
Starbuck

ExTS Admin
Everything posted by Starbuck

  1. Hi wireddj
     Sorry, but the help system doesn't work like that. Every time you run extra scans that one of us doesn't ask for.... you change everything and confusion sets in. Plus reading the reports isn't a 10-minute job, it does take time. If 2 helpers are using their time to go through your reports, it's wasting both helpers' time. Please decide who is helping you and let me and the other helper know.
  2. Hi wireddj
     It's OK, I had those results in the 1st report. I see that you ran ComboFix this morning :mad:
     Let me have the combofix.txt that was produced. You'll find a copy at: C:\ComboFix.txt

     Double click on OTL.exe to run it.
     Copy the lines in the codebox below. (Make sure that :Otl is on the first line.)

         :Otl
         O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
         O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - No CLSID value found.
         O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - Reg Error: Value error. File not found
         O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
         O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No CLSID value found.
         O4 - HKCU..\Run: [startServiceEFFDME] C:\Users\Demented Blaster\AppData\Local\EFFDME\StartService.exe File not found
         O4 - HKLM..\RunOnce: [] File not found
         O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
         O15 - HKCU\..Trusted Domains: auioz.info ([]https in Trusted sites)
         O15 - HKCU\..Trusted Domains: kuaiche.com ([software] http in Trusted sites)
         O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
         O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found
         O20 - Winlogon\Notify\klogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
         O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
         @Alternate Data Stream - 1210 bytes -> C:\Users\Demented Blaster\AppData\Local\f6k50JBrcNI:kst0Lb9K4A2lxGI1Wc6pE
         @Alternate Data Stream - 1200 bytes -> C:\Users\Demented Blaster\AppData\Local\qRbi6T2jAIurL:8oJ7sQ0MUdpqZKg1NpE3Ige2vK1
         @Alternate Data Stream - 1175 bytes -> C:\Users\Demented Blaster\AppData\Local\kZr1vxHtCGqPRaJ:p3zeBxP6gllwy2p27IXj3vXWw
         @Alternate Data Stream - 1152 bytes -> C:\ProgramData\Microsoft:kup8QuWpb8r19NndbbDRSg35AFl
         @Alternate Data Stream - 1050 bytes -> C:\ProgramData\Microsoft:YnfShpa3CkvakXlJcB3jvN2e2TH
         :commands
         [emptytemp]
         [purity]
         [RESETHOSTS]
         [EMPTYFLASH]

     Return to OTL, right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
     http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
     Click the red Run Fix button.
     http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
     OTL will reboot your system once the fix has completed. After the reboot, you may need to double click OTL to launch the program and retrieve the log.
     Copy and paste the contents of the OTL log that comes up after the fix in your next reply. If you lose the report, there will be a copy here: C:\_OTL\MovedFiles

     In your next reply, please submit:
     Combofix.txt
     OTL fix report
     Thanks.
  3. Please try and calm down. All of us 'helpers' have full time jobs and help here in our spare time. I'm currently working away from home, but have taken a look at your report.
     The reason you only had the main.txt was that you have run OTL twice. OTL only gives the 2 reports on a 1st run (by default) unless run differently.
     As you have run OTL previously you will have to run it again using these instructions:

     Double click on OTL.exe to run it.
     Under the Extra Registry section, select Use SafeList.
     Don't check the boxes beside 'LOP Check' and 'Purity Check' this time.
     Click on Run Scan at the top left hand corner.
     When done, two Notepad files will open.
     Please post the contents of these 2 Notepad files in your next reply. Add them both as attachments if they are too large.

     There are problems showing in the main.txt that we need to address, but I need both reports to make a full diagnosis.
     Thanks
  4. Just to elaborate on what BeeCeeBee has suggested: try one or both of these and see if your connection comes back.

     Click Start...Run...
     Type in (or copy and paste) ipconfig /flushdns then click the 'Enter' key.
     You'll get a confirmation that the flush was successful.
     Remember that there is a space between the g and the /

     FOR CONNECTION PROBLEMS:
     Click on Start... Control Panel, select the 'Network and Internet Connections' category or double click on Network Connections, depending on which View you are using.
     Then right click on your default connection, usually 'Local Area Connection' for cable and DSL, and left click on Properties.
     Double-click on the 'Internet Protocol (TCP/IP)' item.
     Write down the settings in case you should need to change them back.
     Select the radio dial that says 'Obtain DNS servers automatically'.
     Press OK twice to get out of the properties screen and reboot if it asks. If it does not prompt you to reboot, go ahead and reboot manually.

     If that doesn't get it, try this one:
     Go to Start... Run and type in cmd
     A DOS window will appear.
     Type in the DOS window: netsh winsock reset
     Click on the 'Enter' key.
     Reboot your system to complete the process.
  5. Hi and http://fc05.deviantart.com/fs38/f/2009/001/9/d/Welcome_by_Artush.gif It's good to see you here.
  6. Cheers Nev. The more people that know of it, the better.
  7. On the heels of a worm that was installing backdoors on Windows systems via Yahoo Instant Messenger comes a new worm that is even more sophisticated in its social engineering and payload, security firm Bkis said on Friday. The malware arrives via instant message through Yahoo or Skype with any one of a number of messages, including "Does my new hair style look good? bad? perfect?" or "My printer is about to be thrown through a window if this pic won't come out right. You see anything wrong with it?" Bkis wrote in a blog post. http://img.photobucket.com/albums/v708/starbuck50/SkypeWorm.png The message includes a link to a Web page that looks like it leads to a JPEG, or image file. When the link is clicked on, the browser displays an interface that looks like the RapidShare Web hosting site and offers up a ZIP file for download. The extracted file is actually an executable file with a .com extension. The malware, which Bkis has detected as "W32.Skyhoo.Worm," disappears if the computer does not have Skype or Yahoo Messenger installed. It automatically sends messages with varying content and malicious links to contacts in the victim's IM list and automatically injects a malicious link in e-mail messages and Word or Excel files that the user is composing, Bkis said. The worm also connects to an IRC server to receive remote commands, blocks antivirus software, uses a rootkit technique to hide its files and processes and automatically copies itself onto USB drives to spread, according to Bkis. Source: New version of Yahoo IM worm hits Skype too | InSecurity Complex - CNET News
  8. Hi Yockie, Like RandyL says, thank you for those kind words. Helping you wasn't a problem at all, sometimes comments like yours make this job worthwhile. Thank you again. What RandyL is getting at (I think) is that some manufacturers don't actually supply installation discs.... they put a copy of the OS on to a hidden partition on the computer. You then reinstall from this OS image. So giving the information as asked for may be beneficial to you.
  9. Hi wireddj
     Depending on the malware, anything is possible, especially if the drives are using the same operating system. This is why most anti virus/anti malware programs will scan all your drives. A lot of malware nowadays is root-kitted; this means that the malware is hidden from a lot of scanners. SAS and MBAM should be able to detect a lot of rootkits. Once you have run the OTL program, I'll take a look, then maybe we'll run a dedicated rootkit scan. But let's see the results first. If SAS and MBAM remove anything, let me have those results as well. Thanks.
  10. There are definitely some underlying issues on the system. Without getting the fix to run or any of the other scans, we're going to be struggling. It's a pity you don't have the Operating disc... this would have made life a lot easier. A repair install may have sorted out the problems without losing any of the data stored on the system. I'd suggest starting to back up any data you require from the system and then possibly acquiring an operating disc and reformatting the whole disc. At least this way you will have a nice clean start. Sorry I couldn't have been of more help.
  11. Hi Yockie, we'll have to stop meeting like this.... people will talk.
     http://fc06.deviantart.com/fs4/i/2004/250/7/1/ROFL_by_b4sti.gif
     OK, good news and bad news. The good news.... the scan report is a lot smaller now and the date is correct. The bad news...... the fix didn't run successfully before.
     Let's go for this again:

     Double click on OTL.exe to run it.
     Copy the lines in the codebox below. (Make sure that :Otl is on the first line.)

         :Otl
         PRC - C:\Program Files\securus\SecurusClient\securusn.exe ()
         MOD - C:\Program Files\securus\SecurusClient\support.dll ()
         SRV - (AntiVirService) -- File not found
         SRV - (AntiVirSchedulerService) -- File not found
         DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
         DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
         DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
         O4 - HKLM..\Run: [avgnt] H:\Personal Data\Avira\AntiVir Desktop\avgnt.exe File not found
         O4 - HKLM..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe File not found
         O4 - HKLM..\Run: [securus Network Client] C:\Program Files\securus\SecurusClient\securusn.exe ()
         O4 - HKLM..\Run: [uSBScan.exe] H:\Personal Data\USBScan\USBScan.exe File not found
         O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
         O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab (Reg Error: Key error.)
         O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
         O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38173.1592361111 (Reg Error: Key error.)
         O33 - MountPoints2\{d1473aa9-1fd4-11dc-9ead-4d6564696130}\Shell\AutoRun\command - "" = F:\InstallTomTomHOME.exe -- File not found
         [2010/04/03 13:43:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.GMS-3IBDCJ3IZYP\Application Data\Avira
         [2009/12/17 20:43:34 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
         [2009/12/17 20:43:33 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
         [2009/12/17 20:43:33 | 000,051,992 | ---- | C] (AVIRA GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
         [2009/12/17 20:43:33 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
         [2009/12/17 20:43:24 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
         [2009/12/17 20:42:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
         [2009/12/03 13:56:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\McAfee
         [2008/04/16 17:08:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
         :Files
         C:\Program Files\securus
         :commands
         [emptytemp]
         [purity]
         [EMPTYFLASH]

     Return to OTL, right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
     http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
     Click the red Run Fix button.
     http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
     OTL will reboot your system once the fix has completed. After the reboot, you may need to double click OTL to launch the program and retrieve the log.
     Copy and paste the contents of the OTL log that comes up after the fix in your next reply. If you lose the report, there will be a copy here: C:\Program Files\_OTL\MovedFiles (based on your header)
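The fix scripts in posts 2 and 11 are built by picking out the OTL log entries that are dangling (marked "File not found", "No CLSID value found" or "Reg Error"), plus Trusted Domains entries and Alternate Data Streams, and pasting them under :Otl with a :commands section. The Python below is an added example, not code from these posts or from OTL itself; it applies those selection rules to a constructed sample of log lines in the same shape and emits a fix script in the same layout. The marker strings and the per-category reasons are my own assumptions about how the helper reads the log.

```python
import re

# Constructed sample: OTL log lines of the kinds quoted in the posts above
# (orphaned O2/O4/O16 entries, a Trusted Domains entry, an Alternate Data
# Stream, and one healthy signed driver line that should NOT be flagged).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - Reg Error: Value error. File not found
O4 - HKCU..\Run: [startServiceEFFDME] C:\Users\Demented Blaster\AppData\Local\EFFDME\StartService.exe File not found
O15 - HKCU\..Trusted Domains: auioz.info ([]https in Trusted sites)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
@Alternate Data Stream - 1210 bytes -> C:\Users\Demented Blaster\AppData\Local\f6k50JBrcNI:kst0Lb9K4A2lxGI1Wc6pE
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
"""

# Markers OTL appends when a registry entry points at something that no
# longer exists (assumed rule): the entry is a dangling reference.
ORPHAN_MARKERS = ("File not found", "No CLSID value found", "Reg Error")
ENTRY_RE = re.compile(r"^(O\d+) - ")
ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+)$")


def classify(line: str):
    """Return (reason, line) for a line worth putting in the fix, else None."""
    line = line.strip()
    m = ADS_RE.match(line)
    if m:
        # An unexpected ADS on a profile directory hides data from Explorer
        # and from most tools; the posts list every one of them for removal.
        return ("alternate data stream, %s bytes" % m.group(1), line)
    m = ENTRY_RE.match(line)
    if not m:
        return None  # PRC/DRV/SRV lines are left to the helper's judgement
    kind = m.group(1)
    if kind == "O15":
        # A domain in the Trusted sites zone runs with relaxed IE security.
        return ("domain added to Trusted sites", line)
    if any(marker in line for marker in ORPHAN_MARKERS):
        return ("orphaned %s entry" % kind, line)
    return None


def build_fix_script(log_text: str) -> str:
    """Turn the flagged lines into an OTL fix script in the layout the posts
    use: a ':Otl' section with the entries to remove, then ':commands'."""
    flagged = [hit for hit in map(classify, log_text.splitlines()) if hit]
    body = [":Otl"] + [entry for _, entry in flagged]
    body += [":commands", "[emptytemp]", "[purity]"]
    return "\n".join(body)


if __name__ == "__main__":
    for reason, entry in filter(None, map(classify, SAMPLE_LOG.splitlines())):
        print("%-38s %s" % (reason, entry[:60]))
    print(build_fix_script(SAMPLE_LOG))
```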
  12. Hi wireddj, If the scan seems to get stuck, try leaving it for a while. This program doesn't work like Windows wants it to.... so sometimes it seems to get stuck, but isn't. If it doesn't complete..... just run it again, only this time don't add the extra scans. You shouldn't have a problem then.
  13. Ok, go back in to normal mode and let me have the fresh OTL report. Thanks.
  14. OK, I see what you mean now about the black screen. Btw: Dr Web won't run properly in normal mode.
  15. Those look like typical safe mode screens. It does load like that. Are you in safe mode now?
  16. The first program will actually stop everything from running when it does the scan. So if there's anything bad going on... it'll stop it. It will then reboot your system to ensure that all temp files have been removed. The second will run in safe mode, but like I say it will give us a better report if run in normal mode. A typical scan should take no longer than about 3 - 4 mins.
  17. Let's have a better look at your system. If you can run these programs in normal mode it will give us a much better report.

     Step 1
     Download TFC by OldTimer to your desktop
     Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
     It will close all programs when run, so make sure you have saved all your work before you begin.
     Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
     Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

     Step 2
     Download OTL to your desktop. If you have problems, try this download link: OTL
     Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
     When the window appears, underneath Output at the top change it to Minimal Output.
     Check the boxes beside LOP Check and Purity Check.
     http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png
     Now copy the lines in the codebox below.

         netsvcs
         msconfig
         %SYSTEMDRIVE%\*.exe
         /md5start
         eventlog.dll
         scecli.dll
         netlogon.dll
         cngaudit.dll
         sceclt.dll
         ntelogon.dll
         logevent.dll
         iaStor.sys
         nvstor.sys
         atapi.sys
         IdeChnDr.sys
         viasraid.sys
         AGP440.sys
         vaxscsi.sys
         nvatabus.sys
         viamraid.sys
         nvata.sys
         nvgts.sys
         iastorv.sys
         ViPrt.sys
         eNetHook.dll
         ahcix86.sys
         KR10N.sys
         nvstor32.sys
         ahcix86s.sys
         nvrd32.sys
         symmpi.sys
         adp3132.sys
         /md5stop
         %systemroot%\*. /mp /s
         %systemroot%\system32\*.dll /lockedfiles
         %systemroot%\Tasks\*.job /lockedfiles
         %systemroot%\system32\drivers\*.sys /lockedfiles
         CREATERESTOREPOINT

     Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
     http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
     Click the Run Scan button.
     http://img.photobucket.com/albums/v708/starbuck50/runscan.png
     Do not change any settings unless otherwise told to do so. The scan won't take long.
     When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
     Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

     In your next reply, please submit:
     Both reports from OTL
     Thanks.
  18. Thanks for that. I'll move this thread to the 'Malware Removal' forum, it'll be easier to deal with there.
  19. Nooo, I just like the idea of a challenge ;) Yep, no need looking for an invisible file. :D

     Step 1
     Plan 'c': Download this program and then transfer it to the bad system:
     Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.
     Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.
     Reboot your computer into SAFE MODE using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Use the ENTER key to make your selection. Then choose your normal account.
     Scan with DrWeb-CureIt as follows:
     Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
     Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
     Once the short scan has finished, Click Options > Change settings
     Choose the "Scan tab" and UNcheck "Heuristic analysis"
     Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
     Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
     When done, a message will be displayed at the bottom advising if any viruses were found.
     Click "Yes to all" if it asks if you want to cure/move the file.
     When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
     (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
     Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
     Save the DrWeb.csv report to your desktop.
     Exit Dr.Web Cureit when done.
     Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
     After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
     Note: Some sites don't allow .csv files to be posted. If this is the case here, the report may need to be renamed to Dr.Web.txt in order to post it on the forum.
     During the scan, a pop-up window may open asking for full version purchase. Simply close the window by clicking on the X in the upper right corner.

     Step 2
     Let me have a fresh OTL report so that I can see if the files were removed or not.
     Start OTL..... just click the scan button. It'll probably only produce the main.txt.... that's all I need.

     In your next reply, please submit:
     Dr Web scan report
     New OTL main.txt
     Thanks.
  20. Hi wireddj
     Could you let me have the scan reports for these programs, so that I can take a look at what was removed.

     SuperAntiSpyware:
     To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
     Click Preferences, then click the Statistics/Logs tab.
     Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
     If there are several logs, click the current dated log and press View log.
     A text file will open in your default text editor.
     Please copy and paste the Scan Log results in your next reply.
     Click Close to exit the program.

     MalwareBytes:
     Start MBAM.
     Click on the 'Logs' tab.
     The reports are date stamped.... double click on the one that removed items.
     It will open in Notepad, just copy and paste the results in your next reply.
     Thanks.
  21. What I meant was, that instead of doing a search for the file..... just take a look at the 'C' drive contents and see if the file is there. If not.... Plan 'C' :p
  22. OK, if CF has finished, it should have put the report on your screen. If it didn't, you should find a copy at: C:\ComboFix.txt
  23. On very rare occasions it has taken about 3 - 4 hours.... but this is very rare. What is the screen saying? Has it scanned and rebooted the system? Is it saying that it's preparing the log report?
  24. http://fc06.deviantart.com/fs4/i/2004/250/7/1/ROFL_by_b4sti.gif
     A sense of humour always helps when working with PCs. A CF scan can take anything from a couple of minutes to about half an hour.... depending on the system. I have confidence that we'll get some sort of report.