
"Could not load or run 'C:\Users\admin\Temp\csrss.exe'



#1 onetimer

onetimer

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:58 PM

Posted 07 July 2011 - 08:19 PM

"Could not load or run 'C:\Users\admin\Temp\csrss.exe' specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry." At first, I ignored it, but Internet Explorer only opens Https://www.facebook.com and Https://encrypted.google.com (right now I am using my laptop, not my computer). What should I do?


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:05:58 PM

Posted 07 July 2011 - 10:12 PM

Welcome aboard

You're surely infected.

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 onetimer

onetimer
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:58 PM

Posted 07 July 2011 - 11:11 PM

I cannot do that because the computer that is infected can't go on the internet (this is still the laptop). Would I be able to download the antivirus on a usb and upload it on the other computer?

#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:05:58 PM

Posted 07 July 2011 - 11:15 PM

Yes, you can download all the tools I listed on the good computer and move them to the bad computer using a USB stick.

Since we'll be moving the USB stick between the good and bad computers, install this on the GOOD computer....

Download, and run Flash Disinfector, and save it to your desktop (Windows Vista and Windows 7 users, scroll down)

*Please disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process*

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Windows Vista and Windows 7 users
Flash Disinfector is not compatible with the above Windows version.
Please, use Panda USB Vaccine, or BitDefender’s USB Immunizer
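The note above describes the trick Flash Disinfector relies on: a folder named autorun.inf at the root of the drive occupies the name, so an autorun.inf file cannot be created there. The PowerShell below is an added example, not Flash Disinfector's, Panda's or BitDefender's own code; it applies that same idea to every removable drive and additionally sets the Microsoft-documented NoDriveTypeAutoRun policy value so Windows ignores autorun.inf on all drive types. The drive enumeration via Win32_LogicalDisk and the return labels are my choices, not something the thread specifies.

```powershell
# Added example (not code from the thread or from any of the tools it names).
# Vaccinates removable drives the way the note above describes and disables
# AutoRun system-wide. Run from an elevated PowerShell.

function Protect-DriveRoot {
    param([Parameter(Mandatory = $true)][string]$Root)   # e.g. 'D:\'
    $target = Join-Path $Root 'autorun.inf'

    if (Test-Path -LiteralPath $target -PathType Leaf) {
        # A real autorun.inf FILE is already there: show it and stop so the
        # operator can look at what it launches before anything is removed.
        Write-Warning "$target is a file, not a folder. Contents:"
        Get-Content -LiteralPath $target | ForEach-Object { Write-Warning "    $_" }
        return 'file-present'
    }

    if (-not (Test-Path -LiteralPath $target -PathType Container)) {
        New-Item -ItemType Directory -Path $target | Out-Null
    }

    # Hidden + System + ReadOnly, the same attribute set the tools above leave
    # behind; -Force is needed so Get-Item returns the hidden folder.
    $dir = Get-Item -LiteralPath $target -Force
    $dir.Attributes = [System.IO.FileAttributes]'Directory, Hidden, System, ReadOnly'
    return 'protected'
}

function Disable-AutoRun {
    # 0xFF disables AutoRun for every drive type (Microsoft-documented value).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

# DriveType 2 = removable disk (USB stick) in Win32_LogicalDisk.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    '{0} {1}' -f $root, (Protect-DriveRoot -Root $root)
}
Disable-AutoRun
```

Plug the stick in with Shift held, as the steps above say, before running this; the script reports `file-present` and prints the file rather than deleting it, so a drive that already carries an autorun.inf file is handled by you, not silently.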


#5 onetimer

onetimer
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:58 PM

Posted 08 July 2011 - 12:32 AM

checkup.txt
"

Results of screen317's Security Check version 0.99.7
Windows Vista (UAC is enabled)
Out of date service pack!!
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 16
Java™ 6 Update 18
Java™ 6 Update 5
Java™ SE Development Kit 6 Update 18
Out of date Java installed!
Adobe Flash Player
Adobe Reader 9.3.2
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Symantec AntiVirus DefWatch.exe
``````````End of Log````````````
"

Minitoolbox results
"
MiniToolBox by Farbar
Ran by admin (administrator) on 07-07-2011 at 23:37:27
Windows ™ Vista Home Premium Service Pack 2 (X64)

***************************************************************************


========================= IE Proxy Settings: ==============================

Proxy is enabled.
ProxyServer: http=127.0.0.1:64303

========================= End of IE Proxy Settings ========================
=============== Hosts content: ============================================

# Copyright © 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
::1 localhost

=============== End of Hosts ==============================================

================= IP Configuration: =======================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : admin-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hsd1.il.comcast.net.

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : hsd1.il.comcast.net.
Description . . . . . . . . . . . : Realtek 8185 Extensible Wireless Device
Physical Address. . . . . . . . . : 00-14-D1-EA-87-8A
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::2443:c97f:ed47:30c8%14(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.13(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, July 07, 2011 7:43:07 PM
Lease Expires . . . . . . . . . . : Friday, July 08, 2011 12:13:13 AM
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DHCPv6 IAID . . . . . . . . . . . : 301995217
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-11-CC-63-4B-00-22-68-68-7A-D0
DNS Servers . . . . . . . . . . . : 68.87.72.134
68.87.77.134
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : hsd1.il.comcast.net.
Description . . . . . . . . . . . : Marvell Yukon 88E8071 PCI-E Gigabit Ethernet Controller
Physical Address. . . . . . . . . : 00-22-68-68-7A-D0
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:10c6:8bf:3f57:fff2(Preferred)
Link-local IPv6 Address . . . . . : fe80::10c6:8bf:3f57:fff2%11(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : hsd1.il.comcast.net.
Description . . . . . . . . . . . : isatap.hsd1.il.comcast.net.
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: cns.area4.il.chicago.comcast.net
Address: 68.87.72.134

Name: google.com
Addresses: 74.125.225.82
74.125.225.81
74.125.225.80
74.125.225.84
74.125.225.83



Pinging google.com [74.125.225.81] with 32 bytes of data:

Reply from 74.125.225.81: bytes=32 time=17ms TTL=56

Reply from 74.125.225.81: bytes=32 time=18ms TTL=56



Ping statistics for 74.125.225.81:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 17ms, Maximum = 18ms, Average = 17ms

Server: cns.area4.il.chicago.comcast.net
Address: 68.87.72.134

DNS request timed out.
timeout was 2 seconds.
Name: yahoo.com
Addresses: 209.191.122.70
67.195.160.76
69.147.125.65
72.30.2.43
98.137.149.56



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=50ms TTL=51

Reply from 209.191.122.70: bytes=32 time=51ms TTL=51



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 50ms, Maximum = 51ms, Average = 50ms



Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
14 ...00 14 d1 ea 87 8a ...... Realtek 8185 Extensible Wireless Device
10 ...00 22 68 68 7a d0 ...... Marvell Yukon 88E8071 PCI-E Gigabit Ethernet Controller
1 ........................... Software Loopback Interface 1
11 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
13 ...00 00 00 00 00 00 00 e0 isatap.hsd1.il.comcast.net.
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.13 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.13 281
192.168.0.13 255.255.255.255 On-link 192.168.0.13 281
192.168.0.255 255.255.255.255 On-link 192.168.0.13 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.13 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.13 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
11 18 ::/0 On-link
1 306 ::1/128 On-link
11 18 2001::/32 On-link
11 266 2001:0:4137:9e76:10c6:8bf:3f57:fff2/128
On-link
14 281 fe80::/64 On-link
11 266 fe80::/64 On-link
11 266 fe80::10c6:8bf:3f57:fff2/128
On-link
14 281 fe80::2443:c97f:ed47:30c8/128
On-link
1 306 ff00::/8 On-link
11 266 ff00::/8 On-link
14 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

================= End of IP Configuration =================================

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/07/2011 07:43:17 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/07/2011 07:43:13 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"1".
Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (07/07/2011 07:43:13 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"1".
Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (07/07/2011 07:43:13 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"1".
Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (07/07/2011 07:43:13 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"1".
Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (07/07/2011 07:16:29 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/07/2011 06:58:42 PM) (Source: ESENT) (User: )
Description: Catalog Database (1488) Catalog Database: A bad page link (error -327) has been detected in a B-Tree (ObjectId: 8, PgnoRoot: 35) of database C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb (620 => 1269, Catalog Database0).

Error: (07/07/2011 06:56:22 PM) (Source: EventSystem) (User: )
Description: 80070005EventSystem.EventSubscription{CEB8B221-89C5-41A8-98CE-79B413BF150B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}

Error: (07/07/2011 06:51:11 PM) (Source: ESENT) (User: )
Description: Catalog Database (1488) Catalog Database: A bad page link (error -327) has been detected in a B-Tree (ObjectId: 8, PgnoRoot: 35) of database C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb (2088 => 2699, Catalog Database0).

Error: (07/07/2011 06:51:09 PM) (Source: ESENT) (User: )
Description: Catalog Database (1488) Catalog Database: A bad page link (error -327) has been detected in a B-Tree (ObjectId: 8, PgnoRoot: 35) of database C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb (894 => 2694, Catalog Database0).


System errors:
=============
Error: (07/07/2011 07:43:17 PM) (Source: Service Control Manager) (User: )
Description: SRTSP

Error: (07/07/2011 07:43:17 PM) (Source: Service Control Manager) (User: )
Description: Norton Internet Security%%3

Error: (07/07/2011 07:42:56 PM) (Source: SRTSP) (User: )
Description: Error loading Symantec real time Anti-Virus driver.

Error: (07/07/2011 07:42:56 PM) (Source: SRTSP) (User: )
Description: Error loading virus definitions.

Error: (07/07/2011 07:16:29 PM) (Source: Service Control Manager) (User: )
Description: SRTSP

Error: (07/07/2011 07:16:29 PM) (Source: Service Control Manager) (User: )
Description: Norton Internet Security%%3

Error: (07/07/2011 07:15:19 PM) (Source: SRTSP) (User: )
Description: Error loading Symantec real time Anti-Virus driver.

Error: (07/07/2011 07:15:19 PM) (Source: SRTSP) (User: )
Description: Error loading virus definitions.

Error: (07/07/2011 06:59:00 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
Description: 0x8e5e0147Windows PowerShell 2.0 and WinRM 2.0 for Windows Vista for x64-based Systems (KB968930){095C6B5C-93D4-4FD5-9F27-B7A2829C83F2}102

Error: (07/07/2011 06:58:48 PM) (Source: Microsoft-Windows-Servicing) (User: SYSTEM)
Description: Windows Servicing failed to complete the process of setting package KB950099 (Language Pack) into Resolved(Resolved) state


Microsoft Office Sessions:
=========================
Error: (06/02/2011 06:23:00 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3 seconds with 0 seconds of active time. This session ended with a crash.

Error: (03/13/2011 06:46:27 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3 seconds with 0 seconds of active time. This session ended with a crash.

Error: (01/20/2011 05:27:40 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 6 seconds with 0 seconds of active time. This session ended with a crash.

Error: (02/24/2010 08:22:50 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1 seconds with 0 seconds of active time. This session ended with a crash.


========================= End of Event log errors =========================

========================= Memory info: ====================================

Percentage of memory in use: 22%
Total physical RAM: 5886.26 MB
Available physical RAM: 4571.23 MB
Total Pagefile: 11897.03 MB
Available Pagefile: 10668.05 MB
Total Virtual: 4095.88 MB
Available Virtual: 4013.93 MB

======================= Partitions: =======================================

1 Drive c: (OS) (Fixed) (Total:581.52 GB) (Free:419.74 GB) NTFS
2 Drive d: () (Removable) (Total:15.21 GB) (Free:15.2 GB) FAT32

================= Users: ==================================================

User accounts for \\ADMIN-PC

-------------------------------------------------------------------------------
admin Administrator Guest
The command completed successfully.

================= End of Users ============================================
"

Malwarebytes log
"
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7045

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19048

7/7/2011 11:45:03 PM
mbam-log-2011-07-07 (23-45-03).txt

Scan type: Quick scan
Objects scanned: 188635
Time elapsed: 3 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\admin\AppData\Local\hqa.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\admin\AppData\Local\Temp\0.9686534003070524.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\admin\AppData\Local\Temp\JWcg.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\admin\AppData\Local\Temp\temp1_wpepro09x.zip\WPE PRO.exe (HackTool.Sniffer.WpePro) -> Quarantined and deleted successfully.
c:\Users\admin\AppData\Local\Temp\temp2_wpepro09x.zip\WPE PRO.exe (HackTool.Sniffer.WpePro) -> Quarantined and deleted successfully.
"
The GMER results were empty after the scan.
Is there anything else I need to do?
Thanks in advance for all the help!
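Read together, the MiniToolBox and Malwarebytes logs above show a consistent picture: the WinINet proxy was pointed at a loopback address (127.0.0.1:64303), the .exe file association was redirected through hqa.exe, and per-user Winlogon Shell and Windows\Load values had been planted. The PowerShell below is an added example, not code from this thread, from Malwarebytes or from MiniToolBox; it checks those same live registry locations and reports anything that differs from what I take to be a clean Vista/7 baseline (the expected values are my assumption, not taken from the logs) without changing anything.

```powershell
# Added example (not from the thread or from any tool it names). Read-only:
# inspects the registry locations the MBAM log reported and returns findings.
# Run as the affected user in an elevated PowerShell (HKCU is per user).

function Test-HijackIndicators {
    $findings = @()

    # 1. .exe file-association hijack. Clean value: "%1" %*
    #    (the log showed it rewritten to ...\AppData\Local\hqa.exe -a "%1" %*)
    $expectedExe = '"%1" %*'
    $exeKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $exeCmd = (Get-ItemProperty -Path $exeKey -ErrorAction SilentlyContinue).'(default)'
    if ($exeCmd -ne $expectedExe) {
        $findings += "exefile open command is '$exeCmd', expected '$expectedExe'"
    }

    # 2. HKCR\.exe normally has no shell\open\command subkey at all; MBAM
    #    flagged one as Hijack.ExeFile.
    if (Test-Path 'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command') {
        $findings += 'HKCR\.exe\shell\open\command exists (should be absent)'
    }

    # 3. Per-user Winlogon Shell. Clean systems define Shell only under HKLM
    #    (explorer.exe); a Shell value in HKCU overrides it for that user.
    $wl = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($wl -and $wl.PSObject.Properties['Shell']) {
        $findings += "HKCU Winlogon\Shell is set to '$($wl.Shell)' (should be absent)"
    }

    # 4. The legacy 'Load' value runs a program at logon; empty or absent when clean.
    $win = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows' -ErrorAction SilentlyContinue
    if ($win -and $win.Load) {
        $findings += "HKCU ...\Windows\Load is set to '$($win.Load)' (should be empty)"
    }

    # 5. WinINet (IE) proxy. A proxy enabled and pointing at loopback means every
    #    browser request is routed through a local process first, as in the log.
    $ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    if ($ie -and $ie.ProxyEnable -eq 1 -and $ie.ProxyServer -match '127\.0\.0\.1|localhost') {
        $findings += "WinINet proxy enabled and pointing at loopback: $($ie.ProxyServer)"
    }

    return $findings
}

$result = @(Test-HijackIndicators)
if ($result.Count -eq 0) {
    'No hijack indicators found in the checked locations.'
} else {
    'Indicators found:'
    $result | ForEach-Object { "  - $_" }
}
```

On the machine in this thread, before the MBAM run, every one of the five checks would have fired; after the MBAM removal and the MiniToolBox proxy reset, only a clean result is expected, which is a quick way to confirm the fix held across a reboot.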

#6 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:05:58 PM

Posted 08 July 2011 - 10:42 AM

I don't see any AV program running.
I can see what looks like Norton's leftovers.
What's the story there?

Re-run MiniToolbox.

Checkmark following boxes:
  • Flush DNS
  • Reset IE Proxy Settings
Click Go and post the result.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Re-run MiniToolbox again.

Checkmark following boxes:
  • Report IE Proxy Settings
Click Go and post the result.


#7 onetimer

onetimer
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:58 PM

Posted 08 July 2011 - 11:59 AM

Minitoolbox re-run #1
"MiniToolBox by Farbar
Ran by admin (administrator) on 08-07-2011 at 11:41:58
Windows ™ Vista Home Premium Service Pack 2 (X64)

***************************************************************************


================= Flush DNS: ==============================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

================= End of Flush DNS ========================================

"Reset IE Proxy Settings": Proxy Settings were reset.

"
Minitoolbox re-run number 2
"MiniToolBox by Farbar
Ran by admin (administrator) on 08-07-2011 at 11:43:04
Windows ™ Vista Home Premium Service Pack 2 (X64)

***************************************************************************


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= End of IE Proxy Settings ========================
"
After I ran all of this, I reset my Bad Computer, and no error messages appeared and everything worked perfectly! Thank you for all of your time and help. :)

#8 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:05:58 PM

Posted 08 July 2011 - 12:08 PM

Good news, but we still need to double-check a couple of things.

You didn't comment:

I don't see any AV program running.
I can see what looks like Norton's leftovers.
What's the story there?



#9 onetimer

onetimer
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:58 PM

Posted 08 July 2011 - 01:01 PM

I don't know why anything Norton related is on this computer (this is the computer that was infected) and I downloaded AVG Security, which checks everything that Malwarebytes Anti-Malware doesn't and vice versa.

#10 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:05:58 PM

Posted 08 July 2011 - 01:02 PM

Run Norton Removal Tool: http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN

Post fresh Security Check log.


#11 onetimer

onetimer
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:58 PM

Posted 08 July 2011 - 02:15 PM

I downloaded the Norton removal tool and it said that "Symantec AntiVirus 9 or later" needs to be removed through Add/Remove Programs. I looked but I couldn't find it anywhere. Do you know where I should look?

#12 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:05:58 PM

Posted 08 July 2011 - 02:51 PM

Did you look under "Norton...."?


#13 onetimer

onetimer
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:58 PM

Posted 08 July 2011 - 04:01 PM

Yes, I looked under Norton.

#14 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:05:58 PM

Posted 08 July 2011 - 04:10 PM

Use AppRemover to uninstall it: http://www.appremover.com/
Let me know if it detected/removed Norton.


#15 onetimer

onetimer
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:58 PM

Posted 08 July 2011 - 04:49 PM

AppRemover detected and removed Symantec AntiVirus.



