
Dell laptop, Latitude D610, possible hack [Closed]

painfully slow double text entry

30 replies to this topic

#16 OtterTF (New Member, Authentic Member, 19 posts)

Posted 15 January 2014 - 11:07 PM

Tom, I need to take a break from this... Seems that somewhere during these processes my Nikon program has quit working as it had previously. Photographs are very important to my business, so this problem is troubling to me. BEFORE, when I inserted a photo card into the E drive, the drive automatically opened with the option to transfer photos to a folder on Nikon. NOW, they do not... I have to download manually from the E drive via My Computer. Therefore, after modifying the photo, I have to save it manually. And then the "deleted" original *which I sometimes have to use later* is permanently gone (unless I forever keep gobs of photos on E-drives). The deleted photos do NOT show in my Recycle Bin, so there is no way for me to access them again if necessary within the required "six months".

 

I only delete items in the Bin after six months from payment... but now it is Empty. hmmm, and won't hold my photos now.




#17 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 16 January 2014 - 12:25 AM

OK... there are several issues there:

 

#1.  I know nothing about the Nikon program so I don't know what can currently be the problem.

 

#2.  The automatic running of programs on flash drives is a "dangerous" process, which is why Microsoft terminated this process on each operating system since XP.  Several years ago Microsoft recommended that XP users disable this - and several security tools (including ones we run) do this.  However, triggering a program to run (such as an audio file triggering Windows Media Player) is still acceptable and should continue to work.  It's been a while, but if your issue is the former (autoplay not working), I don't recommend it but I can probably help.  If your issue is the latter (not triggering your program) - then this is something I haven't seen before and I'd have to do some more research to see if I can offer reasonable advice.

 

#3.  The empty recycle bin.  Many (if not the majority) of security tools will delete your temporary files as a matter of course.  The reasons for this are multiple: a multitude of malware hides there, trojans often open there before executing, and (in theory) temp files are relatively worthless and should systematically expire anyway.  The recycle bin "saves" deleted file information in temp files, so usually when temp files are deleted... the recycle bin is emptied.  It doesn't always work in XP, but it may be possible to restore them using a restore point prior to my having you run tools.

 

#4.  Deleted photos don't go to the recycle bin.  Again... I've never seen this.  Are you sure?  Perhaps they do go to the recycle bin, but then I had you run a tool and they went away again?  Is that possibly what you are seeing?


Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#18 OtterTF (New Member, Authentic Member, 19 posts)

Posted 20 January 2014 - 01:37 PM

Thanks for your responses, Tom. I could be using the wrong terminology in describing the problems (or not fully understanding your terms), but anyway this laptop is a "dated" hand-me-down and the Nikon camera/program is circa 2002... I can probably re-install the program to get the editing function back but for now will just do it the slow way. The Nikon program installs from a disk onto the computer; after taking photos, the card is inserted into a "compact flash" (reader?) and then stuck into a hole in the side of the laptop. There is a "ding" and then a window pops up asking if I want to transfer photos. I click on Transfer, and then all the photos are transferred to a file in a Nikon folder in My Pictures. I can modify the image, rename it, save the new image, and then delete the original. The deleted original then goes into the Recycle Bin.

Is that the same process as the "automatically running of programs on flash drives" that is dangerous?

If running some of the malware/security tools automatically empties the recycle bin, I can just make a new folder with a different name and stick the photos I'm not using (but need to keep) in that one.

 

 

Is there anything else we can do to speed up this computer? Still very slow loading pages, even non-internet ones, and also getting the "program not responding" message very often when trying to close out.



#19 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 20 January 2014 - 03:41 PM

I guess it is similar... but not actually the same thing.  The "dangerous" activity is programs automatically running from the removable device.  What you are doing is not automatically running a program.  Your system just recognizes that there are pictures on the CF card and asks if you want to run your photo editing program.  This isn't "dangerous".

 

It sounds like you are talking about Nokia pc suite.  As far as I know this program is still available.  However, I don't believe that anything we did should have changed the way it functions.  Also, the issue that you seem to be having sounds like it is the computer not recognizing that you installed the flash card, rather than the program not doing what it should.  I'll try to do some research and get back to you.

 

We can try running a couple of programs that remove common junk files.  This can sometimes speed things up.... but I'd like to see combofix run on your system, when you get a chance, to see if it can find something more nefarious.

 

Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7/8, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

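The distinction Tomk draws in the two posts above, between AutoRun (an autorun.inf on the media telling Explorer to launch a program) and AutoPlay (Explorer recognising pictures on the card and offering a handler), is the one that matters for a camera card. The script below is an added example, not code from this thread or from any of the tools it discusses. It parses an autorun.inf and reports whether it would launch code, and it decodes the NoDriveTypeAutoRun policy value that the XP-era hardening advice sets to 0xFF. The autorun.inf samples are constructed; the bit meanings follow Microsoft's documentation of that value, and the 0x91 "loose" value is an illustrative setting, not a claim about this laptop's configuration.

```python
"""Added example: AutoRun (code launched from autorun.inf) versus AutoPlay
(a content prompt), plus decoding of the NoDriveTypeAutoRun policy bitmask.
The autorun.inf samples are constructed for this example."""
import configparser

# [autorun] directives that make Explorer launch a program when media arrives.
EXEC_KEYS = ("open", "shellexecute")

# Bits of NoDriveTypeAutoRun under HKLM (or HKCU)\Software\Microsoft\Windows\
# CurrentVersion\Policies\Explorer. A set bit DISABLES AutoRun for that drive
# type; 0xFF is the "all drive types" value Microsoft recommended for XP.
DRIVE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "unknown",
}
ALL_DISABLED = 0xFF
LOOSE_POLICY = 0x91  # illustrative: only unknown and network types disabled


def parse_autorun_inf(text):
    """Describe what an autorun.inf would do if AutoRun honoured it."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(text)
    result = {"launches_code": False, "targets": [], "verbs": [], "cosmetic": []}
    if not cp.has_section("autorun"):
        return result
    for key, value in cp["autorun"].items():
        if key in EXEC_KEYS:
            result["targets"].append(value)          # open= / shellexecute=
        elif key.startswith("shell\\") and key.endswith("\\command"):
            result["verbs"].append(value)            # shell\<verb>\command=
        elif key in ("icon", "label"):
            result["cosmetic"].append(key)           # harmless: drive icon/name
    # "action=" only labels the AutoPlay dialog entry; it is the verb or
    # open= behind it that runs code, so cosmetic keys never set this flag.
    result["launches_code"] = bool(result["targets"] or result["verbs"])
    return result


def disabled_drive_types(policy_value):
    """Decode NoDriveTypeAutoRun into the drive types with AutoRun switched off."""
    return {name for bit, name in DRIVE_BITS.items() if policy_value & bit}


def autorun_would_run(policy_value, drive_type, inf_text):
    """True if inserting `drive_type` media carrying `inf_text` launches code."""
    if drive_type in disabled_drive_types(policy_value):
        return False
    return parse_autorun_inf(inf_text)["launches_code"]


# Constructed samples: what a camera card might carry, and a worm-style file.
CAMERA_CARD_INF = """[autorun]
icon=photos.ico
label=Camera card
"""
WORM_STYLE_INF = """[autorun]
open=RECYCLER\\setup.exe
shellexecute=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
shell=open
action=Open folder to view files
"""

if __name__ == "__main__":
    for name, inf in (("camera card", CAMERA_CARD_INF), ("worm style", WORM_STYLE_INF)):
        print(name, parse_autorun_inf(inf))
    print("0xFF disables:", sorted(disabled_drive_types(ALL_DISABLED)))
    print("0x91 leaves removable media enabled:",
          autorun_would_run(LOOSE_POLICY, "removable", WORM_STYLE_INF))
```

A camera card's autorun.inf, if it has one at all, carries only icon= and label=; open=, shellexecute= and shell\...\command entries are what the USB worms of that period used. On an XP box the effective policy can be read with `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun` (and the same path under HKCU), and the value 0xFF is the one the security tools Tomk mentions set.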

#20 OtterTF (New Member, Authentic Member, 19 posts)

Posted 26 January 2014 - 01:27 PM

Here's the log from JRT:

(What is the difference between an anti-virus program and a firewall? I disabled the anti-virus function on MS Security Essentials, but couldn't see how to disable the firewall... and will that affect the JRT log, etc?)

 

****************

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.0 (01.07.2014:1)
OS: Microsoft Windows XP x86
Ran by User on Sun 01/26/2014 at 11:59:54.37
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\dw7
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\escort.escortiepane
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\escort.escortiepane.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\protector_dll.protectorbho
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\protector_dll.protectorbho.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\escort.dll
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\escortapp.dll
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\escorteng.dll
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\escortlbr.dll
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\esrv.exe
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\yontooieclient.dll
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{4D5132DD-BB2B-4249-B5E0-D145A8C982E1}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{8BE10F21-185F-4CA0-B789-9921674C3993}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{FD8F79A0-D2E2-4FA2-AEAF-393EAC8064F7}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\speedypc software
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\babylon
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\speedypc software
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\systweak
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\tarma installer
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\babylon.dskbnd
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\babylon.dskbnd.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\bbylnapp.appcore
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\bbylnapp.appcore.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\bbylntlbr.bbylntlbrhlpr
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\bbylntlbr.bbylntlbrhlpr.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\prod.cap
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\speedupmypc
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\yontooieclient.api
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\yontooieclient.api.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\yontooieclient.layers
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\yontooieclient.layers.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\babylontoolbar
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{e55e7026-ef2a-4a17-aaa7-db98ea3fd1b1}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4B2468513CA2D6943A1A233CD3F88CE7
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Documents and Settings\User\Application Data\babylontoolbar"
Successfully deleted: [Folder] "C:\Documents and Settings\User\Application Data\drivercure"
Successfully deleted: [Folder] "C:\Documents and Settings\User\Application Data\inboxdollars"
Successfully deleted: [Folder] "C:\Documents and Settings\User\Application Data\systweak"
Successfully deleted: [Folder] "C:\Documents and Settings\User\Local Settings\Application Data\wajam"
Successfully deleted: [Folder] "C:\Program Files\babylontoolbar"
Successfully deleted: [Folder] "C:\Program Files\coupons"
Successfully deleted: [Folder] "C:\Program Files\yontoo"
 
 
 
~~~ FireFox
 
Successfully deleted: [File] C:\user.js
Successfully deleted: [File] C:\Documents and Settings\User\Application Data\mozilla\firefox\profiles\lx37whw3.default\user.js
 
 
 
~~~ Chrome
 
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\dhkplhfnhceodhffomolpfigojocbpcb
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 01/26/2014 at 12:04:15.43
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#21 OtterTF (New Member, Authentic Member, 19 posts)

Posted 26 January 2014 - 01:29 PM

Here is the AdwCleaner log:

****

# AdwCleaner v3.017 - Report created 26/01/2014 at 12:06:38
# Updated 12/01/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : User - USER-PC
# Running from : C:\Documents and Settings\User\My Documents\Downloads\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
File Found : C:\Program Files\Mozilla Firefox\user.js
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\Microsoft\Babylon
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{7E84186E-B5DE-4226-8A66-6E49C6B511B4}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKLM\Software\Classes\Installer\Features\6207E55EA2FE71A4AA7ABD89AEF31D1B
Key Found : HKLM\Software\Classes\Installer\Products\6207E55EA2FE71A4AA7ABD89AEF31D1B
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{E55E7026-EF2A-4A17-AAA7-DB98EA3FD1B1}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\BabylonToolbar
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Wajam
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\6207E55EA2FE71A4AA7ABD89AEF31D1B
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1
Key Found : HKLM\Software\Uniblue
Key Found : HKLM\Software\Uniblue\DriverScanner
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
Setting Found : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page] - hxxps://mail.google.com/mail/?shva=1#inbox
 
-\\ Mozilla Firefox v17.0.1 (en-US)
 
[ File : C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\lx37whw3.default\prefs.js ]
 
Line Found : user_pref("browser.startup.homepage", "hxxps://mail.google.com/mail/u/0/?shva=1#inbox");
Line Found : user_pref("extentions.y2layers.defaultEnableAppsList", "Buzzdock,Buzzdock,");
Line Found : user_pref("extentions.y2layers.installId", "dd994682-8015-46d8-93d2-f491d999d46b");
 
-\\ Google Chrome v32.0.1700.76
 
[ File : C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
 
Found : homepage
 
*************************
 
AdwCleaner[R0].txt - [2916 octets] - [26/01/2014 12:06:38]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2976 octets] ##########
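The two logs above are flat lists of paths with no triage attached. The script below is an added example, not part of the thread and not output of JRT or AdwCleaner: it parses both log formats into records, sorts each entry by what it means for cleanup (an autostart entry, a browser add-on, a COM registration, an installer leftover), and intersects the GUIDs seen by both tools. The sample lines are copied from the two logs in this thread; the category keyword lists are this example's own heuristics.

```python
"""Added example: structure JRT and AdwCleaner log lines, classify each item
for triage, and cross-reference GUIDs between the two tools' findings.
The sample lines are copied from the logs posted in this thread."""
import re
from collections import Counter, defaultdict

# JRT: 'Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\...'
JRT_RE = re.compile(r'^Successfully deleted: \[(?P<kind>[^\]]+)\]\s+"?(?P<target>.+?)"?$')
# AdwCleaner: 'Key Found : HKCU\...', 'File Found : C:\...', 'Line Found : user_pref(...)'
ADW_RE = re.compile(r'^(?P<kind>Key|File|Folder|Line|Setting) Found : (?P<target>.+)$')
GUID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')

HIVES = {"HKEY_CLASSES_ROOT": "HKCR", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_USERS": "HKU"}


def normalise(target):
    """Short hive names so JRT (long form) and AdwCleaner (short form) compare."""
    for long_name, short in HIVES.items():
        if target.upper().startswith(long_name):
            return short + target[len(long_name):]
    return target


def classify(target):
    """Heuristic triage bucket; keyword lists are this example's own."""
    t = target.lower()
    if "\\currentversion\\run" in t:
        return "persistence"   # autostart entry (Run/RunOnce): check first
    if any(s in t for s in ("\\ext\\settings", "\\ext\\stats", "\\ext\\preapproved",
                            "chrome\\extensions", "user.js", "user_pref(",
                            "[start page]")):
        return "browser"       # IE BHO/toolbar state, forced Chrome extension, FF prefs
    if any(s in t for s in ("\\clsid\\", "\\interface\\", "\\typelib\\", "\\appid\\")):
        return "com"           # COM registration left behind by a BHO or toolbar
    if any(s in t for s in ("\\uninstall\\", "\\installer\\", "arpcache")):
        return "installer"     # Add/Remove Programs and MSI leftovers
    return "other"


def parse_log(text, tool):
    """Return one record per matching line: tool, kind, normalised target, category."""
    regex = JRT_RE if tool == "jrt" else ADW_RE
    records = []
    for line in text.splitlines():
        m = regex.match(line.strip())
        if m:
            target = normalise(m.group("target"))
            records.append({"tool": tool, "kind": m.group("kind"),
                            "target": target, "category": classify(target)})
    return records


def summarise(records):
    return Counter(r["category"] for r in records)


def shared_guids(*record_sets):
    """GUIDs that appear in more than one tool's findings (same component seen twice)."""
    seen = defaultdict(set)
    for records in record_sets:
        for r in records:
            for g in GUID_RE.findall(r["target"]):
                seen[g.upper()].add(r["tool"])
    return sorted(g for g, tools in seen.items() if len(tools) > 1)


JRT_SAMPLE = r"""
Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\dw7
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\babylontoolbar
Successfully deleted: [Folder] "C:\Program Files\yontoo"
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\dhkplhfnhceodhffomolpfigojocbpcb
"""
ADW_SAMPLE = r"""
Key Found : HKCU\Software\Microsoft\Babylon
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Wajam
File Found : C:\Program Files\Mozilla Firefox\user.js
Line Found : user_pref("extentions.y2layers.installId", "dd994682-8015-46d8-93d2-f491d999d46b");
"""

if __name__ == "__main__":
    jrt, adw = parse_log(JRT_SAMPLE, "jrt"), parse_log(ADW_SAMPLE, "adwcleaner")
    print("JRT:", summarise(jrt))
    print("AdwCleaner:", summarise(adw))
    print("seen by both tools:", shared_guids(jrt, adw))
```

Two things the raw logs show once they are structured: the single "persistence" hit is the HKCU Run value `dw7`, the only entry that would have started something at logon; and the GUID {DF7770F7-832F-4BDF-B144-100EDDD0C3AE} turns up in both logs, with JRT removing its per-user Ext\Stats entry while AdwCleaner still finds the machine-wide CLSID and PreApproved registration, which is the kind of leftover that makes running more than one cleanup tool worthwhile.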


#22 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 26 January 2014 - 03:55 PM

You did fine.  Firewall is not typically a problem for our tools.

 

The firewall is like the moat around the castle.  It keeps "things" from being able to access your computer - without permission.  Firewalls can be set up to allow certain programs.   This is like ordering that the drawbridge be lowered every time the sentry recognizes them - without gaining specific approval for this visit.

 

Your antivirus is like the security check at the airport.  Once you've gained admittance, the "security check" gives you a cursory look over to see if you look suspicious, takes a quick peek inside your luggage, and checks your ID to see if you are on any "no fly" lists.  These "no fly" lists are known as definitions.  This is why you need an anti-virus program that updates daily, so that your list can be updated to the most current known "bad guys".

 

Your anti spyware program is like your neighborhood watch.  It keeps an eye on what is going on.  It looks for something out-of-the-ordinary.  It perhaps is a little like the NSA as it watches to see if the programs make "suspicious calls home".  These calls home can be inviting nefarious friends to the party, or they could be reporting your habits so that ads can "target" what is hoped to be your preferences.

 

Anti-Malware (like Malwarebytes') does the work of the anti-spyware program as well as it looks for many "issues" that anti-virus might pick up (like a few worms, and many trojans) but might not have been active when they went through the security point so they were missed.

 

The programs you just ran look for misc. known garbage and foistware.  These are programs that typically install, without your permission, when you are installing a program you really wanted.  These take the form of adware, toolbars, and sometimes hijacking of your searches.  Typically this type of program does not "destroy" your system, but they steal resources for their use so that you can't use them.  This makes your system lethargic and draggy.  Sometimes it's even worse because the parasite program is poorly written and it "scrambles" something in your operating system - an unintended consequence.  By the way... anti-spyware/anti-malware programs look for these also... but there are so many out there that often I will have people run Mbam, JRT, and AdwCleaner.  Three programs that target the same thing... and each seems to get part of them.

 

Now... I'd like you to run one more scan for me before I declare that your issue is not malware related.  Be prepared that this scan will take hours.

 

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: [image EOLS1.gif]

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: [image EOLS2.gif]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image EOLS3.gif]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: [image EOLS4.gif]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
 

 



#23 OtterTF (New Member, Authentic Member, 19 posts)

Posted 26 January 2014 - 09:55 PM

ESET log:

*****

ESETSmartInstaller@High as downloader log:
Can not read file from internet.
ESETSmartInstaller@High as downloader log:
Can not read file from internet.
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=329ad32d401654488e7efce900f08524
# engine=16805
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-01-27 03:40:05
# local_time=2014-01-26 08:40:05 (-0700, Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5892 16777213 88 94 5653063 46420708 0 0
# scanned=42721
# found=9
# cleaned=0
# scan_time=2387
sh=E90684A7D9D2D3AB8428AEBCCA964E077F34DF44 ft=1 fh=a9cc839b9994eecc vn="Win32/DownloadAdmin.G application" ac=I fn="C:\Program Files\Efficient Calendar Free\cbsidlm-tr1_6-Efficient_Calendar_Free-10920848.exe"
sh=E90684A7D9D2D3AB8428AEBCCA964E077F34DF44 ft=1 fh=a9cc839b9994eecc vn="Win32/DownloadAdmin.G application" ac=I fn="C:\Program Files\Efficient Diary\cbsidlm-tr1_6-Efficient_Diary-10910951.exe"
sh=6DFCA434D960FE1DE95CC52ADF6309433F7A98DB ft=1 fh=5999566e15da64a2 vn="a variant of Win32/InstallCore.AG application" ac=I fn="C:\Program Files\Mozilla Firefox\mozilla-firefox-toDownload.exe"
sh=B859E1E3C5F38DA8EA82D4940325EC60B19FF339 ft=1 fh=30f7fbf806dee4f1 vn="a variant of Win32/Adware.Yontoo.B application" ac=I fn="C:\_OTL\MovedFiles\01132014_124940\C_Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"
sh=48EF8B4E06E0F1D3C06C4D6E1EA2B6CE48AA5231 ft=1 fh=ac26df35aa8ade69 vn="a variant of Win32/Adware.Yontoo.B application" ac=I fn="C:\_OTL\MovedFiles\01132014_124940\C_Documents and Settings\All Users\Application Data\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll"
sh=EA1EBDB943C969B4CD95AE3FAFE1AEA70346CE25 ft=0 fh=0000000000000000 vn="Win32/Adware.Yontoo application" ac=I fn="C:\_OTL\MovedFiles\01132014_124940\C_Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\lx37whw3.default\extensions\plugin@yontoo.com.xpi"
sh=C713AEBAC012D367E2819D402ABE8C1CAD660329 ft=1 fh=c71c00115c3de7a7 vn="a variant of Win32/Toolbar.Montiera.F application" ac=I fn="C:\_OTL\MovedFiles\01132014_124940\C_Program Files\BabylonToolbar\BabylonToolbar\1.6.9.12\BabylonToolbarTlbr.dll"
sh=A926D4F53F5F88FC341687644C74C2FFB5A9795A ft=1 fh=c71c001150ef7ade vn="a variant of Win32/Toolbar.Escort.A application" ac=I fn="C:\_OTL\MovedFiles\01132014_124940\C_Program Files\BabylonToolbar\BabylonToolbar\1.6.9.12\bh\BabylonToolbar.dll"
sh=564160696ED3A767BEB3A5B77DA5107F05EBCBA4 ft=1 fh=62fd1985c73163e4 vn="a variant of Win32/Adware.Yontoo.A application" ac=I fn="C:\_OTL\MovedFiles\01132014_124940\C_Program Files\Yontoo\YontooIEClient.dll"


#24 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 26 January 2014 - 11:50 PM

There are two programs of concern there. They are Efficient Calendar and Efficient Diary.

 

Those are not the "normal" files I would expect to see with them.  Your files start with cbsidlm-tr1_6, which I don't know what it is or where it might come from.  Perhaps CBS Interactive?  I've heard that somehow they are associated with Cnet downloads.

 

What can you tell me about them?

 

Win32/DownloadAdmin.G can be related to Auleron which is a data stealer.

 

Let's check them out:

 

Please scan the following files
 

  • Copy and paste this into the File Name box.

C:\Program Files\Efficient Calendar Free\cbsidlm-tr1_6-Efficient_Calendar_Free-10920848.exe

 

  • Click the Scan it button.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now.
  • Once scanned, copy and paste the link to the results page in your next reply.

 

Then do the same thing with this file:

 

C:\Program Files\Efficient Diary\cbsidlm-tr1_6-Efficient_Diary-10910951.exe

 

 


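For the ESET log in post #23 and the per-file hash lookup Tomk asks for in post #24, here is an added example; it is not from the thread and is not ESET's or VirusTotal's code. It parses the `sh=... vn="..." fn="..."` result lines, separates findings still live on disk from ones OTL had already moved into C:\_OTL\MovedFiles, and shows how to check a local file against the 40-hex-digit `sh=` value (treated here as SHA-1, an assumption) and look it up by hash rather than uploading the file. The log lines are copied from the thread, the bytes hashed are constructed, and the VirusTotal URL form is an assumption of this example.

```python
"""Added example: parse ESET Online Scanner result lines, separate live
findings from files OTL already quarantined, and verify/look up a file by
hash. Log lines are copied from the thread; hashed bytes are constructed."""
import hashlib
import re
from collections import defaultdict

# key=value pairs, values either "quoted" or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
QUARANTINE_PREFIX = r"C:\_OTL\MovedFiles"   # where OTL moved files it removed


def parse_eset_line(line):
    """Turn 'sh=... vn="..." fn="..."' into a dict; None for header lines."""
    if not line.startswith("sh="):
        return None
    return {k: (v[1:-1] if v.startswith('"') else v)
            for k, v in FIELD_RE.findall(line)}


def parse_eset_log(text):
    return [r for r in (parse_eset_line(l.strip()) for l in text.splitlines()) if r]


def family(vn):
    """'a variant of Win32/Adware.Yontoo.B application' -> 'Win32/Adware.Yontoo'."""
    m = re.search(r'Win32/[\w.]+', vn)
    parts = (m.group(0) if m else vn).split(".")
    if len(parts) > 1 and len(parts[-1]) <= 2 and parts[-1].isupper():
        parts = parts[:-1]                 # drop the variant suffix (.A, .AG, ...)
    return ".".join(parts)


def triage(records):
    """Group by detection family and split live files from quarantined ones."""
    out = defaultdict(lambda: {"live": [], "quarantined": []})
    for r in records:
        state = "quarantined" if r["fn"].startswith(QUARANTINE_PREFIX) else "live"
        out[family(r["vn"])][state].append(r["fn"])
    return dict(out)


def unique_hashes(records):
    """Distinct sh= values: identical stubs need only one lookup."""
    return sorted({r["sh"].upper() for r in records})


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest().upper()


def matches_report(data, records):
    """Records whose sh= (assumed SHA-1) equals the SHA-1 of the bytes given."""
    digest = sha1_hex(data)
    return [r for r in records if r["sh"].upper() == digest]


def hash_lookup_url(data):
    """Look a file up by hash rather than uploading it (URL form assumed)."""
    return "https://www.virustotal.com/gui/file/" + hashlib.sha256(data).hexdigest()


ESET_LOG = r"""# found=9
# cleaned=0
sh=E90684A7D9D2D3AB8428AEBCCA964E077F34DF44 ft=1 fh=a9cc839b9994eecc vn="Win32/DownloadAdmin.G application" ac=I fn="C:\Program Files\Efficient Calendar Free\cbsidlm-tr1_6-Efficient_Calendar_Free-10920848.exe"
sh=E90684A7D9D2D3AB8428AEBCCA964E077F34DF44 ft=1 fh=a9cc839b9994eecc vn="Win32/DownloadAdmin.G application" ac=I fn="C:\Program Files\Efficient Diary\cbsidlm-tr1_6-Efficient_Diary-10910951.exe"
sh=6DFCA434D960FE1DE95CC52ADF6309433F7A98DB ft=1 fh=5999566e15da64a2 vn="a variant of Win32/InstallCore.AG application" ac=I fn="C:\Program Files\Mozilla Firefox\mozilla-firefox-toDownload.exe"
sh=B859E1E3C5F38DA8EA82D4940325EC60B19FF339 ft=1 fh=30f7fbf806dee4f1 vn="a variant of Win32/Adware.Yontoo.B application" ac=I fn="C:\_OTL\MovedFiles\01132014_124940\C_Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"
sh=564160696ED3A767BEB3A5B77DA5107F05EBCBA4 ft=1 fh=62fd1985c73163e4 vn="a variant of Win32/Adware.Yontoo.A application" ac=I fn="C:\_OTL\MovedFiles\01132014_124940\C_Program Files\Yontoo\YontooIEClient.dll"
"""

if __name__ == "__main__":
    recs = parse_eset_log(ESET_LOG)
    for fam, state in triage(recs).items():
        print(fam, "live:", len(state["live"]), "quarantined:", len(state["quarantined"]))
    print("hashes to look up:", unique_hashes(recs))
    sample = b"constructed bytes standing in for a downloaded installer"
    print("matches a reported hash:", bool(matches_report(sample, recs)))
    print(hash_lookup_url(sample))
```

Structured this way the log answers Tomk's question before anything is uploaded: the two Efficient installers carry the identical `sh=` value, so they are the same download-manager stub wrapped around two different products and one lookup covers both, while every Yontoo and Babylon hit sits under C:\_OTL\MovedFiles and was already taken out of the picture by the earlier OTL run.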

#25 OtterTF (New Member, Authentic Member, 19 posts)

Posted 27 January 2014 - 01:37 AM

I think that I did download them from CNet even though they have their own website: efficientsoftware.net. After telling a friend about it, she warned me that I should be careful downloading from Cnet. However, as far as performance goes, I have been happy with the Diary and the Calendar, and do not have to be online to use it but I might have picked up something by downloading it. This particular version is free; there is a Pro version available with more bells & whistles.

*****

https://www.virustot...sis/1390807336/

 

https://www.virustot...sis/1390807924/

 

Yikes.  <_<




#26 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 27 January 2014 - 01:54 AM

Ok... here's my best guess at what is going on:

 

I'm thinking that Cnet has teamed with CBS Interactive (who have signed your file even though the program is not theirs) on the installer of the program.  This installer has a "preinstallation" component - which is what is being flagged.  This is probably "phoning home" to tell someone that you are installing the program.

 

McAfee says that it is really just a possibly unwanted program... in other words, it is a program that installed along with the program you really wanted.  They say it's a low risk.  I'm guessing that there is probably some low grade tracking going on.

 

The bottom line is it is probably not a big risk.  It's your choice.  If it is something you want to keep... then OK.  If you want to get rid of it... let me know and we'll nuke it.



#27 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 29 January 2014 - 09:48 PM

Are you still with me?



#28 OtterTF (New Member, Authentic Member, 19 posts)

Posted 31 January 2014 - 03:26 PM

I am now. Lost access to internet at home Tues morning, and spent the afternoon/evening in the ER. Responses here might be sporadic until the situation clears up, but yes, I am still with you on this issue.

 

About this low-risk unwanted program... Do I HAVE to have it on my laptop in order to use the Cnet download? If I don't need it, let's get rid of it. Can you identify which one it is?



#29 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 31 January 2014 - 07:02 PM

Goodness... what happened to send you to the ER?  Whatever it was, anything on your computer is secondary to your health.

 

The low-risk "contamination" is contained in the executables for Efficient Diary and Efficient Calendar.  The files have been "patched" with a "bug" known as DownloadAdmin.G.  This is considered malware because, first off, you didn't ask for it to install.  You just wanted the diary and the calendar.  Secondly, it appears that it may "phone home" with some information.  My belief is that the information it sends "home" is simply that you installed the program.  I found no record of anything more nefarious than that.  It sounds like you would like to use both of the programs.  I do not know for sure, but I believe that the files would be "clean" if you downloaded them directly from the developer.  http://www.efficient...et/download.htm

 

If I remove the "infection" the programs currently on your machine will not work.  However, I believe the risk to be small.



#30 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 11 February 2014 - 09:49 AM

I understand that you might be involved in "real life" issues.  If you come back to this topic... you can PM me to open.


