Hello Family !
I have an Emachine W3653 with Vista on it.
The computer had some viruses and trogans on it so I ran Malwarebytes, SpyBot Search and Destroy and Super Anti Spyware, multiple times, until they all came up cleanwith no infections.
But for some reason, I can sit and watch the "cookies folder" , without having Internet Explorer opened up, and cookies keep popping up as I watch. I can clean out all the cookies and they just keep comming back, even though I don't go on line.
Also, Avast is popping up errors about blocking malicous URLs even when the computer is just sitting there.
I have also went on line and ran Trend Micro House Call, (online scanner) and it even came back with zero infections.
It seems as if something is hooked up to the internet and downloading good and bad cookies. In one minute it downloaded 11 cookies.
I'm stumped on what is doing this ! I have also downloaded all new updates for Maywarebytes, Spybot and Super AntiSpyware and ran them but I still come up with zero infections found, now.
Any and all help will be greatly appreciated in helping me figure out whats wrong with this desktop.
Thank you !
Recommended Answers
Jump to PostLooks ok to me. Go ahead and run Combofix and ignore the message re AV.
Jump to Post1. Please open Notepad Click Start , then Run
Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
KillAll::
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000000
"AntiSpywareOverride"=dword:00000000
…
Jump to PostI am sure that Crunchie is going to take a look at this log to make sure all was done as it was supposed to, but I have a question, earlier you said this;
I have tried to get completely rid of the AT&T Internet Security so that I could use …
Jump to PostHave you rebooted the computer since the run and why do you want to go into the Control Panel?
Did you follow Crunchie's instructions exactly?
STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
This WOULD include Windows Defender.Did you drag …
Jump to PostIf you find that Avast won't allow you to install without being online then of course stop the install and follow the steps for going back online. Then download from the link and install.
All 86 Replies
Can you post the MBA-M logs when it found the infections? I need to see what all was found.
Ok, here are the 3 posts that have eveidence of the infections and then the next scan was clean and all the rest have been clean. Before I post the "logs", here is and example of what Avast is popping up and telling me every now and then......
-----------------------------------------------------------------------------------
"object 199.80.55.80/go.php?data=C%FnlhyxNh9nGqXr21HAWMXBM9Z2
URL;Mal
Action taken was "BLOCKED"
Process: C:\Windows\system32\svchost.exe
----------------------------------------------------------------------------------
Those keep popping up every now and then
Here are your logs that you requested.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4052
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975
11/22/2010 12:32:03 AM
mbam-log-2010-11-22 (00-32-03).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 243624
Time elapsed: 51 minute(s), 36 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\ProgramData\17195494 (Rogue.Multiple) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
#2 Log
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 5170
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975
11/22/2010 11:49:01 AM
mbam-log-2010-11-22 (11-49-01).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 271440
Time elapsed: 1 hour(s), 19 minute(s), 27 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\temp\btwe\trzC23.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\temp\hrou\trz4D93.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\temp\tffq\trz8836.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\temp\xffx\trzD7CD.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\temp\yirx\trzACB4.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
Log #3
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 5173
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975
11/22/2010 6:31:35 PM
mbam-log-2010-11-22 (18-31-35).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 272903
Time elapsed: 1 hour(s), 0 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\temp\cwru\trzB3EC.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\temp\jihs\trz1DE.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\temp\pitn\trz3982.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\temp\ussj\trz23FA.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\temp\wxyq\trz6697.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
I also wanted to tell ya that I get redirected alot when trying to search something on the Internet.
Here is the log you requested. Thank you for helping me !!!!
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:53:51 PM, on 11/23/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?ilc=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-us.cab
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Client Virtualization Handler (cvhsvc) - Authentium, Inc. - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Intel Corporation - (no file)
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - Integrated Technology Express, Inc. - (no file)
O23 - Service: Microsoft Office Diagnostics Service (odserv) - Unknown owner - (no file)
O23 - Service: AT&T Internet Security Suite Service (RPSUpdaterR) - Radialpoint, Inc. - (no file)
O23 - Service: AT&T Internet Security Suite AT&T Firewall (RP_FWS) - Radialpoint, Inc. - (no file)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 3739 bytes
Some odd things about your log, you only have 3 auto starting programs for one thing. When did you turn off all the others and what were they?
I also note the AT&T Internet Security Suite Service listed in Services. When did you uninstall this and how? It contains and av program and a firewall.
This URL blocking, are you certain this is coming from Avast? Avast is an anti-virus program not a firewall which would normally be what would be blocking URLs.
Do you have your cookies set this way:
Accept 1st party cookies, Block 3rd Party cookies, Accept Session cookies.
I would like you to do the ESET Online Scanner.
http://www.eset.com/onlinescan/scanner.php?i_agree=14
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.
Post back with the log.
My cookies are set like this.....(MEDIUM)
Blocks 3rd party cookies that do not have a compact privacy policy
Blocks 3rd party cookies that save info that can be used to contact you without your explicit consent
Restricts 1rst-party cookies that save info that can be used to contact you without your implicit consent.
I have no clue what all I shut off because it was days ago.
I have tried to get completely rid of the AT&T Internet Security so that I could use Avast.
I'm very sure that Avast is blocking the URL'S. It pops up in the bottom right corner and says Avast on it. Pluse it looks exactly like all AVast pop ups but this one is with a red back ground.While I was sitting here writing this the Avast program blocked another URL. At the top of the little warning it says.....
Malicious URL blocked
Avast Network Shield has blocked a harmful site.
Object - 199.80.55.19/go.php?data=4d7%2F21Plce6Bt23UoTsPgmKK3zYXe1
Infection: URL;Mal
Action: Blocked
Process: C:\Windows\System32\svchost
----------------------------------------------------------------
The scan with Eset Online, is taking a while and has found 10 "THREATS" so far. As soon as it's done I will post the results.
My cookies are set like this.....(MEDIUM)
Blocks 3rd party cookies that do not have a compact privacy policy
Blocks 3rd party cookies that save info that can be used to contact you without your explicit consent
Restricts 1rst-party cookies that save info that can be used to contact you without your implicit consent.
Where do you have these settings? I have never seen any that are that explicit.
Is it this link below?
http://25yearsofprogramming.com/blog/2008/20080624.htm
You need to read everything on that page and I don't believe that you have.
First Party cookies:
If (and only if) the website already knows your name, email address, or any other information that personally identifies you, they might choose to store that information in their cookie (they usually don't), but since only they can read the cookie anyway, it doesn't matter. Furthermore, they only have that information if you gave it to them (such as by registering on their site), so you probably wanted them to have it.
I was speaking about IE:note my attachment which is the Advanced Setting spoken of on that link. All 1st party cookies are allowed. All 3rd party cookies are blocked.
Period. Session cookies allowed because those are the ones used for that specific browsing session which allows you to go page to page on various sites without losing your sign in or whatever is needed. Once you leave the website session cookies are deleted.
I always recommend using the Advanced settings.
The info I provided about cookie settings was from where ya open up "Internet Options", then click on the "Privacy" tab. There is a slider bar that runs verticaly and has the info that I provided earlier, beside the slider bar. For me to get to the place that you mentioned in your last reply, I had to click on "advanced". When I clicked on "advanced" I saw that the check-box that says " OVERRIDE AUTOMATIC COOKIE HANDLING" was not checked. So I went ahead and checked it. I set it up as the above pic. shows.
Here is the log frfom the Eset scan......
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL.vir Win32/Adware.FunWeb application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL.vir a variant of Win32/Toolbar.MyWebSearch.B application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL.vir Win32/Adware.FunWeb application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL.vir Win32/Adware.FunWeb application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL.vir Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL.vir Win32/FunWeb application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR.vir Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR.vir Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Users\mae\AppData\Roaming\Bitrix Security\zyljxdtp30.dll a variant of Win32/AutoRun.Spy.Ambler.CF worm cleaned by deleting - quarantined
C:\Windows\System32\FastUv32.dll a variant of Win32/Wimpixo.AA trojan cleaned by deleting (after the next restart) - quarantined
Thank you agian for working with me !
Oh I am happy to help. Can I ask you when you ran Combofix and who told you do do so?
Combofix was run back on 9/8/2009. If I remember correctly, it was this site that I worked with when I ran it.
Combofix was run back on 9/8/2009. If I remember correctly, it was this site that I worked with when I ran it.
Don't believe so. I went back through all of your previous threads here. The only one with Combofix in 2009 was this one;
http://www.daniweb.com/forums/post781415.html#post781415
and you had run it before your opening post. Crunchie told you at that time, Combofix should not be on your computer unless someone has advised you to use it. He then told you to uninstall it and gave the specific instructions that must be used to do so. If these instructions had been followed then the Combofix would have been removed along with it's quarantine files. It obviously was either not removed, removed incorrectly at that time or it has been used since then because the files found and removed by the ESET scan, with the exception of two, were all Combofix quarantine files.
You also did not post the entire ESET scan log. We need to see the entire log, from top to bottom not just the infected files removed.
I reckon I didn't " remember correctly". Chances are that I didn't remove Combo Fix correctly, but I sure will !
I went into the Eset folder, found in Program files, and there was only one .txt file in there. Here is all that is on that file
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
If there is another file with more info on it, I can't find it. Do you want me to run the program again and get another scan log ?
No need for another log. Here are the instructions for UNINSTALLING Combofix, it must be Uninstalled NOT just deleted:
* Click START then RUN
* Now type ComboFix /Uninstall in the runbox and click OK. The space between the combofix and the /uninstall, it must be there.
When shown the disclaimer, Select "2"
Are you still getting these Avast warnings and the additional cookies?
I would like to see an Uninstall list generated by HiJackThis. To get this do the following:
Start HijackThis
Click on the Misc Tools button
Click on the Open Uninstall Manager button.
Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into a reply
Ok, I will get this done ASAP tomorrow......gotta get some sleep.
I will let ya know if I get anymore Avast warnings.I have cleaned out ALL the cookies in the folder this morning. While typing this, I watched cookies just start showing up, even though I'm not on line. 33 cookies showed up in less than a minute. Some of them I know are bad, such as " Double Click". Also, Avast just blocked a Trogan Horse. Here is what the warning said.....
---------------------------------------------------------------------------------
TROJAN HORSE BLOCKED
Avast File System Shield has blocked a threat. No further action is required.
OBJECT: C:\Windows\temp\fgor\setup.exe
INFECTION: Win32:Downloader-EWO[Trj]
Action:
Process: C:\Windows\System32\svchost
---------------------------------------------------------------------------------
I have not had the computer online yet this morning. The cookies are now up to 44. Some of them are common sounding cookies such as Staefarm, Twitter, and Yahoo. Some of them look like junck advertisements !
Here is the HiJackThis Uninstall list you wanted......
Activation Assistant for the 2007 Microsoft Office suites
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player
Auslogics Disk Defrag
Authentium AntiVirus SDK - 2
avast! Free Antivirus
Browser Address Error Redirector
CCleaner (remove only)
Compatibility Pack for the 2007 Office system
eMachines Connect
eMachines Recovery Center Installer
ESET Online Scanner v3
Eusing Free Registry Cleaner
Google Earth Plug-in
Google Update Helper
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 15
Java(TM) 6 Update 4
Java(TM) 6 Update 7
JSWPFCom
JSWPFGrade2
Malwarebytes' Anti-Malware
Media Player Utilities 5.15
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Click-to-Run 2010
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.5
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional 2007
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio Professional 2003
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
MP3 Player Utilities 4.18
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OGA Notifier 2.0.0048.0
OpenOffice.org Installer 1.0
Oryte Games 1.11 Toolbar
PerfectDisk
Power2Go 5.0
PPSDKRedistributables
Radialpoint Security Services
Realtek High Definition Audio Driver
Revo Uninstaller 1.90
RPS Ad Blocker
RPS AntiFraud
RPS AntiSpyware
RPS AntiVirus
RPS App Detector
RPS AsRealtime
RPS Backup
RPS Burn
RPS Diagnostic Utility
RPS Firewall
RPS ParentalControl
RPS Performance Tool
RPS PopupBlocker
RPS Privacy Manager
RPS RpsCore
RPS Security Cleanup
RPS Zip
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB2288953)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Microsoft Office Word 2007 (KB2344993)
SpywareBlaster 4.4
Super Collapse 3
SUPERAntiSpyware
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2443839)
Windows Live ID Sign-in Assistant
Yontoo Layers Client 1.10.01
Right after I sent the "above " info to you, another Trojan popped up, with a little different name.
TROJAN HORSE BLOCKED
Avast File System Shield has blocked a threat. No further action is required.
OBJECT: C:\Windows\temp\jgow\setup.exe
INFECTION: Win32Downloader-EWO[Trj]
Action:
Process: C:\Windows\System32\svchost
While typing this, I watched cookies just start showing up, even though I'm not on line.Look, there is NO way you can get cookies on your machine unless the computer IS online with a browser is open.
How are you connected to the internet? If you are connected via broadband, dsl, wireless and have the computer powered up even if you don't have a browser OPEN the computer IS online unless you remove the connection cord if you have broadband/dsl, and with wireless you must manually Disconnect the connection. You CAN get more infections on there without a browser open but you CANNOT get cookies without a browser open to a web page.
You can't be posting here UNLESS you are online. And WHERE are you watching cookies show up? Please tell me how to do this as it makes no sense.
Sorry, I should have told you that I am writing to you on a different computer than the one that is having problems.
There IS a way that a computer can get cookies without having a browser open because the "problem computer" is doing it. There has to be a hidden program somewhere that is communicating with a site that is sending all these cookies ! I have not opened ANY browser today on the problem computer and it has recived 98 cookies......so far.
I created a shortcut to my " cookies" folder , on the desktop, so that I can open the cookies folder and see whats going on in there. That way I don't have to open up a bunch of folders every time I want to see whats in the cookie folder.
Since I have wrote you last, I have has 3 Advast pop ups, saying that it has blocked Trojans that are in my Temp folder.The latest one is.......\temp\avy\setup.exe
Please continue working with me. Thank you.
If the computer is connected any of the ways I stated above then it IS online even if you have no programs that you can actually see, like browsers that use the internet open. If you have it set to check for automatic updates for anything then that program is open in the background
Disconnect the computer.
Ok, I disconnected the DSL/LAN cable and now I'm not "online. I do swear to you that I have not opened a broswer window and yet the cookies just start popping up in the cookies folder.
Those are not really cookies. They are infected files that look like cookies. Empty EVERYTHING out of your cookie file.
Keep this computer OFFLINE until you are told to put it back online. You are going to have to do everything using a flash drive.
Do you have CCLEANER on that computer?
I have cleaned out all the cookies. There are 2 files in the cookie folder that I'm not sure if I should delete or not so please tell me. One of the files is called desktop.ini. The other file is called index.dat. Let me know if I should delete them also. I do have Ccleaner on the problem computer and I have flashdrives ready.
desktop.ini. - This hidden file is placed in every folder to tell the operating system how to display and customize the viewing of that specific folder
Index.dat are files hidden on your computer that contain all of the Web sites that you have ever visited. Every URL, and every Web page is listed there.
Delete them both.
Run CCleaner and make sure it is configured as show in my attachments. You will use the Windows Tab first, click Analyze and then click the Remove button once it lists everything.
Then do the same using the Applications tab.
Then close CCleaner.
Next I want you to Uninstall the following programs.
Authentium AntiVirus SDK - 2
avast! Free Antivirus
ESET Online Scanner v3
Eusing Free Registry Cleaner
RPS Ad Blocker
RPS AntiFraud
RPS AntiSpyware
RPS AntiVirus
RPS App Detector
RPS AsRealtime
RPS Backup
RPS Burn
RPS Diagnostic Utility
RPS Firewall
RPS ParentalControl
RPS Performance Tool
RPS PopupBlocker
RPS Privacy Manager
RPS RpsCore
RPS Security Cleanup
RPS Zip
AFTER you have done all of the above then we will begin again to clean up the computer. You had two anti virus programs on there, a big no-no. This is why I want all of them removed. Once things are clean then I will tell you how to reinstall Avast.
I stress again, LEAVE THE COMPUTER OFFLINE until we are finished and I tell you to plug the cord back in.
Judy
As I try to delete the file " index.dat", it won't let me. There is a warning/popup that keeps saying....
The action can't be completed because the file is open in another program
Close the file and try again.
I don't have anything else open. What should I do ?
I have uninstalled Avast Free Antivirus, Eset Online Scanner, and Eusing Free Registry Cleaner.
The rest of the programs you listed for me to uninstall are not listed in my Uninstall program.
I try my best to make sure I only have 1 antivirus program running at a time. When I checked the Uninstall list, there was only 1 program listed and that was Avast. I don't see any files related to Authentium AntiVirus SDK - 2
I wonder if that was some type of virus/trojan ???
As I try to delete the file " index.dat", it won't let me. There is a warning/popup that keeps saying....
The action can't be completed because the file is open in another program
Close the file and try again.
I don't have anything else open. What should I do ?
Boot to Safe Mode and remove it.
Do a file search on the computer for Authentium AntiVirus SDK - 2 and if you find it remove it. If you don't find it then it is a likely left over listing. Right Click the entry and delete it.
All those RPS things listed indicate another security program too. Remove those also.
Once you have done all this then I will give you another tool to put on the flash drive and take to the infected computer.
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.