Solve: Major attack and I don't know who to trust??

Re-running ComboFix to remove infections:
Tried this once and it didn't work. Error message: PEV.exe has encountered a problem and must close. Also tried to turn the firewall off after reboot and it didn't work. Perhaps I wasn't fast enough as the screen seems locked on the Online Armor message. I'm back online to redownload the ComboFix and start from scratch one more time.

Another error message came up. One of those 0X800***** ones but I just clicked OK as ComboFix was still on the screen. I'll try it again.

Still no luck. Online Armor seems to be stopping the process. It made me "Allow" 3 files when I restarted it to go back online. Do I have to rename the file again? Is there a way to stop the firewalls from starting? When Online Armor is disabled, Windows Firewall starts up and I have to jump to the Control Panel to stop that. I'll try one more time while I wait for your reply. It may work now that I have OKed the files in Online Armor.

OK, third time's a charm. Got a few error messages:

ONLINE_ARMOR_WTS: oasrv.exe - Application Error
Instruction at 0X00e5205c - memory could not read
oasrv.exe - Application Error 0X0040745e - 0X00e434a4

After the ComboFix ran this time Online Armor is missing from the taskbar. It also wanted me to make a decision about module hidserv.dll and module %1 associated with regedit.exe. I blocked them both as I didn't KNOW what they were.

Here is the log:

ComboFix 11-05-26.01 - HP_Administrator 26/05/2011 20:16:09.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.958.482 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
Quote:
Is there a way to stop the firewalls from starting? When Online Armor is disabled, Windows Firewall starts up and I have to jump to the Control Panel to stop that.

Here's what I do with my firewall. If I'm installing a new program I disable my third-party firewall and enable my Windows firewall, otherwise a 10 job will turn into a 30 min. chore. In fact, that's what I had to do when I tried to run ComboFix yesterday on my computer.

SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).
http://sites.google.com/site/sysprotantirootkit/
Unzip it into a folder on your desktop.
I hope this is the complete scan as I had to do a search for it on my computer:

SysProt AntiRootkit v1.0.1.0 by swatkat
No Hidden Processes found
No Hidden Kernel Modules found
No SSDT Hooks found
No Kernel Hooks found
No hidden files/folders found

Just a note, Online Armor is back on my taskbar. When I shut down last night, Windows asked if I wanted to load the changes (probably from ComboFix).

I'd like to scan your machine with ESET OnlineScan
•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
•Click the button.
•Accept any security warnings from your browser.
•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Hi SuperDave, Here is what was on the log:
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000064.ini Win32/Adware.AntimalwareDoctor.AE.Gen application

Please run ESET again and this time, clean the infection.

Hi SuperDave, Here is the file log:
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000064.ini Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined
I checked delete upon exit before closing the program.

That looks good. If there are no other issues, let's do some cleanup.

Download OTL to your desktop. To remove all of the tools we used and the files and folders they created do the following: Double click OTL.exe.
*********************************************************
To turn off Windows XP System Restore:
NOTE: These instructions ASSUME that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows XP System Restore:
1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
5. Click Apply, and then click OK.
*******************************************************
Clean out your temporary internet files and temp files.
Download TFC by OldTimer to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator.
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
*****************************************************
Use the Secunia Software Inspector to check for out of date software.
•Click Start Now
•Check the box next to Enable thorough system inspection.
•Click Start
•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
----------
Go to Microsoft Windows Update and get all critical updates.
----------
I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy.
Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time.
Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing.
Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

Safe Surfing!