[Resolved] Need to get rid of Virtumonde and Win32.TDSS.rtk.


This topic is locked
139 replies to this topic

#106 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 20 March 2009 - 05:16 PM

This topic has been reopened by request of the starter of this topic, or it has been moved to the correct forum.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days


Proud graduate of TC/WTT Classroom


#107 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 20 March 2009 - 05:36 PM

newbe17,

Download Rooter.exe to your desktop

  • Then double-click it to start the tool.
  • A Notepad file containing the report will open; it is also found at %systemdrive%\Rooter.txt. Post that here.

Also, please give me a new HijackThis log.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#108 Neo

Neo

    Silver Member

  • Guests
  • 374 posts

Posted 20 March 2009 - 08:55 PM

Tomk,
Hello and ty 4 ur time :) rooter log:

Microsoft Windows XP Home Edition (5.1.2600) Service Pack 3

C:\ [Fixed] - NTFS - (Total:69648 Mo/Free:820 Mo)
D:\ [Fixed] - FAT32 - (Total:6654 Mo/Free:1480 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
F:\ [Removable] (Total:0 Mo/Free:0 Mo)
G:\ [Removable] (Total:0 Mo/Free:0 Mo)
H:\ [Removable] (Total:0 Mo/Free:0 Mo)
I:\ [Removable] (Total:0 Mo/Free:0 Mo)

Fri 03/20/2009|20:58

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
--Locked-- oasrv.exe
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
---------- C:\Program Files\Alwil Software\Avast4\ashServ.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\Program Files\Java\jre6\bin\jqs.exe
---------- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
--Locked-- oacat.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\wdfmgr.exe
---------- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
---------- C:\WINDOWS\system32\wscntfy.exe
---------- C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
---------- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
---------- C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
---------- C:\Program Files\Java\jre6\bin\jusched.exe
---------- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
--Locked-- oaui.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\Program Files\Secunia\PSI\psi.exe
---------- C:\WINDOWS\System32\alg.exe
--Locked-- oahlp.exe
---------- C:\WINDOWS\ALCXMNTR.EXE
---------- C:\Program Files\Mozilla Firefox\firefox.exe
---------- c:\windows\system\hpsysdrv.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - Thu 03/12/2009| 2:37
2 - "C:\Rooter$\Rooter_2.txt" - Fri 03/20/2009|21:00

----------------------\\ Scan completed at 21:00

HijackThis log: (Please send me something underlining some startup programs I don't need, that will speed up this PC, it's lagging pretty bad.) Tom, this is REALLY WEIRD ... HijackThis has disappeared off my desktop, off my PC, I couldn't even find it in Program Files, had to re-download it. On that same note, I had a program "suddenly appear" on my desktop 2 days ago that I never use anymore, something I used before I did a system restore. It hung out for a while, I told my wife about it, she came over to see I wasn't lying, and just b4 she got to where I was, the derned thing took off and disappeared! (That was Adaware.) Does this sound like anything you've ever heard before? I KNOW I didn't get rid of it, and my wife and my dog sure didn't, lol. Anyway, I better get this log done before this HJT decides it's time to fly off somewhere. It's the old version, have to get the newest one, sigh.. What's this Hewlett Packard Boot Optimizer anyway? Does it need to be running on my system?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:57 PM, on 3/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1237323000500
O17 - HKLM\System\CCS\Services\Tcpip\..\{0064A5F4-20F9-40DD-8516-C7C7B21E6882}: NameServer = 207.65.4.25 216.153.94.101
O17 - HKLM\System\CS1\Services\Tcpip\..\{0064A5F4-20F9-40DD-8516-C7C7B21E6882}: NameServer = 207.65.4.25 216.153.94.101
O17 - HKLM\System\CS5\Services\Tcpip\..\{0064A5F4-20F9-40DD-8516-C7C7B21E6882}: NameServer = 207.65.4.25 216.153.94.101
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 5936 bytes




newbe 17
Best Wishes,

Neo
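The log above is what a helper reads by hand to answer "which of these startup programs do I need?". As an added example that is not part of the thread and not code from the HijackThis project, the Python below parses the O4 autostart, O17 DNS and O23 service lines of a HijackThis v2 log into structured records; the sample lines are modelled on the log above, except for one constructed autostart under a user-profile folder that is there only to exercise the location heuristic.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 log format, modelled on the log posted above.
# The 'updater' O4 line is NOT from the thread: it is a made-up entry under a user
# profile folder, added only to exercise the location heuristic below.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\updater.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0064A5F4-20F9-40DD-8516-C7C7B21E6882}: NameServer = 207.65.4.25 216.153.94.101
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
"""

# One regex per HJT section this example handles: O4 registry autostarts, O4 startup-folder
# shortcuts, O17 per-interface DNS servers and O23 services.
O4_REG = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_FOLDER = re.compile(r'^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$')
O17_DNS = re.compile(r'^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$')
O23_SVC = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$')


@dataclass
class Entry:
    kind: str          # 'run', 'startup-folder', 'nameserver', 'service' or 'other'
    name: str
    path: str = ''     # executable on disk, where the line has one
    detail: str = ''   # registry key, startup folder, vendor, or the DNS server list


def executable(cmd: str) -> str:
    """Strip arguments from an autostart command line to get the executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                        # quoted path: take up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r'\.exe\b', cmd, re.IGNORECASE)  # unquoted path, maybe with spaces and args
    return cmd[:m.end()] if m else cmd.split()[0]


def parse_hjt(text: str) -> list:
    """Turn a HijackThis log into Entry records; unrecognised lines are kept as 'other'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O4_REG.match(line):
            entries.append(Entry('run', m['name'], executable(m['cmd']), f"{m['hive']}\\..\\{m['key']}"))
        elif m := O4_FOLDER.match(line):
            entries.append(Entry('startup-folder', m['name'], executable(m['cmd']), m['where']))
        elif m := O17_DNS.match(line):
            entries.append(Entry('nameserver', m['key'], '', m['servers'].strip()))
        elif m := O23_SVC.match(line):
            entries.append(Entry('service', m['name'], m['path'].strip(), m['vendor']))
        else:
            entries.append(Entry('other', line.split(' ', 1)[0], '', line))
    return entries


def startup_programs(entries: list) -> list:
    """(name, executable) for everything that starts with Windows: the list a helper
    writes out by hand when asked which startup items a machine really needs."""
    return [(e.name, e.path) for e in entries if e.kind in ('run', 'startup-folder')]


def name_servers(entries: list) -> list:
    """Every DNS server configured on any interface (O17 lines), deduplicated."""
    servers = set()
    for e in entries:
        if e.kind == 'nameserver':
            servers.update(e.detail.split())
    return sorted(servers)


# Triage heuristic, not a verdict: legitimate software installs under these roots, so an
# autostart or service binary elsewhere (profile, temp, root of C:) deserves a second look.
TRUSTED_ROOTS = ('c:\\program files\\', 'c:\\progra~1\\', 'c:\\windows\\')


def outside_program_dirs(entries: list) -> list:
    return [e for e in entries
            if e.kind in ('run', 'startup-folder', 'service')
            and not e.path.lower().startswith(TRUSTED_ROOTS)]


if __name__ == '__main__':
    parsed = parse_hjt(SAMPLE_LOG)
    for name, exe in startup_programs(parsed):
        print(f'autostart  {name:20} {exe}')
    print('dns servers', name_servers(parsed))
    for e in outside_program_dirs(parsed):
        print(f'review     {e.name:20} {e.path}')
```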


#109 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 20 March 2009 - 10:20 PM

newbe17,

Not seeing a problem. Let's get a deeper look.

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, click Open and then click UPLOAD.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#110 Neo

Neo

    Silver Member

  • Guests
  • 374 posts

Posted 20 March 2009 - 11:07 PM

Tomk, I have been very busy strengthening up my defenses against malware, even got the Secunia PSI, ran the scan, got all the fixes I needed and it gives my PC 100% rating. Now that I'm done with all that I'm certain I will be able to respond and do tasks much quicker. Here are the files you requested:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Compaq_Owner at 23:48:56.54 on Fri 03/20/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237323000500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
TCP: {0064A5F4-20F9-40DD-8516-C7C7B21E6882} = 207.65.4.25 216.153.94.101
Notify: AtiExtEvent - Ati2evxx.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\evspears@hifo.net\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=us&.src=ym
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2009-03-20 16:08 <DIR> --d----- c:\docume~1\compaq~1\applic~1\Foxit
2009-03-20 16:08 <DIR> --d----- c:\program files\Foxit Software
2009-03-20 12:45 <DIR> --d----- c:\program files\Secunia
2009-03-19 22:30 <DIR> --d----- c:\docume~1\compaq~1\applic~1\OnlineArmor
2009-03-19 22:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\OnlineArmor
2009-03-19 22:29 29,384 a------- c:\windows\system32\drivers\OAmon.sys
2009-03-19 22:29 190,664 a------- c:\windows\system32\drivers\OADriver.sys
2009-03-19 22:29 28,872 a------- c:\windows\system32\drivers\OAnet.sys
2009-03-19 22:29 <DIR> --d----- c:\program files\Tall Emu
2009-03-19 22:29 <DIR> --d----- C:\OnlineArmor
2009-03-19 17:52 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-03-19 14:42 <DIR> --d----- c:\docume~1\compaq~1\applic~1\FreshDiagnose
2009-03-19 14:41 <DIR> --d----- c:\program files\FreshDevices
2009-03-18 21:52 459,264 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-18 21:52 52,224 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-18 21:52 267,776 -------- c:\windows\system32\dllcache\iertutil.dll
2009-03-18 21:52 383,488 -------- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-18 21:52 63,488 -------- c:\windows\system32\dllcache\icardie.dll
2009-03-18 21:52 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-03-18 21:52 2,455,488 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-03-18 21:52 991,232 -------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-18 21:52 6,066,688 -------- c:\windows\system32\dllcache\ieframe.dll
2009-03-18 18:09 <DIR> --d----- c:\program files\MSXML 4.0
2009-03-18 16:27 333,952 -------- c:\windows\system32\dllcache\srv.sys
2009-03-18 15:09 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-18 14:33 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2009-03-18 14:27 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-18 14:27 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-18 14:27 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-18 14:27 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-18 13:59 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2009-03-18 13:15 <DIR> --d----- c:\program files\Messenger
2009-03-18 13:15 <DIR> --d----- c:\windows\system32\scripting
2009-03-18 13:15 <DIR> --d----- c:\windows\l2schemas
2009-03-18 13:15 <DIR> --d----- c:\windows\system32\en
2009-03-18 13:15 <DIR> --d----- c:\windows\system32\bits
2009-03-18 13:12 <DIR> --d----- c:\windows\ServicePackFiles
2009-03-18 13:02 <DIR> --d----- c:\windows\EHome
2009-03-18 03:13 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2009-03-17 16:01 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-03-17 15:49 <DIR> --dsh--- c:\documents and settings\compaq_owner\UserData
2009-03-17 13:39 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-17 13:39 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-17 13:39 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-16 12:42 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll
2009-03-16 12:27 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2009-03-16 12:17 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-03-15 16:10 <DIR> --d----- C:\KAV
2009-03-15 09:41 <DIR> --d----- c:\documents and settings\compaq_owner\DoctorWeb
2009-03-14 23:54 <DIR> --d-h--- c:\windows\$hf_mig$
2009-03-14 22:32 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-14 16:12 <DIR> --d-h--- c:\windows\PIF
2009-03-13 18:21 <DIR> --d----- c:\program files\Full Tilt Poker.Net
2009-03-12 02:36 <DIR> --d----- C:\Rooter$
2009-03-09 17:12 <DIR> --d----- c:\program files\Trend Micro
2009-03-05 19:00 <DIR> --d----- c:\windows\Speeditup Free

==================== Find3M ====================

2009-03-19 18:51 8,704 a--sh--- c:\program files\Thumbs.db
2009-03-18 13:19 81,867 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-18 13:19 45,056 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
2009-03-18 13:19 163,840 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemcheck.dll
2009-03-18 13:19 61,440 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemutil.dll
2009-03-18 13:19 44,032 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
2009-03-18 13:19 40,960 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\ScDmi.dll
2009-03-18 13:19 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\uploadHSC.dll
2009-03-18 13:19 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\Scom.dll
2009-03-18 13:19 287,310 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\HPBasicDetection.dll
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 06:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2006-09-04 18:02 11,682,968 a------- c:\program files\setupeng.exe
2006-09-03 15:37 11,746,992 a------- c:\program files\antivir_workstation_win7u_en_h.exe
2006-08-25 12:23 56,742 a------- c:\program files\vdl.dat
2006-08-25 10:30 452,719 a------- c:\program files\sarman.pdf

============= FINISH: 23:51:11.26 ===============

I haven't had time enough to run another Spybot scan to be sure about the Virtumonde; last time it scanned it was a boot time scan, said it found it and fixed it, but I'm not so sure. I'm reasonably sure it got the Win32.TDSS.rtk. newbe17 :popcorn:
Best Wishes,

Neo


#111 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 20 March 2009 - 11:24 PM

newbe17,

I'm not seeing Vundo or TDSS. :unsure:


Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#112 Neo

Neo

    Silver Member

  • Guests
  • 374 posts

Posted 20 March 2009 - 11:54 PM

Tom, that takes me hours on dial-up (Kaspersky). I tried it the night I posted this thread, knowing that was what you would want me to do; it took over 8 hours and I was asleep when it finished, and got booted while I was asleep and lost it - again. If I start it now, I'll have to go to bed soon, and insanity is doing the same thing over and over, expecting different results, lol. Isn't there anything else we can try? newbe17
Best Wishes,

Neo


#113 Neo

Neo

    Silver Member

  • Guests
  • 374 posts

Posted 20 March 2009 - 11:58 PM

Tom, this machine takes wayyyy too long for Windows to boot up; I have wayyy too many processes going on and wayyy too many programs running at startup. I just don't know which ones to take off. I deleted a bunch of programs I never use, hoping it would somehow speed things up, but it seems the other way around. newbe17
Best Wishes,

Neo


#114 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 21 March 2009 - 05:57 AM

newbe17,

Unfortunately, the only way I can tell what is going on with your computer is to see scan logs. When I can't get them, I can't tell much. Also when I get them, I need them to be intact. (The last DDS log you gave me is missing a section of information. I have no idea why you would edit it but it makes it extremely difficult to help you).

8 hrs is not a ridiculously long Kaspersky scan. 22 hrs is.

You don't seem to have a large number of running processes.

You have very few startup entries:
HP Boot Optimizer
RealPlayer updater
Avast
Java
QuickTime loader
Online Armor

The infections you have alluded to are very serious. But I can't seem to find them on your machine. :wacko:

Please download gmer.zip from Gmer and save it to your desktop.

  • Right click on gmer.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will start extracting.
  • Once done, check (tick) the Show extracted files box and click Finish.
  • Double click on gmer.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the Gmer scan log and post it in your next reply.
  • Close Gmer.
  • Open Command Prompt by going to Start > Run and type in cmd. Press Enter.
  • In Command Prompt, type in net stop gmer. Press Enter.
  • Type in exit to close Command Prompt.

Note: Do not run any programs while Gmer is running.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#115 Neo

Neo

    Silver Member

  • Guests
  • 374 posts

Posted 21 March 2009 - 09:52 AM

Tom, I did not "edit" anything. What I cannot figure out is what would lead you to believe I would ever do anything knowingly to compromise the betterment of my own PC. :unsure: Maybe I overlooked a script block or something. :smack: I have nothing to hide, and would be more than happy to make certain no scripts are blocked - how do I do that with XP? I'm not sure. If you would please tell me how, I'd be more than happy to re-download DDS and do another scan 4 ya. newbe17
Best Wishes,

Neo


#116 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 21 March 2009 - 10:06 AM

newbe17, I don't think you were knowingly compromising your PC. I couldn't come up with a way to accidentally not copy a portion of a log. The DDS log you posted is missing the last line of the header, plus all of the first section. Kind of weird. Not super important right now. The thing is, nothing is showing. Specifically nothing related to Vundo or TDSS. Often hidden rootkits are involved. Gmer is probably the best tool we have at uncovering hidden rootkits. Go ahead and post the Gmer log.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#117 Neo

Neo

    Silver Member

  • Guests
  • 374 posts

Posted 21 March 2009 - 10:50 PM

Hi Tom,
Here is the gmer file you requested and thank you very much :


GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-21 23:35:26
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwAllocateVirtualMemory [0xF6B38800]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwAssignProcessToJobObject [0xF6B38E20]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF6A706B8]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwConnectPort [0xF6B372F0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateFile [0xF6B457B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF6A70574]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreatePort [0xF6B36FA0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateProcess [0xF6B34400]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateProcessEx [0xF6B347D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateSection [0xF6B33F20]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateThread [0xF6B357D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDebugActiveProcess [0xF6B362E0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDeleteFile [0xF6B462C0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDeleteKey [0xF6B44080]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF6A70A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF6A7014C]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateKey [0xF6B45750]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateValueKey [0xF6B45780]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwLoadDriver [0xF6B382D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwLoadKey [0xF6B44E20]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenFile [0xF6B45ED0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF6A7064E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF6A7008C]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenSection [0xF6B34190]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF6A700F0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwProtectVirtualMemory [0xF6B38AB0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueryKey [0xF6B456F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF6A7076E]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueueApcThread [0xF6B38FA0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwReplaceKey [0xF6B451C0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwRequestWaitReplyPort [0xF6B37E60]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF6A7072E]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwResumeThread [0xF6B369B0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSaveKey [0xF6B456D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSecureConnectPort [0xF6B376B0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetContextThread [0xF6B36100]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetInformationFile [0xF6B46580]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetSystemInformation [0xF6B36460]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF6A708AE]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwShutdownSystem [0xF6B381D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSuspendProcess [0xF6B36B60]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSuspendThread [0xF6B367E0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSystemDebugControl [0xF6B36640]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwTerminateProcess [0xF6B35590]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwTerminateThread [0xF6B35F30]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwUnloadDriver [0xF6B384F0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwWriteVirtualMemory [0xF6B38C60]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504518 12 Bytes [A0, 6F, B3, F6, 00, 44, B3, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504854 12 Bytes [60, 6B, B3, F6, E0, 67, B3, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[164] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\Program Files\Tall Emu\Online Armor\oacat.exe[340] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\csrss.exe[344] KERNEL32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\winlogon.exe[368] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\services.exe[412] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 716F003D
.text ...
.text C:\WINDOWS\ALCXMNTR.EXE[892] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00960001
.text C:\WINDOWS\ALCXMNTR.EXE[892] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\ALCXMNTR.EXE[892] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\ALCXMNTR.EXE[892] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\WINDOWS\ALCXMNTR.EXE[892] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\ALCXMNTR.EXE[892] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Tall Emu\Online Armor\oasrv.exe[988] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B30001
.text C:\Program Files\Tall Emu\Online Armor\oasrv.exe[988] user32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0B001E
.text C:\Program Files\Tall Emu\Online Armor\oasrv.exe[988] user32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F05001E
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01520001
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 024F0001
.text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 716F003D
.text C:\WINDOWS\Explorer.EXE[1068] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[1068] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\Program Files\Java\jre6\bin\jqs.exe[1948] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text c:\windows\system\hpsysdrv.exe[2056] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009E0001
.text c:\windows\system\hpsysdrv.exe[2056] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text c:\windows\system\hpsysdrv.exe[2056] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text c:\windows\system\hpsysdrv.exe[2056] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text c:\windows\system\hpsysdrv.exe[2056] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text c:\windows\system\hpsysdrv.exe[2056] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\wscntfy.exe[2184] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B30001
.text C:\WINDOWS\system32\wscntfy.exe[2184] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wscntfy.exe[2184] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wscntfy.exe[2184] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\wscntfy.exe[2184] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\wscntfy.exe[2184] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F100F5A
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2372] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C30001
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2372] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2372] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2372] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2372] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2372] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F100F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[2420] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E70001
.text C:\Program Files\Java\jre6\bin\jusched.exe[2420] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[2420] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[2420] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\Program Files\Java\jre6\bin\jusched.exe[2420] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[2420] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F100F5A
.text C:\Program Files\Tall Emu\Online Armor\oaui.exe[2492] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 014F0001
.text C:\Program Files\Tall Emu\Online Armor\oaui.exe[2492] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\Program Files\Tall Emu\Online Armor\oaui.exe[2492] USER32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0B001E
.text C:\Program Files\Tall Emu\Online Armor\oaui.exe[2492] USER32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F05001E
.text C:\Program Files\Tall Emu\Online Armor\oahlp.exe[2632] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FE0001
.text C:\Program Files\Tall Emu\Online Armor\oahlp.exe[2632] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\Program Files\Tall Emu\Online Armor\oahlp.exe[2632] USER32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0B001E
.text C:\Program Files\Tall Emu\Online Armor\oahlp.exe[2632] USER32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F05001E
.text C:\Documents and Settings\Compaq_Owner\Desktop\gmer.exe[2896] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CE0001
.text C:\Documents and Settings\Compaq_Owner\Desktop\gmer.exe[2896] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Documents and Settings\Compaq_Owner\Desktop\gmer.exe[2896] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Documents and Settings\Compaq_Owner\Desktop\gmer.exe[2896] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\Documents and Settings\Compaq_Owner\Desktop\gmer.exe[2896] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Documents and Settings\Compaq_Owner\Desktop\gmer.exe[2896] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\ctfmon.exe[3136] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C40001
.text C:\WINDOWS\system32\ctfmon.exe[3136] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[3136] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\ctfmon.exe[3136] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\ctfmon.exe[3136] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\ctfmon.exe[3136] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F100F5A
.text C:\Program Files\Secunia\PSI\psi.exe[3344] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F20001
.text C:\Program Files\Secunia\PSI\psi.exe[3344] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Secunia\PSI\psi.exe[3344] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Secunia\PSI\psi.exe[3344] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\Program Files\Secunia\PSI\psi.exe[3344] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Secunia\PSI\psi.exe[3344] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\System32\alg.exe[3532] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[3828] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [FA12C3B0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [FA12C410] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [FA12C6C0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [FA12C700] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [FA12C6C0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [FA12C410] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [FA12C3B0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [FA12C6C0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [FA12C700] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [FA12C3B0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [FA12C410] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[412] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[412] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\IPMULTICAST OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\ddcxz@DisplayName Security Driver
Reg HKLM\SYSTEM\ControlSet001\Services\ddcxz@Type 32
Reg HKLM\SYSTEM\ControlSet001\Services\ddcxz@Start 2
Reg HKLM\SYSTEM\ControlSet001\Services\ddcxz@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\ddcxz@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet001\Services\ddcxz@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet001\Services\ddcxz@Description Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
Reg HKLM\SYSTEM\ControlSet001\Services\ddcxz\Parameters
Reg HKLM\SYSTEM\ControlSet001\Services\ddcxz\Parameters@ServiceDll C:\WINDOWS\system32\jfxfwse.dll
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee@DisplayName Center Time
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee@Description Monitors system security settings and configurations.
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee\Parameters
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee\Parameters@ServiceDll C:\WINDOWS\system32\jfxfwse.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxpavymrmt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet004\Services\dbthee@DisplayName Center Time
Reg HKLM\SYSTEM\ControlSet004\Services\dbthee@Type 32
Reg HKLM\SYSTEM\ControlSet004\Services\dbthee@Start 2
Reg HKLM\SYSTEM\ControlSet004\Services\dbthee@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\dbthee@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet004\Services\dbthee@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet004\Services\dbthee@Description Monitors system security settings and configurations.
Reg HKLM\SYSTEM\ControlSet004\Services\dbthee\Parameters
Reg HKLM\SYSTEM\ControlSet004\Services\dbthee\Parameters@ServiceDll C:\WINDOWS\system32\jfxfwse.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxpavymrmt.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules

---- EOF - GMER 1.0.15 ----

Should I keep gmer on my desktop or just delete the program?

newbe17
Best Wishes,
Neo



#118 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 22 March 2009 - 12:12 AM

newbe17,

It appears that everything we removed before has been re-installed. :pullhair: Keep gmer because we're going to run it again.

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Services
    ddcxz
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ddcxz]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\dbthee]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gaopdxserv.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\dbthee]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\gaopdxserv.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\ddcxz]
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ddcxz]
    
    :Files
    c:\windows\system32\jfxfwse.dll
    c:\windows\system32\drivers\gaopdxpavymrmt.sys
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Then, please run gmer again.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
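Added example, not code from the thread or from GMER or OTMoveIt3: a Python script that parses the Reg lines of the GMER log above into per-service records, groups them by the file each hidden service actually loads (which is how ddcxz and dbthee turn out to be the same jfxfwse.dll), and writes the OTMoveIt3 :Services/:Reg/:Files directives that Tomk assembled by hand. The sample log is constructed from the entries above and the function names are my own.

```python
"""Turn the 'Registry' section of a GMER log into OTMoveIt3 directives.
GMER lists a service key there when it sees it in the raw hive but the normal
registry API does not, so every service in that section is a removal candidate."""
import re
from collections import defaultdict

# Constructed sample: a subset of the GMER registry lines from the log above.
SAMPLE_LOG = r"""
---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\ddcxz@DisplayName Security Driver
Reg HKLM\SYSTEM\ControlSet001\Services\ddcxz@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet001\Services\ddcxz\Parameters
Reg HKLM\SYSTEM\ControlSet001\Services\ddcxz\Parameters@ServiceDll C:\WINDOWS\system32\jfxfwse.dll
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee@DisplayName Center Time
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee\Parameters@ServiceDll C:\WINDOWS\system32\jfxfwse.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxpavymrmt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules

---- EOF - GMER 1.0.15 ----
"""

# One 'Reg' line: HKLM\SYSTEM\ControlSetNNN\Services\<svc>[\sub-key][@name value]
REG_LINE = re.compile(
    r"^Reg HKLM\\SYSTEM\\(?P<cs>ControlSet\d+)\\Services\\(?P<svc>[^\\@\s]+)"
    r"(?:\\[^\\@\s]+)*"                       # optional sub-key such as \Parameters
    r"(?:@(?P<name>\S+)(?:\s+(?P<val>.*))?)?\s*$"
)


def parse_registry_section(log_text):
    """Return {(controlset, service): {value_name: value}}. Value names are
    lower-cased because GMER prints them exactly as each hive spells them."""
    records = {}
    for line in log_text.splitlines():
        m = REG_LINE.match(line)
        if not m:
            continue
        values = records.setdefault((m["cs"], m["svc"]), {})
        if m["name"]:
            values[m["name"].lower()] = (m["val"] or "").strip()
    return records


def to_file_path(value, system_root=r"C:\WINDOWS"):
    """Normalise the spellings of the Windows directory seen in ImagePath/ServiceDll."""
    v = value.strip().strip('"')
    low = v.lower()
    for prefix in ("%systemroot%", r"\systemroot", r"\??\c:\windows", r"c:\windows"):
        if low.startswith(prefix):
            return system_root + v[len(prefix):]
    return v


def payload_files(records):
    """Map each payload file to the services that load it: ServiceDll for an
    svchost-hosted service, ImagePath otherwise. svchost.exe is the host, not
    the payload, so it is never listed for deletion."""
    by_file = defaultdict(set)
    for (_cs, svc), vals in records.items():
        image = vals.get("imagepath", "")
        path = vals.get("servicedll") if "svchost.exe" in image.lower() else image
        if path:
            by_file[to_file_path(path)].add(svc)
    return dict(by_file)


def otmoveit_script(records):
    """Emit the script block in OTMoveIt3's own :Section syntax (see the post above)."""
    lines = [":Processes", "explorer.exe", "", ":Services"]
    lines += sorted({svc for _cs, svc in records})
    lines += ["", ":Reg"]
    for cs, svc in sorted(records):
        lines.append("[-HKEY_LOCAL_MACHINE\\SYSTEM\\%s\\Services\\%s]" % (cs, svc))
    lines += ["", ":Files"]
    lines += sorted(payload_files(records))
    lines += ["", ":Commands", "[purity]", "[emptytemp]", "[start explorer]", "[Reboot]"]
    return "\n".join(lines)
```

The generated block is a starting point for review, not a replacement for it: a helper still checks each payload path and key against the rest of the log before handing the script to the user.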
 

#119 Neo

Neo

    Silver Member

  • Guests
  • PipPipPip
  • 374 posts

Posted 22 March 2009 - 10:27 AM

Tom, Hmmm.... I have seen infected files recreate themselves before, right before my eyes as I was manually deleting them, so this is not a shock to me. The culprit is usually sitting close by, not too far away. At least we have made huge strides as far as my pc's ability to open web sites and gain access to valuable tools, so your time and effort in the past in this case has not been a vain effort ;)

Why didn't you just have me click the clean up button on old timer instead of "just" moving the files? It seems to me that cleaning them up would be more of a thorough process, wouldn't you agree? :unsure: There is also a seemingly very nice little tool I just recently found in my malwarebytes program called "file assassin". It is "supposed to" delete files that become locked onto my pc. Sounds VERY intriguing, doesn't it? :popcorn: Maybe you could just point them out to me (I don't recall how to get into those type of files) and I could just pick'em off one at a time with my trusty file assassin ;)

Anyway, here is your log, and once again thank you for your time, Tom :) Oh, and one more thing, just to kinda set your mind at ease about a particular issue - I was copying and pasting using my mouse, right clicking and dragging over the text and then copying it to notepad, instead of simply right clicking in the text box and choosing the option to select all and then copying. I think that pretty much explains to both of us how the log I sent to you had some text missing from it ;)

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
Service\Driver ddcxz not found.
Service\Driver ddcxz not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ddcxz\\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\dbthee\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gaopdxserv.sys\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\dbthee\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\gaopdxserv.sys\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\ddcxz\\ not found.
Registry key HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ddcxz\\ deleted successfully.
========== FILES ==========
File/Folder c:\windows\system32\jfxfwse.dll not found.
File/Folder c:\windows\system32\drivers\gaopdxpavymrmt.sys not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\etilqs_1jZBlGocWvxrUg5oIOJg scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_55c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_79c.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\evspears@hifo.net\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\evspears@hifo.net\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\evspears@hifo.net\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\evspears@hifo.net\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\evspears@hifo.net\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\evspears@hifo.net\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03222009_103000

Files moved on Reboot...
File C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\etilqs_1jZBlGocWvxrUg5oIOJg not found!
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat moved successfully.
File C:\WINDOWS\temp\_avast4_\Webshlock.txt not found!
C:\WINDOWS\temp\Perflib_Perfdata_55c.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_79c.dat not found!
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\evspears@hifo.net\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\evspears@hifo.net\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\evspears@hifo.net\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\evspears@hifo.net\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\evspears@hifo.net\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\evspears@hifo.net\XUL.mfl moved successfully.

Please let me know in your next post what you think about all I've just said? Thanks again :) Newbe17 :thumbup:
Best Wishes,
Neo



#120 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 22 March 2009 - 10:56 AM

newbe17, The cleanup button doesn't do what you think it does apparently. It cleans up the tools used. If you would have used cleanup, you wouldn't have made corrections to your system, you would have "cleaned" OTMoveIt3 off of it.

FileAssassin is a very powerful file remover. However, we edited the registry, which makes FileAssassin the wrong tool for the job. :)

Copy/pasting the information in portions instead of all at once sure could account for missing information. :thumbup:

Now, have you got a new gmer report?
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 
