PhilliePhan 171 Central Scrutinizer Team Colleague

pc runs fine for a while, but the longer it runs, the slower it gets before it eventually locks up.

You should probably try to rule out over-heating as an issue as well as what Judy suggests....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

well i burned the disk.. aNd slipped it into old deLL boy but nothing seems to be happening.. it just tried to start up and defaults to the same system32 corrupt error screen..??

Did you tap F12 and boot to CD?
No worries - sometimes DBAN has issues with compys that are having issues......
I just like it because it completely wipes a HD.

You can boot to Recovery Console with your XP CD and use the Format command at the command prompt.
I don't think a quick format is a good idea in the event there is HD damage.
Rather, just use Format C: ENTER

Then you'll be able to fresh install.

Have a look around the net - there are tons of "how to" guides that ought to be able to walk you through the process (wipe / install / update drivers and get patches/service packs etc....).

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

i am so happy my screw ups could help you out..!!!

LOL!
You know what I mean. I enjoy refreshing my knowledge - now I'll be better suited to help the next person with the same problem....

since i have never done that before do i just use the xp start up disk to achieve that clean out or..?? I WILL most definitely make sure there is proper protection on there.. even if i have to encase it in a super sized condom..!!! (if i even allow any internet access to it at all) :-/

HA!---> Anti-virus ( an oldie but goodie)

-- First, I'd start with Darik's Boot and Nuke to wipe the drive.
Then use your XP Disk to install the OS.
-- Then, you'll need all the service packs and patches, etc...
There ought to be a ton of guides on the net for this.


recommend the paid version of LwiRe or someplace all together, or not at all..??

I recommend the "not at all" option.
P2P circumvents the protections you have on your compy and opens it up to a world of hurt.
Much more dangerous these days than even a year ago.
A lot of security forums will not help people who use P2P because they feel they are wasting their time and that they will quickly be re-infected....

I generally don't harp on it - people are going …

PhilliePhan 171 Central Scrutinizer Team Colleague

Please excuse my naiveté: exactly what types of websites am I supposed to steer clear of to avoid contracting malware infections?

The obvious answer is: Any site dealing with Porn/Warez/Cracks.

In my experience, though, nothing is truly "safe." There are just varying degrees of safety.

Malware targets youngsters via sites set up for them because they don't know any better when asked to download something.

I can remember when wrestling sites were a prime source of infection.

I was browsing Philly.com a few weeks ago and clicked a seemingly legit link and was hit with a pop up for a rogue anti-malware app that produced a flash video of said app pretending to "scan" my computer for baddies.
A lot of people are infected that way when they download and install these rogues...

Heck - I've seen legitimate security websites hacked (html code injection, etc...) and people getting infected that way.

Forewarned is forearmed, I suppose.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Sorry this is such a long post, I have tried to give as much information as possible and hopefully someone may be able to help. My IT knowledge is limited but i have tried to be as specific as I can and appreciate any help. Thanks.

No worries - lots of info is good.

The thing is, I am not sure how much help we could be at this point. It sounds as if there is a lot of corruption to deal with + the upgrade.

It might be easier to reinstall Vista. Especially if you have already backed up your data.

Are you able to complete any of the scans requested in the linky below?
http://www.daniweb.com/forums/thread134865.html

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

:| it worked..!!! . . .
WOW.. is all i can say..
you are most definitely THE computer gOd.. *kaden bows in your presence* **giggLes**

offer you my first born perhaps..??

Happy to help :)
(I'll take the first born . . . . since you offered ;) )

Actually, I am happy I got to poke around with boot disks - It's been a while and I forgot the limitations of recovery console. It's always good to refresh one's knowledge....

Well.. i think i am most likely going to just wipe him clean.. especially if this is the best course of action.. i was going to retire old DeLL aNd get myself a better computer in March .... it was just my luck that it got corrupted before i had the chance to do that.. lol
*lesson learned*

That would be best if you are going to give the Dell away.
When you reinstall, make sure to get all the security programs (AV / Firewall etc... + All Windows Updates) installed before doing anything else.

Stay away from the P2P stuff.

Yeah - I know that prolly won't happen, but bear in mind that, with P2P, you are lowering your defenses and inviting all the bad sh!t onto your compy. You literally have no idea what is coming in and from where.
Not to mention that a poorly configured client could offer possibly unlimited access to your machine.....

Hate to …

PhilliePhan 171 Central Scrutinizer Team Colleague

Yeah - you should stay away from Limewire - as far as P2P goes it is one of the worst offenders we see....

-- That's a lot of files, but only 17GB....
I've got only 13000 files in my D&S folder.

-- Once you get the stuff you want to save on the External drive, you can scan it with your Kaspersky and see if anything turns up. So, if you're feeling lucky, you could copy other folders as well (pix & music, etc...).

Once all is transferred to your satisfaction, we can try to clean the ill computer. Or, you can just wipe the hard drive and reinstall Windows.
That would be easier and most effective, but you'd lose all your programs and data.


I have some work I need to wrap up, so I'll have to catch up with you later - probably Tuesday night (EST).

Let me know how the transfer shakes out and what you want to do with the ill compy.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

sorry i didn't see you sitting on the 4th page..!!
*smackshead*

okay i do indeed see the docu/settings folder.. but when i right click to copy it doesn't give me the option to put it anyplace.. just to copy.. where is the external hd..?? i also see a pics folder for my fodos.. but i don't see the stories anyplace.. (they were on my desktop)

OK - When you used the Places Tab and selected Computer, it showed you four Icons.

The external hard drive is this one --> 500GB Hard Disk: Expansion Drive
RightClick the folders you want to copy and choose copy and then select the External Hard Drive Icon and paste....
Or, drag and drop might work.
Been a while since I tried any of this....;)

Heck, you could even copy the entire 60GB drive, but it'd be risky if it is infected.
Best to just stick with your documents and pictures.

-- If your stories are on the Desktop, then the Desktop Folder would be in Documents and Settings

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague


so is this success..??
aNd if so how now..??
what can i do to copy them (if that's what i am supposed 2do)
can i open the files listed or..??

Yeah - Great!

You should be able to do this the easy way. Just navigate to the Files/Folders that you want to save and Copy&Paste them to your external drives.

-- Do you see a "Documents and Settings" Folder?
If so, just copy the whole thing to your External Hard Drive (500GB Hard Disk: Expansion Drive).

Let me know if you can do that or if you are having problems.


PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

should it be taking this long..??

Hard to say - depends on a number of different factors.

With any luck, it'll give you access and you can just copy and paste the stuff you want to save to the external drives.

Otherwise, it's back to command line for a bit.


Either the drive will open or you'll get the error "cannot mount volume" - if you get that error, click Details and let me know what it says.

PhilliePhan 171 Central Scrutinizer Team Colleague


1st says: 60GB Hard Disk: 56 GB Filesystem
2nd says: 500GB Hard Disk: Expansion Drive
3rd says: Gigaware: 8.0GB Filesystem
4th says Filesystem

does that sound right..?? am i in the right place..??

Yeah - that's great . . . . . And now the moment of truth. It's either going to let us do this the easy way or the hard way..........

DoubleClick on the 60GB Hard Disk and let me know what happens. Either you will get access or an error message will pop up.

Let me know.

PhilliePhan 171 Central Scrutinizer Team Colleague

What's the best software to prevent malware infections? The best to detect infections? The best to eradicate them? The best single all-in-one product?

Wow . . . Is that ever a loaded question :)

I am going to give you a very unpopular answer - I kinda like a-squared.
It gets a lot of knocks for a high rate of false positives, but you'll get that with heuristic detections.

MBAM is excellent at removing active malware infections - it is one of the best in that regard, but it has its share of FPs..... Plus, since a lot of people follow stickie posts that tell them to "remove the baddies it finds," it can do some damage via FP (the atapi.sys fiasco, for example).
Still, MBAM is the best "remover," IMO - Warts and all.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

:) alright..!! it says the disk was created successfully..!!! Yay..!!

just let me know what to do next..

OK - Attach the Thumb Drive and the External Hard Drive to the ill computer.

Pop in the Ubuntu Live CD and boot to it and select the option to Try Ubuntu without any change to your computer

Good so far?

Then, click the Places tab and select Computer.
It should list all of the drives connected to your compy.

Let me know what they are.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

*fingers crossed as well and much tighter than yours..!!*

LOL!

Let me know when you're good to go.

PhilliePhan 171 Central Scrutinizer Team Colleague

i have started the dl on my new vaio.. but what kind of cd do i use for this burn..??

A regular CD-R or a DVD will work.
It's a large distro, but should fit on a CD.

When burning ISOs, I use ImgBurn - it's one of those "can't do without it" freewares.....

With any luck, we can boot this up and it will recognize all of your drives - that way, we can get away from command line and just "point and click."
I'll keep my fingers crossed.......

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Yeah - it can be frustrating..... No worries:)

It looks like we won't be able to accomplish what we need to do via the Recovery Console.

We need a better option. Can you burn an ISO?
If so, download Ubuntu Live CD and burn it to a CD.

Let me know if you have any trouble.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK - I figured that was a bit of a long shot via recovery console.

Let's do this:

Remove the external Hard Drive.
Attach the USB thumb drive.

Boot to recovery console and at the command prompt, type the following in bold very carefully:

DIR <space> "%userprofile%\" >> E:\Peek.txt ENTER

DIR <space> "%userprofile%\Desktop" >> E:\Peek.txt ENTER

DIR <space> "%userprofile%\My Documents" >> E:\Peek.txt ENTER

Be sure to use the quotation marks - basically everything in bold needs to be typed.

Let me know if you have any error messages. If not, there will be a file called Peek.txt on the USB drive. Please post that for me.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Does anyone know if you can never really be certain if you've succeeded in completely removing a rootkit? I'll reinstall the system and all my software if I really have to.

Most experts would tell you that, when cleaning rootkits, you should never assume you got all the baddies.
Essentially, outside of wiping the hard drive and re-installing OS, you can never "trust" that machine again......

If your usage involves a lot of sensitive data (online banking, etc...) it would be best to wipe and reinstall.
Yet another reason to remember to back up on a regular basis all the stuff you don't want to lose.

-- Personally, I do enjoy the challenge of trying to clean these infections. But, if it were my computer, I'd clean it (again for the challenge and my own edification) and then wipe the drive and reinstall.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

:?: another question.. i recently purchased a new SONY vaio with windows 7 on it.. i was reading something about an EasyTransferCable i can purchase which claims to move documents and photos and the like from your old computer transferring them onto the new one.. might this be another option..??

I am not sure that would work given the state of the ill compy.
I suppose you could try.

BTW - Do you have a USB thumb drive?



What I'd like to try is this:

Attach the external hard drive.
Attach a thumb drive, if you can.

--- Boot to Recovery Console and access the command prompt.
-- At the prompt, type:
CD <space> D:\ ENTER
CD <space> E:\ ENTER
CD <space> F:\ ENTER
CD <space> G:\ ENTER
CD <space> H:\ ENTER

Tell me the results.

Then, at the command prompt, type:
CD <space> "%userprofile%\desktop" ENTER

at the new command prompt, type: DIR ENTER
Locate the stories you want to save and let me know the names.
For example: My Story.doc

Then, at the command prompt, type:
CD <space> system~1\_resto~1 ENTER
Then, type: DIR ENTER

Let me know if there are any Restore Point Folders listed.
They will look like RP203 RP204 etc....
Basically, RP and a number.

Let me know if those exist and then exit out of Recovery Console and we'll go from there.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

is this something which will work as well perhaps..?????

I have no idea what that is - might have helped if the poster left some sort of explanation....

well i managed to get 2the recovery console.. after connecting the external hd usb,.. i tried typing in the command as you suggested only to get the following: 'the parameter is not valid try /? for help'
but when i type /? nothing happens..

There are a number of reasons for this - everything has to be done properly (+ there are spaces in the command that are hard to see) or the command will fail. The drive labels and the folder paths need to be exact.

--- Does your compy recognize the external hard drive?
--- What is its drive label? (C:\ , G:\, etc...)
--- Are you able to locate the folders with the files and pictures you want to copy? Do you know the paths for them?
Example: C:\Documents and Settings\My photos
That's just an example.
If you do not know the exact path, then we'll need to locate them.


as far as cooking with gas... is that something i can burn onto a disk and feed to the dell or..?? aNd if so which cd might i need to attempt that..

There are ISOs for Hiren's CD and others. If you are able to burn an ISO, then you can create these boot disks.
Hiren's and the …

PhilliePhan 171 Central Scrutinizer Team Colleague

how exactly do i access the area to copy my photos & such..?? Most of what i have read talks about typing "r" to start a recovery.. i am kinda lost now.. i mean after i get it up should i plug in my external hd or ???

Yeah - make sure your external hard drive is formatted properly and then connect it to the ill compy.

Once you are able to boot to recovery console, you will have access to a command prompt and basic DOS commands.

Then, say for instance the following:
External Hard Drive ----> G:\
Your photos are in a folder ---> C:\My Documents\My Photos

You then use the copy command to move them:

At the command prompt, type copy C:\My Documents\My Photos G:\My Photos ENTER

And that should do the trick.

There are other commands we can use as well to address some other issues.
Frankly, there are other bootable disks that would give us more options such as Hiren's Boot CD

If you are able to create that, then we'll be cooking with gas......

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

i have also purchased an external hard drive just in case i am able to access my photos and such.. lesson definitely learned here..!!!
I am going to print this out (the Recovery Console Instructions) and take it home to be sure i can get thru every part of it.. I will check back here afterwards and await your reply..

Great!
Once you get recovery console running, there are a number of options that will be open to you. I think the first would be to carefully copy your photos and other data to the external drive. Don't copy any programs or files you didn't create yourself for the time being - gotta be sure they are not infected.
Your photos and documents should be fine.

Then we'll poke around and see if we can get the compy up and running.

Thank You Again..

Happy to help :)
PP
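The "copy your photos and documents, not programs" rule above, written out as an added example (not code from the thread): it walks a profile folder, carries over only allowlisted document and photo types, and leaves everything else behind, including a "photo.jpg.exe" double extension. The extension allowlist, the sample folder tree and the file names are this example's own assumptions.

```python
"""Selective salvage of user-created files from a suspect drive (constructed example)."""
import shutil
import tempfile
from pathlib import Path

# Allowlist of document and photo types to carry over. This list is an assumption of
# this example; the thread only says "documents and pictures".
SAFE_EXTENSIONS = {
    ".doc", ".docx", ".rtf", ".txt", ".pdf",
    ".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff",
}


def salvage_user_data(src_root, dst_root):
    """Copy allowlisted files under src_root to dst_root, keeping the folder layout.

    Anything not on the allowlist (programs, scripts, unknown binaries, a
    "photo.jpg.exe" double extension) is left behind. Returns two sorted lists of
    relative paths: (copied, skipped).
    """
    src_root, dst_root = Path(src_root), Path(dst_root)
    copied, skipped = [], []
    for path in src_root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(src_root).as_posix()
        # Path.suffix is only the LAST extension, so "photo.jpg.exe" is ".exe".
        if path.suffix.lower() not in SAFE_EXTENSIONS:
            skipped.append(rel)
            continue
        target = dst_root / path.relative_to(src_root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # copy2 keeps timestamps, useful for photo archives
        copied.append(rel)
    return sorted(copied), sorted(skipped)


def build_sample_profile(root):
    """Write a tiny constructed stand-in for C:\\Documents and Settings\\<user>."""
    sample = {
        "Desktop/My Story.doc": b"chapter one",
        "My Documents/My Pictures/IMG_0001.jpg": b"\xff\xd8\xff\xe0 fake jpeg",
        "Application Data/notes.txt": b"shopping list",
        "Desktop/photo.jpg.exe": b"MZ fake program",      # looks like a photo, is a program
        "Local Settings/Temp/setup.exe": b"MZ fake installer",
    }
    for rel, data in sample.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_demo():
    """Build the sample tree in a temp dir, salvage it, and return (copied, skipped)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "ill_drive" / "Documents and Settings" / "kaden"
        dst = Path(tmp) / "Expansion Drive" / "kaden"
        build_sample_profile(src)
        copied, skipped = salvage_user_data(src, dst)
        # Every file reported as copied must really exist on the destination.
        assert all((dst / rel).is_file() for rel in copied)
        return copied, skipped


if __name__ == "__main__":
    copied, skipped = run_demo()
    print("copied:", *copied, sep="\n  ")
    print("skipped:", *skipped, sep="\n  ")
```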

PhilliePhan 171 Central Scrutinizer Team Colleague

i was reading that purchasing some antivirus software may help.. I am not sure which kind to get aNd "if" it will even be of any help for my situation..

NO - that is not going to help at this point.

at this point i am looking into just taking it into GeekSquad.. as I don't know where else to turn..

That should be your last resort - I doubt they will do anything more than wipe your hard drive and reinstall Windows. You'll lose all your important data.

i am concerned with getting my files recovered mostly..
i am a photographer,.. also a writer,.. my life is locked in there,.. and unfortunately I was dumb enough to never back up anything I kept in there.. *sigh* so getting these items back is very important for me.. :(

Yup - always gotta back your stuff up! Lots of people learn the hard way - you're not the first and certainly won't be the last....

and please let me know if you have any other questions or should need any further information..

We may be able to salvage your compy if you are able to do this:

Boot to the Recovery Console from your Windows XP CD

-- Let me know if you are able to do that and we'll see what we can do.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

also i tried to re-install XP with the Dell issued purple OS disk with no response..
can you help me..?? any suggestions..??

-- Can you explain more as to what you tried to do with XP Disk?
Did the drive recognize the disk? Did you try to boot to the XP Disk itself to access the recovery console?


-- Also, what happens when you try to boot to Safe Mode?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Is there some kind of software I can get to repair my laptop or is it destroyed?

-- Do you have your Windows Disk?
You can use that or a bootable rescue disc (or burn an ISO of recovery console) to boot to recovery console and try the fixmbr command to fix your compy's master boot record.

If the Avira tool does not have this option, try http://www.hirensbootcd.net/

If you have your windows disk, then there are some repair options available to you if your system is not too badly compromised.

See if fixmbr returns it to a bootable state.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

a box came on and said it was going to run a virus scan. When he clicked the x it went ahead and ran the program anyway . . . .

I doubt anything actually "ran."

Most often, these "scans" are flash video made to look like a scanner has found a boatload of baddies.

Then, you are prompted to download an installer for a rogue anti-malware program to "remove" these non-existent baddies.

Sounds like your son shut everything down rather than DL and install the rogue app, so that is not a factor in the issues you are having now.

-- I agree with Judy about the cleaning, updating and defrag.


Just wanted to pop in and explain what your son encountered. A lot of people get infected this way.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I can't even get it to reboot and read a CD...

Hi Jo,

Sounds like quite a mess.

If you cannot get the machine to boot, I doubt there is much we can do to help.

-- Are you able to boot to Safe Mode? (Tap F8 upon restart)
-- Have you tried a bootable disk?

Without either of those options being available, your best option might be a repair shop.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

This would be easier if we could get a CFScript to run properly, but we can do this manually.

Anyway, ran the online scan which picked up some things but didn't fix them. Should it have?

No - It is just a good scanner. We need to remove these manually.

FIRST:
Please Download ATF-Cleaner.exe by Atribune to the Desktop.

• Click on ATF-Cleaner to run it
• Where it says Select Files To Delete, Check the Select All Option
• Click Empty Selected > OK

If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, click No at the prompt.

If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, click No at the prompt.

Click Exit on the Main menu to close the program.

THEN:
You'll need to manually delete these:
C:\Documents and Settings\Ronnie\Local Settings\Application Data\Microsoft\Messenger\xkx-kerryn-xsx@hotmail.co.uk\ObjectStore\CustomEmoticons\PqRNSyrnii04hiFLA2FfqIm7QemA=.dt2
C:\Documents and Settings\Ronnie\Application Data\Microsoft\MSN Messenger\4145184867\CustomEmoticons\TFR1C.dat

These two may be false positives, but probably no harm in deleting them anyway just to be certain.

F:\OSO.exe --> If this is a thumb drive, you'll need to …

PhilliePhan 171 Central Scrutinizer Team Colleague

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe

You should probably post a DDS log as per the "Read Me" sticky post because it looks like MBAM missed this.....
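Why that F2 line is worth a second look, as an added example that is not part of the thread: the script below parses HijackThis-style "F2 - REG:system.ini: UserInit=" lines and flags anything other than userinit.exe in the system folder, since every program listed there runs at each logon. The expected stock value, the "system32" folder check and the sample log lines are assumptions of this example.

```python
"""Flag a hijacked Winlogon UserInit entry in a HijackThis-style log (added example)."""
import re

# Format of the F2 line as it appears in the post above.
F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")


def check_userinit_line(line):
    """Parse one log line.

    Returns None for lines that are not a UserInit entry, otherwise a dict:
    {'entries': [...], 'suspicious': bool, 'reasons': [...]}.
    """
    m = F2_USERINIT.match(line.strip())
    if m is None:
        return None
    # UserInit is a comma-separated list; Windows launches every entry in it, which is
    # why malware appends itself after (or swaps itself in for) userinit.exe.
    entries = [e.strip() for e in m.group("value").split(",") if e.strip()]
    reasons = []
    for entry in entries:
        folder, _, name = entry.rpartition("\\")
        if name.lower() != "userinit.exe":
            reasons.append(f"unexpected program launched at logon: {entry}")
        elif "system32" not in folder.lower():
            # Assumption: on the XP-era systems discussed here the real one lives in system32.
            reasons.append(f"userinit.exe loaded from outside the system folder: {entry}")
    if not entries:
        reasons.append("UserInit is empty; logon would fail")
    return {"entries": entries, "suspicious": bool(reasons), "reasons": reasons}


def scan_log(text):
    """Return (line number, finding) for every suspicious UserInit line in a log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        result = check_userinit_line(line)
        if result and result["suspicious"]:
            findings.append((lineno, result))
    return findings


# Constructed sample log: one unrelated line plus the F2 line quoted in the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
""".strip()


if __name__ == "__main__":
    for lineno, finding in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: " + "; ".join(finding["reasons"]))
```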

PhilliePhan 171 Central Scrutinizer Team Colleague

Sorry for the late reply - I have zero Forum time at the moment.

It looks as though MBAM was able to remove some of the components of the baddie:

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\uvc7jk640c (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wab (Trojan.Dropper) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\spool\prtprocs\w32x86\00002941.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00006683.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ronnie\Application Data\Macromedia\Common\850600261.dll (Hijack.Sound) -> Quarantined and deleted successfully.

With those being removed along with the items you deleted, I am not sure what remains - let's have a fresh scan with Kaspersky's online scanner. With any luck, the malware has not been able to reconstitute itself.

Please run a scan with the Kaspersky Online Scanner 7.0
* Note that you may need to temporarily disable your Anti-virus program for the duration of this scan.

-- Accept the agreement and allow the scanner to load and update its definitions. This may take a few minutes.
-- After the program files are downloaded and the anti-virus database is successfully updated, please select the Scan section in the left part of the main program window.
-- Click My Computer to begin a complete scan of your computer, including critical areas.
-- Once the scan has finished, select the Reports section in the left part of the main program window. Click the Save report button in the report viewing window. The Saving window will open.

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi there,
Thanks for your perseverance.
I only scanned the one file for now just to make sure the results are what you expect. I scanned .068, the results are below along with the peek.txt.
Is it ok for me to try and delete the Found files manually (I managed to delete .067 ok) and maybe try and do the same with the ones you highlighted in red.

All those in red are related baddies and need to go.

-- Try booting to Safe Mode and then open the command prompt and try all of the commands again and post the new C:\peek.txt.

I am surprised MBAM doesn't get this. You should also try updating MBAM to the latest definitions and running the Full Scan in Normal Windows boot.
Please post me that log.

Reboot after running MBAM.

This particular baddie should not be putting up such a fight....


Happy New Year :)
Pp

PhilliePhan 171 Central Scrutinizer Team Colleague

I think the following address might be wrong: del /f "C:\documents and settings\NetworkService\Application Data\Macromedia\Common\8506002619.exe" >>%systemdrive%\Peek.txt
Instead of networkService it should be ronnie.
Done a search but didn't delete it before your ok.

Your logs indicated the Network Service Folder. Are you certain it is not there?
- See if C:\peek.txt was created. If so, please post that for me.

I want to look at those C:\FOUND.* items. If my memory serves correctly, they are baddies.
Please upload them for analysis here --> http://virusscan.jotti.org/

Let me know what you find.

Cheers :)
pp

PhilliePhan 171 Central Scrutinizer Team Colleague

Have a Happy & Healthy New Year.

The same to you :)

You very likely have a rootkit that is preventing the running of these tools. There are ways to get around this and I'm certain your advisor at Malwarebytes can talk you through it. I would imagine they'll have you run GMER or another ARK tool to pinpoint the baddie.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for your response.

I generally recommend that, when you come across a suspicious file, you should upload it for analysis at either http://virusscan.jotti.org/en or http://www.virustotal.com/.

Let us know what you find.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

The dos (headed c:\windows\system32\cmd.exe) is blank with the cursor flashing (if that's the correct expression).
Task manager shows it running but it's been a couple of hours with no change?

A batch file is the simplest of the simple - this one takes about 2-3 seconds to complete.

Works just fine on my XP box.

Try this - RightClick FixIt.bat and rename it FixIt.cmd and see if it will run properly.


If that fails, please try this:
Open a command prompt (START > RUN > type cmd > ENTER)
At the prompt, Copy & Paste each line in Red below one at a time and hit ENTER after each line (lines end with peek.txt).
(You could do it all at once, but I'd rather try line by line)

Please post the peek.txt and let me know if any errors occurred.

del /f "C:\FOUND.068" >>%systemdrive%\Peek.txt

del /f "C:\FOUND.067" >>%systemdrive%\Peek.txt

del /f "C:\documents and settings\Ronnie\Application Data\Macromedia\Common\8506002619.exe" >>%systemdrive%\Peek.txt

del /f "C:\documents and settings\Ronnie\Application Data\Macromedia\Common\850600261.dll" >>%systemdrive%\Peek.txt

del /f "C:\documents and settings\NetworkService\Application Data\Macromedia\Common\8506002619.exe" >>%systemdrive%\Peek.txt

reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WAB /f >>%systemdrive%\Peek.txt

reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run /v WAB /f >>%systemdrive%\Peek.txt

dir /a /s "C:\Program Files\Kontiki" >>%systemdrive%\Peek.txt

dir /a /s "C:\Program Files\Kazaa Lite" >>%systemdrive%\Peek.txt

dir /a /s "C:\Program Files\BearShare Applications" >>%systemdrive%\Peek.txt

dir /a /s "C:\program files\ewido" >>%systemdrive%\Peek.txt

notepad %systemdrive%\Peek.txt

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK Thanks for your help so far. Between you and MalwareBytes I got down to one evil Bug. I was able to get a program to create a bootable CD with McAfee on it. But their latest definition file didn't correct this rootkit problem. Hopefully no one else gets this.

Having not seen any logs, I am 100% guessing, but you may have one of the MBR Rootkits that is going around.
No need to panic.
If you can boot to recovery console (via Windows disc or burn an ISO) and use the fixmbr command, that might help.
Chances are also good that a valid system file has been modified (I see a lot of atapi.sys modifications) and with any luck, combofix will address that.

But again, if somebody in another forum is guiding you through combofix run, it is best you stick with them to avoid conflicting instructions.

-- You may suggest to them to talk you through the running of GMER as well.....

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hope I'm not doing something wrong.

I don't understand how you could possibly be doing anything wrong - not much to mess up :)

That is odd . . . No log pops up? Even if the batch file doesn't do anything, a log ought to pop up.

Based on the previous scanlogs, your machine is for the most part free of malware. Just a few minor cleanup items. So, I'm not sure what the problem could be in executing a simple batch file......

-- Were you able to uninstall combofix with no problems?

-- What does it say in the dos box when you run the batch file?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi
I got a thread from a tech at malwarebytes and loaded. 1st scan had 155 threats, now I'm down to 1 which keeps restarting. It's a rootkit and I was told to run combofix. . . .

If you are being helped in another forum, you should continue there.
Less confusion that way.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi there,
I don't understand why it's not working.
Everything seems ok, I drag the .txt file over, the green bar shows then the program runs.

That should've worked.

No worries - let's do this:

Let's remove Combofix and the files/folders it created:
• Click Start > Run
• Type or Copy&Paste ComboFix /Uninstall into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.


-- Then, please download the attached FixIt.zip and RightClick it and extract the FixIt.bat from the ZIP to the Desktop.
DoubleClick FixIt.bat to run it - should go really quickly.
A log will pop up upon completion - please post that for me.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Well . . . For some reason this isn't working.

That last one should've worked.
We'll just go ahead and remove those remaining items manually. I'll put something together to do that as soon as I get a bit of time.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi, hope this worked this time.
Command switches used :: c:\documents and settings\Ronnie\Desktop\CFScript.txt.url

Nope - Same problem.

RightClick on the attachment and choose to save it to the desktop as CFScript.txt
Then, please try again.

Hang in there - we'll get it :)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi, here's my latest log.
Cheers.

Hi Ronnie,

That did not run properly. You must download the CFScript .txt file to the desktop. Once the actual file is on the desktop, then you drag that over the combofix icon to start combofix.

Let's try that step again. I will attach a new CFScript.

-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log.


Cheers :)
PP
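The failure in the two replies above has the same cause each time: the browser saved an Internet Shortcut (a `.url` file) pointing at the attachment, and Windows Explorer, which hides the `.url` extension by default, displayed it as `CFScript.txt`. ComboFix then reported `CFScript.txt.url` as its "command switch" instead of reading a script. The following is an added example (not code from the thread or from ComboFix) that shows how to tell the two apart: it checks for the `[InternetShortcut]` header that every `.url` file begins with, flags the hidden double extension, and pulls out the URL the shortcut points at. The sample contents are constructed here for illustration.

```python
"""Distinguish a real text file named CFScript.txt from a .url shortcut
that a browser saved under that name (added example, not from the thread)."""
import os
import tempfile
from typing import Dict, List, Optional

# Every Windows Internet Shortcut is an INI-style text file whose first
# section is [InternetShortcut]; Explorer never shows the .url extension.
URL_SHORTCUT_HEADER = b"[internetshortcut]"
# Second extensions Explorer hides even with extension hiding turned off.
ALWAYS_HIDDEN_EXTENSIONS = (".url", ".lnk")

# Constructed sample contents (not real attachments from the thread).
SAMPLE_SHORTCUT = (
    b"[InternetShortcut]\r\n"
    b"URL=http://example.invalid/attachments/CFScript.txt\r\n"
)
SAMPLE_SCRIPT = (
    b"File::\r\nc:\\windows\\temp\\example_placeholder.dll\r\n"
    b"Folder::\r\nc:\\program files\\example_placeholder\r\n"
)


def classify_script_file(name: str, content: bytes) -> str:
    """Return 'url-shortcut', 'double-extension' or 'text'.

    Content is checked before the name: a shortcut is a shortcut even if
    the user renamed it, and a hidden second extension is still a problem
    even if the content happens to look harmless.
    """
    body = content.lstrip(b"\xef\xbb\xbf").lstrip()  # skip UTF-8 BOM/whitespace
    if body[: len(URL_SHORTCUT_HEADER)].lower() == URL_SHORTCUT_HEADER:
        return "url-shortcut"
    lowered = name.lower()
    if any(lowered.endswith(".txt" + ext) for ext in ALWAYS_HIDDEN_EXTENSIONS):
        return "double-extension"
    return "text"


def shortcut_target(content: bytes) -> Optional[str]:
    """Return the URL= value of an Internet Shortcut, or None if absent."""
    for line in content.decode("utf-8", "replace").splitlines():
        if line.lower().startswith("url="):
            return line[4:].strip()
    return None


def check_path(path: str) -> Dict[str, Optional[str]]:
    """Classify a file on disk and report what it really is."""
    with open(path, "rb") as fh:
        content = fh.read()
    kind = classify_script_file(os.path.basename(path), content)
    return {
        "name": os.path.basename(path),
        "kind": kind,
        "target": shortcut_target(content) if kind == "url-shortcut" else None,
    }


def demo() -> List[Dict[str, Optional[str]]]:
    """Write both samples to a temp directory and classify them."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        # What the browser actually saved (Explorer shows it as CFScript.txt).
        bad = os.path.join(tmp, "CFScript.txt.url")
        with open(bad, "wb") as fh:
            fh.write(SAMPLE_SHORTCUT)
        # What the helper wanted: the attachment's text saved as CFScript.txt.
        good = os.path.join(tmp, "CFScript.txt")
        with open(good, "wb") as fh:
            fh.write(SAMPLE_SCRIPT)
        results.append(check_path(bad))
        results.append(check_path(good))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Run it on a Desktop file with `check_path(r"C:\Documents and Settings\<user>\Desktop\CFScript.txt")`; a result of `url-shortcut` means the file must be re-saved with "Save link as" (or the attachment's text pasted into Notepad) before it is dragged onto ComboFix.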

PhilliePhan 171 Central Scrutinizer Team Colleague

Thank you again for your help, just one last question: what combo of free virus scanners/spyware scanners would you suggest? Right now I have AVG and Malwarebytes installed, along with Advanced SystemCare from IObit.

Happy to help :)

-- That's a very subjective question these days. There are a number of good tools out there and each has its legion of fans.

I think keeping MBAM on hand for "on demand" scanning is obviously a good idea.
Also, the Kaspersky Online Scan is good to use if you feel you need a "second opinion" to AVG.

There are many in the anti-malware community upset with IObit for their alleged recent theft of Malwarebytes' database, and they would recommend removing IObit. Personally, I have not looked too closely at IObit to know how effective it is.....


I do like the "real-time" protection afforded by WinPatrol
Likewise, I think SpywareBlaster is a good tool.

I like the tools from a-squared as well, but seem to be in the minority there. I believe they offer solid protection, but the detractors cite a number of false positives generated by their real-time protection heuristics.
Frankly, MBAM has done much worse in FPs the last few months - so, like I say, recommendations can be subjective.

Best thing you can do is keep all your protective measures up to date with builds and definitions. Keep your Java and …

PhilliePhan 171 Central Scrutinizer Team Colleague

Shall I carry on with your requests in the meantime?

Go ahead with the CFScript / Combofix step and we'll deal with the others later.

What's up on the AV front?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Again thanks for all your help.

Happy to help :)

-- What does the tray icon look like? Do you know what it belongs to?

-- What is UMANIYETASOYU.DLL?
Can you locate it and see what it belongs to or upload it for analysis at http://virusscan.jotti.org/en
It is likely not active, and fairly old, since it does not show in any of the logs.

Not sure what the issue is with the Kaspersky scanner... Probably some sort of security or network setting.
This one's a puzzler since I cannot see anything in the logs.
What browser did you use?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Error loading C:\Windows\TEMP\msxm192z.dll

If I am not mistaken, this is a WOW keylogger.
Looks like MBAM or another tool has removed it, hence the error when it tries to load.

-- Can you post your MBAM log?

Let's look to see if any other nasties remain:

-- Please run a scan with the Kaspersky Online Scanner 7.0
* Note that you may need to temporarily disable your Anti-virus program for the duration of this scan.

-- Accept the agreement and allow the scanner to load and update its definitions. This may take a few minutes.
-- After the program files are downloaded and the anti-virus database is successfully updated, please select the Scan section in the left part of the main program window.
-- Click My Computer to begin a complete scan of your computer, including critical areas.
-- Once the scan has finished, select the Reports section in the left part of the main program window. Click the Save report button in the report viewing window. The Saving window will open.
-- Name the file KAS 1 and choose to save it to the Desktop as a .txt file and then click the Save button.
Please post that for me.

THEN:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey Scott,

That last batch of logs looks OK.

I guess I was not seeing what I expected to see because it really wasn't there, LOL!
Sorry for making you do the extra scans.

How's the machine behaving?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I did have 3 lines that included along the lines of wormrader etc etc....

Happy XMas to you as well :)

Everything seems to be rootkitted these days, so you need to be extra vigilant. Looks to me like you're doing a good job.

Cheers,
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

At quick glance (and I mean very quick), those logs look OK.

If you want to double-check, you could try a scan with the Kaspersky Online Scanner 7.0
* Note that you may need to temporarily disable your Anti-virus program for the duration of this scan.

-- Accept the agreement and allow the scanner to load and update its definitions. This may take a few minutes.
-- After the program files are downloaded and the anti-virus database is successfully updated, please select the Scan section in the left part of the main program window.
-- Click My Computer to begin a complete scan of your computer, including critical areas.
-- Once the scan has finished, select the Reports section in the left part of the main program window. Click the Save report button in the report viewing window. The Saving window will open.
-- Name the file KAS 1 and choose to save it to the Desktop as a .txt file and then click the Save button.
Please post that for me - unless it's clean, of course.

If you like, there are also some rootkit scans you could try, but Kaspersky is pretty thorough....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi, thanks for your time.
Here's the log you requested

OK - That looks better. Still a few steps to do, though.


-- If your Norton has expired, you'll need to renew or replace it.
If you want a free alternative, uninstall Norton and replace it with Comodo Firewall + AV
But, you gotta have an up to date AV!

-- Is this folder still on your machine? --> c:\program files\ewido

-- I recommend uninstalling these as they pose security risks:
c:\Program Files\Kontiki
c:\Program Files\Kazaa Lite
c:\Program Files\BearShare Applications

LASTLY:
-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log.

And . . . We'll go from there :)
PP