
Infected with WINDOWS RESTORE and KAZY virus



#1 mikebowen


Posted 29 March 2011 - 06:15 PM

Okay, I have been around micros for about 30 years and SHOULD know better, but a sleepless night and all I can figure was an almost terminal "senior moment" finally caught up with me.

Working a 2g laptop with 250g drive, 1.5 tb external and Windows 7, I began to notice a major slowdown Sunday. Went to system manager's resource manager and found something was gulping 98% of my memory! Went to Processes and tried to figure the thief with minimal luck. Started trying to end processes to see if I could spot the problem, but almost instantly wound up with a crash dump. When I rebooted I got -- what else? WINDOWS RESTORE, with a bunch of damned realistic looking error messages (If you're 65, up late as hell, watching your laptop crash and burn, as a senior moment takes full control!) I fell for it! The rest is history.

Got a lot of .exe files which now ended in .exe*32, a blank 1.5tb external drive, about a quarter of my desktop icons on a now-black screen and about 1mb of memory to play with.


I've tried: (1) Rkill; (2) Malwarebytes' Anti-Malware; (3) whatever the scan program is in Bleeping Computer (can't remember, I've tried so many); (4) my CenturyLink AV program (which has since been relegated to the ash heap of history!); (5) AVG's scan program. They claim to have gotten rid of the virus, but something remains, probably in the OR, since the memory is still minimal, disk hits are high, even when no activity, and the network is at a high rate constantly.

Any suggestions?

- Mike

.
DDS (Ver_11-03-05.01) - NTFS_AMD64 NETWORK
Run by MIKE at 18:13:47.28 on Tue 03/29/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1913.1138 [GMT -4:00]
.
AV: AVG Anti-Virus 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\DAP\DAP.EXE
C:\DOCS\dds_2.scr
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.washingtonpost.com/
uDefault_Page_URL = hxxp://www.google.com/ig?brand=TSNA&bmod=TSNA
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mWinlogon: Userinit=userinit.exe,
BHO: Disabled:{02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Disabled:{5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: DAPIELoader Class: {ff6c3cf0-4b15-11d1-abed-709549c10000} - C:\PROGRA~2\DAP\DAPIEL~1.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\17.0.0.136\coIEPlg.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
uRun: [DownloadAccelerator] "C:\Program Files (x86)\DAP\DAP.EXE" /STARTUP
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [HostManager] C:\Program Files (x86)\Common Files\AOL\1281227215\ee\AOLSoftware.exe
mRun: [Ad Muncher] "C:\Program Files (x86)\Ad Muncher\AdMunch.exe" /bt
mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\Event Planner Reminders Tray Icon.lnk - C:\Sierra\Planner\PLNRnote.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Clean Traces - C:\Program Files (x86)\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - C:\Program Files (x86)\DAP\dapextie.htm
IE: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=JQR1T1VG&id=menu_ie_frame
IE: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=JQR1T1VG&id=menu_ie_image
IE: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=JQR1T1VG&id=menu_ie_link
IE: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=JQR1T1VG&id=menu_ie_exclude
IE: Download &all with DAP - C:\Program Files (x86)\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - C:\Users\MIKE\AppData\Roaming\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=JQR1T1VG&id=menu_ie_report
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MIF5BA~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MIF5BA~1\Office12\REFIEBAR.DLL
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://www.imgag.com/cp/install/Crusher.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - C:\PROGRA~2\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - C:\PROGRA~2\DAP\dapie.dll
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssiea.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg64.dll
BHO-X64: DAPIELoader Class: {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files (x86)\DAP\DAPIELoader64.dll
BHO-X64: DAPIELoader Class - No File
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB-X64: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - No File
EB-X64: {21347690-EC41-4F9A-8887-1F4AEE672439} - No File
mRun-x64: [IgfxTray] C:\windows\system32\igfxtray.exe
mRun-x64: [Persistence] C:\windows\system32\igfxpers.exe
mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
mRun-x64: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun-x64: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe
mRun-x64: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
mRun-x64: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe
mRun-x64: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
mRun-x64: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
mRun-x64: [CanonSolutionMenu] C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe /logon
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;C:\Windows\System32\drivers\AVGIDSEH.sys [2010-9-13 27216]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2010-9-7 30288]
R0 hotcore3;hc3ServiceName;C:\Windows\System32\drivers\hotcore3.sys [2010-9-16 37456]
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\Windows\System32\drivers\tos_sps64.sys [2010-6-14 482384]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2010-11-12 382032]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-6-14 215040]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;C:\Windows\System32\drivers\rtl8192se.sys [2010-6-14 942080]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\System32\drivers\vwifimp.sys [2009-7-13 17920]
S1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2010-12-8 308304]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2010-9-7 41040]
S2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-1-6 6128720]
S2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2010-10-22 265400]
S2 cfWiMAXService;ConfigFree WiMAX Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFIWmxSvcs64.exe [2009-8-10 248688]
S2 ConfigFree Gadget Service;ConfigFree Gadget Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFProcSRVC.exe [2009-7-14 42368]
S2 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFSvcs.exe [2009-3-10 46448]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-8-9 135664]
S2 iYogiURLHit.exe;iYogi Hit Agent;C:\Program Files (x86)\iYogi SupportDock\Services\URLHit\iYogiURLHit.exe [2010-8-13 16896]
S2 JetDrive WindowsClosingService;JetDrive WindowsClosingService;C:\windows\System32\WindowsClosingService --> C:\windows\System32\WindowsClosingService [?]
S2 NIS;Norton Internet Security;"C:\Program Files (x86)\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Engine\17.0.0.136\diMaster.dll" /prefetch:1 --> C:\Program Files (x86)\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe [?]
S2 SupportDockClientService.exe;iYogi Communication Agent;C:\Program Files (x86)\iYogi SupportDock\Services\CommAgent\SupportDockClientService.exe [2010-6-2 45568]
S3 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\AVGIDSDriver.sys [2010-8-3 157264]
S3 AVGIDSFilter;AVGIDSFilter;C:\Windows\System32\drivers\AVGIDSFilter.sys [2010-8-3 35920]
S3 DfSdkS;Defragmentation-Service;C:\Program Files (x86)\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [2010-8-8 548704]
S3 epmntdrv;epmntdrv;C:\Windows\System32\epmntdrv.sys [2010-9-2 16776]
S3 EuGdiDrv;EuGdiDrv;C:\Windows\System32\EuGdiDrv.sys [2010-9-2 9096]
S3 GSService;GSService;C:\Windows\SysWOW64\GSService.exe [2010-11-2 364544]
S3 jetdrive;jddrv;C:\Windows\System32\drivers\jddrv.sys [2011-3-15 37248]
S3 STSService;STSService;"C:\Program Files (x86)\SoundTaxi Media Suite\STSService.exe" --> C:\Program Files (x86)\SoundTaxi Media Suite\STSService.exe [?]
S3 TMachInfo;TMachInfo;C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\TMachInfo.exe [2010-6-14 51512]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-9-17 137560]
S3 TotRec8;Total Recorder WDM audio filter driver;C:\Windows\System32\drivers\TotRec8.sys [2010-8-8 122448]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-8-8 1255736]
.
=============== Created Last 30 ================
.
2011-03-29 20:15:57 -------- d-----w- C:\Users\MIKE\AppData\Local\WindowsUpdate
2011-03-29 16:48:30 -------- d--h--w- C:\$AVG
2011-03-29 16:29:28 -------- d-----w- C:\Users\MIKE\AppData\Roaming\AVG10
2011-03-29 16:24:51 -------- d--h--w- C:\PROGRA~3\Common Files
2011-03-29 16:23:07 -------- d-----w- C:\windows\System32\drivers\AVG
2011-03-29 16:22:32 -------- d-----w- C:\Program Files (x86)\AVG
2011-03-29 15:41:25 -------- d-----w- C:\windows\SysWow64\drivers\AVG
2011-03-29 15:40:37 -------- d-----w- C:\PROGRA~3\AVG10
2011-03-29 15:32:26 -------- d-----w- C:\PROGRA~3\MFAData
2011-03-29 13:16:33 -------- d-----w- C:\Users\MIKE\AppData\Roaming\Malwarebytes
2011-03-29 13:16:08 38224 ----a-w- C:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-03-29 13:16:07 -------- d-----w- C:\PROGRA~3\Malwarebytes
2011-03-29 13:16:04 24152 ----a-w- C:\windows\System32\drivers\mbam.sys
2011-03-29 13:16:04 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-03-29 10:40:32 8424784 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{A051AC21-C7BA-468B-A089-4CA0D33C6481}\mpengine.dll
2011-03-27 13:14:08 -------- d--h--w- C:\Logs
2011-03-27 10:45:00 -------- d--h--w- C:\Users\MIKE\AppData\Roaming\F-Secure
2011-03-27 07:07:30 602624 ----a-w- C:\windows\System32\PcPower.exe
2011-03-25 20:13:40 -------- d--h--w- C:\SCREENSHOT
2011-03-25 18:41:02 -------- d--h--w- C:\PHOTOS
2011-03-21 20:50:26 -------- d-----w- C:\Program Files (x86)\AshongSoft
2011-03-21 20:01:27 -------- d--h--w- C:\Users\MIKE\AppData\Roaming\IrfanView
2011-03-21 17:08:06 -------- d--h--w- C:\PROGRA~3\RoboTask
2011-03-21 17:02:54 -------- d-----w- C:\Users\MIKE\AppData\Local\RoboTask
2011-03-21 17:02:49 -------- d-----w- C:\Program Files (x86)\RoboTask
2011-03-15 12:04:56 8192 ----a-w- C:\windows\System32\jdboot.exe
2011-03-15 12:04:56 37248 ----a-w- C:\windows\System32\drivers\jddrv.sys
2011-03-15 12:04:56 23040 ----a-w- C:\windows\System32\jddac.dll
2011-03-15 12:04:56 22016 ----a-w- C:\windows\System32\jdnat.dll
2011-03-15 12:04:48 -------- d-----w- C:\Users\MIKE\AppData\Local\Abelssoft
2011-03-15 12:04:34 9216 ----a-w- C:\windows\SysWow64\WindowsClosingService.exe
2011-03-15 12:04:28 -------- d-----w- C:\Program Files (x86)\JetDrive
2011-03-14 15:46:59 -------- d-----w- C:\Users\MIKE\AppData\Roaming\4Media
2011-03-14 15:46:14 -------- d-----w- C:\Program Files (x86)\4Media
2011-03-14 15:46:13 -------- d-----w- C:\PROGRA~3\4Media
2011-03-09 20:13:14 961024 ----a-w- C:\windows\System32\CPFilters.dll
2011-03-09 20:13:13 723968 ----a-w- C:\windows\System32\EncDec.dll
2011-03-09 20:13:13 642048 ----a-w- C:\windows\SysWow64\CPFilters.dll
2011-03-09 20:13:12 534528 ----a-w- C:\windows\SysWow64\EncDec.dll
2011-03-09 20:13:12 1118720 ----a-w- C:\windows\System32\sbe.dll
2011-03-09 20:13:11 850432 ----a-w- C:\windows\SysWow64\sbe.dll
2011-03-09 20:13:11 259072 ----a-w- C:\windows\System32\mpg2splt.ax
2011-03-09 20:13:10 199680 ----a-w- C:\windows\SysWow64\mpg2splt.ax
2011-03-09 20:13:06 3138048 ----a-w- C:\windows\System32\mstscax.dll
2011-03-09 20:13:05 2690560 ----a-w- C:\windows\SysWow64\mstscax.dll
2011-03-09 20:13:04 1097216 ----a-w- C:\windows\System32\mstsc.exe
2011-03-09 20:13:04 1034240 ----a-w- C:\windows\SysWow64\mstsc.exe
2011-03-04 22:22:40 -------- d-----w- C:\Program Files (x86)\Wise PC Engineer
2011-03-03 19:59:29 -------- d--h--w- C:\Users\MIKE\AppData\Local\Modiac
2011-03-03 19:59:29 -------- d-----w- C:\Users\MIKE\AppData\Roaming\Modiac
2011-03-03 19:59:17 -------- d-----w- C:\Program Files (x86)\Modiac
2011-03-01 13:35:16 -------- d--h--w- C:\Users\MIKE\AppData\Roaming\Obsidium
2011-03-01 13:34:54 -------- d--h--w- C:\PROGRA~3\AllMyMovies
2011-03-01 13:34:54 -------- d-----w- C:\Program Files (x86)\AllMyMovies
.
==================== Find3M ====================
.
2011-02-02 22:11:20 270720 ------w- C:\windows\System32\MpSigStub.exe
2011-02-02 16:11:44 58696 ----a-w- C:\windows\SysWow64\AOLParconLink.exe
2011-01-13 11:19:53 499712 ----a-w- C:\windows\SysWow64\msvcp71.dll
2011-01-13 11:19:53 348160 ----a-w- C:\windows\SysWow64\msvcr71.dll
2011-01-07 08:06:50 46080 ----a-w- C:\windows\System32\atmlib.dll
2011-01-07 07:27:11 34304 ----a-w- C:\windows\SysWow64\atmlib.dll
2011-01-07 05:49:20 366080 ----a-w- C:\windows\System32\atmfd.dll
2011-01-07 05:33:11 294400 ----a-w- C:\windows\SysWow64\atmfd.dll
2011-01-05 06:20:30 612352 ----a-w- C:\windows\System32\vbscript.dll
2011-01-05 05:37:33 428032 ----a-w- C:\windows\SysWow64\vbscript.dll
2011-01-05 04:00:16 3127808 ----a-w- C:\windows\System32\win32k.sys
.
============= FINISH: 18:14:47.04 ===============

Attached File: Attach.txt (14.54KB)
Sometimes the magic works...
and sometimes it doesn't.
- Old Lodge Skins
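As an added triage example (not code from this thread, from the DDS tool or from BleepingComputer), the following Python parser reads the DDS log format above and picks out what a helper looks at first: services and drivers whose binary DDS marked with [?], executables recently written under System32/SysWow64, and any created file whose base name matches a missing service binary. It assumes that DDS writes [?] in place of a date/size when it could not find the binary; the sample lines are copied from the log in this post, with their selection constructed for the example.

```python
"""Triage helpers for the DDS log format posted above (added example; not code from
the thread, from DDS or from BleepingComputer). Parses the SERVICES / DRIVERS and
Created Last 30 sections and lists what a helper would check first. Sample lines are
copied from the post #1 log; the selection is constructed for this example.
Assumption: DDS writes "[?]" instead of a date/size when it could not find the binary."""
import re
from datetime import datetime

SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
R0 AVGIDSEH;AVGIDSEH;C:\Windows\System32\drivers\AVGIDSEH.sys [2010-9-13 27216]
S2 JetDrive WindowsClosingService;JetDrive WindowsClosingService;C:\windows\System32\WindowsClosingService --> C:\windows\System32\WindowsClosingService [?]
S3 jetdrive;jddrv;C:\Windows\System32\drivers\jddrv.sys [2011-3-15 37248]
S3 STSService;STSService;"C:\Program Files (x86)\SoundTaxi Media Suite\STSService.exe" --> C:\Program Files (x86)\SoundTaxi Media Suite\STSService.exe [?]
=============== Created Last 30 ================
2011-03-29 13:16:04 24152 ----a-w- C:\windows\System32\drivers\mbam.sys
2011-03-27 07:07:30 602624 ----a-w- C:\windows\System32\PcPower.exe
2011-03-15 12:04:56 8192 ----a-w- C:\windows\System32\jdboot.exe
2011-03-15 12:04:34 9216 ----a-w- C:\windows\SysWow64\WindowsClosingService.exe
2011-03-15 12:04:28 -------- d-----w- C:\Program Files (x86)\JetDrive
2011-03-09 20:13:04 1097216 ----a-w- C:\windows\System32\mstsc.exe
"""

# "S2 name;display;image [YYYY-M-D size]"  or  "... image --> resolved [?]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)"
    r"(?: --> (?P<resolved>.+?))? \[(?P<stamp>[^\]]*)\]$"
)
# "YYYY-MM-DD HH:MM:SS size attrs path"; directories have size "--------" and a 'd' attr
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
BINARY_EXT = (".exe", ".sys", ".dll")


def parse_dds(text):
    """Split a DDS log into (services, created) entry lists; other sections are ignored."""
    services, created, section = [], [], ""
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line == ".":          # DDS uses lone dots as separators
            continue
        if line.startswith("="):             # "======= SECTION NAME ======="
            section = line.strip("= ").lower()
            continue
        if section.startswith("services"):
            m = SERVICE_RE.match(line)
            if m:
                entry = m.groupdict()
                entry["missing"] = entry["stamp"] == "?"
                services.append(entry)
        elif section.startswith("created"):
            m = CREATED_RE.match(line)
            if m:
                entry = m.groupdict()
                entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%d %H:%M:%S")
                entry["is_dir"] = entry["attrs"].startswith("d")
                created.append(entry)
    return services, created


def missing_service_binaries(services):
    """Names of services/drivers whose image DDS could not locate ("[?]")."""
    return [s["name"] for s in services if s["missing"]]


def recent_system_binaries(created, since):
    """Executable files written under System32/SysWow64 at or after `since`."""
    hits = []
    for e in created:
        path = e["path"].lower()
        if e["is_dir"] or e["ts"] < since:
            continue
        if any(d in path for d in SYSTEM_DIRS) and path.endswith(BINARY_EXT):
            hits.append(e["path"])
    return hits


def _stem(path):
    return path.strip('"').rsplit("\\", 1)[-1].split(".")[0].lower()


def correlate_missing_services(services, created):
    """For each "[?]" service, list created files sharing its binary's base name.
    This catches an ImagePath without an extension or pointing at the wrong folder."""
    return {
        s["name"]: [e["path"] for e in created
                    if not e["is_dir"] and _stem(e["path"]) == _stem(s["resolved"] or s["image"])]
        for s in services if s["missing"]
    }


def triage(text, since):
    """Run all checks; `since` is an ISO date (e.g. the log's run date minus a few weeks)."""
    services, created = parse_dds(text)
    since_dt = datetime.strptime(since, "%Y-%m-%d")
    return {
        "missing_service_binaries": missing_service_binaries(services),
        "recent_system_binaries": recent_system_binaries(created, since_dt),
        "missing_service_name_matches": correlate_missing_services(services, created),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, "2011-03-10").items():
        print(f"{key}: {value}")
```

Flagged entries are candidates for a closer look (publisher, signature, installer history), not a verdict: Windows Update drops signed binaries into System32 too, as the mstsc.exe entries in the full log show.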

#2 fireman4it

  • Malware Response Team

Posted 29 March 2011 - 06:44 PM

Hello mikebowen,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

Before we get started we need to run a couple other scans to make sure what we are dealing with is only Windows Restore Virus.

1.
Download aswMBR.exe ( 511KB ) to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

2.
    1. Please download OTL from one of the following mirrors:
  • This is THE Mirror
    2. Save it to your desktop.
    3. Double-click the OTL icon on your desktop.
    4. Under the Custom Scan box, paste this in:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

    5. Push the Quick Scan button.
    6. Two reports will open; copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 mikebowen


Posted 29 March 2011 - 09:05 PM

Old Lodge Skins was apparently referring SPECIFICALLY to YOU when he made the crack in "Little Big Man" about "sometimes the magic works ... and sometimes it doesn't."

If this works, I am ready to testify that it is PURE, UNADULTERATED F.M. I'm just glad you're around.

Only thing I wasn't sure about was the sequence of events in the "billy oneal" canned speeches caper. Sorry if I did it wrong. I hope not. Anyway, here are the logs. (I realized as I was watching the OTL program run that I didn't see the last line - CREATERESTOREPOINT. I swear to god I copied it in! Not sure what happened, but was afraid to go back and try to run it again. Mea culpa.)

Oh, and I owe you my first-born if this is successful! (Tell you the truth, she ain't much of a bargain, though!)

- Mike

Attached Files



#4 fireman4it


Posted 29 March 2011 - 10:41 PM

Hello,

We need to uninstall AVG Anti-Virus 2011 as it will interfere with some of the tools we use. We can reinstall it when we are done.

1.
Please use AppRemover to remove AVG Anti-Virus 2011 from your machine.


2.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

3.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.


Things to include in your next reply:
Tdsskiller log
Combofix.txt
How is your machine running now?

Edited by fireman4it, 29 March 2011 - 10:42 PM.



#5 mikebowen


Posted 30 March 2011 - 05:21 AM

Fireman4it,

Just a quick note. Have tried numerous times over a couple of hours to delete the AVG with AppRemover without success. Claims it finished, but ComboFix keeps telling me it's still there, and when I go back to AppRemover and run a scan, there it is. Any suggestion? Concerned about trying to run ComboFix with such dire warnings up front.

BTW, the TDSSKiller came through clean with no hits. (Not sure whether that is good or bad at this point, but opting for the good.)

Will wait to hear from you. Thanks again for all the help.

- Mike

#6 fireman4it


Posted 30 March 2011 - 04:02 PM

Hello,

Go ahead and boot into Safe Mode with Networking. Then run ComboFix and ignore any warnings about AVG.

Now reboot into Safe Mode with Networking.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into Safe Mode.
Make sure you choose the option with Networking support.
Please see here for additional details.



#7 mikebowen


Posted 30 March 2011 - 07:43 PM

Fireman4it,

Nope. Still losing 97-98% memory. Am enclosing the TDSSKILLER.LOG and COMBOFIX.TXT.

Oddly: COMBOFIX did NOT ask about the Windows Recovery Console, but IMMEDIATELY said there was a new version available and had me download it. Did I get punked again?

Also, in checking properties on my files, all I have checked thus far have three (3) owners: SYSTEM, MIKE, and ADMINISTRATOR, all with the same privileges. There is, however, a BOOT directory now, with entries such as file folder "cs-CZ", "da-DK", etc. Inside that first is a file - "bootmgr.exe.mui" - with SYSTEM, ADMINISTRATORS and USERS having only "Read" and "Read and Execute" privileges, while a class called "TRUSTED INSTALLERS" is allowed ALL privileges. Only one I've checked so far.

Am I just getting paranoid? (Is there a reason to?)

- Mike

Attached Files



#8 fireman4it


Posted 30 March 2011 - 08:15 PM

Hello,

Well, your logs all look good. I don't see any signs of malware. Please run the following scanners.

1.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

2.
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Things to include in your next reply:
ESET log
DRWEB.csv report
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 mikebowen

Posted 30 March 2011 - 09:05 PM

Fireman4it,

Checking the System Manager under “Processes” I find the following:
AOLsoftware.exe*32
CFSnMgr.exe3*32
DAP.exe*32
FlashUtil10n_ActiveX.exe*32
GoogleToolbarUser_32.exe*32
iexplore.exe*32
iexplore.exe*32
NDSTray.exe*32
PLNRnote.exe*32
I got a sense the *32 suffix was part of the virus and has attached to some of my other software also. Any ideas?

- Mike

#10 mikebowen

Posted 31 March 2011 - 06:07 AM

Fireman4it,

CROSS MY HEART! I don't have ANY idea where that damned file with EXPLOIT came from!

Anyway, here are the logs from ESET and DRWEB. Unfortunately, despite a very promising start after booting up at about 44% memory usage, it rapidly began climbing and finally topped out between 94-96% and stayed there.

- Mike

Attached File  ESETScan.txt   160bytes   1 downloads

Attached File  DrWebcvs.txt   228bytes   1 downloads

#11 fireman4it

Posted 31 March 2011 - 07:50 PM

Hello,

Checking the System Manager under “Processes” I find the following:
AOLsoftware.exe*32
CFSnMgr.exe3*32
DAP.exe*32
FlashUtil10n_ActiveX.exe*32
GoogleToolbarUser_32.exe*32
iexplore.exe*32
iexplore.exe*32
NDSTray.exe*32
PLNRnote.exe*32
I got a sense the *32 suffix was part of the virus and has attached to some of my other software also. Any ideas?


These are stating these are 32-bit processes running and not 64-bit.

Can you please uninstall Norton and see if that has any effect. Norton is known to be a resource hog. Can you also tell me which process is using the most memory?


  1. Please download OTL from one of the following mirrors:
     This is THE Mirror
  2. Save it to your desktop.
  3. Double click on the Posted Image icon on your desktop.
  4. Under the Custom Scan box paste this in:
     netsvcs
     %SYSTEMDRIVE%\*.exe
     /md5start
     eventlog.dll
     scecli.dll
     netlogon.dll
     cngaudit.dll
     sceclt.dll
     ntelogon.dll
     logevent.dll
     iaStor.sys
     nvstor.sys
     atapi.sys
     IdeChnDr.sys
     viasraid.sys
     AGP440.sys
     vaxscsi.sys
     nvatabus.sys
     viamraid.sys
     nvata.sys
     nvgts.sys
     iastorv.sys
     ViPrt.sys
     eNetHook.dll
     ahcix86.sys
     KR10N.sys
     /md5stop
     %systemroot%\*. /mp /s
     CREATERESTOREPOINT
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
     OTL.txt <-- Will be opened
     Extra.txt <-- Will be minimized
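As an added example after fireman4it's OTL request (example code, not from the thread): the /md5start list above names the kind of system DLLs and storage drivers that file-patching rootkits replace in place, and this PowerShell script hashes each one and records its Authenticode status and version company name so the values can be compared against a known-good machine. Assumptions: files are looked up only in %SystemRoot%\System32 and its drivers folder, and a name that is absent is normal (most of these are vendor storage drivers that exist only on hardware that uses them). Caveat: on Windows 7 with PowerShell 2.0, Get-AuthenticodeSignature reports catalog-signed system files as NotSigned, so treat that status as "confirm with Sysinternals sigcheck or sfc /verifyonly", not as proof of tampering.

```powershell
# Added example (not from the thread): hash and signature-check the files OTL's /md5start list
# targets. Assumption: names are resolved under %SystemRoot%\System32 and System32\drivers only.
$names = @('eventlog.dll','scecli.dll','netlogon.dll','cngaudit.dll','sceclt.dll','ntelogon.dll',
           'logevent.dll','iaStor.sys','nvstor.sys','atapi.sys','IdeChnDr.sys','viasraid.sys',
           'AGP440.sys','vaxscsi.sys','nvatabus.sys','viamraid.sys','nvata.sys','nvgts.sys',
           'iastorv.sys','ViPrt.sys','eNetHook.dll','ahcix86.sys','KR10N.sys')

$sys32   = Join-Path $env:SystemRoot 'System32'
$drivers = Join-Path $sys32 'drivers'
$md5     = [System.Security.Cryptography.MD5]::Create()   # available on PowerShell 2.0, unlike Get-FileHash

function Get-Md5Hex {
    param([string]$Path)
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($md5.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Get-SystemFileReport {
    param([string[]]$FileNames)
    foreach ($name in $FileNames) {
        # A name can legitimately be absent (vendor-specific storage drivers). A copy present in
        # both folders is the case that deserves a second look, so every hit is reported.
        $candidates = @((Join-Path $sys32 $name), (Join-Path $drivers $name)) | Where-Object { Test-Path $_ }
        if (-not $candidates) {
            New-Object PSObject -Property @{ File = $name; Path = '(not present)'; MD5 = ''; Signature = ''; Company = '' }
            continue
        }
        foreach ($path in $candidates) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $ver = (Get-Item $path).VersionInfo
            New-Object PSObject -Property @{
                File      = $name
                Path      = $path
                MD5       = Get-Md5Hex -Path $path
                # NotSigned on Windows 7 / PowerShell 2.0 usually means catalog-signed: confirm before acting on it.
                Signature = $sig.Status
                Company   = $ver.CompanyName
            }
        }
    }
}

Get-SystemFileReport -FileNames $names |
    Select-Object File, Path, Company, Signature, MD5 |
    Format-Table -AutoSize
```

Save the table from a clean machine with the same Windows version and patch level, then diff the MD5 column; a driver whose hash differs while its version and company name still read as Microsoft or the vendor is the classic sign of an in-place patch, which is what the OTL md5 block is looking for.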


#12 mikebowen

Posted 31 March 2011 - 08:29 PM

Hello,

Update before starting OTL. Norton was included as a 60-day trial on the machine and was never activated, as well as I remember. I find NORTON and UNINSTALLNORTON when I search, but when I try to go to either, the system says they don't exist on this machine.

As for memory hogs from Task Manager's Resource Monitor, the culprit seems to be WMPRNETWK.EXE. "Commit" is 2,4923,800, while "Private" is 1,527,348.

Shall I go ahead with OTL, or is there another scan to assure Norton is gone?

- Mike

#13 mikebowen

Posted 31 March 2011 - 08:36 PM

Fireman4it,

Make that "Commit" for WMPNETWK.EXE 2,492,800.

This is on a 2gb system.

- Mike

(Just checked and found out this is the WINDOWS MEDIA PLAYER network. Don't use it, never have, never will, let's DITCH it!!!!)

Edited by mikebowen, 31 March 2011 - 09:04 PM.

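As an added example after Mike's question about the "*32" suffix and fireman4it's request for the top memory consumer (example code, not from the thread): a PowerShell script that lists the largest processes by private bytes and marks each one as native or 32-bit under WOW64, which is exactly what Task Manager's *32 marker indicates on 64-bit Windows. It calls IsWow64Process from kernel32 through Add-Type; the default of 15 rows is an arbitrary choice, and a process whose handle cannot be opened from a non-elevated prompt is reported as "access denied" rather than skipped.

```powershell
# Added example (not from the thread): top processes by private memory, with bitness.
# The *32 shown by Task Manager means the image is 32-bit and runs under WOW64 on 64-bit Windows.
Add-Type -Namespace Win32 -Name Wow64 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(System.IntPtr hProcess, out bool wow64);
'@

function Get-ProcessBitness {
    param([System.Diagnostics.Process]$Process)
    $wow = $false
    try {
        # On a 32-bit OS IsWow64Process returns false for everything, so "native" is still correct.
        if ([Win32.Wow64]::IsWow64Process($Process.Handle, [ref]$wow)) {
            if ($wow) { '32-bit (WOW64, shown as *32)' } else { 'native' }
        } else { 'unknown' }
    } catch {
        # Protected and other-user processes refuse a handle from a non-elevated prompt.
        'access denied'
    }
}

function Get-ProcessMemoryReport {
    param([int]$Top = 15)
    Get-Process |
        Sort-Object PrivateMemorySize64 -Descending |
        Select-Object -First $Top |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name         = $_.ProcessName
                PID          = $_.Id
                Bitness      = Get-ProcessBitness -Process $_
                PrivateMB    = [math]::Round($_.PrivateMemorySize64 / 1MB, 1)   # what Resource Monitor calls "Private"
                WorkingSetMB = [math]::Round($_.WorkingSet64 / 1MB, 1)
                Path         = $(try { $_.Path } catch { '' })
            }
        } |
        Select-Object Name, PID, Bitness, PrivateMB, WorkingSetMB, Path
}

Get-ProcessMemoryReport | Format-Table -AutoSize
```

The Path column is the part that matters for triage: a 32-bit process is ordinary on a 64-bit machine, but one running from a temp or profile folder rather than Program Files or System32 is not. In Mike's case the top entry would have been wmpnetwk.exe, which he identifies a few posts later.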

#14 fireman4it

Posted 31 March 2011 - 09:04 PM

Hello,

Here is a Norton uninstaller

Uninstall Norton

  • Download the Norton Removal Tool to your desktop.
  • On the Windows desktop, double-click the Norton Removal Tool icon.
  • Follow the on-screen instructions.
    Note:Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts
Norton should now be removed from your PC.


For illustrated instructions please refer to here:
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039


2.
Try this and see if this helps with the cpu usage.


Open media player.

Click on organize and manage libraries.

Go through each of the media types and remove all the places to look, especially C:, and leave the one default location for each.

Now restart your machine and see how it goes.



Hope this helps those struggling.


#15 mikebowen

Posted 31 March 2011 - 10:51 PM

Fireman4it,

1. Norton is gone, finally.
2. Since I hadn't initialized Windows Media Player, had to go into SERVICES.MSC and DISABLE it through Properties. Also went into the registry and added a D-WORD of "1" under HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\HME. (Just thought that last one up myself. Seemed rather intuitive.)
3. GOOD NEWS is that without the WMPNETWK.EXE, memory usage is down to an average of 38-41%!!!!
4. Ran OTL, but seems only one report (OTL.txt) was created. Not sure what happened to EXTRA.TXT.

How does it look? And HOW can I get the 1.5 tb of files on E:\? I know the missing files are there on C:\ and E:\, because the scans kept reporting them.

- Mike

Attached Files

  • Attached File  OTL.Txt   76.39KB   1 downloads

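As an added example after this post (example code, not from the thread): the change Mike made by hand in services.msc, done from an elevated PowerShell prompt, with a before/after readout so the effect on wmpnetwk.exe is visible. The service name WMPNetworkSvc (Windows Media Player Network Sharing Service) and the binary name wmpnetwk.exe are the standard ones on Windows 7; nothing here touches the registry value Mike added.

```powershell
# Added example (not from the thread): stop and disable the Windows Media Player Network
# Sharing Service (WMPNetworkSvc, binary wmpnetwk.exe) and confirm the process is gone.
# Run from an elevated PowerShell prompt.
$serviceName = 'WMPNetworkSvc'

function Get-WmpNetworkSharingState {
    # Win32_Service exposes StartMode, which Get-Service on PowerShell 2.0 does not.
    $wmi  = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
    $proc = @(Get-Process -Name wmpnetwk -ErrorAction SilentlyContinue)
    New-Object PSObject -Property @{
        Service   = $serviceName
        State     = $(if ($wmi) { $wmi.State } else { 'not installed' })
        StartMode = $(if ($wmi) { $wmi.StartMode } else { 'n/a' })
        Running   = ($proc.Count -gt 0)
        PrivateMB = $(if ($proc.Count -gt 0) {
                        [math]::Round(($proc | Measure-Object PrivateMemorySize64 -Sum).Sum / 1MB, 1)
                      } else { 0 })
    } | Select-Object Service, State, StartMode, Running, PrivateMB
}

function Disable-WmpNetworkSharing {
    $svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$serviceName is not installed on this machine"; return }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $serviceName -Force }
    # Disabled (not Manual): Media Player would otherwise restart it on demand.
    Set-Service -Name $serviceName -StartupType Disabled
}

Write-Host 'Before:'; Get-WmpNetworkSharingState | Format-List
Disable-WmpNetworkSharing
Write-Host 'After:';  Get-WmpNetworkSharingState | Format-List
```

After the second readout shows State Stopped, StartMode Disabled and Running False, re-run the memory report from a fresh boot; if usage climbs back toward 95% with the service down, the cause is something other than wmpnetwk.exe and the logs still need looking at.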



