XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
#### PERMISSIONS AFTER FIX ####


it was in the correct file, and only took a minute to run?

Let me rewrite it - something's hinky.

Will post it again asap - could be tomorrow, though. Or late tonight.

PP:)

Let me rewrite it - something's hinky.

Will post it again asap - could be tomorrow, though. Or late tonight.

PP:)

thank you :)

thank you :)

OK - I was a bit sloppy with that batch file, but not enough to cause that error.
Let's have another go at it:


-- Download the attached FixPerms.zip to your Desktop and Extract the FixPerms Folder from the ZIP to the Desktop.

Then, open an Elevated Command Prompt
At the prompt, Copy&Paste:
"%userprofile%\desktop\FixPerms\RunThis.cmd"
and hit ENTER

Let it run for as long as it takes. A log ought to pop up. Please attach that for me.

PP:)

ok, I got it to run but it said it was too big for notepad, this is just a copy and paste

Elapsed Time: 00 00:01:00
Done: 33916, Modified 33915, Failed 1, Syntax errors 0
Last Done : HKEY_CURRENT_USER\Volatile Environment\1
Last Failed: HKEY_CURRENT_USER\Software\SecuROM\License information : 2 The system cannot find the file specified.

Elapsed Time: 00 00:00:00
Done: 1, Modified 1, Failed 0, Syntax errors 0
Last Done : HKEY_CURRENT_USER


Elapsed Time: 00 00:13:10
Done: 337110, Modified 337108, Failed 2, Syntax errors 0
Last Done : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{E1C2A72B-9DEE-4DDD-B40A-9BFBD8DB3849}\Parameters\Tcpip
Last Failed: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg : 5 Access is denied.

Elapsed Time: 00 00:00:00
Done: 1, Modified 1, Failed 0, Syntax errors 0
Last Done : HKEY_LOCAL_MACHINE


Elapsed Time: 00 00:05:15
Done: 96444, Modified 96444, Failed 0, Syntax errors 0
Last Done : HKEY_CLASSES_ROOT\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}


Elapsed Time: 00 00:00:00
Done: 1, Modified 1, Failed 0, Syntax errors 0
Last Done : HKEY_CLASSES_ROOT


Elapsed Time: 00 00:00:00
Done: 0, Modified 0, Failed 0, Syntax errors 0


Elapsed Time: 00 00:00:00
Done: 0, Modified 0, Failed 0, Syntax errors 0
The process has finished!!
Press any key to continue . . .

So now someone has hacked my computer and has gotten all of my information, including my social, which I don't use online so I don't understand that one, and set up all kinds of accounts that charge my phone bill. This may be a completely separate issue but now I have no idea what to do. They are using my email address to do this apparently. Sorry to throw this at you too, but any idea as to what I do to stop it? Do I have to wipe the whole system or can I just change my passwords? :(

So now someone has hacked my computer and has gotten all of my information, including my social, which I don't use online so I don't understand that one, and set up all kinds of accounts that charge my phone bill. This may be a completely separate issue but now I have no idea what to do. They are using my email address to do this apparently. Sorry to throw this at you too, but any idea as to what I do to stop it? Do I have to wipe the whole system or can I just change my passwords? :(

That's terrible!

Are you sure you've been hacked? There are a lot of ways to steal identities and defraud people these days....

That said, you did have traces of rootkit activity on your computer when you first posted. The steps crunchie had you perform removed those traces, but I don't think either of us dug any deeper than that. It is quite possible that you could have had a rootkitted trojan on your machine that compromised your information. It could well have been removed before you posted here. Honestly, I didn't think the logs were that bad - 'Course, baddies could have been well hidden.

-- The way you describe it, I am less inclined to think you were hacked. I mean, billing your phone bill? Why not credit card(s)?
And, I imagine your email is given out all over the place. . . .
Plus your remark about Social - I would look at other avenues as well as the computer.

-- If it were me and I thought my computer was compromised, I'd wipe the hard drive and reinstall Windows. Better safe than sorry...

-- There are a few more scans that we can run to look more closely for rootkits. Even if you decide to format, I suggest running them just to see if they can point you in the right direction toward getting to the bottom of this.

Here are some excellent articles that deal with this scenario:
http://www.dslreports.com/faq/10451
http://www.dslreports.com/faq/10063
http://miekiemoes.blogspot.com/2008/06/malware-removal-where-to-draw-line.html
http://technet.microsoft.com/en-us/library/cc512587.aspx

--- I know this is not much consolation, but it looks like subinacl.exe ran properly . . . .

Let me know how you want to proceed and if I can do anything to help.

PP:)
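
An added example, not part of the thread and not something the FixPerms batch file does: a Python parser for the subinacl summary blocks pasted above, so the "Failed" counts and the keys behind them can be pulled out of a long log instead of read by eye. It re-joins the lines the 80-column console wrapped (the split "syst/em" and "A/ccess" above) and, because subinacl lists only the last failed key per block, reports how many failures have no key shown. The sample input is copied from the log in this thread; the code is mine, not subinacl's.

```python
import re
from typing import Dict, List

# Constructed sample: three of the summary blocks from the FixPerms (subinacl.exe)
# output pasted in the thread. The console wrapped two long lines at 80 columns,
# splitting "system" and "Access" across lines, exactly as in the post.
SAMPLE_LOG = r"""Elapsed Time: 00 00:01:00
Done: 33916, Modified 33915, Failed 1, Syntax errors 0
Last Done : HKEY_CURRENT_USER\Volatile Environment\1
Last Failed: HKEY_CURRENT_USER\Software\SecuROM\License information : 2 The syst
em cannot find the file specified.

Elapsed Time: 00 00:13:10
Done: 337110, Modified 337108, Failed 2, Syntax errors 0
Last Done : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{E1C2A72B-9DEE
-4DDD-B40A-9BFBD8DB3849}\Parameters\Tcpip
Last Failed: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg : 5 A
ccess is denied.

Elapsed Time: 00 00:00:00
Done: 0, Modified 0, Failed 0, Syntax errors 0
The process has finished!!
Press any key to continue . . .
"""

# Lines that start a field; any other non-blank line is a console wrap of the
# previous line and is glued back on without a separator.
FIELD_PREFIXES = ("Elapsed Time:", "Done:", "Last Done", "Last Failed:",
                  "The process", "Press any key")
COUNTS_RE = re.compile(r"^Done: (\d+), Modified (\d+), Failed (\d+), Syntax errors (\d+)$")
FAILED_RE = re.compile(r"^Last Failed: (.+?) : (\d+) (.+)$")
# Win32 error codes subinacl appends after the failed key
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}


def unwrap(lines: List[str]) -> List[str]:
    """Re-join lines that the 80-column console wrapped."""
    out: List[str] = []
    for raw in lines:
        line = raw.rstrip()
        if not line:
            out.append("")                       # keep block separators
        elif line.startswith(FIELD_PREFIXES) or not out or out[-1] == "":
            out.append(line)
        else:
            out[-1] += line                      # continuation of the previous field
    return out


def parse_summary(text: str) -> List[Dict]:
    """One dict per 'Elapsed Time' block: counts, last key done, failures listed."""
    blocks: List[Dict] = []
    cur: Dict = {}
    for line in unwrap(text.splitlines()):
        if line.startswith("Elapsed Time:"):
            cur = {"elapsed": line.split(":", 1)[1].strip(), "done": 0, "modified": 0,
                   "failed": 0, "syntax_errors": 0, "last_done": None, "failures": []}
            blocks.append(cur)
        elif not cur:
            continue                             # text before the first block
        elif (m := COUNTS_RE.match(line)):
            cur["done"], cur["modified"], cur["failed"], cur["syntax_errors"] = map(int, m.groups())
        elif line.startswith("Last Done"):
            cur["last_done"] = line.split(":", 1)[1].strip()
        elif (m := FAILED_RE.match(line)):
            cur["failures"].append({"key": m.group(1), "code": int(m.group(2)),
                                    "message": m.group(3).strip()})
    return blocks


def triage(blocks: List[Dict]) -> Dict:
    """Totals plus the failures that need a human look. subinacl prints only the
    last failure of each block, so 'unreported' counts failures with no key shown."""
    findings = [{"key": f["key"], "code": f["code"],
                 "error": WIN32_ERRORS.get(f["code"], "UNKNOWN"), "message": f["message"]}
                for b in blocks for f in b["failures"]]
    return {
        "keys_processed": sum(b["done"] for b in blocks),
        "failed": sum(b["failed"] for b in blocks),
        "unreported": sum(b["failed"] - len(b["failures"]) for b in blocks),
        "findings": findings,
    }


if __name__ == "__main__":
    summary = triage(parse_summary(SAMPLE_LOG))
    print(f"{summary['keys_processed']} keys processed, {summary['failed']} failed "
          f"({summary['unreported']} without a key listed)")
    for f in summary["findings"]:
        print(f"  {f['error']} ({f['code']}): {f['key']}")
```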

Yes, my email and phone number are out there for work and even more so lately. The company that sent the email's rep made the computer suggestion and I said the same thing, how'd they get my social from my computer? It actually looks as though it is all one company with different "programs" that are charged to your home phone. This happened once before, just not so many and Microsoft said to reset my passwords and it stopped. This guy said it was the system because it was hard to set up one of their accounts and it had to go through 3rd party verification and all that. I have decided after working on it all day though that he was full of it. I think someone got my email again and did it through that and it is not some complicated mess like he led me to believe. I had my son look at my computer today and he couldn't find any "trollers" he called it or something like that. He says it's easy to figure out passwords and use someone's email. I guess I will just keep changing my password more often and see what happens. So sorry I confused matters, just wanted to make sure it wasn't all related, I'm pretty ignorant about things like this. Let's keep working on it, if only because I am not ready to give it up to the beast. I've called everyone and if they took my info the offenders already have it now and everyone who needs to know is aware. I don't have any credit card info on this computer. Thanks for the links I will look them over tonight. So, all that said... Back to the issue at hand.

I don't have any credit card info on this computer. Thanks for the links I will look them over tonight. So, all that said... Back to the issue at hand.

AllRightyThen - On we go!

Let's try again to set up that reg key and see what happens:

Open another elevated command prompt and Copy&Paste

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS" /v "Installed" /d "1" /f
and hit ENTER

Then, Copy&Paste

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS" /ve /f

and hit ENTER

You should get a confirmation/success message each time. Then, open registry editor and drill down and verify the MSFS key truly exists.

With any luck, that will work :)
PP

it is here :)

it is here :)

Finally! LOL! Lovin' that Vista!

See if you are able to install Adobe now - hopefully that will complete OK and then we can look at security again.

Typical busy Fall weekend upcoming - will check in as time permits.

PP:)

commented: Yay lol, I cheered when I read his post too haha :) +6

Adobe Reader reinstalled, so yeah! :) now I'm just trying to figure out how to get my plug_ins back for acrobat pro without knowing which ones to replace.....LOL, that's what I get for buying the student version! So, great, progress! I definitely owe you. So, I know we aren't completely done but, if you need graphics, illustration or other artwork please let me know, I will be more than happy to help you with it. You have been great. Same goes for Crunchie. Just to say thanks. I would at least like to do a Christmas Card design for you. :)

That is good news indeed! And, a very generous thank-you offer to boot!
Generally, I am happy if people "pay it forward" and do a good turn for somebody else in need. I figure that eventually it'll work its way back to me :)

I'd like to run a couple more tools to check for lingering malware and then we can move on to making sure everything is updated and put some additional protective measure in place.

-- Please Update your MBAM (update tab) and then run the Full Scan and have it remove all it finds.
Post the log for me.

-- Then, please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then click the save button and name the log GMER – 1.log and save it to where you can easily find it and post it for me.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.
DO NOT take any action for any found items until I can have a look.

-- Lastly please do the ESET Scan (step #9) in the linky below and post that log as well.

http://www.daniweb.com/forums/thread134865.html

PP:)

Malwarebytes' Anti-Malware 1.41
Database version: 3210
Windows 6.0.6002 Service Pack 2

11/21/2009 8:49:44 PM
mbam-log-2009-11-21 (20-49-44).txt

Scan type: Full Scan (C:\|)
Objects scanned: 316111
Time elapsed: 1 hour(s), 17 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Only a couple of strange things now: I keep having to reinstall programs. I try to open a program and it comes up and says this is only for an installed program. Reinstalled Microsoft Office Friday, I think, and Painter X again today, for the 4th time so far, I think, and the cursor is jumping around while I type again. :( Following the remainder of your directions now.

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-21 22:27:05
Windows 6.0.6002 Service Pack 2
Running: tvx8cmf2.exe; Driver: C:\Users\Auberey\AppData\Local\Temp\kgryypob.sys


---- System - GMER 1.0.15 ----

SSDT A7C372F4 ZwCreateThread
SSDT A7C372E0 ZwOpenProcess
SSDT A7C372E5 ZwOpenThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0x8CFA00B0]

INT 0x51 ? 85C92BF8
INT 0x62 ? 85C92BF8
INT 0x72 ? 84078BF8
INT 0x82 ? 84078BF8
INT 0xA2 ? 85C92BF8
INT 0xB2 ? 85C92BF8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806986D2] \SystemRoot\System32\Drivers\spwa.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80698040] \SystemRoot\System32\Drivers\spwa.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [806987FC] \SystemRoot\System32\Drivers\spwa.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [806980BE] \SystemRoot\System32\Drivers\spwa.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8069813C] \SystemRoot\System32\Drivers\spwa.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806A8048] \SystemRoot\System32\Drivers\spwa.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73FE7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7403A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73FEBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73FDF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73FE75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73FDE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74018395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73FEDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73FDFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73FDFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73FD71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7406CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7400C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73FDD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73FD6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73FD687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73FE2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84A0E1F8
Device \FileSystem\fastfat \FatCdrom 86657500
Device \Driver\volmgr \Device\VolMgrControl 8407A1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{0AD67A1E-902B-4DB9-876E-7B2FF7001D94} 872911F8
Device \Driver\usbuhci \Device\USBPDO-0 85BB11F8
Device \Driver\usbuhci \Device\USBPDO-1 85BB11F8
Device \Driver\usbuhci \Device\USBPDO-2 85BB11F8
Device \Driver\usbuhci \Device\USBPDO-3 85BB11F8
Device \Driver\usbehci \Device\USBPDO-4 85BAE1F8
Device \Driver\volmgr \Device\HarddiskVolume1 8407A1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{E1C2A72B-9DEE-4DDD-B40A-9BFBD8DB3849} 872911F8
Device \Driver\volmgr \Device\HarddiskVolume2 8407A1F8
Device \Driver\cdrom \Device\CdRom0 85C4A1F8
Device \Driver\volmgr \Device\HarddiskVolume3 8407A1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84A0D1F8
Device \Driver\atapi \Device\Ide\IdePort0 84A0D1F8
Device \Driver\atapi \Device\Ide\IdePort1 84A0D1F8
Device \Driver\atapi \Device\Ide\IdePort2 84A0D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 84A0D1F8
Device \Driver\netbt \Device\NetBt_Wins_Export 872911F8
Device \Driver\Smb \Device\NetbiosSmb 872901F8
Device \Driver\iScsiPrt \Device\RaidPort0 85C1F1F8
Device \Driver\usbuhci \Device\USBFDO-0 85BB11F8
Device \Driver\usbuhci \Device\USBFDO-1 85BB11F8
Device \Driver\usbuhci \Device\USBFDO-2 85BB11F8
Device \Driver\usbuhci \Device\USBFDO-3 85BB11F8
Device \Driver\usbehci \Device\USBFDO-4 85BAE1F8
Device \FileSystem\fastfat \Fat 86657500

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\cdfs \Cdfs 869641F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

---- EOF - GMER 1.0.15 ----

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=1f641c9b381f4a418a2d939f1b97b45a
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-05 03:53:02
# local_time=2009-11-04 10:53:02 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776573 100 100 0 93997415 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=196917
# found=0
# cleaned=0
# scan_time=3294
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=1f641c9b381f4a418a2d939f1b97b45a
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-05 01:01:57
# local_time=2009-11-05 08:01:57 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776573 100 100 0 94030234 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=196139
# found=0
# cleaned=0
# scan_time=3410
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=1f641c9b381f4a418a2d939f1b97b45a
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-06 02:54:45
# local_time=2009-11-05 09:54:45 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776573 100 100 0 94080213 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=194134
# found=0
# cleaned=0
# scan_time=3399
# version=7
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=1f641c9b381f4a418a2d939f1b97b45a
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-22 05:06:14
# local_time=2009-11-22 12:06:14 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 1317881 1317881 0 0
# compatibility_mode=1026 16777214 0 2 803423 803423 0 0
# compatibility_mode=1797 16775165 100 100 0 35190502 0 0
# compatibility_mode=5892 16776637 100 100 0 95468790 0 0
# compatibility_mode=8192 67108863 100 0 553726 553726 0 0
# scanned=201566
# found=0
# cleaned=0
# scan_time=5112

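An added example, not from the thread or from GMER: a Python triage helper for the GMER log format above. It attributes each SSDT and IAT hook to the module GMER names, lists the hooks GMER could only give an address for, and shows which imports one driver sits on (here spwa.sys on atapi.sys and i8042prt.sys). The sample is a constructed subset of the log above; the verdict on whether a hook is benign stays with the analyst, as it did in the thread.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: a subset of the GMER log posted above (every SSDT and kernel
# IAT line, two of the seventeen Explorer.EXE user-mode IAT lines, and the two
# registry lines), enough to exercise each line shape the parser handles.
SAMPLE_GMER = r"""---- System - GMER 1.0.15 ----

SSDT A7C372F4 ZwCreateThread
SSDT A7C372E0 ZwOpenProcess
SSDT A7C372E5 ZwOpenThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0x8CFA00B0]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806986D2] \SystemRoot\System32\Drivers\spwa.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80698040] \SystemRoot\System32\Drivers\spwa.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [806987FC] \SystemRoot\System32\Drivers\spwa.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [806980BE] \SystemRoot\System32\Drivers\spwa.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8069813C] \SystemRoot\System32\Drivers\spwa.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806A8048] \SystemRoot\System32\Drivers\spwa.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73FE7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7403A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

---- EOF - GMER 1.0.15 ----
"""


class Hook(NamedTuple):
    kind: str              # "SSDT" or "IAT"
    section: str           # GMER section heading the line appeared under
    victim: str            # hooked service (SSDT) or "image[module!import]" (IAT)
    owner: Optional[str]   # file name of the module GMER says owns the hook, if any
    vendor: Optional[str]  # version-resource vendor string GMER appends, if any


SECTION_RE = re.compile(r"^---- (.+?) - GMER")
SSDT_ADDR_RE = re.compile(r"^SSDT ([0-9A-F]{8}) (\S+)$")            # address only, owner unknown
SSDT_MOD_RE = re.compile(r"^SSDT (.+?) (\S+) \[0x[0-9A-F]{8}\]$")    # owner path, service, address
IAT_RE = re.compile(r"^IAT (.+?) \[([0-9A-F]{8})\] (.+?)(?: \((.+)\))?$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_gmer(text: str) -> List[Hook]:
    """Turn the SSDT and IAT lines of a GMER log into Hook records; other lines
    (device list, registry values) are skipped."""
    hooks: List[Hook] = []
    section = ""
    for line in text.splitlines():
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif (m := SSDT_ADDR_RE.match(line)):
            hooks.append(Hook("SSDT", section, m.group(2), None, None))
        elif (m := SSDT_MOD_RE.match(line)):
            hooks.append(Hook("SSDT", section, m.group(2), basename(m.group(1)), None))
        elif (m := IAT_RE.match(line)):
            hooks.append(Hook("IAT", section, m.group(1), basename(m.group(3)), m.group(4)))
    return hooks


def hooks_by_owner(hooks: List[Hook]) -> Dict[str, int]:
    """Hook count per owning module; SSDT entries with only an address go under '<unknown>'."""
    return dict(Counter(h.owner or "<unknown>" for h in hooks))


def unattributed(hooks: List[Hook]) -> List[str]:
    """Hooked services GMER could not tie to a module: the first thing to resolve by hand."""
    return [h.victim for h in hooks if h.owner is None]


def hooked_imports(hooks: List[Hook], owner: str) -> Dict[str, List[str]]:
    """Which images a given module hooks and which imports in each; in the thread's
    log spwa.sys sits on atapi.sys's port I/O and i8042prt.sys's READ_PORT_UCHAR."""
    out: Dict[str, List[str]] = defaultdict(list)
    for h in hooks:
        if h.kind == "IAT" and h.owner == owner:
            image, _, imp = h.victim.rpartition("[")   # last "[...]" is module!import
            out[basename(image.strip())].append(imp.rstrip("]"))
    return dict(out)


if __name__ == "__main__":
    found = parse_gmer(SAMPLE_GMER)
    for owner, n in sorted(hooks_by_owner(found).items()):
        print(f"{owner}: {n} hook(s)")
    print("unattributed SSDT hooks:", unattributed(found))
    print("spwa.sys hooks:", hooked_imports(found, "spwa.sys"))
```
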
Only a couple of strange things now: I keep having to reinstall programs. I try to open a program and it comes up and says this is only for an installed program.

That's odd - can you give me the exact error message? Definitely need to see that before I can make any suggestions.

On the plus side, those other logs look good, so I think you are OK as far as malware goes.
Not sure about the system instability - that can be chalked up to any number of things, not the least being the malware and all of the (powerful) tools we have run during the course of this process.

Let me know about the error messages - I'd like to get that sorted before we start adding and removing any programs.

PP:)

Had I been using my brain when it happened I would have written it down, but I have reinstalled so many times now, I just thought, Argggg!!!! and reinstalled again. Today they are all opening, though not running without being a little buggy. An error box with a red circle and an x through it opened and said pretty much that the shortcut was only meant for an installed program. I needed to work so I reinstalled again. Sorry. :( Wish I had thought to write it down precisely but I was kinda frustrated and needing to get some things done. Seems to affect Corel Painter the most often; Office worked one day then the next day, which was right after the reinstall of Acrobat I think, it would not open and it was the same error message for both programs. Previously when I had to reinstall Painter it just would not open. I hate to say maybe it will happen again and I can give you the exact message then, but it probably will. But it could be weeks. There was no error # or anything though, just that the program was not installed. The Word program not working seemed to be related to the Office Pro somehow ending up on my system. Could that have happened by downloading paperwork from someone who used Office Pro? I downloaded paperwork from my son's sped teacher last week, she may use the Pro version rather than the Home version that I use. Wow, this is like the never ending computer issue.

So I made the system freeze up and I finally just had to manually shut it down and restart it, this may have been my fault, I was trying to work with a high rez image back and forth between painter and photoshop, I really know better but was trying to work quickly. I'm beginning to think it's just an out of date beast. This is what it gave me after restarting.

Logon (yes it was one word not two) process has failed to create the security options dialog
Failure-Security Options

then:
Display Driver igfx stopped responding and has successfully recovered.

as I said this was most likely my fault, I should know better, I was trying to push her beyond her limits I think... Seems to be working ok now. Cursor is not jumping right now and it seems to be working smoothly for the moment. All the programs will open for now. I think I need to get a new external hard drive, just in case, that way if I have to wipe it I don't have to rely on disks and my zip drive. Do you have any recommendations?

So I made the system freeze up. . . . .as I said this was most likely my fault, I should know better, I was trying to push her beyond her limits I think...

I think you are right - probably pushing a bit hard + Vista needs a good deal of RAM.

I think I need to get a new external hard drive, just in case, that way if I have to wipe it I don't have to rely on disks and my zip drive. Do you have any recommendations?

I am partial to Seagate (and Newegg, for that matter):
Seagate FreeAgent Desk 640GB USB 2.0 Silver External Hard Drive

Let me go over your thread and see what we need to add/update or remove in the way of security apps, etc...
I am taking on some extra work before the holidays, so posting will be spotty - please bear with me....

PP:)

thank you as always, and I totally understand:) what do you think about the new 1TB Seagate? Is it worth it, if it's big enough I can supposedly use it as a scratch disk for my drawing programs. I actually priced the one you posted this weekend and was trying to decide between it and the larger one.

thank you as always, and I totally understand:) what do you think about the new 1TB Seagate? Is it worth it, if it's big enough I can supposedly use it as a scratch disk for my drawing programs. I actually priced the one you posted this weekend and was trying to decide between it and the larger one.

I have never had a problem with Seagate - have five of them and three are at least 5 years old and still as good as new.....
Haven't looked too much at the big drives, though, so I couldn't say about the TB.....

-- I think as far as protection goes, you ought to be OK with Avira as your AV. Just keep it updated.

I imagine Windows Defender is onboard, so that will give some "real-time" protection.

If you keep your SpybotSD updated and use the "immunize" feature, that will help. An alternative would be SpywareBlaster.

Keep your MBAM on hand for "on demand" scanning, as needed. Be sure to update it before scanning.

I would also suggest a decent Firewall - ZoneAlarm has an easy learning curve and is OK.
Comodo might be a better choice, but if you don't want their AV as well, you have to de-select it at install.
Or, you could remove Avira and go with the complete Comodo Suite.
Whatever you want to do.

Also, you should update your Java and remove all older versions.
http://www.java.com/en


Before I forget, let's remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

Hope things are running OK now - Let me know if not.
Will be here off and on over the holiday.

Happy Thanksgiving :)
PP

It still came up and said that AVG was running, not sure what to do about that, I still have a file but it doesn't come up if I try to uninstall it. Everything seems to be running pretty smoothly except that I still have the typing issue when typing on-line. Just in case we are done or about done, this is me http://puddleofcrumbs.blogspot.com/ in case you change your mind about a Christmas card or graphic. It was a genuine offer and I really don't mind at all. Happy Thanksgiving! If there is anything else I need to do just let me know. And thank you, thank you, thank you for all your help, and you too Crunchie! Will work on the other items listed this weekend.

what is the best way to delete the older versions of Java?

what is the best way to delete the older versions of Java?

Just go into Add / Remove Programs and remove the old one - I think I saw only one old version.

It still came up and said that AVG was running, not sure what to do about that, I still have a file but it doesn't come up if I try to uninstall it.

What file?

Download Bill James’ RegSrch

Extract it to your Desktop and DoubleClick regsrch.vbs
-- if your AV has script blocking, you’ll need to allow this to run
When the dialog box opens, type AVG and Click OK.
-- Then, run it again and search for Grisoft.

-- You’ll need to save the logs that popup in Wordpad and then submit them for me.

Everything seems to be running pretty smoothly except that I still have the typing issue when typing on-line.

So, it's just online?
Does the problem occur in both Firefox and IE now?

Just in case we are done or about done, this is me http://puddleofcrumbs.blogspot.com/ in case you change your mind about a Christmas card or graphic.

I think we are about done - I'd like to take a whack at that AVG remnant and see if we can deduce the typing issue, though.

-- Wow, those look great! I especially like the penguin.
What sort of children's book are you writing?
I do a good deal of writing myself - though time is hard to come by these days...

PP:)

Just go into Add / Remove Programs and remove the old one - I think I saw only one old version.

I had tried this but it doesn't show up in my programs list, neither version does, sorry I should have said this before.

What file?

it is in the programs file and didn't go away when we uninstalled the nonworking program earlier on, this may have been done when I was working with Crunchie. If I open the task manager and check processes I don't see it running but when we removed combofix it said that it was.
I uninstalled the Avira yesterday and installed the combo of the Comodo. Not only because I thought it would be easier to have one program for both, but also because I couldn't find a way to set the scan times on the Avira and it would scan in the middle of the day while I was trying to work and slow things down.

You’ll need to save the logs that popup in Wordpad and then submit them for me.

it's very long so I am attaching it, if you'd prefer that I paste it let me know.
It gave me an error when I ran the second one for Grisoft

cannot export C:\Users\Auberey\AppData\Local\Temp\RegTemp.tmp
error opening file

then in a second box

code 800A0035
Microsoft VBScript runtime error
there may be a disk or file system error

So, it's just online?
Does the problem occur in both Firefox and IE now?

I haven't used word lately and have only been typing online, but yes, in Firefox too now. It doesn't always happen which is what is so strange. It's not happening this morning. But yesterday it was driving me crazy. Maybe it is a keyboard issue? I can live with it, it's just frustrating and I wanted to make sure it wasn't related to anything we've been working to resolve.

Wow, those look great! I especially like the penguin.
What sort of children's book are you writing?
I do a good deal of writing myself - though time is hard to come by these days...

thanks so much, I write picture books, typically for ages 4-8, not published yet, but if you want to see it email me and I will send you a link :) If you want to use the penguin let me know and I can send you a file you can print if you'd like. You can also send a png, or jpg as an email card. Or I'll do something new for you, it only takes a day or two.
I've been writing children's books for years and never doing anything with them, once the kids were mostly grown I decided it was time to pursue it in earnest. So we'll see. We also do the whole BBQ thing, competitions, we have a cookbook, rubs, stuff like that. If you had rather have some rub or a cookbook let me know. We are working on a new cookbook also. Here is my hubby's forum http://addictedtobbq.proboards.com/index.cgi, I think the link to the books is there, not sure though.

So what do you write? It's hard to find the time for me too, but life is short and if it's something you really want to do and love to do, you just have to make the time. :)

I think we are about done - I'd like to take a whack at that AVG remnant and see if we can deduce the typing issue, though.

I'm sure you will be glad to be done with the world's longest post and never-ending issue! ;) As always, thanks so much for your time and knowledge.

I had tried this but it doesn't show up in my programs list, neither version does, sorry I should have said this before.

It shows in your DDS Attach log:
iTunes
Java(TM) 6 Update 15
Junk Mail filter update

Any trouble installing the updated version?

it is in the programs file....

No worries - we can deal with that. Did you try to delete it in Safe Mode?
We can just remove the associated reg keys and then pull it out - hopefully with no problems...

it's very long so I am attaching it, if you'd prefer that I paste it let me know.
It gave me an error when I ran the second one for Grisoft

Attaching is fine - actually preferable in this case.
Please try again for "Grisoft" - Let me know if any trouble.

I haven't used word lately and have only been typing online, but yes, in Firefox too now . . . . Maybe it is a keyboard issue? I can live with it, it's just frustrating and I wanted to make sure it wasn't related to anything we've been working to resolve.

Honestly, these types of problems are rarely (directly) due to malware. Sometimes they are a resulting annoyance due to system instability after a malware infestation - but that is rare.

Usually it is a keyboard/mouse or driver issue.
Are you able to try a different keyboard?

If you want to use the penguin let me know and I can send you a file you can print if you'd like. You can also send a png, or jpg as an email card. . . .

That would be nice :)
Once we wrap this thread up, I'll PM you my email.

So what do you write?

I do a little bit of everything.
I have a 2 year Engineering degree as well as a B.A. in English.
I freelance a bit doing editing and technical writing for extra cash.

I am currently working on an updated screen adaptation of Ivan Turgenev's Fathers and Sons as well as some short fiction.

It's hard to find the time for me too, but life is short and if it's something you really want to do and love to do, you just have to make the time. :)

I am starting to realize that, the older I get :)

I'm sure you will be glad to be done with the world's longest post and never-ending issue! ;) As always, thanks so much for your time and knowledge.

Happy to help!
This is one of the things I like about posting here at Daniweb - I am free to pursue these types of threads. A lot of other forums will simply see to it that your scanlogs are malware-free and then, if you have any other issues, you are on your own or they'll send you to a different forum.
I try to deliver "full service." LOL!

PP:)

Any trouble installing the updated version?

nope

It shows in your DDS Attach log:
iTunes
Java(TM) 6 Update 15
Junk Mail filter update

So what is a safe way to delete it without messing anything up? Vista is weird about deleting things even with the Windows uninstaller tool. I tried it in Safe Mode too; it still didn't show up under the uninstaller. I knew it was there because I found it, I just wasn't sure of the best way to uninstall it without messing something else up. Same issue with the AVG thing. Just not wanting to make a mess.

Are you able to try a different keyboard?

I'll try this in the morning with my son's keyboard, I don't have an external one anymore, we've just been using laptops for a while now. I'm saving for a new desktop.

Once we wrap this thread up, I'll PM you my email

great:)

I do a little bit of everything.
I have a 2 year Engineering degree as well as a B.A. in English.
I freelance a bit doing editing and technical writing for extra cash.

I am currently working on an updated screen adaptation of Ivan Turgenev's Fathers and Sons as well as some short fiction.

wow! very impressive

if you have any other issues, you are on your own or they'll send you to a different forum.
I try to deliver "full service." LOL!

which is why I was so happy to find Daniweb and that you and Crunchie were/are so willing to help.

ok going to close everything up and try the Grisoft again, I've been redoing my website all day. yuk!

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "Grisoft" 11/29/2009 8:21:51 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-4215972033-1050644244-1932678965-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List]
"File1"="C:\\Users\\Auberey\\Documents\\regedit for Grisoft.txt"

wow! very impressive

Well . . . Unfortunately it is not very lucrative at the moment :)

which is why I was so happy to find Daniweb and that you and Crunchie were/are so willing to help.

Luckily for you, we are not nearly as overwhelmed as some other forums.
I have a friend who runs a popular forum and they are currently running 3-4 days between replies. At that pace, this thread would take a year to complete :)

Let's do this for the old Java:

Please download JavaRa.zip to your Desktop and Extract it to its own folder.

-- Make sure ALL browsers are CLOSED.
-- DoubleClick on JavaRa.exe to run it and then select your language of choice.
-- Click Remove Older Versions.
-- Follow the prompts and a log will pop up. You can post this if you wish.

PP:)

[HKEY_USERS\S-1-5-21-4215972033-1050644244-1932678965-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List]
"File1"="C:\\Users\\Auberey\\Documents\\regedit for Grisoft.txt"

Is that the whole thing?

I figured there'd be more - no worries if not.

PP:)
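The thread above searches the registry for "Grisoft" with RegSrch.vbs and chases an old Java entry that no longer shows in the Programs list. The script below is an added example for doing the same two checks from PowerShell; it is not RegSrch.vbs, JavaRa, or anything posted in the original thread. The function names, the default hives searched, and the search string "Grisoft" are my own choices. Run it from an elevated PowerShell prompt: keys the account cannot open (the FixPerms log above showed one such, HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg, "Access is denied") are skipped silently, so an empty result does not prove the string is absent from those keys.

```powershell
# Added example: search registry key names, value names and value data for a
# string, and list Add/Remove Programs entries whose DisplayName matches.
# Function names, hive list and defaults are assumptions for illustration.

function Search-RegistryString {
    param(
        [Parameter(Mandatory)] [string] $Pattern,
        # Default hives are an assumption; add HKU:\ for other user profiles.
        [string[]] $Hives = @(
            'HKLM:\SOFTWARE',
            'HKLM:\SYSTEM\CurrentControlSet\Services',
            'HKCU:\Software'
        )
    )

    $re = [regex]::Escape($Pattern)   # literal match, case-insensitive by default

    foreach ($hive in $Hives) {
        # Keys we cannot open (ACL-protected, e.g. the sptd\Cfg key in the
        # FixPerms log) raise errors; SilentlyContinue skips them.
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_

            # 1. Match on the key name itself.
            if ($key.PSChildName -match $re) {
                [pscustomobject]@{ Kind = 'Key'; Path = $key.Name; Name = ''; Data = '' }
            }

            # 2. Match on each value name and its data.
            foreach ($valueName in $key.GetValueNames()) {
                $data = $key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
                $text = if ($data -is [byte[]]) {
                    [BitConverter]::ToString($data)      # REG_BINARY as hex
                } else {
                    [string]$data                        # REG_SZ, REG_DWORD, REG_MULTI_SZ
                }
                if ($valueName -match $re -or $text -match $re) {
                    [pscustomobject]@{ Kind = 'Value'; Path = $key.Name; Name = $valueName; Data = $text }
                }
            }
        }
    }
}

function Get-UninstallEntry {
    # Lists entries behind Programs and Features, including the 32-bit view
    # (WOW6432Node) and per-user installs, which the GUI can hide or mislabel.
    param([Parameter(Mandatory)] [string] $Pattern)

    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $Pattern } |
        Select-Object DisplayName, DisplayVersion, UninstallString, PSPath
}

# Usage (elevated prompt):
Search-RegistryString -Pattern 'Grisoft' | Format-Table -AutoSize
Get-UninstallEntry -Pattern 'Java' | Format-List
```

The registry search walks three hives instead of the whole registry because a full recursive walk of HKEY_CLASSES_ROOT and all of HKEY_USERS takes minutes (the FixPerms log above shows 337,110 keys under HKLM\SYSTEM alone); widen `-Hives` when a first pass finds nothing. Treat any hit as a lead, not a verdict: a leftover path in a recent-files list, like the WordPad entry RegSrch.vbs returned for "regedit for Grisoft.txt", is just a reference to the search itself, not a remnant of the product.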
