
AntiVirus 2012 - Personal Shield Pro - Can't start system


13 replies to this topic

#1 whftherb
Posted 17 August 2011 - 07:32 AM

Hello -

I don't have my logs prep'd yet. You'll see why. I have my brother-in-law's XP Pro desktop - Intel core, 1 GB RAM, two drives: C:\ 7 GB left and D:\Storage about 30% full. C is too full, I know. Two user accounts, both admins. Using Symantec Endpoint 11.6.

I used the self help section and ran RKill then MBAM in safe mode as normal mode was useless. Cleaned off 20 infections using his account. Looked promising but it was way slow. So slow, I couldn't get it to shut down or restart. Disk always being accessed. Went to Safe Mode - attempted to chkdsk D: (Completed) and C: (had to reschedule) but no shut down. Hard reset, no chkdsk, hangs at the desktop. Hard reset. Attempted Safe Mode, it hangs at MUP.sys and will go no further. I used ERD to call a restore point (the only one available) back to Aug 13. It came back in normal mode. This time I launched wife's account wanting to at least get chkdsk to run on C: The infection is also on her profile. That was my mistake. So now, it will boot sometimes and sometimes not.

So, rather than chase my tail, I thought I'd come here (as I've done before) and ask for some help.

So, we do have data backed up. Can't quite get normal Windows to run as patient as we might be and it looks like Safe Mode is flummoxed.


I'll await further instructions.

Thanks.

H


#2 boopme (Global Moderator)

Posted 21 August 2011 - 01:59 PM

Hello, you will need access to another PC and a blank CD
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 whftherb (Topic Starter)

Posted 21 August 2011 - 02:10 PM

OK Done!

But let me point out some changes since the initial post. I wish I'd done this correctly the first time...

After about a dozen restarts, I was able to get Safe Mode to work. The symptom there was you tried to restart and it always came to Windows is Shutting Down, but never completed. Hard reset was the only option. Logged into "Tim", installed, updated and ran MBAM. Found 20 baddies. Removed them. Rebooted to normal mode. Now running MBAM on Tim in normal mode. It's found one (1) baddie thus far and is about half way through. I've not yet tried logging in to "Tara" because I fear her profile is impacted (or perhaps All Users).

But I do have a spare computer (right next door to the sick one). I have the knowledge and expertise to burn disks, create .ISOs. I do have the initial software needed for "help" here on a thumbdrive after reading the opening pages.

So, maybe the first paragraph changes what you had in mind. Shall we wait for MBAM to complete its normal full scan in XP's normal mode?

H

Edited by whftherb, 21 August 2011 - 02:11 PM.


#4 boopme (Global Moderator)

Posted 21 August 2011 - 02:36 PM

OK, I am moving this to Am I Infected as it is now a bootable computer.

Let us see if we can get Safe mode to run.
Vista users may need to save it to the desktop first then right-click the icon and choose "Run as Administrator".

Please download and run SafeBootKeyRepair.exe.

Once it has completed, please try booting into Safe Mode.


Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now reboot to Normal and run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware

Please ask any needed questions, post logs and let us know how the PC is running now.

#5 whftherb (Topic Starter)

Posted 21 August 2011 - 04:43 PM

OK, boopme - we are still in a peck of trouble.

I ran SAS_Free from Safe Mode. It found 37 items, 34 of which were tracking cookies. I removed all and attempted a reboot. It would not come to normal mode (to run MBAM) and it stuck on the XP "blue caterpillar" which I let run for about 15 minutes. No log on screen, just the blue cat. Hard reset. Let it come to normal, clicked "Tim" to log in, desktop arrives. But all the icons, shortcuts and programs that point to a .exe are no longer associated. IOW, I cannot launch anything because Win comes and says we need to find a program to run the .exe - browse to find or go to the net... the .exe and .dll files all show the same "generic" icon. Also, I could not find the SAS log.

So, I went back to Safe Mode and the same "no association" appears there. So I need to re-register program files and dll-s. Regsrvr ???

H

Quick update: Did research - found this gem:


Before playing with the registry try this first. Open the File Types dialog from any Explorer window -- use My Documents or My Computer (Tools | Folder Options | File Types Tab). Scroll down to where .EXE would be in the alphabetical order and make certain .EXE is not there (if it is, then edit it there by changing the association to Application). Finally, select the New button, type in EXE for the extension and select the Advanced button. From the list pick "Application."

So, MBAM log should be coming up shortly.

H

Edited by whftherb, 21 August 2011 - 05:07 PM.


#6 whftherb (Topic Starter)

Posted 21 August 2011 - 05:14 PM

Spoke too soon!

Some icons and shortcuts work, but many do not. Still have the generic shortcut icon graphic on many. The Quick Launch bar icons work. MBAM is available. Launching it now. But this .exe thing - I've got to find a fix.

H

#7 boopme (Global Moderator)

Posted 21 August 2011 - 06:56 PM

I do not know if this is XP, Vista, etc.

Go here to Doug Knox's Windows® XP File Association Fixes
Run 9th down on left... EXE File Association Fix ... the EXE not EML one.



FOR VISTA
Go to File association fixes for Windows Vista

Click the exe box
Instructions:
To fix the association for a particular file type, download the corresponding fix from the above links table (Use Right-click - Save as option in your browser to download the fixes). Unzip the fix and extract the .REG file to the Desktop. Right-click the REG file and choose Merge. Note that you need to be an administrator to apply these fixes.

#8 whftherb (Topic Starter)

Posted 21 August 2011 - 08:00 PM

OK although it has been a long struggle, here's the SAS and MBAM logs.

System health: Not good. It comes to the desktop, and for instance the thumb drive won't be recognized in normal mode. I had to go to Safe Mode to draw out the logs. If I do anything in normal mode, and then attempt to log out or restart, it comes to "Windows is saving your settings" or "Windows is shutting down" and stays there. The only way out of that is a hard reset. Often on reboot, Windows XP's initialization comes up (the blue caterpillar) and that's it. A hard reset usually brings it back to the log on screen or I can go Safe Mode with F8.

I did full scans on MBAM and SAS. In order to get these logs, I had to go Safe Mode. Let me copy and paste the logs and await further instructions. And in SAS there is no "Stats/Logs" tab - I had to navigate to the folder to extract logs. Please note the .exe problem is still with me in normal as well as Safe mode. Although I tried the Windows Explorer > Tools > Folder Options trick, it works once but does not stick and only lasts one iteration where I have to go back in. Slow and painful... I did find that SAS was in the systray and would launch. I found MBAM on the Quick Launch bar, that worked. Many icons will not work due to the .exe problem above.

Logs:
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7529

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

8/21/2011 7:12:54 PM
mbam-log-2011-08-21 (19-12-53).txt

Scan type: Full scan (C:\|)
Objects scanned: 292729
Time elapsed: 57 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/21/2011 at 08:11 PM

Application Version : 5.0.1118

Core Rules Database Version : 7585
Trace Rules Database Version: 5397

Scan type : Complete Scan
Total Scan Time : 00:56:05

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 583
Memory threats detected : 0
Registry items scanned : 40795
Registry threats detected : 1
File items scanned : 44789
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\Tim Bishop\Cookies\tim_bishop@doubleclick[1].txt
ad.insightexpressai.com [ C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\MFCNDP7X ]
cdn.tremormedia.com [ C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\MFCNDP7X ]

System.BrokenFileAssociation
HKCR\.exe


I scanned twice with SAS. This log is a bit longer. The log above is shorter but "cleaner".
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/21/2011 at 05:22 PM

Application Version : 5.0.1118

Core Rules Database Version : 7585
Trace Rules Database Version: 5397

Scan type : Complete Scan
Total Scan Time : 00:39:36

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 390
Memory threats detected : 1
Registry items scanned : 40788
Registry threats detected : 1
File items scanned : 43556
File threats detected : 39

Trojan.Agent/Gen-Bancos
C:\PROGRA~1\BATCHP~1\LOADBA~1.DLL
C:\PROGRA~1\BATCHP~1\LOADBA~1.DLL
C:\PROGRAM FILES\BATCH PHOTO FACTORY\LOADBATCH.DLL

Adware.Tracking Cookie

Adware.CouponBar
C:\WINDOWS\CPNPRT2.CID
C:\WINDOWS\SYSTEM32\CPNPRT2.CID

Trojan.Agent/Gen-Faldesc[RE]
C:\WINDOWS\SYSTEM32\SPRESTRTK.DLL

System.BrokenFileAssociation
HKCR\.exe
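Added example, not code from the thread or from any of the tools it names: a read-only Windows PowerShell audit of the .exe association chain that the SAS log above reports as "System.BrokenFileAssociation HKCR\.exe" and that the Doug Knox .REG merge in post #7 (or the Folder Options edit in post #5) repairs. It assumes Windows PowerShell is available on the machine being checked; the stock values it compares against are the ones a known-good fix restores, and nothing is written to the registry.

```powershell
# Added example (not from the thread): read-only audit of the .exe association
# chain that SUPERAntiSpyware flagged as "System.BrokenFileAssociation HKCR\.exe".
# Assumes Windows PowerShell is available on the machine; it changes nothing.
# Stock values on Windows XP and later:
#   HKCR\.exe                        (default) = exefile
#   HKCR\exefile\shell\open\command  (default) = "%1" %*
$ExpectedProgId  = 'exefile'
$ExpectedCommand = '"%1" %*'

function Get-RegDefaultValue {
    param([Parameter(Mandatory=$true)][string]$KeyPath)
    # Returns the key's (default) value, or $null when the key or value is absent.
    try {
        $key = Get-ItemProperty -LiteralPath "Registry::$KeyPath" -ErrorAction Stop
        return $key.'(default)'
    } catch {
        return $null
    }
}

function Test-ExeAssociation {
    $findings = @()

    # Step 1: which ProgID does the .exe extension map to?
    $progId = Get-RegDefaultValue 'HKEY_CLASSES_ROOT\.exe'
    if ([string]::IsNullOrEmpty($progId)) {
        $findings += 'HKCR\.exe is missing or has an empty (default) value; Explorer has no handler for .exe.'
        $progId = $ExpectedProgId   # still inspect the stock ProgID below
    } elseif ($progId -ne $ExpectedProgId) {
        $findings += "HKCR\.exe maps to ProgID '$progId' instead of '$ExpectedProgId'."
    }

    # Step 2: follow the ProgID that is actually set, so a redirected chain is
    # reported rather than hidden behind the stock name.
    $cmdKey  = "HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $command = Get-RegDefaultValue $cmdKey
    if ([string]::IsNullOrEmpty($command)) {
        $findings += "$cmdKey is missing; .exe files cannot be launched by association."
    } elseif ($command -ne $ExpectedCommand) {
        $findings += "$cmdKey runs '$command' instead of '$ExpectedCommand' (every launch is routed through another program)."
    }

    # PowerShell 2.0-compatible result object (XP SP3 can run PowerShell 2.0).
    New-Object PSObject -Property @{
        ProgId   = $progId
        Command  = $command
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

$result = Test-ExeAssociation
if ($result.Healthy) {
    Write-Output 'The .exe association chain matches the stock Windows values.'
} else {
    Write-Output 'The .exe association chain is not stock:'
    $result.Findings | ForEach-Object { Write-Output "  - $_" }
    Write-Output 'Restore it by merging a known-good .REG file (the fix linked in this thread) from an administrator account, then re-run this check.'
}
```

Run it from an administrator account in Safe Mode if normal mode will not stay up; it only reads HKCR, so it is safe to repeat after each fix attempt to confirm the repair actually stuck.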

#9 boopme (Global Moderator)

Posted 21 August 2011 - 08:10 PM

It does appear that it took out banker. This one is a bit longer but we need to try it.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.

#10 whftherb (Topic Starter)

Posted 22 August 2011 - 05:29 PM

ESET Scan finished. Log is here:

C:\Documents and Settings\Tim Bishop\Desktop\Sys Utils\VSO_ConvertXtoDVD_3.5.3.139_keygen.rar a variant of Win32/Keygen.AS application deleted - quarantined
C:\Documents and Settings\Tim Bishop\Desktop\Sys Utils\Microsoft Genuine Maker 2009\3.1 Loader.exe a variant of Win32/HiddenStart.A application deleted - quarantined
C:\Documents and Settings\Tim Bishop\My Documents\Remove\smitRem\Process.exe Win32/PrcView application cleaned by deleting - quarantined
C:\Documents and Settings\Tim Bishop\My Documents\SmitfraudFix\Process.exe Win32/PrcView application cleaned by deleting - quarantined
C:\Documents and Settings\Tim Bishop\My Documents\SmitfraudFix\restart.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined
C:\WINDOWS\Temp\258.tmp a variant of Win32/Kryptik.RUJ trojan cleaned by deleting - quarantined

I will tell you, Symantec Endpoint Protection (the chosen Malware suite on this machine) barked about "Traffic from IP ###.###.###.### Blocked. BlackHole Toolkit Activity 15 detected." This came up several times, I removed the ethernet cable. I've just reinserted it to do this message. Now I'll kill it again just as a precaution.

My second machine is still available, right next door...

Thanks.

Awaiting further instructions. Computer is slow, and often will not shut down. .exe is still broken. I have to apply the Doug Knox fix.

H

#11 boopme (Global Moderator)

Posted 22 August 2011 - 06:59 PM

Probably just SEP doing its job and keeping the bad guys away.

But we'll Double Check
Rootkit scanning

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.


#12 whftherb (Topic Starter)

Posted 22 August 2011 - 09:35 PM

OK, boopme - SAR scan done. Nothing came up as "problematic" - I didn't get the prompt to delete anything. Log follows:


Sophos Anti-Rootkit Version 1.5.4 © 2009 Sophos Plc
Started logging on 8/22/2011 at 21:30:26 PM
User "Tim Bishop" on computer "TIM"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6J8JJANY\%253A%252F%252Fpresspause.mevio[1].com%252F%253Futm_campaign%253De6e278_572913_264016_113681_23740_none%2526utm_source%253De6e278%2526utm_medium%253De6e278
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\12HCUK0K\%253A%252F%252Fpresspause.mevio[2].com%252F%253Futm_campaign%253De6e278_572913_264016_113681_23740_none%2526utm_source%253De6e278%2526utm_medium%253De6e278
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\388MUVAD\%253A%252F%252Fpresspause.mevio[4].com%252F%253Futm_campaign%253De6e278_572913_264016_113681_23740_none%2526utm_source%253De6e278%2526utm_medium%253De6e278
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6J8JJANY\elebritycrush.mevio[1].com%252F%253Futm_source%253D414aa7%2526utm_term%253D281687_36862%2526utm_campaign%253D414aa7_281687_36862_407%2526utm_medium%253Dcpc
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4RRKR9RR\e;playlistsafe=true;rand=96609;sessionstart=landingpage;safefilter=off;playlistpos=0;page=category;playlisteverythree=false;playtimes=0;pid=1;~cs=w[1].gif
Hidden: file C:\WINDOWS\system32\drivers\sptd.sys
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\045KWW2P\education;adlocation=site_below_player;dcopt=ist;campaign=;page=category;kw=blinkx;pid=16;sz=468x62,300x251;;source=site;t=;tile=2;ord=8251150188660246[1]
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\388MUVAD\elebritycrush.mevio[1].com%252F%253Futm_source%253D414aa7%2526utm_term%253D281687_36862%2526utm_campaign%253D414aa7_281687_36862_407%2526utm_medium%253Dcpc
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4RRKR9RR\elebritycrush.mevio[1].com%252F%253Futm_source%253D414aa7%2526utm_term%253D281687_36862%2526utm_campaign%253D414aa7_281687_36862_407%2526utm_medium%253Dcpc
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\388MUVAD\2F%252Fhotoff.mevio[1].com%252F%253Futm_source%253D141324%2526utm_term%253D281687_36862%2526utm_campaign%253D141324_281687_36862_410%2526utm_medium%253DCPC
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\12HCUK0K\2F%252Fhotoff.mevio[1].com%252F%253Futm_source%253D141324%2526utm_term%253D281687_36862%2526utm_campaign%253D141324_281687_36862_410%2526utm_medium%253DCPC
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\12HCUK0K\2F%252Fhotoff.mevio[2].com%252F%253Futm_source%253D141324%2526utm_term%253D281687_36862%2526utm_campaign%253D141324_281687_36862_410%2526utm_medium%253DCPC
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\388MUVAD\3A%252F%252Fgamesweaseltv.mevio[1].com%252F%253Futm_campaign%253D088aeb_572913_263885_113911_1831_107%2526utm_source%253D088aebc%2526utm_medium%253D088aeb
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4RRKR9RR\3A%252F%252Fnearlythenews.mevio[1].com%252F%253Futm_campaign%253D2a316b_572913_264117_113991_24240_none%2526utm_source%253D2a316b%2526utm_medium%253D2a316b
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6J8JJANY\3A%252F%252Fgamesweaseltv.mevio[1].com%252F%253Futm_campaign%253D088aeb_572913_263885_113911_1831_107%2526utm_source%253D088aebc%2526utm_medium%253D088aeb
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\12HCUK0K\elebritycrush.mevio[1].com%252F%253Futm_source%253D414aa7%2526utm_term%253D281687_36862%2526utm_campaign%253D414aa7_281687_36862_407%2526utm_medium%253Dcpc
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\12HCUK0K\elebritycrush.mevio[2].com%252F%253Futm_source%253D414aa7%2526utm_term%253D281687_36862%2526utm_campaign%253D414aa7_281687_36862_407%2526utm_medium%253Dcpc
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4RRKR9RR\elebritycrush.mevio[2].com%252F%253Futm_source%253D414aa7%2526utm_term%253D281687_36862%2526utm_campaign%253D414aa7_281687_36862_407%2526utm_medium%253Dcpc
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6J8JJANY\%253A%252F%252Fpresspause.mevio[1].com%252F%253Futm_campaign%253De6e278_572913_264016_113991_24240_none%2526utm_source%253De6e278%2526utm_medium%253De6e278
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\12HCUK0K\3A%252F%252Fgamesweaseltv.mevio[1].com%252F%253Futm_campaign%253D088aeb_572913_263885_113911_1831_107%2526utm_source%253D088aebc%2526utm_medium%253D088aeb
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6J8JJANY\3A%252F%252Fgamesweaseltv.mevio[2].com%252F%253Futm_campaign%253D088aeb_572913_263885_113911_1831_107%2526utm_source%253D088aebc%2526utm_medium%253D088aeb
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\045KWW2P\2-0-1_33-0-1_79171-1-1+;tile=1;u=il-5493_ID-08131AB3FC261AA6E5601E[1].2B28D64;ae=20;bkv30=1;bkv32=0;bkv33=0;bkv79171=1;grid=-1;olid=-1;ord=2080332115325601
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4RRKR9RR\91b0e21a014c;kvexpandable=1;kvdim=twig-bottom;kvbw=0;kvpid=1637722;kva2544=100;kva2534=100;kva1834=100;kvagt25=100;kvagt18=100;kvgm=100;kvrti=1925311-3[1]
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\045KWW2P\education;adlocation=site_below_player;dcopt=ist;campaign=;page=category;kw=blinkx;pid=16;sz=468x62,300x251;;source=site;t=;tile=2;ord=309872131596555[1].8
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\045KWW2P\elebritycrush.mevio[1].com%252F%253Futm_source%253D414aa7%2526utm_term%253D281687_38952%2526utm_campaign%253D414aa7_281687_38952_408%2526utm_medium%253Dcpc
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4RRKR9RR\no;sz=728x90;dcopt=ist;tile=1;pos=lb;ugc=false;url=http%3A%2F%2Fwww.dailyrx[1].com%2F%3Futm_source-337-6763-107%26utm_medium-Mediality;ord=2206451356610180
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4RRKR9RR\=yes;bf=no;sz=160x600;tile=2;pos=wsl;ugc=false;url=http%3A%2F%2Fwww.dailyrx[1].com%2F%3Futm_source-337-6763-107%26utm_medium-Mediality;ord=2206451356610180
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\388MUVAD\p_rb;bf=no;sz=300x250;tile=3;pos=mr1;ugc=false;url=http%3A%2F%2Fwww.dailyrx[1].com%2F%3Futm_source-337-6763-107%26utm_medium-Mediality;ord=2206451356610180
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\388MUVAD\%253A%252F%252Fmoviereviews.mevio[1].com%252F%253Futm_campaign%253D1f89de_572913_264103_113911_1830_107%2526utm_source%253D1f89de%2526utm_medium%253D1f89de
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\12HCUK0K\%253A%252F%252Fmoviereviews.mevio[1].com%252F%253Futm_campaign%253D1f89de_572913_264103_113911_1830_107%2526utm_source%253D1f89de%2526utm_medium%253D1f89de
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\388MUVAD\%253A%252F%252Fmoviereviews.mevio[2].com%252F%253Futm_campaign%253D1f89de_572913_264103_113911_1830_107%2526utm_source%253D1f89de%2526utm_medium%253D1f89de
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4RRKR9RR\%253A%252F%252Fpresspause.mevio[1].com%252F%253Futm_campaign%253De6e278_572913_264016_113991_24240_none%2526utm_source%253De6e278%2526utm_medium%253De6e278
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4RRKR9RR\%253A%252F%252Fpresspause.mevio[2].com%252F%253Futm_campaign%253De6e278_572913_264016_113991_24240_none%2526utm_source%253De6e278%2526utm_medium%253De6e278
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\388MUVAD\%253A%252F%252Fpresspause.mevio[1].com%252F%253Futm_campaign%253De6e278_572913_264016_113991_24240_none%2526utm_source%253De6e278%2526utm_medium%253De6e278
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6J8JJANY\w-nintendo-entertainment-system%253Futm_source%253DADO-ussearch%2526utm_medium%253Dorganic%2526utm_campaign%253Da1%2526utm_term%253DADO_113911_1831_107[1]
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6J8JJANY\w-nintendo-entertainment-system%253Futm_source%253DADO-ussearch%2526utm_medium%253Dorganic%2526utm_campaign%253Da1%2526utm_term%253DADO_113911_1831_107[2]
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4RRKR9RR\314052099,122150b21387b8b,games,ax.40-an.14;;cmsid=;cmw=owl;sz=300x250;net=cm;env=ifr;ord1=375028;dcopt=ist;contx=games;an=40;dc=w;btg=an[1].14;ord=2045770
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6J8JJANY\games,ax.40-cm.games_l-an.14;;cmsid=;cmw=owl;sz=300x250;net=cm;env=ifr;ord1=592019;dcopt=ist;contx=games;an=40;dc=w;btg=cm.games_l;btg=an[1].14;ord=2045911
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6J8JJANY\education;adlocation=site_below_header;dcopt=ist;campaign=;page=category;kw=blinkx;pid=16;sz=728x90,728x91;;source=site;t=;tile=1;ord=2174625739644290[1].2
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\LM4MJ7NM\vpg=autos[1].aol%2Fcar-finder%2Fmake-toyota;kvugc=0;kvui=9dd8f38ccd0e11e0a3283f8b07dea2f9;kvmn=93235364;target=_blank;aduho=-240;grp=52350968;misc=52350968
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\045KWW2P\education;adlocation=site_below_player;dcopt=ist;campaign=;page=category;kw=blinkx;pid=16;sz=468x62,300x251;;source=site;t=;tile=2;ord=49354826226150[1].62
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\045KWW2P\%252Fhotoff.mevio[1].com%252F%253Futm_source%253D141324%2526utm_term%253D280686_609637%2526utm_campaign%253D141324_280686_609637_410%2526utm_medium%253DCPC
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0A9JKTL5\.fash_l-ex.22-ex.14;;cmsid=;cmw=owl;sz=300x250;net=cm;env=ifr;ord1=580520;dcopt=ist;contx=music;an=20;dc=w;btg=cm.fash_l;btg=ex.22;btg=ex[1].14;ord=5715178
Info: Starting disk scan of F: (NTFS).
Stopped logging on 8/22/2011 at 22:01:17 PM


Now, I did go into Symantec and will provide two things even though you didn't ask for them. One is the Intrusion Prot log:

17 8/12/2011 7:49:43 PM Intrusion Prevention Critical Incoming TCP 93.186.170.59 00-00-00-00-00-00 192.168.1.146 00-18-F3-45-3E-9D C:\DOCUME~1\TIMBIS~1\LOCALS~1\Temp\wscaxornme.exe Tim Bishop TIM Default 1 8/12/2011 7:48:42 PM 8/12/2011 7:48:42 PM [SID: 23837] Malicious Site: Malicious IP Address detected.

18 8/12/2011 7:49:50 PM Active Response Major Incoming None 93.186.170.59 00-00-00-00-00-00 192.168.1.146 00-18-F3-45-3E-9D Tim Bishop TIM Default 1 8/12/2011 7:48:43 PM 8/12/2011 7:48:43 PM Traffic from IP address 93.186.170.59 is blocked from 8/12/2011 7:48:43 PM to 8/12/2011 7:58:43 PM.

19 8/12/2011 7:59:47 PM Active Response Disengaged Information None None 93.186.170.59 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 Tim Bishop TIM Default 1 8/12/2011 7:58:45 PM 8/12/2011 7:58:45 PM Active Response that started at 08/12/2011 19:48:43 is disengaged. The traffic from IP address 93.186.170.59 was blocked for 600 second(s).

20 8/12/2011 10:09:26 PM Intrusion Prevention Critical Outgoing TCP 91.220.0.31 00-00-00-00-00-00 192.168.1.146 00-18-F3-45-3E-9D C:\DOCUME~1\TIMBIS~1\LOCALS~1\Temp\9b88.exe Tim Bishop TIM Default 1 8/12/2011 10:08:22 PM 8/12/2011 10:08:22 PM [SID: 24250] System Infected: Trojan Kazy Activity detected.

21 8/13/2011 2:57:12 AM Intrusion Prevention Critical Outgoing TCP 74.50.121.112 00-00-00-00-00-00 192.168.1.146 00-18-F3-45-3E-9D C:\DOCUME~1\TIMBIS~1\LOCALS~1\Temp\0.9977726314435913.exe Tim Bishop TIM Default 1 8/13/2011 2:56:07 AM 8/13/2011 2:56:07 AM [SID: 24191] Web Attack: Cycbot Backdoor Activity detected.

22 8/13/2011 2:57:25 AM Intrusion Prevention Critical Outgoing TCP 66.199.251.242 00-00-00-00-00-00 192.168.1.146 00-18-F3-45-3E-9D C:\DOCUME~1\TIMBIS~1\LOCALS~1\Temp\0.9977726314435913.exe Tim Bishop TIM Default 3 8/13/2011 2:56:07 AM 8/13/2011 2:56:20 AM [SID: 24191] Web Attack: Cycbot Backdoor Activity detected.

23 8/13/2011 2:57:25 AM Intrusion Prevention Critical Outgoing TCP 96.9.169.85 00-00-00-00-00-00 192.168.1.146 00-18-F3-45-3E-9D C:\DOCUME~1\TIMBIS~1\LOCALS~1\Temp\0.9977726314435913.exe Tim Bishop TIM Default 5 8/13/2011 2:56:10 AM 8/13/2011 2:56:21 AM [SID: 24107] System Infected: Cycbot Backdoor Activity detected.

24 8/13/2011 3:01:11 AM Intrusion Prevention Critical Outgoing TCP 74.50.121.112 00-00-00-00-00-00 192.168.1.146 00-18-F3-45-3E-9D C:\DOCUME~1\TIMBIS~1\LOCALS~1\Temp\0.9977726314435913.exe Tim Bishop TIM Default 1 8/13/2011 3:00:06 AM 8/13/2011 3:00:06 AM [SID: 24191] Web Attack: Cycbot Backdoor Activity detected.

25 8/13/2011 3:01:34 AM Intrusion Prevention Critical Outgoing TCP 96.9.169.85 00-00-00-00-00-00 192.168.1.146 00-18-F3-45-3E-9D C:\DOCUME~1\TIMBIS~1\LOCALS~1\Temp\0.9977726314435913.exe Tim Bishop TIM Default 3 8/13/2011 2:59:46 AM 8/13/2011 3:00:29 AM [SID: 24107] System Infected: Cycbot Backdoor Activity detected.

26 8/13/2011 3:01:34 AM Intrusion Prevention Critical Outgoing TCP 173.212.215.170 00-00-00-00-00-00 192.168.1.146 00-18-F3-45-3E-9D C:\DOCUME~1\TIMBIS~1\LOCALS~1\Temp\0.9977726314435913.exe Tim Bishop TIM Default 2 8/13/2011 3:00:05 AM 8/13/2011 3:00:29 AM [SID: 24191] Web Attack: Cycbot Backdoor Activity detected.

27 8/13/2011 3:02:50 AM Intrusion Prevention Critical Outgoing TCP 173.212.215.170 00-00-00-00-00-00 192.168.1.146 00-18-F3-45-3E-9D C:\DOCUME~1\TIMBIS~1\LOCALS~1\Temp\0.9977726314435913.exe Tim Bishop TIM Default 1 8/13/2011 3:01:45 AM 8/13/2011 3:01:45 AM [SID: 24191] Web Attack: Cycbot Backdoor Activity detected.

28 8/13/2011 3:02:50 AM Intrusion Prevention Critical Outgoing TCP 96.9.169.85 00-00-00-00-00-00 192.168.1.146 00-18-F3-45-3E-9D C:\DOCUME~1\TIMBIS~1\LOCALS~1\Temp\0.9977726314435913.exe Tim Bishop TIM Default 4 8/13/2011 3:01:45 AM 8/13/2011 3:01:45 AM [SID: 24107] System Infected: Cycbot Backdoor Activity detected.

29 8/13/2011 3:02:56 AM Intrusion Prevention Critical Outgoing TCP 66.199.251.242 00-00-00-00-00-00 192.168.1.146 00-18-F3-45-3E-9D C:\DOCUME~1\TIMBIS~1\LOCALS~1\Temp\0.9977726314435913.exe Tim Bishop TIM Default 1 8/13/2011 3:01:55 AM 8/13/2011 3:01:55 AM [SID: 24191] Web Attack: Cycbot Backdoor Activity detected.

30 8/13/2011 3:42:29 AM Intrusion Prevention Critical Outgoing TCP 66.199.251.242 00-00-00-00-00-00 192.168.1.146 00-18-F3-45-3E-9D C:\Documents and Settings\Tim Bishop\Application Data\Microsoft\conhost.exe Tim Bishop TIM Default 2 8/13/2011 3:41:11 AM 8/13/2011 3:41:23 AM [SID: 24191] Web Attack: Cycbot Backdoor Activity detected.

31 8/13/2011 3:42:58 AM Intrusion Prevention Critical Outgoing TCP 96.9.169.85 00-00-00-00-00-00 192.168.1.146 00-18-F3-45-3E-9D C:\Documents and Settings\Tim Bishop\Application Data\Microsoft\conhost.exe Tim Bishop TIM Default 6 8/13/2011 3:41:13 AM 8/13/2011 3:41:56 AM [SID: 24107] System Infected: Cycbot Backdoor Activity detected.

32 8/13/2011 3:42:58 AM Intrusion Prevention Critical Outgoing TCP 173.212.215.170 00-00-00-00-00-00 192.168.1.146 00-18-F3-45-3E-9D C:\Documents and Settings\Tim Bishop\Application Data\Microsoft\conhost.exe Tim Bishop TIM Default 1 8/13/2011 3:41:56 AM 8/13/2011 3:41:56 AM [SID: 24191] Web Attack: Cycbot Backdoor Activity detected.

33 8/16/2011 6:38:27 PM Intrusion Prevention Critical Outgoing TCP 192.168.1.2 00-00-00-00-00-00 192.168.1.8 00-18-F3-45-3E-9D C:\WINDOWS\system32\ntoskrnl.exe Tim Bishop TIM Default 1 8/16/2011 6:37:26 PM 8/16/2011 6:37:26 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.

34 8/16/2011 6:38:33 PM Intrusion Prevention Critical Outgoing TCP 192.168.1.7 00-00-00-00-00-00 192.168.1.8 00-18-F3-45-3E-9D C:\WINDOWS\system32\ntoskrnl.exe Tim Bishop TIM Default 1 8/16/2011 6:37:27 PM 8/16/2011 6:37:27 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.

35 8/16/2011 6:38:50 PM Intrusion Prevention Critical Outgoing TCP 192.168.1.3 00-00-00-00-00-00 192.168.1.8 00-18-F3-45-3E-9D C:\WINDOWS\system32\ntoskrnl.exe Tim Bishop TIM Default 1 8/16/2011 6:37:47 PM 8/16/2011 6:37:47 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.

36 8/16/2011 6:38:50 PM Intrusion Prevention Critical Outgoing TCP 192.168.1.5 00-00-00-00-00-00 192.168.1.8 00-18-F3-45-3E-9D C:\WINDOWS\system32\ntoskrnl.exe Tim Bishop TIM Default 1 8/16/2011 6:37:47 PM 8/16/2011 6:37:47 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.

37 8/16/2011 7:10:39 PM Intrusion Prevention Critical Outgoing TCP 192.168.1.2 00-00-00-00-00-00 192.168.1.8 00-18-F3-45-3E-9D C:\WINDOWS\system32\ntoskrnl.exe Tim Bishop TIM Default 1 8/16/2011 7:09:34 PM 8/16/2011 7:09:34 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.

38 8/16/2011 7:10:39 PM Intrusion Prevention Critical Outgoing TCP 192.168.1.7 00-00-00-00-00-00 192.168.1.8 00-18-F3-45-3E-9D C:\WINDOWS\system32\ntoskrnl.exe Tim Bishop TIM Default 1 8/16/2011 7:09:34 PM 8/16/2011 7:09:34 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.

39 8/16/2011 7:10:39 PM Intrusion Prevention Critical Outgoing TCP 192.168.1.3 00-00-00-00-00-00 192.168.1.8 00-18-F3-45-3E-9D C:\WINDOWS\system32\ntoskrnl.exe Tim Bishop TIM Default 1 8/16/2011 7:09:35 PM 8/16/2011 7:09:35 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.

40 8/16/2011 7:11:01 PM Intrusion Prevention Critical Outgoing TCP 192.168.1.5 00-00-00-00-00-00 192.168.1.8 00-18-F3-45-3E-9D C:\WINDOWS\system32\ntoskrnl.exe Tim Bishop TIM Default 1 8/16/2011 7:09:55 PM 8/16/2011 7:09:55 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.

41 8/16/2011 7:40:40 PM Intrusion Prevention Critical Outgoing TCP 192.168.1.3 00-00-00-00-00-00 192.168.1.8 00-18-F3-45-3E-9D C:\WINDOWS\system32\ntoskrnl.exe Tim Bishop TIM Default 1 8/16/2011 7:39:36 PM 8/16/2011 7:39:36 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.

42 8/16/2011 7:40:40 PM Intrusion Prevention Critical Outgoing TCP 192.168.1.2 00-00-00-00-00-00 192.168.1.8 00-18-F3-45-3E-9D C:\WINDOWS\system32\ntoskrnl.exe Tim Bishop TIM Default 1 8/16/2011 7:39:37 PM 8/16/2011 7:39:37 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.

43 8/16/2011 7:41:02 PM Intrusion Prevention Critical Outgoing TCP 192.168.1.7 00-00-00-00-00-00 192.168.1.8 00-18-F3-45-3E-9D C:\WINDOWS\system32\ntoskrnl.exe Tim Bishop TIM Default 1 8/16/2011 7:39:57 PM 8/16/2011 7:39:57 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.

44 8/16/2011 7:41:02 PM Intrusion Prevention Critical Outgoing TCP 192.168.1.5 00-00-00-00-00-00 192.168.1.8 00-18-F3-45-3E-9D C:\WINDOWS\system32\ntoskrnl.exe Tim Bishop TIM Default 1 8/16/2011 7:39:57 PM 8/16/2011 7:39:57 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.

45 8/16/2011 8:10:45 PM Intrusion Prevention Critical Outgoing TCP 192.168.1.2 00-00-00-00-00-00 192.168.1.8 00-18-F3-45-3E-9D C:\WINDOWS\system32\ntoskrnl.exe Tim Bishop TIM Default 1 8/16/2011 8:09:40 PM 8/16/2011 8:09:40 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.

46 8/16/2011 8:10:45 PM Intrusion Prevention Critical Outgoing TCP 192.168.1.3 00-00-00-00-00-00 192.168.1.8 00-18-F3-45-3E-9D C:\WINDOWS\system32\ntoskrnl.exe Tim Bishop TIM Default 1 8/16/2011 8:09:40 PM 8/16/2011 8:09:40 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.

47 8/16/2011 8:10:45 PM Intrusion Prevention Critical Outgoing TCP 192.168.1.7 00-00-00-00-00-00 192.168.1.8 00-18-F3-45-3E-9D C:\WINDOWS\system32\ntoskrnl.exe Tim Bishop TIM Default 1 8/16/2011 8:09:40 PM 8/16/2011 8:09:40 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.

48 8/16/2011 8:11:02 PM Intrusion Prevention Critical Outgoing TCP 192.168.1.5 00-00-00-00-00-00 192.168.1.8 00-18-F3-45-3E-9D C:\WINDOWS\system32\ntoskrnl.exe Tim Bishop TIM Default 1 8/16/2011 8:10:01 PM 8/16/2011 8:10:01 PM [SID: 23179] OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.

49 8/17/2011 6:48:39 AM Intrusion Prevention Critical Incoming TCP 173.212.204.54 00-00-00-00-00-00 192.168.1.8 00-18-F3-45-3E-9D C:\WINDOWS\system32\svchost.exe Tim Bishop TIM Default 2 8/17/2011 6:47:37 AM 8/17/2011 6:47:37 AM [SID: 23793] HTTP Malicious RMF File detected.

50 8/17/2011 6:48:39 AM Active Response Major Incoming None 173.212.204.54 00-00-00-00-00-00 192.168.1.8 00-18-F3-45-3E-9D Tim Bishop TIM Default 1 8/17/2011 6:47:37 AM 8/17/2011 6:47:37 AM Traffic from IP address 173.212.204.54 is blocked from 8/17/2011 6:47:37 AM to 8/17/2011 6:57:37 AM.

51 8/21/2011 4:13:24 PM Intrusion Prevention Critical Incoming TCP 173.212.204.50 00-00-00-00-00-00 192.168.1.6 00-18-F3-45-3E-9D C:\WINDOWS\system32\svchost.exe Default 2 8/21/2011 4:12:18 PM 8/21/2011 4:12:19 PM [SID: 23793] HTTP Malicious RMF File detected.

52 8/21/2011 4:13:25 PM Active Response Major Incoming None 173.212.204.50 00-00-00-00-00-00 192.168.1.6 00-18-F3-45-3E-9D Default 1 8/21/2011 4:12:19 PM 8/21/2011 4:12:19 PM Traffic from IP address 173.212.204.50 is blocked from 8/21/2011 4:12:19 PM to 8/21/2011 4:22:19 PM.

53 8/21/2011 4:23:22 PM Active Response Disengaged Information None None 173.212.204.50 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 Tim Bishop TIM Default 1 8/21/2011 4:22:19 PM 8/21/2011 4:22:19 PM Active Response that started at 08/21/2011 16:12:19 is disengaged. The traffic from IP address 173.212.204.50 was blocked for 600 second(s).

54 8/21/2011 6:27:41 PM Intrusion Prevention Critical Incoming TCP 173.212.204.50 00-00-00-00-00-00 192.168.1.6 00-18-F3-45-3E-9D C:\WINDOWS\system32\svchost.exe Tim Bishop TIM Default 2 8/21/2011 6:26:35 PM 8/21/2011 6:26:35 PM [SID: 23793] HTTP Malicious RMF File detected.

55 8/21/2011 6:27:41 PM Active Response Major Incoming None 173.212.204.50 00-00-00-00-00-00 192.168.1.6 00-18-F3-45-3E-9D Tim Bishop TIM Default 1 8/21/2011 6:26:36 PM 8/21/2011 6:26:36 PM Traffic from IP address 173.212.204.50 is blocked from 8/21/2011 6:26:36 PM to 8/21/2011 6:36:36 PM.

56 8/21/2011 6:37:41 PM Active Response Disengaged Information None None 173.212.204.50 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 Tim Bishop TIM Default 1 8/21/2011 6:36:37 PM 8/21/2011 6:36:37 PM Active Response that started at 08/21/2011 18:26:36 is disengaged. The traffic from IP address 173.212.204.50 was blocked for 600 second(s).

57 8/21/2011 7:47:19 PM Intrusion Prevention Critical Outgoing TCP 95.163.66.180 00-00-00-00-00-00 192.168.1.6 00-18-F3-45-3E-9D C:\WINDOWS\system32\svchost.exe Tim Bishop TIM Default 1 8/21/2011 7:46:14 PM 8/21/2011 7:46:14 PM [SID: 24225] Web Attack: Blackhole Toolkit Website 5 detected.

58 8/22/2011 7:19:09 AM Intrusion Prevention Critical Incoming TCP 109.236.82.46 00-00-00-00-00-00 192.168.1.6 00-18-F3-45-3E-9D C:\WINDOWS\system32\svchost.exe Tim Bishop TIM Default 1 8/22/2011 7:18:08 AM 8/22/2011 7:18:08 AM [SID: 23793] HTTP Malicious RMF File detected.

59 8/22/2011 7:19:09 AM Active Response Major Incoming None 109.236.82.46 00-00-00-00-00-00 192.168.1.6 00-18-F3-45-3E-9D Tim Bishop TIM Default 1 8/22/2011 7:18:08 AM 8/22/2011 7:18:08 AM Traffic from IP address 109.236.82.46 is blocked from 8/22/2011 7:18:08 AM to 8/22/2011 7:28:08 AM.

60 8/22/2011 7:29:12 AM Active Response Disengaged Information None None 109.236.82.46 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 Tim Bishop TIM Default 1 8/22/2011 7:28:08 AM 8/22/2011 7:28:08 AM Active Response that started at 08/22/2011 07:18:08 is disengaged. The traffic from IP address 109.236.82.46 was blocked for 600 second(s).

61 8/22/2011 7:40:15 AM Intrusion Prevention Critical Incoming TCP 208.76.54.68 00-00-00-00-00-00 192.168.1.6 00-18-F3-45-3E-9D C:\WINDOWS\system32\svchost.exe Tim Bishop TIM Default 1 8/22/2011 7:39:12 AM 8/22/2011 7:39:12 AM [SID: 23323] Web Attack: Malicious Toolkit Website 2 detected.

62 8/22/2011 7:40:15 AM Active Response Major Incoming None 208.76.54.68 00-00-00-00-00-00 192.168.1.6 00-18-F3-45-3E-9D Tim Bishop TIM Default 1 8/22/2011 7:39:14 AM 8/22/2011 7:39:14 AM Traffic from IP address 208.76.54.68 is blocked from 8/22/2011 7:39:13 AM to 8/22/2011 7:49:13 AM.

63 8/22/2011 7:40:43 AM Intrusion Prevention Critical Incoming TCP 109.236.82.46 00-00-00-00-00-00 192.168.1.6 00-18-F3-45-3E-9D C:\WINDOWS\system32\svchost.exe Tim Bishop TIM Default 1 8/22/2011 7:39:39 AM 8/22/2011 7:39:39 AM [SID: 23793] HTTP Malicious RMF File detected.

64 8/22/2011 7:40:43 AM Active Response Major Incoming None 109.236.82.46 00-00-00-00-00-00 192.168.1.6 00-18-F3-45-3E-9D Tim Bishop TIM Default 1 8/22/2011 7:39:40 AM 8/22/2011 7:39:40 AM Traffic from IP address 109.236.82.46 is blocked from 8/22/2011 7:39:40 AM to 8/22/2011 7:49:40 AM.

65 8/22/2011 7:49:35 AM Intrusion Prevention Critical Incoming TCP 89.208.141.137 00-00-00-00-00-00 192.168.1.6 00-18-F3-45-3E-9D C:\WINDOWS\system32\svchost.exe Tim Bishop TIM Default 1 8/22/2011 7:48:30 AM 8/22/2011 7:48:30 AM [SID: 24290] Web Attack: Blackhole Toolkit Activity 15 detected.

66 8/22/2011 7:49:35 AM Active Response Major Incoming None 89.208.141.137 00-00-00-00-00-00 192.168.1.6 00-18-F3-45-3E-9D Tim Bishop TIM Default 1 8/22/2011 7:48:32 AM 8/22/2011 7:48:32 AM Traffic from IP address 89.208.141.137 is blocked from 8/22/2011 7:48:31 AM to 8/22/2011 7:58:31 AM.

67 8/22/2011 7:50:15 AM Active Response Disengaged Information None None 208.76.54.68 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 Tim Bishop TIM Default 1 8/22/2011 7:49:14 AM 8/22/2011 7:49:14 AM Active Response that started at 08/22/2011 07:39:13 is disengaged. The traffic from IP address 208.76.54.68 was blocked for 600 second(s).

68 8/22/2011 7:50:43 AM Active Response Disengaged Information None None 109.236.82.46 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 Tim Bishop TIM Default 1 8/22/2011 7:49:40 AM 8/22/2011 7:49:40 AM Active Response that started at 08/22/2011 07:39:40 is disengaged. The traffic from IP address 109.236.82.46 was blocked for 600 second(s).

69 8/22/2011 7:59:36 AM Active Response Disengaged Information None None 89.208.141.137 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 Tim Bishop TIM Default 1 8/22/2011 7:58:32 AM 8/22/2011 7:58:32 AM Active Response that started at 08/22/2011 07:48:31 is disengaged. The traffic from IP address 89.208.141.137 was blocked for 600 second(s).

70 8/22/2011 9:02:32 PM Intrusion Prevention Critical Incoming TCP 109.236.82.46 00-00-00-00-00-00 192.168.1.6 00-18-F3-45-3E-9D C:\WINDOWS\system32\svchost.exe Tim Bishop TIM Default 4 8/22/2011 9:01:29 PM 8/22/2011 9:01:29 PM [SID: 23793] HTTP Malicious RMF File detected.

71 8/22/2011 9:02:32 PM Active Response Major Incoming None 109.236.82.46 00-00-00-00-00-00 192.168.1.6 00-18-F3-45-3E-9D Tim Bishop TIM Default 1 8/22/2011 9:01:30 PM 8/22/2011 9:01:30 PM Traffic from IP address 109.236.82.46 is blocked from 8/22/2011 9:01:30 PM to 8/22/2011 9:11:30 PM.

72 8/22/2011 9:12:36 PM Active Response Disengaged Information None None 109.236.82.46 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 Tim Bishop TIM Default 1 8/22/2011 9:11:31 PM 8/22/2011 9:11:31 PM Active Response that started at 08/22/2011 21:01:30 is disengaged. The traffic from IP address 109.236.82.46 was blocked for 600 second(s).

And the other is the snapshot of Symantec's current Quarantine which I can try to add as an attachment if you need it. These extras may or may not help. One thing I noticed, and it may be genuine: As SARK ran, there's this strange process in Task Mgr called "xgfclk.exe". If I tried to kill it, it returns. Right now, without SARK, it's not there so it may be a process that SARK launches.

System health: A little better but it still has trouble restarting out of the user profile. It gets as far as "Windows is shutting down" and then it's hung. If I hard reset, I have to go to Safe Mode first and then restart from there as a normal boot is not happening.

I did this little experiment. I created a new Acct called Admin (I'm going to do one anyway after this is over). Logged in to it, logged out. Logged in again to it and did a restart. Worked. Logged in to Tim and logged out. Logged in to Tim again and attempted a restart from within. Sadly, it gets as far as "Windows is shutting down" and then it's hung.

I did also merge the Doug Knox reg fix. That claims success but in fact fails. I have to go to Win-E, Tools, etc. etc. Then .exe is associated with Application but as soon as I log out or restart, it's reverted.

OK. So that's as much as I can tell you at this point. Shall we continue?


Thank you.

H

Edited by whftherb, 22 August 2011 - 09:39 PM.
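
As an added example that is not part of the original thread: a small Python parser for the Symantec Endpoint Protection (SEP) Network Threat Protection rows quoted above, pivoting them on the remote IP so that the IPS signature that fired, the block window SEP announced, and the later "disengaged" report can be checked against one another. The column layout is inferred from these four rows only (an assumption; other SEP exports may use a different column set), and the helper names are mine, not SEP's.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the four SEP Network Threat Protection log entries quoted in
# the post above (#69-#72). The column layout used below is inferred from
# these rows only (assumption); other SEP exports may differ.
SAMPLE_LOG = r"""
69 8/22/2011 7:59:36 AM Active Response Disengaged Information None None 89.208.141.137 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 Tim Bishop TIM Default 1 8/22/2011 7:58:32 AM 8/22/2011 7:58:32 AM Active Response that started at 08/22/2011 07:48:31 is disengaged. The traffic from IP address 89.208.141.137 was blocked for 600 second(s).
70 8/22/2011 9:02:32 PM Intrusion Prevention Critical Incoming TCP 109.236.82.46 00-00-00-00-00-00 192.168.1.6 00-18-F3-45-3E-9D C:\WINDOWS\system32\svchost.exe Tim Bishop TIM Default 4 8/22/2011 9:01:29 PM 8/22/2011 9:01:29 PM [SID: 23793] HTTP Malicious RMF File detected.
71 8/22/2011 9:02:32 PM Active Response Major Incoming None 109.236.82.46 00-00-00-00-00-00 192.168.1.6 00-18-F3-45-3E-9D Tim Bishop TIM Default 1 8/22/2011 9:01:30 PM 8/22/2011 9:01:30 PM Traffic from IP address 109.236.82.46 is blocked from 8/22/2011 9:01:30 PM to 8/22/2011 9:11:30 PM.
72 8/22/2011 9:12:36 PM Active Response Disengaged Information None None 109.236.82.46 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 Tim Bishop TIM Default 1 8/22/2011 9:11:31 PM 8/22/2011 9:11:31 PM Active Response that started at 08/22/2011 21:01:30 is disengaged. The traffic from IP address 109.236.82.46 was blocked for 600 second(s).
""".strip().splitlines()

TS = r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M"
TS_FMT = "%m/%d/%Y %I:%M:%S %p"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}"

# Fixed-position head of a row: index, log time, event type, severity,
# direction, protocol, remote IP/MAC, local IP/MAC. Longer alternatives are
# listed first so "Active Response Disengaged" is not cut to "Active Response".
HEAD_RE = re.compile(
    rf"^(?P<idx>\d+)\s+(?P<logged>{TS})\s+"
    rf"(?P<etype>Active Response Disengaged|Active Response|Intrusion Prevention)\s+"
    rf"(?P<severity>Critical|Major|Minor|Information)\s+"
    rf"(?P<direction>Incoming|Outgoing|None)\s+"
    rf"(?P<proto>TCP|UDP|ICMP|None)\s+"
    rf"(?P<remote_ip>{IPV4})\s+(?P<remote_mac>{MAC})\s+"
    rf"(?P<local_ip>{IPV4})\s+(?P<local_mac>{MAC})\s+(?P<rest>.*)$"
)
# Variable tail: optional application path, user/computer/location (free text),
# occurrence count, begin time, end time, description. The two adjacent
# timestamps are the reliable anchor for splitting the free text from the rest.
TAIL_RE = re.compile(
    rf"^(?P<app>[A-Za-z]:\\\S+\s+)?(?P<who>.*?)\s+(?P<count>\d+)\s+"
    rf"(?P<begin>{TS})\s+(?P<end>{TS})\s+(?P<desc>.*)$"
)
SID_RE = re.compile(r"\[SID:\s*(\d+)\]")
BLOCK_RE = re.compile(rf"blocked from ({TS}) to ({TS})")
REPORTED_RE = re.compile(r"blocked for (\d+) second")


def parse_sep_event(line):
    """Parse one exported SEP row into a dict, or None if it does not match."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    t = TAIL_RE.match(ev.pop("rest"))
    if not t:
        return None
    ev.update(t.groupdict())
    ev["app"] = (ev["app"] or "").strip() or None
    ev["count"] = int(ev["count"])
    for key in ("logged", "begin", "end"):
        ev[key] = datetime.strptime(ev[key], TS_FMT)
    return ev


def correlate_by_remote_ip(lines):
    """Pivot rows on the remote address: IPS signatures seen from it, the
    block length SEP announced, the block length it later reported, and the
    local process that handled the connection."""
    by_ip = defaultdict(lambda: {"sids": [], "announced_secs": [],
                                 "reported_secs": [], "apps": set()})
    for line in lines:
        ev = parse_sep_event(line)
        if ev is None:
            continue
        slot = by_ip[ev["remote_ip"]]
        if ev["app"]:
            slot["apps"].add(ev["app"])
        desc = ev["desc"]
        if ev["etype"] == "Intrusion Prevention":
            m = SID_RE.search(desc)
            if m:
                slot["sids"].append(int(m.group(1)))
        elif ev["etype"] == "Active Response":
            m = BLOCK_RE.search(desc)
            if m:
                start, end = (datetime.strptime(s, TS_FMT) for s in m.groups())
                slot["announced_secs"].append(int((end - start).total_seconds()))
        elif ev["etype"] == "Active Response Disengaged":
            m = REPORTED_RE.search(desc)
            if m:
                slot["reported_secs"].append(int(m.group(1)))
    return dict(by_ip)


def block_mismatches(by_ip):
    """Remote IPs whose reported block durations do not line up with the blocks
    announced for them (including a release with no logged block at all), which
    means the excerpt is incomplete or the block did not run as announced."""
    return [ip for ip, s in by_ip.items()
            if s["reported_secs"]
            and sorted(s["announced_secs"]) != sorted(s["reported_secs"])]


if __name__ == "__main__":
    summary = correlate_by_remote_ip(SAMPLE_LOG)
    for ip, s in summary.items():
        print(ip, s)
    print("mismatches:", block_mismatches(summary))
```

On the four rows above, 109.236.82.46 yields signature 23793 handled by svchost.exe, an announced 600-second block and a matching 600-second report; 89.208.141.137 is flagged because its block row is not in the excerpt, which is exactly the kind of gap to fill in before drawing conclusions from a partial log.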


#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,338 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:33 AM

Posted 22 August 2011 - 10:51 PM

Well whftherb, there are several things that just are not right. I cannot pin it down. But even the item in Task Manager you mentioned appears to be malware. There are system corruptions, etc.
We should move this and get a deeper look.


Please go here:
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run, skip it and move on.
Let me know if that went well.

Include this link to this topic also.
http://www.bleepingcomputer.com/forums/topic414794.html/page__pid__2382536#entry2382536

#14 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,963 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:33 AM

Posted 23 August 2011 - 02:48 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic415790.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :cherry: