Help Trojan PSW.Generic7.AUZH


  • This topic is locked
45 replies to this topic

#1 jessicar1

jessicar1

  • Members
  • 49 posts
  • OFFLINE
  • Local time:03:35 AM

Posted 08 January 2010 - 04:39 PM

Help, I don't know what else to try. AVG found the trojan in c:\windows\system32\etsuap.dll. I put it in the vault and rebooted the computer. Once I rebooted I got an error saying that it was "unable to locate component" and "that the application has failed to start because netsuap.dll was not found. Re-installing the application may fix the problem", but if I x out of it the application will open. I now keep getting the errors for almost every application.

I restored it and tried to find it with Malwarebytes and Spybot, but neither one picked it up. When it was restored I didn't get the errors anymore. AVG kept finding the trojan though; it kept popping up and there were almost 200 of the same thing found. I also tried deleting it from the registry; that didn't work either. I also tried to do a system restore and it wouldn't let me.

I also ran a test on the file at Jotti's virus scan and VirusTotal, and these are the results. I had to restore the virus and turn off my resident shield to test it.

I'm not sure what they mean, seeing they came up with different results. After the tests I re-vaulted it and turned my resident shield back on and rebooted the computer.

The Jotti virus scan status says 12 out of 20 scanners reported malware; the results were all different. These are what were found:

2010-01-06 Found nothing
2010-01-06 Trojan-PSW.Win32.Agent.orx
2010-01-07 Trojan-PWS.Win32.Agent!IK
2010-01-06 Trojan.Generic.2891721
2010-01-06 Win32:Kheagol-J
2010-01-07 Trojan-PWS.Win32.Agent
2010-01-06 PSW.Generic7.AUZH
2010-01-07 Trojan-PSW.Win32.Agent.orx
2010-01-06 Found nothing
2010-01-06 Found nothing
2010-01-06 Trojan.Generic.2891721
2010-01-06 Found nothing
2010-01-06 PUA.Packed.ASPack212
2010-01-05 Found nothing
2010-01-07 Found nothing
2010-01-06 Found nothing
2010-01-07 Trojan.PWS.Siggen.2124
2010-01-06 Trojan-PSW.Win32.Agent.orx
2010-01-06 W32/Pws.BNUB
2010-01-06 Found nothing


The VirusTotal scan result was 22/40 (55%); it also found different ones:



Antivirus Version Last Update Result
a-squared 4.5.0.48 2010.01.07 Trojan-PWS.Win32.Agent!IK
AhnLab-V3 5.0.0.2 2010.01.06 Win-Trojan/Xema.variant
AntiVir 7.9.1.122 2009.12.31 -
Antiy-AVL 2.0.3.7 2010.01.06 Trojan/Win32.Agent.gen
Authentium 5.2.0.5 2010.01.07 W32/Pws.BNUB
Avast 4.8.1351.0 2010.01.06 Win32:Kheagol-J
AVG 8.5.0.430 2010.01.04 PSW.Generic7.AUZH
BitDefender 7.2 2010.01.07 Trojan.Generic.2891721
CAT-QuickHeal 10.00 2010.01.05 -
ClamAV 0.94.1 2010.01.07 PUA.Packed.ASPack212
Comodo 3490 2010.01.06 -
DrWeb 5.0.1.12222 2010.01.07 Trojan.PWS.Siggen.2124
eSafe 7.0.17.0 2010.01.06 -
eTrust-Vet 35.1.7219 2010.01.06 Win32/Sipay.OO
F-Prot 4.5.1.85 2010.01.06 W32/Pws.BNUB
F-Secure 9.0.15370.0 2010.01.06 Trojan.Generic.2891721
Fortinet 4.0.14.0 2010.01.07 -
GData 19 2010.01.06 Trojan.Generic.2891721
Ikarus T3.1.1.79.0 2010.01.07 Trojan-PWS.Win32.Agent
Jiangmin 13.0.900 2010.01.06 Trojan/PSW.Agent.jcd
K7AntiVirus 7.10.940 2010.01.06 Trojan-PSW.Win32.Agent.orx
Kaspersky 7.0.0.125 2010.01.07 Trojan-PSW.Win32.Agent.orx
McAfee 5853 2010.01.06 -
McAfee+Artemis 5853 2010.01.06 -
McAfee-GW-Edition 6.8.5 2010.01.07 -
Microsoft 1.5302 2010.01.07 -
NOD32 4749 2010.01.06 -
Norman 6.04.03 2010.01.06 -
nProtect 2009.1.8.0 2010.01.06 Trojan-PWS/W32.Agent.144428
Panda 10.0.2.2 2010.01.06 -
PCTools 7.0.3.5 2010.01.07 -
Rising 22.29.03.01 2010.01.07 Trojan.DL.Win32.Nodef.amx
Sophos 4.49.0 2010.01.07 -
Sunbelt 3.2.1858.2 2010.01.07 -
Symantec 20091.2.0.41 2010.01.07 -
TheHacker 6.5.0.3.137 2010.01.06 Trojan/PSW.Agent.orx
TrendMicro 9.120.0.1004 2010.01.06 PAK_Generic.001
VBA32 3.12.12.1 2010.01.06 Trojan-PSW.Win32.Agent.orx
ViRobot 2010.1.6.2124 2010.01.06 -
VirusBuster 5.0.21.0 2010.01.06 -

Additional information
File size: 144428 bytes
MD5...: 23d0e065715ae16b430b928ae493c951
SHA1..: c683b79bf1b7adde602cd3e17fb6994fead11f37
SHA256: e29b88a5996be506058f6be8df435f84071752d1032a265e04cf2596cca6a9b3
ssdeep: 3072:pU714G5SqiIpR9HUVLYWRf/OYKehOItoa:pC1JkRyWLYWdaehOU1

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x37001
timedatestamp.....: 0x4ac20b8e (Tue Sep 29 13:28:46 2009)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x30000 0x1f800 8.00 3774f699a990156cbadbc00fa79cf70d
.bss 0x31000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x32000 0x1000 0x800 3.99 48a2bea256ce33836c94a34019e444be
.data 0x33000 0x2000 0xc00 7.92 e24d211dd79913dd330e473621480ec5
.reloc 0x35000 0x2000 0x1200 7.71 c6d715e309f0a610932859cae05a7582
.aspack 0x37000 0x2000 0x1200 5.63 227ad41be6dca505be262b2dd36cfe29
.adata 0x39000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

( 2 imports )
> kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA
> msvcrt.dll: __3@YAXPAX@Z

( 1 exports )
ctnxyiqygk

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (38.5%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
packers (Kaspersky): ASPack
packers (Antiy-AVL): ASPack 2.12
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Does this mean it's a virus, malware or a false positive? Malwarebytes and Spybot didn't find anything. Any ideas on what else I can try? Thanks.

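Editor's added example (not part of the thread, and not AVG's, Jotti's or VirusTotal's own code): a small Python triage script over the report fields quoted in the post above. The report already carries most of the answer to the question asked here, if read together: a .text section with entropy 8.00 that is larger in memory (0x30000) than on disk (0x1f800), .aspack and .adata sections, an import table reduced to GetProcAddress/GetModuleHandleA/LoadLibraryA (an ASPack stub rebuilds the real imports at run time), a single export with a random-looking name, no signature, and 22 of 40 engines naming it a password stealer (PSW/PWS). An engine reporting "Found nothing" does not clear a packed file; an engine that does not unpack ASPack only ever sees the packer. The script embeds an excerpt of the report copied from the post (8 of the 40 engine rows, all sections, imports and exports), so it runs without the DLL; the thresholds (entropy at or above 7.0, at most five imports, 25% detection ratio, vowel ratio under 0.2) are this example's heuristics and no vendor's rules.

```python
"""Triage of a pasted VirusTotal/Jotti report (added example; not from the thread).
Thresholds below are the editor's heuristics, not a vendor's rules."""
import math
import re
from collections import Counter

# Section names left behind by common packers (heuristic, non-exhaustive list).
PACKER_SECTIONS = {".aspack", ".adata", "upx0", "upx1", "upx2", ".petite", ".vmp0", ".vmp1"}

# Excerpt of the report quoted in the post (8 of 40 engine rows; all sections/imports/exports).
SAMPLE_REPORT = """\
AVG 8.5.0.430 2010.01.04 PSW.Generic7.AUZH
ClamAV 0.94.1 2010.01.07 PUA.Packed.ASPack212
DrWeb 5.0.1.12222 2010.01.07 Trojan.PWS.Siggen.2124
Kaspersky 7.0.0.125 2010.01.07 Trojan-PSW.Win32.Agent.orx
McAfee 5853 2010.01.06 -
Microsoft 1.5302 2010.01.07 -
NOD32 4749 2010.01.06 -
Symantec 20091.2.0.41 2010.01.07 -

.text 0x1000 0x30000 0x1f800 8.00 3774f699a990156cbadbc00fa79cf70d
.bss 0x31000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x32000 0x1000 0x800 3.99 48a2bea256ce33836c94a34019e444be
.data 0x33000 0x2000 0xc00 7.92 e24d211dd79913dd330e473621480ec5
.reloc 0x35000 0x2000 0x1200 7.71 c6d715e309f0a610932859cae05a7582
.aspack 0x37000 0x2000 0x1200 5.63 227ad41be6dca505be262b2dd36cfe29
.adata 0x39000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

> kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA
> msvcrt.dll: __3@YAXPAX@Z

( 1 exports )
ctnxyiqygk
"""

SECTION_RE = re.compile(
    r"^(\S+)\s+0x[0-9a-f]+\s+0x([0-9a-f]+)\s+0x([0-9a-f]+)\s+(\d+\.\d+)\s+[0-9a-f]{32}$", re.I)
AV_ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")
IMPORT_RE = re.compile(r"^>\s*(\S+):\s*(.+)$")
EXPORT_HDR_RE = re.compile(r"^\(\s*\d+\s+exports?\s*\)$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the 'ntrpy' column: 0.0 for a constant buffer, 8.0 for uniformly
    random bytes. Compressed or encrypted code (a packer's output) sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_generated(name: str) -> bool:
    """Crude check for machine-generated identifiers: long, all lowercase, almost no vowels."""
    if len(name) < 8 or not name.isalpha() or not name.islower():
        return False
    return sum(ch in "aeiou" for ch in name) / len(name) < 0.2


def parse_report(text: str) -> dict:
    """Pull sections, imports, exports and per-engine verdicts out of the report text."""
    sections, imports, exports, detections = [], {}, [], {}
    in_exports = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_exports = False  # the export list ends at the first blank line
            continue
        if m := SECTION_RE.match(line):
            name, vsize, rsize, ent = m.groups()
            sections.append({"name": name, "vsize": int(vsize, 16),
                             "rsize": int(rsize, 16), "entropy": float(ent)})
        elif m := IMPORT_RE.match(line):
            imports[m.group(1).lower()] = [a.strip() for a in m.group(2).split(",")]
        elif EXPORT_HDR_RE.match(line):
            in_exports = True
        elif in_exports:
            exports.append(line)
        elif m := AV_ROW_RE.match(line):
            result = m.group(4).strip()
            detections[m.group(1)] = None if result == "-" else result  # "-" means clean
    return {"sections": sections, "imports": imports, "exports": exports, "detections": detections}


def triage(report: dict) -> dict:
    """Combine structural packing indicators with the detection ratio into a verdict."""
    indicators = []
    for s in report["sections"]:
        if s["name"].lower() in PACKER_SECTIONS:
            indicators.append(f"packer section {s['name']}")
        if s["rsize"] and s["entropy"] >= 7.0:
            indicators.append(f"{s['name']} entropy {s['entropy']:.2f} (compressed/encrypted)")
        if s["name"] == ".text" and s["vsize"] > s["rsize"]:
            indicators.append(".text is larger in memory than on disk (unpacks at load time)")
    apis = {a for lst in report["imports"].values() for a in lst}
    if len(apis) <= 5 and {"GetProcAddress", "LoadLibraryA"} <= apis:
        indicators.append("tiny import table with GetProcAddress/LoadLibraryA (APIs resolved at run time)")
    indicators += [f"generated-looking export {n!r}" for n in report["exports"] if looks_generated(n)]
    hits = sum(1 for v in report["detections"].values() if v)
    total = len(report["detections"])
    ratio = hits / total if total else 0.0
    if ratio >= 0.25 and len(indicators) >= 2:
        verdict = "likely malicious"
    elif hits == 0 and not indicators:
        verdict = "probably clean"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "hits": hits, "total": total, "indicators": indicators}


if __name__ == "__main__":
    res = triage(parse_report(SAMPLE_REPORT))
    print(f"{res['verdict']} ({res['hits']}/{res['total']} engines)")
    for ind in res["indicators"]:
        print(" -", ind)
```

The verdict is only as good as the report it is fed; paste the full engine table rather than the excerpt for a real case, and keep the MD5/SHA256 from the post, since those hashes identify the exact sample regardless of what the file was renamed to.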


#2 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:05:35 PM

Posted 09 January 2010 - 12:13 AM

Welcome to BC, jessicar1. Pleased to see you took my advice.

Topic here in AVG Free Forums

Firstly, I see that you are using Spybot. If you have Spybot's Teatimer enabled, then you should now turn it off from within the Spybot user interface > "Advanced Mode", so that it doesn't interfere with your malware removal efforts.

It would also be a good idea to turn off AVG's resident shield also while we are working: See the following for how to:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Note: Don't forget to turn these back on when we are finished!

Now, let's see what we can do with your malware problem ....

Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. (TFC will close ALL open programs including your browser!)
  • Double-click on TFC.exe to run it. (If you are using Vista, right-click on the file and choose "Run As Administrator".)
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Please update your MBAM program.
  • On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note 1: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2: MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs


Please download SUPERAntiSpyware
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your Desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and click View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Please download Dr.Web CureIt! and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (something like this ... 5mkuvc4z.exe).
(Or download drweb-cureit.exe from here )

Print these instructions (or copy them to a Notepad file) so they will be accessible: Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Now, reboot your computer in "Safe Mode" using the F8 method. (To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows logo splashscreen appears) press the F8 key repeatedly. The "Windows Advanced Options Menu" will appear with several options. Use the Up/Down arrow keys to navigate and select the option to run Windows in "Safe Mode".)

Scan with Dr.Web CureIt! as follows:
  • Double-click on <the randomly named file that you downloaded> to open the program and click Start.
  • If you see a message, warning that Dr.Web CureIt! is available free only for personal use, click Cancel to continue.
  • Click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the "Dr.Web scanner anti-virus check" prompt and click Ok where asked to "Start scan now?"
    Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders.)
  • If prompted to download the "Full version / FREE trial", ignore it, and click the X to close the window.
  • If you see a message, warning that your HOSTS file has been modified and asking if you would like to restore it, click Yes.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured.)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply > Ok.
  • Back at the main window, click the green arrow ("Start Scanning") button on the right, under the Dr.Web logo.
    (Please be patient as this scan could take a long time to complete.)
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click File and choose Save report list.
  • Save the DrWeb.csv report to your Desktop. <<< Important!
  • Exit Dr.Web CureIt! when done.
Important! Reboot your computer normally (not to Safe Mode) because it could be possible that files in use will be moved/deleted during reboot.

After rebooting, post the contents of the log from Dr.Web.
  • On your Desktop, right-click on DrWeb.csv and choose Open with > Notepad
  • Copy and paste the entire file contents in your next reply.
    *******************************************
Now, please run a Full Scan this time with MBAM after again updating. Remove what it finds and then post the log from that too.

Edited by AustrAlien, 09 January 2010 - 01:59 AM.

AustrAlien
Google is my friend. Make Google your friend too.

#3 jessicar1

jessicar1
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:03:35 AM

Posted 09 January 2010 - 02:02 PM

One question before I do any of this: do I restore the "virus" from the AVG virus vault first?

#4 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:05:35 PM

Posted 09 January 2010 - 04:15 PM

One question before I do any of this: do I restore the "virus" from the AVG virus vault first?

That is a good question. Considering that you are bombarded with popup notices, making use of the computer difficult if it is left in the Vault, it might be best if you restore it from the Vault, then turn off AVG's resident shield and then proceed. Let's try it that way and see what happens.

Remember to re-enable AVG's resident shield after performing the scans, if you are using the computer to browse the internet again.

#5 jessicar1

jessicar1
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:03:35 AM

Posted 10 January 2010 - 01:18 AM

OK, so far I've done everything except for the Dr.Web CureIt!; here are the logs.

Malwarebytes' Anti-Malware 1.44
Database version: 3531
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/9/2010 9:47:01 PM
mbam-log-2010-01-09 (21-47-01).txt

Scan type: Quick Scan
Objects scanned: 119523
Time elapsed: 5 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

----------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/10/2010 at 00:22 AM

Application Version : 4.33.1000

Core Rules Database Version : 4462
Trace Rules Database Version: 2283

Scan type : Complete Scan
Total Scan Time : 01:48:08

Memory items scanned : 229
Memory threats detected : 1
Registry items scanned : 6397
Registry threats detected : 0
File items scanned : 217188
File threats detected : 183

Adware.Vundo/Variant-Crypt
C:\WINDOWS\SYSTEM32\NETSUAP.DLL
C:\WINDOWS\SYSTEM32\NETSUAP.DLL

Adware.Tracking Cookie
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@realmedia[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@interclick[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@adserver.adtechus[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@media6degrees[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ads.pointroll[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@insightexpressai[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@sales.liveperson[3].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@cms.trafficmp[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@web-stat[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@bs.serving-sys[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@questionmarket[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@www.qksrv[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@atdmt[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@precisionclick[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@revsci[3].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@lfstmedia[3].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@trafficmp[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@specificclick[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ads.bleepingcomputer[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@avgtechnologies.112.2o7[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@surveymonkey.122.2o7[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@samsclub.112.2o7[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ads.bridgetrack[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@tacoda[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@247realmedia[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@stat.aldi[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@serving-sys[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@sales.liveperson[5].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@tribalfusion[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@sales.liveperson[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@oasn04.247realmedia[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@at.atwola[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ads.gmodules[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@content.yieldmanager[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@collective-media[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ads.undertone[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@stat.aldi[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@msnportal.112.2o7[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@popcapgames.122.2o7[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ad.wsod[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@adbrite[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@cdn4.specificclick[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@specificmedia[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@pointroll[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@sales.liveperson[4].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@network.realmedia[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@clickondetroit[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@azjmp[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@www.clickondetroit[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@bonniercorp.122.2o7[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@linksynergy.walmart[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@accountonline[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@www.accountonline[1].txt
.msnportal.112.2o7.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.a.websponsors.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.a1.interclick.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.adlegend.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.ads.addynamix.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.adserver.adtechus.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.at.atwola.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.azjmp.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.bizrate.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.bravenet.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.chitika.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.cvs.pnimedia.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.dmtracker.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.electronicarts.112.2o7.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.intermundomedia.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.invitemedia.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.invitemedia.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.invitemedia.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.invitemedia.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.kodakimagingnetwork.122.2o7.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.kontera.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.kontera.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.kontera.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.lfstmedia.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.lfstmedia.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.media.causes.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.media.causes.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.media6degrees.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.media6degrees.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.media6degrees.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.media6degrees.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.media6degrees.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.meetupcom.122.2o7.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.network.realmedia.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.popcapgames.122.2o7.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.roiservice.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.socialmedia.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.socialmedia.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.specificmedia.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.viacom.adbureau.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.videoegg.adbureau.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.warnerbros.112.2o7.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.xiti.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
.yieldmanager.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
ads.bridgetrack.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
cdn4.specificclick.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
cdn4.specificclick.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
cvs.pnimedia.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
media.mtvnservices.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
media.mtvnservices.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
rotator.adjuggler.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
rotator.adjuggler.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
server.iad.liveperson.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
server.iad.liveperson.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
sitestat.mayoclinic.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
stats.manticoretechnology.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
www.burstbeacon.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
www.clickmanage.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
www.clickmanage.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qrolg1i2.default\cookies.txt ]
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@2o7[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@avgtechnologies.112.2o7[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@content.yieldmanager[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@content.yieldmanager[3].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@lfstmedia[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@media6degrees[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@microsoftsto.112.2o7[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@popcapgames.122.2o7[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@revsci[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@trafficmp[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@www.googleadservices[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@yadro[1].txt

Adware.CouponBar
C:\WINDOWS\CPNPRT2.CID
C:\WINDOWS\SYSTEM32\CPNPRT2.CID

---------------------------------------------------------------------------------------------------------------------------------

After I did the last scan and rebooted I started to get the error messages again. I'm going to be running the Dr.Web CureIt scan and I will post the results of that as well when it's done.

Edited by jessicar1, 10 January 2010 - 03:38 AM.


#6 jessicar1 (Topic Starter)

Posted 10 January 2010 - 05:55 AM

Here are the results from the Dr.Web scan:

netsuap.dll.old;C:\WINDOWS\system32;Trojan.PWS.Siggen.2124;Incurable.Moved.;
couponprinter.exe\data012;C:\Documents and Settings\HP_Administrator\My Documents\couponprinter.exe;Adware.Coupons.34;;
couponprinter.exe\data013;C:\Documents and Settings\HP_Administrator\My Documents\couponprinter.exe;Adware.Coupons.34;;
couponprinter.exe\data015;C:\Documents and Settings\HP_Administrator\My Documents\couponprinter.exe;Adware.Coupons.34;;
couponprinter.exe\data016;C:\Documents and Settings\HP_Administrator\My Documents\couponprinter.exe;Adware.Coupons.34;;
couponprinter.exe;C:\Documents and Settings\HP_Administrator\My Documents;Container contains infected objects;Moved.;
RegUBP2b-HP_Administrator.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
Mysteryville2Setup-dm[1].exe;C:\Downloads;Adware.TryMedia;Incurable.Moved.;
SlgClientServicesRedists.exe\1.file;C:\Program Files\HP Games\Cake Mania\SlgClientServicesRedists.exe;Adware.SpywareStorm;;
SlgClientServicesRedists.exe;C:\Program Files\HP Games\Cake Mania;Archive contains infected objects;Moved.;
npCouponPrinter.dll;C:\Program Files\Mozilla Firefox\plugins;Adware.Coupons.34;Incurable.Moved.;
npCouponPrinter.dll;C:\Program Files\Netscape\Netscape Browser\plugins;Adware.Coupons.34;Incurable.Moved.;
Launch.exe;C:\Program Files\Oberon Media\Big City Adventure San Francisco;Trojan.DownLoad1.24555;Incurable.Moved.;
AOLCINST.EXE\core.cab\GTDOWNAO_106.ocx;C:\Program Files\Online Services\Aol\United States\AOL90\COMPS\COACH\AOLCINST.EXE;Adware.Gdown;;
AOLCINST.EXE;C:\Program Files\Online Services\Aol\United States\AOL90\COMPS\COACH;Archive contains infected objects;Moved.;
A0044386.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP244;Trojan.PWS.Siggen.2124;Incurable.Moved.;
A0044993.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP251;Trojan.PWS.Siggen.2124;Incurable.Moved.;
A0045014.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252;Trojan.PWS.Siggen.2124;Incurable.Moved.;
A0045044.old;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252;Trojan.PWS.Siggen.2124;Incurable.Moved.;
A0045045.reg;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252;Trojan.StartPage.1505;Deleted.;
A0045046.exe\1.file;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252\A0045046.exe;Adware.SpywareStorm;;
A0045046.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252;Archive contains infected objects;Moved.;
A0045047.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252;Trojan.DownLoad1.24555;Incurable.Moved.;
A0045048.EXE\core.cab\GTDOWNAO_106.ocx;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252\A0045048.EXE;Adware.Gdown;;
A0045048.EXE;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252;Archive contains infected objects;Moved.;
CouponPrinter.ocx;C:\WINDOWS;Adware.Coupons.34;Incurable.Moved.;
cakemania-setup.exe/SlgClientServicesRedists.exe\1.file;D:\I386\APPS\APP09711\src\install\Worldwide-MediaCenter\games\cakemania-setup.exe/SlgClientServicesRedists.exe;Adware.SpywareStorm;;
SlgClientServicesRedists.exe;D:\I386\APPS\APP09711\src\install\Worldwide-MediaCenter\games;Archive contains infected objects;;
cakemania-setup.exe;D:\I386\APPS\APP09711\src\install\Worldwide-MediaCenter\games;Archive contains infected objects;Moved.;
CompaqPresario_Spring06.exe/data016\data001;D:\I386\APPS\APP11298\src\CompaqPresario_Spring06.exe/data016;Adware.Msearch;;
CompaqPresario_Spring06.exe/data016\data005;D:\I386\APPS\APP11298\src\CompaqPresario_Spring06.exe/data016;Adware.Msearch;;
data016;D:\I386\APPS\APP11298\src;Container contains infected objects;;
CompaqPresario_Spring06.exe;D:\I386\APPS\APP11298\src;Archive contains infected objects;Moved.;
HPPavillion_Spring06.exe/data016\data001;D:\I386\APPS\APP11298\src\HPPavillion_Spring06.exe/data016;Adware.Msearch;;
HPPavillion_Spring06.exe/data016\data005;D:\I386\APPS\APP11298\src\HPPavillion_Spring06.exe/data016;Adware.Msearch;;
data016;D:\I386\APPS\APP11298\src;Container contains infected objects;;
HPPavillion_Spring06.exe;D:\I386\APPS\APP11298\src;Archive contains infected objects;Moved.;
A0045049.exe/SlgClientServicesRedists.exe\1.file;D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252\A0045049.exe/SlgClientServicesRedists.exe;Adware.SpywareStorm;;
SlgClientServicesRedists.exe;D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252;Archive contains infected objects;;
A0045049.exe;D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252;Archive contains infected objects;Moved.;
A0045050.exe/data016\data001;D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252\A0045050.exe/data016;Adware.Msearch;;
A0045050.exe/data016\data005;D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252\A0045050.exe/data016;Adware.Msearch;;
data016;D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252;Container contains infected objects;;
A0045050.exe;D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252;Archive contains infected objects;Moved.;
A0045051.exe/data016\data001;D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252\A0045051.exe/data016;Adware.Msearch;;
A0045051.exe/data016\data005;D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252\A0045051.exe/data016;Adware.Msearch;;
data016;D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252;Container contains infected objects;;
A0045051.exe;D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252;Archive contains infected objects;Moved.;


I'm still getting the errors after I rebooted. I'll do the last step tomorrow.

#7 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:05:35 PM

Posted 10 January 2010 - 06:09 AM

jessicar1

It seems things are going smoothly at your end.

1. Please confirm that you were able to run SAS and Dr.Web in Safe Mode.

2. Please confirm that you have only the one user account "HP_Administrator".
Otherwise please run SAS scans in Safe Mode on each individual user account.

3. This is the error message you are seeing?
Posted Image

I would like an idea of how often you are seeing this message and what the program names are, for example when you start up the computer. In the image above, the name in this message is "Reminder.exe", and the .dll involved is cp3240mt.dll (a randomly named file created by the malware): Yours will be different of course.

Thanks
'Alien

Edited by AustrAlien, 10 January 2010 - 06:30 AM.

AustrAlien
Google is my friend. Make Google your friend too.

Posted Image

#8 jessicar1 (Topic Starter)

Posted 10 January 2010 - 09:17 PM

Hello. Thanks again for the help.

1. Yes, I'm able to run both of them in Safe Mode.

2. I actually have another one called "Administrator" and I'm currently scanning that one. I have already done the SAS scan and Dr.Web is going right now (I'm on another computer).

3. Yes, that is the error that I'm seeing, except that it has the netsuap.dll file listed. I'm getting the error right after the computer starts to boot up. I get one right after another until I X out of all of them. I did it and wrote them all down (69, one right after another) and then they stop until I try to open anything. Here is a list, in order, of the error messages I get:

winlogon.exe (mouse doesn't move and I have to hit enter)
winlogon.exe (can move the mouse from this point on)
isass.exe
services.exe
isass.exe

then I get the welcome screen for windows

userinit.exe (3 times)
explorer.exe (twice)

then windows loads

ehtray.exe
rundll32.exe
igfxpers.exe
RTHDCPL.EXE
dmascheduler.exe
iaanotif.exe
RECGUARD.EXE
hpbootop.exe
hpztsb09.exe
hphupd05.exe
hpcmpmgr.exe
hpwuschd2.exe
pifsvc.exe
hkcmd.exe
realsched.exe
REGSHAVE.EXE
ONETOU~2.exe
qttask.exe
Discover.exe
E-FATIEDA.exe
googletoolbarnotifier.exe
Avgtray.exe
weather.exe
quickDCF.exe
updates from hp.exe
Nkmonitor.exe
picaboomain.exe
spuvolumewatcher.exe
rundll32.exe
elementsautoanalyzer.exe
RTHDCPL.EXE
Dmascheduler.exe
iaanotif.exe
RECGUARD.EXE
hpbootop.exe
hpztsb09.exe
HPWUSCHD2.exe
qttask.exe
discover.exe
weather.exe
quickDCF.exe
KBD.EXE
ALCMTR.EXE
igfxtray.exe
hpsysdrv.exe
jusched.exe
realsched.exe
ituneshelper.exe
discover.exe
weather.exe
KBD.EXE
ALCMTR.EXE
igfxtray.exe
Discover.exe
weather.exe
Then WeatherBug opens and there are no more errors until I try to use something.

#9 AustrAlien (Inquisitor)

Posted 10 January 2010 - 10:13 PM

That's quite a list ... and a lot of work for you. Thank you for doing that: It is just like I was imagining it might be.

#10 jessicar1 (Topic Starter)

Posted 10 January 2010 - 11:25 PM

I don't think I like the sound of that, lol. Do you think this can be fixed?
Do I still run the full scan with MBAM again? And if so, do I do it for both users?

Anyway, here are the SAS and Dr.Web logs for the scan on the Administrator account.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/10/2010 at 06:30 PM

Application Version : 4.33.1000

Core Rules Database Version : 4446
Trace Rules Database Version: 0

Scan type : Complete Scan
Total Scan Time : 01:15:24

Memory items scanned : 220
Memory threats detected : 0
Registry items scanned : 6305
Registry threats detected : 0
File items scanned : 35424
File threats detected : 3

Adware.Vundo/Variant-Crypt
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DOCTORWEB\QUARANTINE\A0044386.DLL
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DOCTORWEB\QUARANTINE\A0044993.DLL
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DOCTORWEB\QUARANTINE\A0045014.DLL



Dr.Web log
A0045044.old;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Trojan.PWS.Siggen.2124;Incurable.Moved.;
A0045046.exe\1.file;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0045046.exe;Adware.SpywareStorm;;
A0045046.exe;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
A0045047.exe;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Trojan.DownLoad1.24555;Incurable.Moved.;
A0045048.EXE\core.cab\GTDOWNAO_106.ocx;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0045048.EXE;Adware.Gdown;;
A0045048.EXE;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
A0045049.exe/SlgClientServicesRedists.exe\1.file;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0045049.exe/SlgClientServicesRedists.exe;Adware.SpywareStorm;;
SlgClientServicesRedists.exe;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Archive contains infected objects;;
A0045049.exe;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
A0045050.exe/data016\data001;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0045050.exe/data016;Adware.Msearch;;
A0045050.exe/data016\data005;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0045050.exe/data016;Adware.Msearch;;
data016;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Container contains infected objects;;
A0045050.exe;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
A0045051.exe/data016\data001;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0045051.exe/data016;Adware.Msearch;;
A0045051.exe/data016\data005;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0045051.exe/data016;Adware.Msearch;;
data016;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Container contains infected objects;;
A0045051.exe;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
AOLCINST.EXE\core.cab\GTDOWNAO_106.ocx;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\AOLCINST.EXE;Adware.Gdown;;
AOLCINST.EXE;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
cakemania-setup.exe/SlgClientServicesRedists.exe\1.file;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\cakemania-setup.exe/SlgClientServicesRedists.exe;Adware.SpywareStorm;;
SlgClientServicesRedists.exe;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Archive contains infected objects;;
cakemania-setup.exe;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
CompaqPresario_Spring06.exe/data016\data001;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\CompaqPresario_Spring06.exe/data016;Adware.Msearch;;
CompaqPresario_Spring06.exe/data016\data005;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\CompaqPresario_Spring06.exe/data016;Adware.Msearch;;
data016;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Container contains infected objects;;
CompaqPresario_Spring06.exe;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
couponprinter.exe\data012;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\couponprinter.exe;Adware.Coupons.34;;
couponprinter.exe\data013;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\couponprinter.exe;Adware.Coupons.34;;
couponprinter.exe\data015;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\couponprinter.exe;Adware.Coupons.34;;
couponprinter.exe\data016;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\couponprinter.exe;Adware.Coupons.34;;
couponprinter.exe;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Container contains infected objects;Moved.;
CouponPrinter.ocx;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Adware.Coupons.34;Incurable.Moved.;
HPPavillion_Spring06.exe/data016\data001;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\HPPavillion_Spring06.exe/data016;Adware.Msearch;;
HPPavillion_Spring06.exe/data016\data005;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\HPPavillion_Spring06.exe/data016;Adware.Msearch;;
data016;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Container contains infected objects;;
HPPavillion_Spring06.exe;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
Launch.exe;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Trojan.DownLoad1.24555;Incurable.Moved.;
Mysteryville2Setup-dm[1].exe;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Adware.TryMedia;Incurable.Moved.;
netsuap.dll.old;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Trojan.PWS.Siggen.2124;Incurable.Moved.;
npCouponPrinte0.dll;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Adware.Coupons.34;Incurable.Moved.;
npCouponPrinter.dll;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Adware.Coupons.34;Incurable.Moved.;
SlgClientServicesRedists.exe\1.file;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\SlgClientServicesRedists.exe;Adware.SpywareStorm;;
SlgClientServicesRedists.exe;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
A0045052.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252;Adware.TryMedia;Incurable.Moved.;
A0045053.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252;Adware.Coupons.34;Incurable.Moved.;
A0045054.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252;Adware.Coupons.34;Incurable.Moved.;
A0045055.ocx;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP252;Adware.Coupons.34;Incurable.Moved.;
A0045101.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Trojan.PWS.Siggen.2124;Incurable.Moved.;
A0045102.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Trojan.PWS.Siggen.2124;Incurable.Moved.;
A0045103.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Trojan.PWS.Siggen.2124;Incurable.Moved.;
A0045140.old;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Trojan.PWS.Siggen.2124;Incurable.Moved.;
A0045141.exe\1.file;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253\A0045141.exe;Adware.SpywareStorm;;
A0045141.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Archive contains infected objects;Moved.;
A0045142.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Trojan.DownLoad1.24555;Incurable.Moved.;
A0045143.EXE\core.cab\GTDOWNAO_106.ocx;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253\A0045143.EXE;Adware.Gdown;;
A0045143.EXE;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Archive contains infected objects;Moved.;
A0045144.exe/SlgClientServicesRedists.exe\1.file;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253\A0045144.exe/SlgClientServicesRedists.exe;Adware.SpywareStorm;;
SlgClientServicesRedists.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Archive contains infected objects;;
A0045144.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Archive contains infected objects;Moved.;
A0045145.exe/data016\data001;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253\A0045145.exe/data016;Adware.Msearch;;
A0045145.exe/data016\data005;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253\A0045145.exe/data016;Adware.Msearch;;
data016;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Container contains infected objects;;
A0045145.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Archive contains infected objects;Moved.;
A0045146.exe/data016\data001;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253\A0045146.exe/data016;Adware.Msearch;;
A0045146.exe/data016\data005;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253\A0045146.exe/data016;Adware.Msearch;;
data016;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Container contains infected objects;;
A0045146.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Archive contains infected objects;Moved.;
A0045147.EXE\core.cab\GTDOWNAO_106.ocx;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253\A0045147.EXE;Adware.Gdown;;
A0045147.EXE;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Archive contains infected objects;Moved.;
A0045148.exe/SlgClientServicesRedists.exe\1.file;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253\A0045148.exe/SlgClientServicesRedists.exe;Adware.SpywareStorm;;
SlgClientServicesRedists.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Archive contains infected objects;;
A0045148.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Archive contains infected objects;Moved.;
A0045149.exe/data016\data001;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253\A0045149.exe/data016;Adware.Msearch;;
A0045149.exe/data016\data005;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253\A0045149.exe/data016;Adware.Msearch;;
data016;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Container contains infected objects;;
A0045149.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Archive contains infected objects;Moved.;
A0045150.exe\data012;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253\A0045150.exe;Adware.Coupons.34;;
A0045150.exe\data013;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253\A0045150.exe;Adware.Coupons.34;;
A0045150.exe\data015;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253\A0045150.exe;Adware.Coupons.34;;
A0045150.exe\data016;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253\A0045150.exe;Adware.Coupons.34;;
A0045150.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Container contains infected objects;Moved.;
A0045151.exe/data016\data001;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253\A0045151.exe/data016;Adware.Msearch;;
A0045151.exe/data016\data005;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253\A0045151.exe/data016;Adware.Msearch;;
data016;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Container contains infected objects;;
A0045151.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Archive contains infected objects;Moved.;
A0045152.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Trojan.DownLoad1.24555;Incurable.Moved.;
A0045153.old;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Trojan.PWS.Siggen.2124;Incurable.Moved.;
A0045154.exe\1.file;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253\A0045154.exe;Adware.SpywareStorm;;
A0045154.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP253;Archive contains infected objects;Moved.;

Edited by jessicar1, 10 January 2010 - 11:27 PM.
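As an added example, not code posted in this thread and not part of Dr.Web CureIt, here is a small Python triage helper for the CureIt logs quoted in posts #6 and #10. It reads the semicolon-separated record layout those logs use (object;directory;verdict;action;) and sorts each hit into three buckets: copies inside System Restore points, copies already sitting in the Dr.Web quarantine folder (which is what the second SAS scan and the second CureIt scan in post #10 were re-detecting), and hits that are still live on the system, so the few entries that matter are not lost among dozens of System Volume Information rows. The field layout is inferred from the logs above, the bucket rules are my own heuristic based on directory names, and the sample log is constructed for the example.

```python
"""Triage helper for Dr.Web CureIt scan logs (added example, not CureIt code).

CureIt writes one semicolon-separated record per finding:

    object;directory;verdict;action;

'object' is a file name, or a nested name for something found inside an
archive (e.g. couponprinter.exe\\data012). Rows for objects inside a
container carry an empty action; the container's own row
("Container contains infected objects;Moved.") records what was done.
"""
from collections import Counter, defaultdict

CONTAINER_VERDICTS = (
    "Container contains infected objects",
    "Archive contains infected objects",
)

# Constructed sample in the same layout as the logs quoted in this thread.
SAMPLE_LOG = r"""
netsuap.dll.old;C:\WINDOWS\system32;Trojan.PWS.Siggen.2124;Incurable.Moved.;
couponprinter.exe\data012;C:\Documents and Settings\HP_Administrator\My Documents\couponprinter.exe;Adware.Coupons.34;;
couponprinter.exe;C:\Documents and Settings\HP_Administrator\My Documents;Container contains infected objects;Moved.;
A0044386.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP244;Trojan.PWS.Siggen.2124;Incurable.Moved.;
A0045044.old;C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine;Trojan.PWS.Siggen.2124;Incurable.Moved.;
"""


def _full_path(obj, directory):
    """Join directory and object; for nested objects the directory already
    ends with the container name, so drop that repeated segment."""
    head = obj.split("\\", 1)[0]
    base = directory
    if "\\" in obj and base.lower().endswith("\\" + head.lower()):
        base = base[: -len(head) - 1]
    return base.rstrip("\\") + "\\" + obj


def parse_log(text):
    """Return a list of dicts: object, directory, verdict, action, path, is_container."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError("malformed CureIt record: %r" % line)
        obj, directory, verdict, action = (f.strip() for f in fields[:4])
        entries.append({
            "object": obj,
            "directory": directory,
            "verdict": verdict,
            "action": action,
            "path": _full_path(obj, directory),
            "is_container": verdict in CONTAINER_VERDICTS,
        })
    return entries


def classify_location(directory):
    """Bucket a directory as 'restore-point', 'quarantine' or 'live'.

    Heuristic (assumption): restore-point and Dr.Web quarantine hits are
    copies of already-handled files; only 'live' hits are still in use.
    """
    d = directory.lower()
    if "\\system volume information\\_restore" in d:
        return "restore-point"
    if "\\doctorweb\\quarantine" in d:
        return "quarantine"
    return "live"


def summarize(entries):
    """Count verdicts per location bucket, skipping container summary rows."""
    counts = defaultdict(Counter)
    for e in entries:
        if e["is_container"]:
            continue
        counts[classify_location(e["directory"])][e["verdict"]] += 1
    return {bucket: dict(c) for bucket, c in counts.items()}


def live_hits(entries):
    """Paths of real detections outside quarantine and restore points."""
    return [e["path"] for e in entries
            if not e["is_container"]
            and classify_location(e["directory"]) == "live"]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for bucket, verdicts in summarize(parsed).items():
        print(bucket, verdicts)
    for p in live_hits(parsed):
        print("still on disk:", p)
```

To run it against a real CureIt log, replace SAMPLE_LOG with the file's contents. Container rows are left out of the counts because the actual verdict is carried by the nested object row; the container row only says what was done with the archive as a whole.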


#11 AustrAlien (Inquisitor)

Posted 10 January 2010 - 11:51 PM

do you think this can be fixed?
Do I still run the full scan with MBAM again? And if so, do I do it for both users?

I think you will get your computer back in good shape again.
If I ask you to make backups of all your personal files .... then you can start worrying? Oh, yes, I haven't asked: You do have all your stuff backed up of course ... don't you?

Re-boot your computer after the last scan if you have not done so already, normally (not into Safe Mode).
Update and run the Full Scan with MBAM, and reboot normally again, and post the log. (No need to use MBAM in Safe Mode: It actually works better with Windows running normally.)
AustrAlien
Google is my friend. Make Google your friend too.


#12 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:05:35 PM

Posted 11 January 2010 - 12:28 AM

jessicar1

I am going to ask you to do something a little .... ?unconventional. It is perfectly safe though.

I want to get information that is hidden and elusive; information about the malware that you have not been able to find so far. So, I am going to ask that you bear with me on this, and see what happens.

I want you to navigate to the location that netsuap.dll used to inhabit, before SAS removed it last time.
C:\WINDOWS\SYSTEM32 <<< folder
Within the SYSTEM32 folder, with its long list of contained files, I want you to right-click in a vacant area, and select New > Text Document so that you will create a new file called New Text Document.txt
Now I want you to re-name that file to "netsuap.dll" (You will get a warning about changing the extension .... but just click on Yes)

So you now have a totally harmless file of the same name replacing the bad one that was there before.
I anticipate that the message you get now will be different to the one you were getting before, so I want you to now do something/open some application that you would expect to give you the error message, and I want you to let me know what the message says exactly. I am looking for a name - one that you probably have not come across yet.

I await the result with great interest.
Thank you
'Alien

PS That was the unconventional (but not original) bit: If there is a next step, it could be "flying by the seat of my pants".
AustrAlien
Google is my friend. Make Google your friend too.

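As an added check alongside the placeholder-file step above (this is example code, not part of AustrAlien's post), the PowerShell snippet below lists registry values that still mention the DLL name, which is one way to learn which component keeps asking for it. The load-point paths in $Roots are my assumptions; the thread itself does not name them.

```powershell
# Added example: find registry values that reference a DLL name (e.g. the one AVG flagged).
# Run from an elevated PowerShell prompt.
$DllName = 'netsuap.dll'

# Assumed load points where a reference to a missing DLL typically produces
# "unable to locate component" on startup. Not taken from the thread.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',   # AppInit_DLLs lives here
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

function Find-DllReference {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string[]]$Paths
    )
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # The root key itself plus every subkey; SilentlyContinue skips keys we cannot read
        $keys = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue)
        $keys += @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($valueName in $key.GetValueNames()) {
                # Do not expand %SystemRoot% etc., so the stored text is shown as-is
                $data = $key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
                # Multi-string values (REG_MULTI_SZ) are joined so a DLL listed among others still matches
                $text = if ($data -is [array]) { $data -join ' ' } else { [string]$data }
                if ($text -and $text.IndexOf($Name, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    New-Object PSObject -Property @{
                        Key   = $key.Name
                        Value = if ($valueName) { $valueName } else { '(Default)' }
                        Data  = $text
                    }
                }
            }
        }
    }
}

Find-DllReference -Name $DllName -Paths $Roots | Format-Table Key, Value, Data -AutoSize
```

Each hit shows the key and value holding the reference; the value name and its neighbours usually reveal which program or service is still trying to load the file.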

#13 jessicar1

jessicar1
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 11 January 2010 - 03:52 PM

Hello


Right now I'm running the full scans of MBAM and will post the logs. I unfortunately haven't backed anything up for a little while, and I was afraid to start now in case anything was infected.

Let me finish the MBAM scans first. Thanks again.

#14 jessicar1

jessicar1
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 11 January 2010 - 09:12 PM

Here are the 2 logs from MBAM.

Malwarebytes' Anti-Malware 1.44
Database version: 3541
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/11/2010 3:57:55 PM
mbam-log-2010-01-11 (15-57-55).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 362896
Time elapsed: 1 hour(s), 52 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Malwarebytes' Anti-Malware 1.44
Database version: 3541
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

1/11/2010 11:17:38 PM
mbam-log-2010-01-11 (23-17-38).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 362716
Time elapsed: 51 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



I'm going to go and try that now.

Edited by jessicar1, 11 January 2010 - 11:24 PM.


#15 jessicar1

jessicar1
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 11 January 2010 - 11:37 PM

I just tried what you mentioned and I'm still getting the exact same error as before. I tried to open Internet Explorer and this is the message:

iexplorer.exe unable to locate component
this application has failed to start because netsuap.dll was not found. Re-installing the application may fix the problem

I also didn't get a warning when I renamed the text document netsuap.dll.

Should I delete the file? Or try something else?



