1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Solved Slow PC and fake virus warnings PC #2

Discussion in 'Malware and Virus Removal Archive' started by palljim23, 2010/01/01.

Page 2 of 2
  1. 2010/02/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok :)...
     
    broni,
    #21
  2. 2010/03/07
    palljim23

    palljim23 Inactive Thread Starter

    Joined:
    2010/01/01
    Messages:
    67
    Likes Received:
    0
    Any update on what I need to do with this PC?

    Thank you
     
    palljim23,
    #22


  3. to hide this advert.

  4. 2010/03/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Kaspersky's scan?
     
    broni,
    #23
  5. 2010/03/11
    palljim23

    palljim23 Inactive Thread Starter

    Joined:
    2010/01/01
    Messages:
    67
    Likes Received:
    0
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Tuesday, March 9, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Sunday, March 07, 2010 22:06:01
    Records in database: 3731822
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\
    Z:\

    Scan statistics:
    Objects scanned: 242786
    Threats found: 5
    Infected objects found: 14
    Suspicious objects found: 0
    Scan duration: 05:06:05


    File name / Threat / Threats count
    C:\hp\recovery\wizard\fscommand\AppRecoveryLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
    C:\hp\recovery\wizard\fscommand\CDLogic_ret.exe Infected: Trojan-Spy.Win32.Agent.bdzz 1
    C:\hp\recovery\wizard\fscommand\CreatorLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
    C:\hp\recovery\wizard\fscommand\RecordnowLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
    C:\hp\recovery\wizard\fscommand\RestoreLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
    C:\hp\recovery\wizard\fscommand\RTCDLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
    C:\hp\recovery\wizard\fscommand\RunLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
    C:\hp\recovery\wizard\fscommand\SysRecoveryLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
    C:\hp\recovery\wizard\fscommand\WizardLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
    C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll Infected: not-a-virus:AdWare.Win32.WebHancer.x 1
    Z:\Music\Lance\installm19.exe Infected: not-a-virus:AdWare.Win32.WurldMedia.j 1
    Z:\CC_D\Lisa & Lance\installm19.exe Infected: not-a-virus:AdWare.Win32.WurldMedia.j 1
    Z:\CC_G\_JIM\_JIM\installm19.exe Infected: not-a-virus:AdWare.Win32.WurldMedia.j 1
    Z:\CC_G\_JIM\_JIM\Morph20.exe Infected: not-a-virus:AdWare.Win32.WurldMedia.a 1

    Selected area has been scanned.
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:00:31 AM, on 3/11/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16981)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\LSI SoftModem\agrsmsvc.exe
    C:\WINDOWS\arservice.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\ARPWRMSG.EXE
    C:\Program Files\DISC\DiscUpdateMgr.exe
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Java\jre6\bin\java.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
    O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [Logitech Vid] "C:\Program Files\Logitech\Logitech Vid\vid.exe" -bootmode
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

    --
    End of file - 8493 bytes
     
    palljim23,
    #24
  6. 2010/03/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download OTM

    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes

:Services

:Reg

:Files
C:\hp\recovery\wizard\fscommand\AppRecoveryLink_ret.exe 
C:\hp\recovery\wizard\fscommand\CDLogic_ret.exe 
C:\hp\recovery\wizard\fscommand\CreatorLink_ret.exe 
C:\hp\recovery\wizard\fscommand\RecordnowLink_ret.exe 
C:\hp\recovery\wizard\fscommand\RestoreLink_ret.exe 
C:\hp\recovery\wizard\fscommand\RTCDLink_ret.exe 
C:\hp\recovery\wizard\fscommand\RunLink_ret.exe 
C:\hp\recovery\wizard\fscommand\SysRecoveryLink_ret.exe 
C:\hp\recovery\wizard\fscommand\WizardLink_ret.exe 
C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll 
Z:\Music\Lance\installm19.exe 
Z:\CC_D\Lisa & Lance\installm19.exe 
Z:\CC_G\_JIM\_JIM\installm19.exe 
Z:\CC_G\_JIM\_JIM\Morph20.exe
      
:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]
    • Return to OTM, right click in the Paste Instructions for Items to be Movedwindow (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
     
    broni,
    #25
  7. 2010/03/13
    palljim23

    palljim23 Inactive Thread Starter

    Joined:
    2010/01/01
    Messages:
    67
    Likes Received:
    0
    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\hp\recovery\wizard\fscommand\AppRecoveryLink_ret.exe moved successfully.
    C:\hp\recovery\wizard\fscommand\CDLogic_ret.exe moved successfully.
    C:\hp\recovery\wizard\fscommand\CreatorLink_ret.exe moved successfully.
    C:\hp\recovery\wizard\fscommand\RecordnowLink_ret.exe moved successfully.
    C:\hp\recovery\wizard\fscommand\RestoreLink_ret.exe moved successfully.
    C:\hp\recovery\wizard\fscommand\RTCDLink_ret.exe moved successfully.
    C:\hp\recovery\wizard\fscommand\RunLink_ret.exe moved successfully.
    C:\hp\recovery\wizard\fscommand\SysRecoveryLink_ret.exe moved successfully.
    C:\hp\recovery\wizard\fscommand\WizardLink_ret.exe moved successfully.
    C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll moved successfully.
    File/Folder Z:\Music\Lance\installm19.exe not found.
    File/Folder Z:\CC_D\Lisa & Lance\installm19.exe not found.
    File/Folder Z:\CC_G\_JIM\_JIM\installm19.exe not found.
    File/Folder Z:\CC_G\_JIM\_JIM\Morph20.exe not found.
    ========== COMMANDS ==========
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: HP_Administrator

    User: HP_Administrator.YOUR-4DACD0EA75
    ->Temp folder emptied: 142629595 bytes
    ->Temporary Internet Files folder emptied: 3963173 bytes
    ->Java cache emptied: 12251858 bytes
    ->Google Chrome cache emptied: 71217228 bytes
    ->Flash cache emptied: 45679 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 16786 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 14082 bytes

    User: NetworkService
    ->Temp folder emptied: 40216 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 225480 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 220.00 mb


    OTM by OldTimer - Version 3.1.10.0 log created on 03132010_174757

    Files moved on Reboot...
    File C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temp\hsperfdata_HP_Administrator\4048 not found!
    C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temporary Internet Files\Content.IE5\XBW9PBKW\011948938270[1].htm moved successfully.
    C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temporary Internet Files\Content.IE5\XBW9PBKW\L[1].htm moved successfully.
    C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temporary Internet Files\Content.IE5\XBW9PBKW\p-01-0VIaSjnOLg[1].gif moved successfully.
    C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temporary Internet Files\Content.IE5\Q7RR41YD\info[1].htm moved successfully.
    C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temporary Internet Files\Content.IE5\Q7RR41YD\pngbehavior[1].htc moved successfully.
    C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temporary Internet Files\Content.IE5\Q5WD8N41\free-virus-scanner[1].htm moved successfully.
    C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temporary Internet Files\Content.IE5\PC1BEOEQ\ads[1].htm moved successfully.
    C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temporary Internet Files\Content.IE5\PC1BEOEQ\p-01-0VIaSjnOLg[1].gif moved successfully.
    C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temporary Internet Files\Content.IE5\BFV06QXG\89906-active-slow-pc-fake-virus-warnings-pc-2-a-2[1].htm moved successfully.
    C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

    Registry entries deleted on Reboot...
     
    palljim23,
    #26
  8. 2010/03/13
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    • Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator ")
    • Click on the CleanUp! button and follow the prompts.
    • You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
    • After the reboot all the tools we used should be gone.
    • The tool will delete itself once it finishes.

    ===================================================================

    Verify your Java version here: http://www.java.com/en/download/installed.jsp
    Update, if necessary.
    Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista).

    =================================================================


    Your computer is clean :)

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore ".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C: ")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure, Windows Updates are current.

    [SIZE= "4"]5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately![/SIZE]

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please, let me know, how is your computer doing.
     
    broni,
    #27
  9. 2010/03/13
    palljim23

    palljim23 Inactive Thread Starter

    Joined:
    2010/01/01
    Messages:
    67
    Likes Received:
    0
    It seems to be running fine now. Thank you so much for your help and patience during this process.
     
    palljim23,
    #28
  10. 2010/03/13
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're very welcome :)
    Happy computing :)
     
    broni,
    #29
Page 2 of 2

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...