.Implementation.dll]
Process: cli.exe (PID: 3132) Address: 0x00c60000 Size: 45056

Object: Hidden Module [Name: LOG.Foundation.dll]
Process: cli.exe (PID: 3132) Address: 0x01160000 Size: 45056

Object: Hidden Module [Name: LOG.Foundation.Service.dll]
Process: cli.exe (PID: 3132) Address: 0x011c0000 Size: 53248

Object: Hidden Module [Name: CLI.Foundation.dll]
Process: cli.exe (PID: 3132) Address: 0x01190000 Size: 77824

Object: Hidden Module [Name: LOG.Foundation.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x011e0000 Size: 28672

Object: Hidden Module [Name: CLI.Foundation.XManifestation.dll]
Process: cli.exe (PID: 3132) Address: 0x01200000 Size: 36864

Object: Hidden Module [Name: System.Runtime.Remoting.dll]
Process: cli.exe (PID: 3132) Address: 0x01220000 Size: 307200

Object: Hidden Module [Name: CLI.Component.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x035c0000 Size: 94208

Object: Hidden Module [Name: ATICCCom.dll]
Process: cli.exe (PID: 3132) Address: 0x035f0000 Size: 28672

Object: Hidden Module [Name: AEM.Foundation.dll]
Process: cli.exe (PID: 3132) Address: 0x036e0000 Size: 36864

Object: Hidden Module [Name: CLI.Caste.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x03b50000 Size: 61440

Object: Hidden Module [Name: DEM.Graphics.I0601.dll]
Process: cli.exe (PID: 3132) Address: 0x03c50000 Size: 53248

Object: Hidden Module [Name: CLI.Component.Runtime.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x03c10000 Size: 45056

Object: Hidden Module [Name: CLI.Caste.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x03bb0000 Size: 307200

Object: Hidden Module [Name: DEM.Foundation.dll]
Process: cli.exe (PID: 3132) Address: 0x03c30000 Size: 28672

Object: Hidden Module [Name: ACE.Graphics.DisplaysManager.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x03c70000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.MultiVPU3.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x04ae0000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.MultiVPU3.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x04b00000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.MultiVPU2.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x04b20000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.MultiVPU2.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x04b40000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.MultiVPU.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x04b60000 Size: 45056

Object: Hidden Module [Name: System.Management.dll]
Process: cli.exe (PID: 3132) Address: 0x04d60000 Size: 380928

Object: Hidden Module [Name: ATIDEMGR.dll]
Process: cli.exe (PID: 3132) Address: 0x04d10000 Size: 299008

Object: Hidden Module [Name: CLI.Aspect.IntegratedUMAFrameBuffer.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x05010000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05210000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.HotkeysHandling.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x05070000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.InfoCentre.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05050000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.HotkeysHandling.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05090000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x050d0000 Size: 69632

Object: Hidden Module [Name: CLI.Aspect.MultiVPU.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x053f0000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DeviceCV2.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x05250000 Size: 61440

Object: Hidden Module [Name: CLI.Aspect.CustomFormats.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05230000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DeviceCV2.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05270000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.DeviceTV2.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x052b0000 Size: 69632

Object: Hidden Module [Name: CLI.Aspect.VeryLargeDesktop.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x05510000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.VPURecover.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x056e0000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x05610000 Size: 53248

Object: Hidden Module [Name: CLI.Aspect.DisplaysColour2.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x055b0000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.Radeon3DLegacy.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x05570000 Size: 53248

Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x05550000 Size: 61440

Object: Hidden Module [Name: CLI.Aspect.DisplaysColour2.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x05590000 Size: 53248

Object: Hidden Module [Name: CLI.Aspect.DisplaysColour.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x055f0000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DisplaysColour.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x055d0000 Size: 53248

Object: Hidden Module [Name: CLI.Aspect.VideoOverlay.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05680000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05640000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.VideoOverlay.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x05660000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.SmartGart.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x056c0000 Size: 36864

Object: Hidden Module [Name: ACE.Graphics.VideoOverlay.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x056a0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceCRT.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x05750000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.WorkstationConfig.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x05720000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.VPURecover.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05700000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DeviceCRT2.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x057b0000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.DeviceCRT.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05780000 Size: 69632

Object: Hidden Module [Name: CLI.Aspect.DeviceLCD2.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x05860000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DeviceLCD.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x05820000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DeviceCRT2.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x057f0000 Size: 69632

Object: Hidden Module [Name: CLI.Aspect.DeviceLCD.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05840000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x058a0000 Size: 61440

Object: Hidden Module [Name: CLI.Aspect.DeviceLCD2.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05880000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x059b0000 Size: 69632

Object: Hidden Module [Name: DEM.Graphics.I0600.dll]
Process: cli.exe (PID: 3132) Address: 0x058d0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.SmartGart.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05900000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.WorkstationConfig.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05920000 Size: 36864

Object: Hidden Module [Name: DEM.Graphics.I0602.dll]
Process: cli.exe (PID: 3132) Address: 0x05940000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceProperty.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05960000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceProperty2.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05980000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceProperty2.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x059a0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.PowerPlay3.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x05ae0000 Size: 61440

Object: Hidden Module [Name: CLI.Aspect.OverDrive3.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x05a60000 Size: 86016

Object: Hidden Module [Name: CLI.Aspect.DeviceDFP2.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x05a10000 Size: 53248

Object: Hidden Module [Name: CLI.Aspect.DeviceDFP.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x059f0000 Size: 53248

Object: Hidden Module [Name: CLI.Aspect.DeviceDFP2.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05a30000 Size: 53248

Object: Hidden Module [Name: CLI.Aspect.OverDrive2.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x05ab0000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.OverDrive3.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05a90000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DisplaysOptions.Graphics.Runtime.dll]
Process: cli.exe (PID: 3132) Address: 0x05b20000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.PowerPlay3.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05b00000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.Radeon3DLegacy.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05b40000 Size: 61440

Object: Hidden Module [Name: CLI.Aspect.DeviceTV2.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05ca0000 Size: 69632

Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05e00000 Size: 69632

Object: Hidden Module [Name: CLI.Aspect.DisplaysOptions.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05e50000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.OverDrive2.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05e20000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.IntegratedUMAFrameBuffer.Graphics.Shared.dll]
Process: cli.exe (PID: 3132) Address: 0x05e70000 Size: 28672

Object: Hidden Module [Name: APM.Foundation.dll]
Process: cli.exe (PID: 3132) Address: 0x05ea0000 Size: 36864

Object: Hidden Handle [Index: 14020, Type: File]
Process: aap.exe (PID: 3272) Address: 0x87fbdab8 Size: -

Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Shared.dll]
Process: cli.exe (PID: 2824) Address: 0x04fa0000 Size: 69632

Object: Hidden Module [Name: CLI.Aspect.DeviceProperty.Graphics.Shared.dll]
Process: cli.exe (PID: 2824) Address: 0x04ec0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Wizard.dll]
Process: cli.exe (PID: 2824) Address: 0x04990000 Size: 135168

Object: Hidden Module [Name: CLI.Aspect.DeviceCV2.Graphics.Wizard.dll]
Process: cli.exe (PID: 2824) Address: 0x04110000 Size: 1241088

Object: Hidden Module [Name: ATICCCom.dll]
Process: cli.exe (PID: 2824) Address: 0x03780000 Size: 28672

Object: Hidden Module [Name: CLI.Implementation.dll]
Process: cli.exe (PID: 2824) Address: 0x00c60000 Size: 45056

Object: Hidden Module [Name: LOG.Foundation.dll]
Process: cli.exe (PID: 2824) Address: 0x01160000 Size: 45056

Object: Hidden Module [Name: LOG.Foundation.Service.dll]
Process: cli.exe (PID: 2824) Address: 0x011c0000 Size: 53248

Object: Hidden Module [Name: CLI.Foundation.dll]
Process: cli.exe (PID: 2824) Address: 0x01190000 Size: 77824

Object: Hidden Module [Name: LOG.Foundation.Shared.dll]
Process: cli.exe (PID: 2824) Address: 0x011e0000 Size: 28672

Object: Hidden Module [Name: CLI.Foundation.XManifestation.dll]
Process: cli.exe (PID: 2824) Address: 0x01200000 Size: 36864

Object: Hidden Module [Name: System.Runtime.Remoting.dll]
Process: cli.exe (PID: 2824) Address: 0x01220000 Size: 307200

Object: Hidden Module [Name: CLI.Component.Wizard.Shared.dll]
Process: cli.exe (PID: 2824) Address: 0x03710000 Size: 36864

Object: Hidden Module [Name: CLI.Component.Wizard.dll]
Process: cli.exe (PID: 2824) Address: 0x03640000 Size: 634880

Object: Hidden Module [Name: CLI.Foundation.Clients.dll]
Process: cli.exe (PID: 2824) Address: 0x036f0000 Size: 53248

Object: Hidden Module [Name: CLI.Component.Runtime.dll]
Process: cli.exe (PID: 2824) Address: 0x03750000 Size: 94208

Object: Hidden Module [Name: AEM.Foundation.dll]
Process: cli.exe (PID: 2824) Address: 0x037c0000 Size: 36864

Object: Hidden Module [Name: CLI.Caste.Graphics.Shared.dll]
Process: cli.exe (PID: 2824) Address: 0x037a0000 Size: 61440

Object: Hidden Module [Name: ACE.Graphics.DisplaysManager.Shared.dll]
Process: cli.exe (PID: 2824) Address: 0x037e0000 Size: 36864

Object: Hidden Module [Name: CLI.Caste.Graphics.Wizard.dll]
Process: cli.exe (PID: 2824) Address: 0x03d20000 Size: 94208

Object: Hidden Module [Name: CLI.Caste.Graphics.Wizard.Shared.dll]
Process: cli.exe (PID: 2824) Address: 0x03d50000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Wizard.dll]
Process: cli.exe (PID: 2824) Address: 0x03eb0000 Size: 1241088

Object: Hidden Module [Name: CLI.Aspect.DeviceTV2.Graphics.Wizard.dll]
Process: cli.exe (PID: 2824) Address: 0x04490000 Size: 159744

Object: Hidden Module [Name: CLI.Aspect.DeviceLCD2.Graphics.Wizard.dll]
Process: cli.exe (PID: 2824) Address: 0x04390000 Size: 421888

Object: Hidden Module [Name: CLI.Aspect.DeviceLCD.Graphics.Wizard.dll]
Process: cli.exe (PID: 2824) Address: 0x042b0000 Size: 421888

Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Wizard.dll]
Process: cli.exe (PID: 2824) Address: 0x04430000 Size: 159744

Object: Hidden Module [Name: CLI.Aspect.DisplaysManager.Graphics.Wizard.dll]
Process: cli.exe (PID: 2824) Address: 0x04710000 Size: 2379776

Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Shared.dll]
Process: cli.exe (PID: 2824) Address: 0x04980000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.InfoCentre.Graphics.Wizard.dll]
Process: cli.exe (PID: 2824) Address: 0x04c50000 Size: 339968

Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Wizard.dll]
Process: cli.exe (PID: 2824) Address: 0x04a70000 Size: 471040

Object: Hidden Module [Name: CLI.Aspect.TransCode.Local.Wizard.dll]
Process: cli.exe (PID: 2824) Address: 0x04b70000 Size: 520192

Object: Hidden Module [Name: CLI.Aspect.DeviceProperty2.Graphics.Shared.dll]
Process: cli.exe (PID: 2824) Address: 0x04f00000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceCV2.Graphics.Shared.dll]
Process: cli.exe (PID: 2824) Address: 0x04ee0000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.CustomFormats.Graphics.Shared.dll]
Process: cli.exe (PID: 2824) Address: 0x04f20000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DeviceLCD2.Graphics.Shared.dll]
Process: cli.exe (PID: 2824) Address: 0x04f70000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DeviceLCD.Graphics.Shared.dll]
Process: cli.exe (PID: 2824) Address: 0x04f50000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DeviceTV2.Graphics.Shared.dll]
Process: cli.exe (PID: 2824) Address: 0x04fe0000 Size: 69632

Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Shared.dll]
Process: cli.exe (PID: 2824) Address: 0x05030000 Size: 69632

Object: Hidden Module [Name: atixclib.dll]
Process: cli.exe (PID: 2824) Address: 0x05130000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.TransCode.Local.Shared.dll]
Process: cli.exe (PID: 2824) Address: 0x050d0000 Size: 299008

Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Shared.dll]
Process: cli.exe (PID: 2824) Address: 0x05070000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.InfoCentre.Graphics.Shared.dll]
Process: cli.exe (PID: 2824) Address: 0x05310000 Size: 36864

Object: Hidden Code [ETHREAD: 0x86e92020]
Process: System Address: 0x895b21a0 Size: 2246

Object: Hidden Code [ETHREAD: 0x86f25020]
Process: System Address: 0x8959cf9f Size: 100

Object: Hidden Code [ETHREAD: 0x86e8fda8]
Process: System Address: 0x895d0517 Size: 2795

Object: Hidden Code [ETHREAD: 0x86f12da8]
Process: System Address: 0x8959fc11 Size: 1009

Object: Hidden Code [Driver: iastor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8957c1c0 Size: 3652

==EOF==
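
Added example (editor's code, not part of the thread and not from RootRepeal): a short Python triage script for a report in the format above. It splits the report into its sections, counts SSDT hooks per hooking image, computes the API-versus-raw size delta for each locked file, and groups Stealth Objects by the process they were found in. The embedded report is a constructed, abridged sample with a couple of records per section laid out the way RootRepeal writes them; to run it on a saved RootRepeal.txt, read that file into parse_report instead. Read through this lens, the full log above says: every one of the SSDT hooks belongs to klif.sys, Kaspersky's filter driver (the SmitfraudFix process list later in the thread shows Kaspersky Internet Security 2009 running), and the long run of hidden modules all sit in cli.exe, the ATI Catalyst Control Center process from C:\Program Files\ATI Technologies\ATI.ACE in that same list, so both are the footprint of installed software rather than of the infection. What is left for a human decision is the hidden handle in aap.exe, which that process list shows running from an "Antivirus Agent Pro" directory, and the hidden code entries in system threads and in the iastor IRP handler.

```python
import re
from collections import Counter, defaultdict

# Constructed, abridged sample in RootRepeal's report layout (a few records per section, not the full log).
SAMPLE_REPORT = r"""
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\all users\application data\pure networks\log\logfile.nmsrvc_exe.txt
Status: Size mismatch (API: 60484, Raw: 60350)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72da7ae

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa72da47e

Stealth Objects
-------------------
Object: Hidden Module [Name: CLI.Implementation.dll]
Process: cli.exe (PID: 3132) Address: 0x00c60000 Size: 45056

Object: Hidden Handle [Index: 14020, Type: File]
Process: aap.exe (PID: 3272) Address: 0x87fbdab8 Size: -

Object: Hidden Code [Driver: iastor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8957c1c0 Size: 3652

==EOF==
"""

HOOK_RE = re.compile(r"#: (\d+) Function Name: (\S+)")
HOOKED_BY_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
SIZE_RE = re.compile(r"Size mismatch \(API: (\d+), Raw: (\d+)\)")
PROC_RE = re.compile(r"Process: (\S+)(?: \(PID: (\d+)\))?")

def parse_report(text):
    """{section: [record]} where a record is the run of consecutive lines that make up one entry."""
    lines = text.splitlines()
    sections, current, record = defaultdict(list), None, []
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.strip() and nxt.startswith("-----"):        # the section title sits above the dashes
            current = line.strip()
            continue
        if current is None or line.startswith("-----"):
            continue
        if not line.strip() or line.startswith("==EOF=="):  # a blank line (or EOF) closes a record
            if record:
                sections[current].append(record)
                record = []
            continue
        record.append(line.rstrip())
    if record:
        sections[current].append(record)
    return sections

def ssdt_hooks(sections):
    """(service index, function, hooking image, hook address) for every SSDT entry."""
    hooks = []
    for rec in sections.get("SSDT", []):
        m1 = HOOK_RE.search(rec[0])
        m2 = HOOKED_BY_RE.search(rec[1]) if len(rec) > 1 else None
        if m1 and m2:
            hooks.append((int(m1.group(1)), m1.group(2), m2.group(1), m2.group(2)))
    return hooks

def hooks_by_image(hooks):
    """Hook count per hooking image (case-folded). One installed security driver owning every hook is
    the expected picture; a second, unfamiliar image, or a hook address inside no image, is what to chase."""
    return Counter(image.lower() for _, _, image, _ in hooks)

def hidden_files(sections):
    """Locked/hidden files with the API-minus-raw size delta when RootRepeal reported a mismatch (small
    deltas on files being appended to, such as logs, are ordinary scan-time races, not hiding)."""
    out = []
    for rec in sections.get("Hidden/Locked Files", []):
        status = rec[1].split("Status: ", 1)[1] if len(rec) > 1 else ""
        m = SIZE_RE.search(status)
        out.append({"path": rec[0].split("Path: ", 1)[1], "status": status,
                    "api_minus_raw": int(m.group(1)) - int(m.group(2)) if m else None})
    return out

def stealth_by_process(sections):
    """Stealth objects grouped by owning process, so dozens of hidden modules in one GUI process
    collapse into one finding, separate from a hidden handle or hidden kernel code."""
    grouped = defaultdict(list)
    for rec in sections.get("Stealth Objects", []):
        m = PROC_RE.search(rec[1]) if len(rec) > 1 else None
        grouped[m.group(1) if m else "?"].append(rec[0].split("Object: ", 1)[1])
    return dict(grouped)

if __name__ == "__main__":
    secs = parse_report(SAMPLE_REPORT)   # use open("RootRepeal.txt").read() for a saved report
    print("SSDT hooks per image:", dict(hooks_by_image(ssdt_hooks(secs))))
    print("locked files:", hidden_files(secs))
    print("stealth objects by process:", stealth_by_process(secs))
```

The grouping is the point: a hook table where one known driver owns every entry, and a stealth list where one known process owns every hidden module, can be dismissed as a block, which leaves the handful of entries that do not fit that shape standing out on their own.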

#4 rigel

  • BC Advisor
  • 12,944 posts
  • Location:South Carolina - USA

Posted 03 July 2009 - 05:30 PM

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


#5 Lynn0210

  • Topic Starter
  • Members
  • 10 posts

Posted 03 July 2009 - 07:29 PM

SmitFraudFix v2.423

Scan done at 20:27:48.79, Fri 07/03/2009
Run from C:\Documents and Settings\Lynn\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\brastia.exe
C:\Program Files\Antivirus Agent Pro\aap.exe
C:\Documents and Settings\Lynn\XP Deluxe Protector\xpdeluxe.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Lynn\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

hosts

hosts file corrupted !

209.44.111.62 antispy.microsoft.com

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Lynn

C:\Documents and Settings\Lynn\XP Deluxe Protector FOUND !

C:\DOCUME~1\Lynn\LOCALS~1\Temp


C:\Documents and Settings\Lynn\Application Data


Start Menu

C:\DOCUME~1\Lynn\STARTM~1\XP Deluxe Protector.lnk FOUND !

C:\DOCUME~1\Lynn\FAVORI~1


Desktop

C:\DOCUME~1\Lynn\Desktop\XP Deluxe Protector.lnk FOUND !

C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!



404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!



Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS

Description: Intel® 82566DC Gigabit Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 65.32.5.111
DNS Server Search Order: 65.32.5.112

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F04856AA-E8E1-4D42-9279-01339B5FF5E3}: DhcpNameServer=65.32.5.111 65.32.5.112
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.32.5.111 65.32.5.112


Scanning for wininet.dll infection


End
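
The hosts section of that report is the one unambiguous finding in it: antispy.microsoft.com mapped to 209.44.111.62, an address outside the machine, so that name no longer resolves where Windows expects it to. Redirecting Microsoft and security-vendor names, or pinning them to 127.0.0.1 so updates and help sites silently fail, is the usual hosts-file tampering by this class of rogue. The script below is an added example (editor's code, not part of the thread, of SmitfraudFix or of the MVPS hosts project): it parses a hosts file, classifies each mapping as the stock localhost line, a blocklist-style sinkhole, a black-holed update or vendor name, or a redirect to a real address, and prints the stock XP content to replace a tampered file with. The hosts text and the sensitive-domain suffix list are constructed for the example. One caveat before acting on its output: an entry a user added by hand for a LAN host also classifies as "redirect", so confirm each finding rather than deleting on sight.

```python
import ipaddress
import sys

# Constructed sample: stock XP header, a blocklist-style sinkhole, the antispy.microsoft.com line the
# SmitfraudFix report above flagged, and a loopback entry that would black-hole an AV vendor's updates.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
0.0.0.0         ads.example.net          # blocklist-style sinkhole, the form the MVPS file uses
209.44.111.62   antispy.microsoft.com
127.0.0.1       www.kaspersky.com update.kaspersky.com
"""

# Assumed list (editor's choice, not from the thread): names a rogue would redirect or black-hole.
SENSITIVE_SUFFIXES = ("microsoft.com", "windowsupdate.com", "kaspersky.com",
                      "malwarebytes.org", "bleepingcomputer.com")
DEFAULT_XP_HOSTS = "127.0.0.1       localhost\n"   # the only mapping a stock XP hosts file carries

def is_sensitive(host):
    return any(host == s or host.endswith("." + s) for s in SENSITIVE_SUFFIXES)

def parse_hosts(text):
    """(lineno, ip or None, [hostnames]) per mapping line; comments and blank lines are dropped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            ip = None                      # malformed address: keep the line visible rather than skip it
        entries.append((n, ip, [h.lower() for h in parts[1:]]))
    return entries

def classify(ip, hosts):
    """default    : the stock localhost line
       sinkhole   : 127.x / 0.0.0.0 for a non-sensitive name (ad or tracker blocking)
       black-hole : 127.x / 0.0.0.0 for an update or security-vendor name (kills updates and help sites)
       redirect   : a real address; unless the user added it by hand it is a hijack indicator
       malformed  : unparsable address"""
    if ip is None:
        return "malformed"
    if hosts == ["localhost"] and ip.is_loopback:
        return "default"
    if ip.is_loopback or ip.is_unspecified:
        return "black-hole" if any(is_sensitive(h) for h in hosts) else "sinkhole"
    return "redirect"

def audit_hosts(text):
    """[(lineno, verdict, ip_text, hostnames)] for every mapping line."""
    return [(n, classify(ip, hosts), str(ip) if ip else "?", hosts) for n, ip, hosts in parse_hosts(text)]

def findings(text):
    """Only the rows that have no business in a clean hosts file."""
    return [row for row in audit_hosts(text) if row[1] in ("redirect", "black-hole", "malformed")]

if __name__ == "__main__":
    # argv[1] = path to the real file (C:\Windows\System32\drivers\etc\hosts); otherwise audit the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for n, verdict, ip, hosts in audit_hosts(text):
        print(f"line {n:>3}  {verdict:<10} {ip:<16} {' '.join(hosts)}")
    if findings(text):
        print("\nreplace the file with the stock content:\n" + DEFAULT_XP_HOSTS, end="")
```

The stock one-line file is the minimal replacement; the advisor's follow-up in this thread instead installs the MVPS blocklist file, which is the same idea with thousands of deliberate sinkhole entries added. Either way, the test of a clean file is that nothing in it resolves a Microsoft or security-vendor name to anywhere but its real address.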

#6 rigel

  • BC Advisor
  • 12,944 posts
  • Location:South Carolina - USA

Posted 03 July 2009 - 08:34 PM

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.


After that, please update and rerun Malwarebytes and post the new log.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#7 rigel
  • FD-BC
  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 03 July 2009 - 09:24 PM

Part II - We also need to replace your HOSTS file - yours is corrupted. I suggest using this one: mvps hosts file site with info. Direct download link: HOSTS



#8 Lynn0210
  • Topic Starter
  • Members
  • 10 posts

Posted 03 July 2009 - 10:35 PM

Regarding the hosts file..

There seems to be more than one method of installing.
Since I don't know much about this area.. can you tell
me how to install it?

#9 Lynn0210
  • Topic Starter
  • Members
  • 10 posts

Posted 03 July 2009 - 10:50 PM

SmitFraudFix v2.423

Scan done at 23:34:02.29, Fri 07/03/2009
Run from C:\Documents and Settings\Lynn\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost
::1 localhost
209.44.111.62 antiaware-pro.com
209.44.111.62 www.antiaware-pro.com

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\Documents and Settings\Lynn\XP Deluxe Protector\ Deleted
C:\DOCUME~1\Lynn\STARTM~1\XP Deluxe Protector.lnk Deleted
C:\DOCUME~1\Lynn\Desktop\XP Deluxe Protector.lnk Deleted

IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F04856AA-E8E1-4D42-9279-01339B5FF5E3}: DhcpNameServer=65.32.5.111 65.32.5.112
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.32.5.111 65.32.5.112


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

"System"=""


RK.2



Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End
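A hosts-file check that goes with the "hosts" section of the log above and with the MVPS replacement suggested earlier in the thread, added here as an example and not part of the thread, of SmitFraudFix or of the MVPS package: it separates blocking entries (loopback or 0.0.0.0, which is what the MVPS list consists of) from entries that redirect a name to a routable address, which is the shape the hijacked file shows. The sample text is constructed from the log's entries; the Windows hosts path used when running on Windows is the standard location.

```python
import ipaddress
import os
# Constructed sample shaped like the "hosts" section of the SmitFraudFix log
# above; the antiaware-pro.com lines are the redirects that log shows, the
# 0.0.0.0 line is a constructed MVPS-style blocking entry for contrast.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
209.44.111.62   antiaware-pro.com
209.44.111.62   www.antiaware-pro.com   # redirect to a routable address
0.0.0.0         ad.doubleclick.net      # MVPS-style blocking entry
"""

def parse_hosts(text):
    """Return (address, hostname) pairs; comments, blanks and bad lines are skipped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an IP address, so not a hosts entry
        entries.extend((parts[0], name.lower()) for name in parts[1:])
    return entries


def is_sinkhole(addr):
    """Loopback and 0.0.0.0 entries only block a name; they send traffic nowhere."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def find_redirects(text):
    """Entries that send a name to a routable host: the shape of a hijacked hosts file."""
    return [(a, n) for a, n in parse_hosts(text) if not is_sinkhole(a)]


if __name__ == "__main__":
    # Default hosts file location on Windows XP and later; falls back to the sample.
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    text = SAMPLE_HOSTS
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as f:
            text = f.read()
    for addr, name in find_redirects(text):
        print(f"REDIRECT {name} -> {addr}")
```

Run on a clean system with the MVPS list installed, the script reports nothing, because every MVPS entry points at 0.0.0.0; the two antiaware-pro.com lines from the log are the kind of entry it does report.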

#10 rigel
  • FD-BC
  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 03 July 2009 - 10:50 PM

I will be glad to. If you download the file to your desktop, you can double-click the .zip file. That will open an extraction window. To the right, there should be a line that says "Extract all files". Click that, then click Next - Next - Finish. This will place a new folder on your desktop called Hosts, and it should open a window with the extracted files. Double-click MVPS.bat and the batch file will do all the work for you.

Let me know if this doesn't help.



#11 Lynn0210
  • Topic Starter
  • Members
  • 10 posts

Posted 03 July 2009 - 10:50 PM

Still getting popups from malware.. not as many

desktop color and fonts all changed

am running malwarebytes now..

#12 Lynn0210
  • Topic Starter
  • Members
  • 10 posts

Posted 04 July 2009 - 02:03 AM

Malwarebytes' Anti-Malware 1.34
Database version: 1861
Windows 5.1.2600 Service Pack 3

7/4/2009 3:00:02 AM
mbam-log-2009-07-04 (03-00-02).txt

Scan type: Full Scan (C:\|J:\|K:\|L:\|M:\|N:\|O:\|P:\|Q:\|R:\|)
Objects scanned: 191979
Time elapsed: 1 hour(s), 58 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Malwarebytes does not seem to be picking up the remaining
infected items..

#13 rigel
  • FD-BC
  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 04 July 2009 - 11:42 AM

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)



#14 Lynn0210
  • Topic Starter
  • Members
  • 10 posts

Posted 05 July 2009 - 05:55 AM

I have tried 3 times to use DrWeb
It goes through the Express scan fine
but on the complete scan it gets stuck on a certain
file and won't budge past there.

The last time it got stuck.. I left it overnight so I am sure it
was stuck after 4-5 hours in the same place.

What do you suggest?

#15 rigel
  • FD-BC
  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 05 July 2009 - 04:50 PM

Let's try an alternate

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image





