Broken browser


  • This topic is locked
23 replies to this topic

#1 JXP

JXP

  • Members
  • 28 posts
  • OFFLINE
  • Local time:10:49 PM

Posted 11 May 2010 - 05:18 AM

Hi,

Maybe someone here can help me remove a virus.
It began a week ago when my IE browser started redirecting and making random browser popups to ad sites. I used Avira Antivirus to remove the infected files, but the browser kept redirecting. Then I ran a Super Antispyware scan which found additional infected files. But the browser still continued to redirect after removing the virus. I can sometimes get the page I want if I paste in the address, but Google searches redirect to another page of advertising. I also found I cannot run Windows Update any more. Any attempt to access Windows Update from the start menu or from a browser will show an error page.

I checked the hosts file - no problem.
And I uninstalled Sun Java, deleted all the Java cache and runtime folders, then downloaded a fresh install.

Last week I removed tracking cookies and this virus:
C:\System Volume Information\_restore{E8EB6664-8A0D-4036-A527-4DC7C2168107}\RP9\A0003344.exe
contains suspicious code HEUR/Malware
C:\System Volume Information\_restore{E8EB6664-8A0D-4036-A527-4DC7C2168107}\RP9\A000334s.exe
Is the TR/Small.BP.1 Trojan
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E8EB6664-8A0D-4036-A527-4DC7C2168107}\RP3\A0000088.EXE
Trojan.Agent/Gen-FakeAlert

Today I ran Malwarebytes and SAS in the manner recommended by bleepingcomputer:
I ran Malwarebytes and rebooted to complete the removal of the virus.
Then I ran ATF Cleaner and Super Antispyware in the safe mode and found no further infection.
All settings according to bleepingcomputer recommendations.
But when I checked the computer in regular mode, the browser began redirecting again.


Here are the log files:

Boot in regular Windows mode:
========

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4089

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/10/2010 7:43:14 PM
mbam-log-2010-05-10 (19-43-14).txt

Scan type: Quick scan
Objects scanned: 133317
Time elapsed: 13 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\M5T8QL3YW3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\m5t8ql3yw3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

========
Re-boot to complete the removal.
========
Re-boot again to safe mode to run ATF Cleaner and SAS.
========

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/10/2010 at 11:15 PM

Application Version : 4.37.1000

Core Rules Database Version : 4916
Trace Rules Database Version: 2728

Scan type : Complete Scan
Total Scan Time : 02:47:54

Memory items scanned : 251
Memory threats detected : 0
Registry items scanned : 4927
Registry threats detected : 0
File items scanned : 65318
File threats detected : 0

========
Re-boot to normal mode
-- IE browser is still re-directing, cannot access Windows Update.


Can anyone help?
Thank you in advance.

JXP



#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:49 PM

Posted 13 May 2010 - 09:08 PM

Download this file and save it to your desktop:

http://download.bleepingcomputer.com/grinler/rkill.scr

Double-click the file to run it. A command window will open briefly. Then run a quick scan with Malwarebytes. Post the Malwarebytes log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 JXP


Posted 14 May 2010 - 12:29 PM

Hi Budapest,

Thank you for helping with my virus.


=== Here is the MAMB log after running rkill ===

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4099

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/14/2010 5:05:21 AM
mbam-log-2010-05-14 (05-05-21).txt

Scan type: Quick scan
Objects scanned: 125242
Time elapsed: 8 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

=== EOF ===

The IE browser is still redirecting, and I can't access Microsoft update.
My Avira pop-up warnings showed it recently quarantined a new virus before I ran rkill and MAMB:

TR/Orsam.A.837 [trojan] C:\System Volume Information\_restore{E8EB6664-8A0D-4036-A527-4DC7C2168107}\RP11\A0003494.exe.
HTML/Infected.WebPage.Gen [virus] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6F6DZKEN\2[1].php.
HTML/Infected.WebPage.Gen [virus] C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QTNO72GV\2[1].php.
Action performed: Deny access

#4 Budapest


Posted 14 May 2010 - 04:10 PM

Please run another SAS scan in Safe Mode and post the log.

#5 JXP


Posted 15 May 2010 - 12:20 AM

=== SAS full scan log run from safe mode after clearing caches and temp files ===

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/14/2010 at 09:34 PM

Application Version : 4.37.1000

Core Rules Database Version : 4933
Trace Rules Database Version: 2745

Scan type : Complete Scan
Total Scan Time : 01:36:18

Memory items scanned : 238
Memory threats detected : 0
Registry items scanned : 4934
Registry threats detected : 0
File items scanned : 29714
File threats detected : 0

----------
The IE browser is still redirecting, and I can't access Microsoft update.

Out of curiosity I looked in the real IE5 cache immediately after being redirected, and found new redirecting javascripts and XML files.
I guess this doesn't help find the source virus.

#6 Budapest


Posted 17 May 2010 - 03:07 AM

Please download HostsXpert 4.3
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make ReadOnly?".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

#7 JXP


Posted 17 May 2010 - 06:56 AM

I ran HostsXpert for restore and make read-only.
The hosts file was not changed from what Windows had written in it before, but is changed to read only now.

The IE browser is still redirecting and showing random popups, and I can't access Microsoft update.

#8 JXP


Posted 18 May 2010 - 08:22 PM

I forgot, here is the hosts file:

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost

=== EOF ===
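
The hosts-file check from posts #6 to #8, as an added example (not part of the thread and not HostsXpert's code): it parses a hosts file the way the file's own header describes and reports every active mapping beyond the stock `localhost` line. The function names and the tampered sample are constructed for illustration; the clean sample is an excerpt of the file posted above.

```python
import ipaddress

# Mappings present in a stock hosts file; anything else deserves a look.
DEFAULT_MAPPINGS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every active mapping in a hosts file."""
    entries = []
    # Drop a UTF-8 byte-order mark if the file was saved with one.
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        # Everything after '#' is a comment, whether the '#' starts the line
        # (the commented sample entries in the header) or follows a mapping.
        active = raw.split("#", 1)[0].strip()
        if not active:
            continue
        fields = active.split()  # columns are separated by spaces or tabs
        if len(fields) < 2:
            continue  # an address with no host name is not a usable mapping
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first column is not an IP address
        # One line may map several names to the same address.
        for name in fields[1:]:
            entries.append((line_no, ip, name.lower().rstrip(".")))
    return entries


def audit_hosts(text):
    """Return the active mappings that are not in the stock file."""
    return [e for e in parse_hosts(text) if (e[1], e[2]) not in DEFAULT_MAPPINGS]


# Excerpt of the hosts file posted in the thread (header shortened).
POSTED_HOSTS = """\
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost
"""

# Constructed sample: the same file with two added lines, using reserved
# documentation addresses and .test names.
TAMPERED_HOSTS = (
    POSTED_HOSTS
    + "203.0.113.7 search.example.test WWW.Search.Example.Test # constructed\n"
    + "127.0.0.1\tupdate.example.test\n"
)

if __name__ == "__main__":
    for label, text in (("posted", POSTED_HOSTS), ("tampered", TAMPERED_HOSTS)):
        findings = audit_hosts(text)
        print(label, "-> clean" if not findings else "-> review:")
        for line_no, ip, name in findings:
            print(f"  line {line_no}: {name} -> {ip}")
```

A clean result here only rules out the hosts file as the redirect source, which matches what the thread found.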

#9 Budapest


Posted 18 May 2010 - 08:32 PM

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Make sure the Sections option is checked (in the right hand panel). Leave all other options unchecked!
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

#10 JXP


Posted 18 May 2010 - 11:03 PM

I ran GMER per instructions:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-18 20:30:17
Windows 5.1.2600 Service Pack 3
Running: 0m7r49nl.exe; Driver: C:\DOCUME~1\J\LOCALS~1\Temp\pxtdypow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CC4 12 Bytes [90, 51, E1, F2, C0, 5A, E1, ...] {NOP ; PUSH ECX; LOOPZ 0xfffffffffffffff6; RCR BYTE [EDX-0x1f], 0xf2; JO 0xffffffffffffffd1; LOOPZ 0xfffffffffffffffe}
.text ntoskrnl.exe!ZwYieldExecution + 47A 804E4CD4 8 Bytes JMP E14620F2
.rsrc C:\WINDOWS\System32\DRIVERS\anvioctl.sys entry point in ".rsrc" section [0xF3F90334]
init C:\WINDOWS\System32\ANVMINI.DLL entry point in "init" section [0xBFE47300]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\nvsvc32.exe[208] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\nvsvc32.exe[208] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\nvsvc32.exe[208] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\nvsvc32.exe[208] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\rundll32.exe[360] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\rundll32.exe[360] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\rundll32.exe[360] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\rundll32.exe[360] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[384] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[384] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[384] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[384] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\Explorer.EXE[392] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E2000A
.text C:\WINDOWS\Explorer.EXE[392] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E3000A
.text C:\WINDOWS\Explorer.EXE[392] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B0000C
.text C:\WINDOWS\Explorer.EXE[392] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\Explorer.EXE[392] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\Explorer.EXE[392] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\Explorer.EXE[392] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Documents and Settings\J\Desktop\0m7r49nl.exe[560] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Documents and Settings\J\Desktop\0m7r49nl.exe[560] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Documents and Settings\J\Desktop\0m7r49nl.exe[560] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Documents and Settings\J\Desktop\0m7r49nl.exe[560] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\MsPMSPSv.exe[664] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\MsPMSPSv.exe[664] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\MsPMSPSv.exe[664] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\MsPMSPSv.exe[664] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\anvshell.exe[748] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\anvshell.exe[748] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\anvshell.exe[748] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\anvshell.exe[748] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe[764] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe[764] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe[764] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe[764] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE[780] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE[780] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE[780] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE[780] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\CTHELPER.EXE[796] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\CTHELPER.EXE[796] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\CTHELPER.EXE[796] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\CTHELPER.EXE[796] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\AGRSMMSG.exe[828] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\AGRSMMSG.exe[828] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\AGRSMMSG.exe[828] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\AGRSMMSG.exe[828] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[888] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[888] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[888] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[888] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[892] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 009CA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[892] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 009CA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[892] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 009CA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[892] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 009CA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\asuskbservice.exe[1036] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\asuskbservice.exe[1036] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\asuskbservice.exe[1036] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\asuskbservice.exe[1036] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\winlogon.exe[1080] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\winlogon.exe[1080] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\winlogon.exe[1080] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\winlogon.exe[1080] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\services.exe[1140] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\services.exe[1140] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\services.exe[1140] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\services.exe[1140] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\CTsvcCDA.exe[1152] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\CTsvcCDA.exe[1152] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\CTsvcCDA.exe[1152] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\CTsvcCDA.exe[1152] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1392] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1392] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1392] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1392] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1404] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1404] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1404] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1404] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1416] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1416] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1416] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1416] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[1508] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[1508] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[1508] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[1508] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE[1520] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE[1520] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE[1520] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE[1520] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[1540] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[1540] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[1540] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[1540] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1560] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1560] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1560] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1560] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\GammaTray.exe[1588] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\GammaTray.exe[1588] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\GammaTray.exe[1588] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\GammaTray.exe[1588] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\svchost.exe[1596] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1596] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1596] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1596] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00E6000A
.text C:\WINDOWS\System32\svchost.exe[1596] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F1000A
.text C:\WINDOWS\system32\wscntfy.exe[2388] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\wscntfy.exe[2388] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\wscntfy.exe[2388] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\wscntfy.exe[2388] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\MagicTune.exe[3696] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 00BFA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\MagicTune.exe[3696] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 00BFA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\MagicTune.exe[3696] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 00BFA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\MagicTune.exe[3696] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 00BFA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\DRIVERS\anvioctl.sys suspicious modification

---- EOF - GMER 1.0.15 ----


After I exited GMER, I tried to turn on Avira and Agnitum, but the PC was running very slow. When clicking the system tray icons to activate protection, the screen locked up, but eventually showed menus which were also slow. After 10 minutes waiting for the protection to come on I tried to reboot through task manager. It would not reboot or shut down. The CPU Usage was at 100% - rarely happens on this machine.
I did a cold reboot using the reset button on the box.

#11 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:49 PM

Posted 18 May 2010 - 11:20 PM

Try this:

http://www.bleepingcomputer.com/virus-remo...sing-tdsskiller
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#12 JXP


Posted 19 May 2010 - 01:28 AM

Hi Budapest,

It worked! :thumbsup:

U da man! :flowers:

As soon as I rebooted, I logged onto Windows update and installed two updates with no more redirecting.
Now I get real Google pages when I search. :trumpet: :inlove:

Here is text from the TDSS program running:

TDSS rootkit removing tool, Kaspersky Lab, 2010
version 2.3.0.0 May 12 2010 18"11"17

Scanning Services ...

Scanning Drivers ...
File "C:\WINDOWS\Ssystem32\DRIVERS\anvioctl.sys" infected by TDSS rootkit ... will be cured on next reboot

Completed

Results:
Registry objects infected / cured / cured on reboot: 0 / 0 / 0
File objects infected / cured / cured on reboot: 1 / 0 / 1

To finalize removal of infection and avoid loosing of data program will reboot on your PC now.
Close all programs and choos Y to restart or N to continue


Thank you for taking the time to help.

#13 Budapest


Posted 19 May 2010 - 01:38 AM

Good news!

If you’re clean, you should create a new Restore Point to prevent possible re-infection from an old one.

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Also, go Start > Control Panel and double-click Add or Remove Programs. Post back and report any Java or J2SE entries that you have.

#14 JXP


Posted 19 May 2010 - 02:03 AM

Current restore point is done and all others deleted.
I deleted all Java installs and deleted all Java cache folders and installed the newest Java last week.
Current Java is: Java™ 6 Update 20 Version 6.0.200. No others show in the add/remove programs.

Thanks again for the help!

#15 Budapest


Posted 19 May 2010 - 02:11 AM

Then I think you're good to go!



