Avast WEBforum
Other => Viruses and worms => Topic started by: QNtas on March 06, 2012, 03:55:38 PM
-
My avast found 50 thousand viruses and they are all Trojans. They are located in c:/users/public, C:\windows\explorer.exe and c/windows/win32/. And now that virus has split up into the recycle bin. Then when I try to put them in the chest, avast writes that there is no free space and avast crashes. I tried to clean up with Malwarebytes' Anti-Malware and with OTS but it doesn't work. Help me, someone. PS. Sorry for my poor English.
-
My avast found 50 thousand virus and they all are Trojan.
holy cow.....and what malware name is avast giving?
is it win32:malware-gen on all files detected?
-
Hi,
I think we should give this a quick run and see what it shows. :)
Download CKScanner by askey127 from Here (http://downloads.malwareremoval.com/CKScanner.exe) & save it to your Desktop.
- Right-click and Run as Administrator on CKScanner.exe, then click Search For Files
- When the cursor hourglass disappears, click Save List To File
- A message box will verify the file saved
- Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply
-
CKScanner - Additional Security Risks - These are not necessarily bad
c:\users\admin\desktop\torrentai\rise of nations rise of legends crack only.zip.torrent
c:\users\admin\downloads\rise of nations rise of legends crack only.zip
c:\users\admin\downloads\rise.of.nations.rise.of.legends-nocd crack\rise.of.nations.rise.of.legends cd3.daa
c:\windows\system32\slmgr.vbs.removewat
c:\windows\syswow64\slmgr.vbs.removewat
scanner sequence 3.EM.11.QVNAHR
----- EOF -----
-
Hi,
Were you able to find out what label that avast was giving those 50K infections?
-------------
Please run the MGA Diagnostic Tool and post back the report it shall produce:
- Download MGADiag (http://go.microsoft.com/fwlink/?linkid=52012) to your desktop.
- Double-click on MGADiag.exe to launch the program
- Click "Continue"
- Ensure that the "Windows" tab is selected (it should be by default).
- Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
- Paste the MGA Diagnostic Report back here in your next reply.
---------
Then, run the following:
Please download and run WVCheck (http://artellos.com/ccount/click.php?id=7).
- Double-click WVCheck.exe.
- As indicated by the prompt, this program can take a while depending on your hard drive space.
- Once the program is done, copy the contents of the Notepad file as a reply.
-
I want to clean my computer, and I don't know how I can delete that win32:malware-gen virus.
-
Hi,
Have you run the tools I posted for in post #4?
-
I can't find WVCheck.exe, and do you need me to post all of what MGADiag shows?
-
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: N/A, hr = 0xc004f012
Windows Product Key: *****-*****-J8D7P-XQJJ2-GPDD4
Windows Product Key Hash: xgsndMkYdJsYmUng0qIJ/thx+HI=
Windows Product ID: 00371-868-0000007-85759
Windows Product ID Type: 1
Windows License Type: KMS Client
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {CD8501CE-5651-4D06-8E5D-94A04213B30A}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.110622-1506
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7600.16385], Hr = 0x800b0100
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{CD8501CE-5651-4D06-8E5D-94A04213B30A}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-GPDD4</PKey><PID>00371-868-0000007-85759</PID><PIDType>1</PIDType><SID>S-1-5-21-107350918-4025844359-37358633</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Inspiron N5110</Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A07</Version><SMBIOSVersion major="2" minor="6"/><Date>20110718000000.000000+000</Date></BIOS><HWID>5D073607018400FE</HWID><UserLCID>0427</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>FLE Standard Time(GMT+02:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Input Error: Can not find script file "C:\Windows\system32\slmgr.vbs".
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: N/A
HealthStatus: 0x0000000000000000
Event Time Stamp: N/A
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Not Registered - 0x80070005
HealthStatus Bitmask Output:
HWID Data-->
HWID Hash Current: OgAAAAMAAgABAAIAAQABAAAABAABAAEAonZi0RUndxYkUQaGKK0U0QqnnMbPDbzEGOpIPf5PaOsucw==
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL WN09
FACP DELL WN09
HPET DELL WN09
MCFG DELL WN09
SSDT TrmRef PtidDevc
SSDT TrmRef PtidDevc
SSDT TrmRef PtidDevc
SSDT TrmRef PtidDevc
SSDT TrmRef PtidDevc
OSFR DELL M08
-
Hi,
- Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
- Right-click and Run as Administrator on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- When the window appears, underneath Output at the top change it to Minimal Output.
- Check the boxes beside LOP Check and Purity Check.
- In the Custom Scans section put the following:
netsvcs
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
-
OTL logfile created on: 2012.03.06 22:24:47 - Run 1
OTL by OldTimer - Version 3.2.35.1 Folder = C:\Users\Admin\Desktop
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000427 | Country: Lithuania | Language: LTH | Date Format: yyyy.MM.dd
5,91 Gb Total Physical Memory | 3,52 Gb Available Physical Memory | 59,52% Memory free
11,82 Gb Paging File | 9,46 Gb Available in Paging File | 80,04% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 97,56 Gb Total Space | 28,56 Gb Free Space | 29,28% Space Free | Partition Type: NTFS
Drive D: | 498,51 Gb Total Space | 202,97 Gb Free Space | 40,71% Space Free | Partition Type: NTFS
Drive I: | 95,43 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
Computer Name: ADMIN-PC | User Name: Admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Users\Admin\Desktop\OTL.exe (OldTimer Tools)
PRC - D:\hamachi\hamachi-2-ui.exe (LogMeIn Inc.)
PRC - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
PRC - D:\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
PRC - C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
PRC - C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe (Renesas Electronics Corporation)
PRC - C:\Program Files (x86)\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
========== Modules (No Company Name) ==========
MOD - C:\Program Files (x86)\Google\Chrome\Application\17.0.963.56\ppgooglenaclpluginchrome.dll ()
MOD - C:\Program Files (x86)\Google\Chrome\Application\17.0.963.56\pdf.dll ()
MOD - C:\Program Files (x86)\Google\Chrome\Application\17.0.963.56\avutil-51.dll ()
MOD - C:\Program Files (x86)\Google\Chrome\Application\17.0.963.56\avformat-53.dll ()
MOD - C:\Program Files (x86)\Google\Chrome\Application\17.0.963.56\avcodec-53.dll ()
MOD - C:\Program Files (x86)\Google\Chrome\Application\17.0.963.56\gcswf32.dll ()
MOD - C:\Program Files (x86)\NVIDIA Corporation\coprocmanager\detoured.dll ()
MOD - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF ()
MOD - C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll ()
========== Win32 Services (SafeList) ==========
SRV:64bit: - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
SRV:64bit: - (FLEXnet Licensing Service 64) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe (Flexera Software, Inc.)
SRV:64bit: - (STacSV) -- C:\Program Files\IDT\WDM\stacsv64.exe (IDT, Inc.)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV:64bit: - (AESTFilters) -- C:\Program Files\IDT\WDM\AESTSr64.exe (Andrea Electronics Corporation)
SRV - (Hamachi2Svc) -- D:\hamachi\hamachi-2.exe (LogMeIn Inc.)
SRV - (MBAMService) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (Atheros Bt&Wlan Coex Agent) -- C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Ath_CoexAgent.exe (Atheros)
SRV - (AtherosSvc) -- C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AdminService.exe (Atheros Commnucations)
SRV - (nvUpdatusService) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation)
SRV - (Stereo Service) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
SRV - (npggsvc) -- C:\Windows\SysWow64\GameMon.des (INCA Internet Co., Ltd.)
SRV - (Autodesk Content Service) -- C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe ()
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
-
QNtas you can attach the log to save doing multiple posts ;D
-
Hey, in that notepad file there are too many characters, and I need 4-5 posts to post one of them, so should I post it or do something else?
-
There are instructions on how to attach the log file about a quarter of the way down in this thread http://forum.avast.com/index.php?topic=53253.0
-
And is there a function for how to fix my problem, or just how to attach the log?
-
Hi,
This is how to attach a log to your post
To attach :
Press Reply
Attachments and other options
Attach:
Choose File
Locate the OTL log
Select the OTL log
-
Here it is
-
Hi QNtas,
Please download and run ERUNT (http://www.snapfiles.com/get/erunt.html) (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
PRC - C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
IE - HKLM\..\SearchScopes,DefaultScope = {EEE6C360-6118-11DC-9C72-001320C79847}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&st=1&q={searchTerms}&barid={1AC2C624-E9E9-11E0-80EA-CCAF785422B8}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
IE - HKCU\..\URLSearchHook: {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgHelper.dll (SweetIM Technologies Ltd.)
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&st=1&q={searchTerms}&barid={1AC2C624-E9E9-11E0-80EA-CCAF785422B8}
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
O2 - BHO: (SweetIM Toolbar Helper) - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3 - HKLM\..\Toolbar: (SweetIM Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (SweetIM Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O4 - HKLM..\Run: [SweetIM] C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
O4 - HKCU..\Run: [TorrentRatioKeeper] "D:\Ratio\Torrent Ratio Keeper\TorrentRatioKeeper.exe" /s File not found
O8:64bit: - Extra context menu item: Search the Web - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\resources\MenuExt.html ()
O8 - Extra context menu item: Search the Web - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\resources\MenuExt.html ()
O33 - MountPoints2\{f31eef06-223f-11e1-81b5-ccaf785422b8}\Shell - "" = AutoRun
O33 - MountPoints2\{f31eef06-223f-11e1-81b5-ccaf785422b8}\Shell\AutoRun\command - "" = J:\AutoRun.exe
O33 - MountPoints2\{f31eef13-223f-11e1-81b5-ccaf785422b8}\Shell - "" = AutoRun
O33 - MountPoints2\{f31eef13-223f-11e1-81b5-ccaf785422b8}\Shell\AutoRun\command - "" = J:\AutoRun.exe
O33 - MountPoints2\{f6ebead5-1390-11e1-8277-ccaf785422b8}\Shell - "" = AutoRun
O33 - MountPoints2\{f6ebead5-1390-11e1-8277-ccaf785422b8}\Shell\AutoRun\command - "" = G:\INSTALL.EXE
[65442 C:\Users\Public\Documents\*.tmp files -> C:\Users\Public\Documents\*.tmp -> ]
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[createrestorepoint]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
-------------------
In your next reply please post both of the logs that will be created by OTL when you are finished. :)
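Picking the lines for the :OTL section of a fix is a judgement call made by reading the log. The following Python script is an added example (not OTL's code, nor the helper's) that applies the same kinds of rules to constructed log lines in OTL's format; the adware marker list and the five review reasons are assumptions chosen to match this thread.

```python
"""Triage helper for OTL scan-log lines (added example, not OTL's own code).

OTL prefixes each item with a section tag, as in the log posted above:
  PRC / MOD / SRV  running processes, loaded modules, services
  IE / FF          browser start pages, search scopes, plugins
  O2 / O3 / O4     BHOs, toolbars, Run entries
  O33              MountPoints2 AutoRun handlers for removable drives
A trailing "()" means no company name; "File not found" marks an orphaned
entry. The rules below group lines by the reason a helper would review them,
so the decision of what goes under :OTL in a fix is explicit and repeatable.
"""
import re
from collections import defaultdict

# Constructed sample in OTL's format, modelled on the lines from this thread.
SAMPLE_LOG = r"""
PRC - C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
PRC - C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
MOD - C:\Program Files (x86)\NVIDIA Corporation\coprocmanager\detoured.dll ()
IE - HKCU\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?q={searchTerms}
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
O2 - BHO: (SweetIM Toolbar Helper) - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O4 - HKLM..\Run: [SweetIM] C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
O4 - HKCU..\Run: [TorrentRatioKeeper] "D:\Ratio\Torrent Ratio Keeper\TorrentRatioKeeper.exe" /s File not found
O33 - MountPoints2\{f31eef06-223f-11e1-81b5-ccaf785422b8}\Shell\AutoRun\command - "" = J:\AutoRun.exe
O33 - MountPoints2\{f6ebead5-1390-11e1-8277-ccaf785422b8}\Shell\AutoRun\command - "" = G:\INSTALL.EXE
"""

# Adware family names seen in this thread; extend per case (assumption: a
# case-insensitive substring match on the line body is enough for triage).
PUP_MARKERS = ("sweetim",)

# "TAG - body" or "TAG:64bit: - body"; O-tags are numbered (O2, O33, ...).
SECTION_RE = re.compile(r"^(?P<tag>[A-Z]{2,3}|O\d+)(?::64bit:)?\s+-\s+(?P<body>.*)$")

AUTORUN = "removable-media AutoRun handler"
ORPHAN_RUN = "orphaned Run entry"
ADWARE = "known adware/toolbar component"
ORPHAN_BROWSER = "orphaned browser entry"
NO_COMPANY = "no company name (unknown publisher)"


def triage_line(line):
    """Return the review reason for one OTL log line, or None if it looks benign."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    tag, body = m.group("tag"), m.group("body")
    low = body.lower()
    if tag == "O33" and "autorun" in low:
        return AUTORUN          # autorun.inf-style handler left by removable media
    if tag == "O4" and low.endswith("file not found"):
        return ORPHAN_RUN       # startup entry whose target is gone
    if tag in ("O2", "O3", "O4", "PRC", "IE") and any(p in low for p in PUP_MARKERS):
        return ADWARE
    if tag in ("IE", "FF") and low.endswith("file not found"):
        return ORPHAN_BROWSER
    if tag in ("PRC", "MOD", "SRV") and body.endswith("()"):
        return NO_COMPANY       # worth a look, not proof of anything by itself
    return None


def triage(log_text):
    """Group flagged lines by reason: {reason: [line, ...]}."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        reason = triage_line(line)
        if reason:
            findings[reason].append(line.strip())
    return dict(findings)


def otl_fix_lines(log_text):
    """Flagged lines in log order under an :OTL header, for review before pasting."""
    return [":OTL"] + [l.strip() for l in log_text.splitlines() if triage_line(l)]


if __name__ == "__main__":
    for reason, lines in triage(SAMPLE_LOG).items():
        print(f"[{reason}]")
        for l in lines:
            print("   ", l)
```

The "no company name" bucket is only a prompt to check the file; the sample's detoured.dll is an NVIDIA component and would be left alone after review.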
-
Is it also for Windows 7 and 8? Just in case he has one of those.
-
I have Windows 7.
-
Hi QNtas,
Go ahead and use the fix I provided.
-
I ran it, but do I need to run a new scan the same as before (just not checking LOP Check and Purity Check), yes?
-
Yes...once done with running the fix, please run a new scan the same as before but without LOP or Purity checked. :) There will be a log showing what was removed after the fix and then the log with the new information created by the new run.
-
Here it is
-
Hi,
Did you follow the instructions I provided in post 17? If you are having any problems running anything let me know. :)
-
Yes I did, and I downloaded that ERUNT, but I don't know whether I need to check Minimal Output when I run the fix. And what do I need to write in "custom/scan fixes" when I run the scan?
-
Ok....in post 17 there is a code box with information that I provided. It starts with my quote below...but be sure to copy everything in the code box
Code:
:Services
:OTL
PRC - C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}...
Now follow the instructions with the picture below.
(http://i1224.photobucket.com/albums/ee380/jeffce74/OTLinstructions.jpg)
When that scan is complete there will be a log made automatically. Save that for your next reply.
Run a new scan with OTL being sure that minimal is selected and that LOP and Purity are not selected this time. When that is finished there will be another log created. Save that as well for your next reply.
Please post, once done, both of the logs made by OTL.
-
Hi, I have problems with the scan fix. When it completed, the program asked me to reboot the system and did not open any log for me.
-
Hi QNtas,
I apologize if my instructions have not been clear enough. :( Let's do this one step at a time.
In the picture I provided above, you can see the section labeled Custom Scans/Fixes?
I want you to copy/paste the information I provide below inside of the Code Box into the Custom Scans/Fixes box in OTL.
:Services
:OTL
PRC - C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
IE - HKLM\..\SearchScopes,DefaultScope = {EEE6C360-6118-11DC-9C72-001320C79847}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&st=1&q={searchTerms}&barid={1AC2C624-E9E9-11E0-80EA-CCAF785422B8}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
IE - HKCU\..\URLSearchHook: {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgHelper.dll (SweetIM Technologies Ltd.)
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&st=1&q={searchTerms}&barid={1AC2C624-E9E9-11E0-80EA-CCAF785422B8}
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
O2 - BHO: (SweetIM Toolbar Helper) - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3 - HKLM\..\Toolbar: (SweetIM Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (SweetIM Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O4 - HKLM..\Run: [SweetIM] C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
O4 - HKCU..\Run: [TorrentRatioKeeper] "D:\Ratio\Torrent Ratio Keeper\TorrentRatioKeeper.exe" /s File not found
O8:64bit: - Extra context menu item: Search the Web - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\resources\MenuExt.html ()
O8 - Extra context menu item: Search the Web - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\resources\MenuExt.html ()
O33 - MountPoints2\{f31eef06-223f-11e1-81b5-ccaf785422b8}\Shell - "" = AutoRun
O33 - MountPoints2\{f31eef06-223f-11e1-81b5-ccaf785422b8}\Shell\AutoRun\command - "" = J:\AutoRun.exe
O33 - MountPoints2\{f31eef13-223f-11e1-81b5-ccaf785422b8}\Shell - "" = AutoRun
O33 - MountPoints2\{f31eef13-223f-11e1-81b5-ccaf785422b8}\Shell\AutoRun\command - "" = J:\AutoRun.exe
O33 - MountPoints2\{f6ebead5-1390-11e1-8277-ccaf785422b8}\Shell - "" = AutoRun
O33 - MountPoints2\{f6ebead5-1390-11e1-8277-ccaf785422b8}\Shell\AutoRun\command - "" = G:\INSTALL.EXE
[65442 C:\Users\Public\Documents\*.tmp files -> C:\Users\Public\Documents\*.tmp -> ]
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[createrestorepoint]
[start explorer]
[Reboot]
Now, once the text is placed into the Custom Scans/Fixes box in OTL, I want you to press the Run Fix button.
OTL will start running automatically and I want you to let it run through to the end.
After OTL has been run, there will be a log that opens automatically either before or after the system reboots.
Please save that log and post it into your next reply.
Don't worry about running OTL again yet...we will come back to that. :)
-
I did that but nothing. It just wrote fix complete and showed a table to reboot the system. It did not open a log file.
-
Hi,
Sorry about the problems you are having with OTL.
----------
Download Combofix from either of the links below, and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
--------------------------------------------------------------------
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt for further review.
-
That file combofix.txt uses 2.45MB of space on disk and I can post just 190KB.
-
Hi QNtas,
Please upload the file here >> http://www.mediafire.com/ and then post the link that is created. I can then download the file from there. :)
-
http://www.mediafire.com/?9dhr52p9prka8v1
-
Hi,
Good job getting that uploaded. Looks like ComboFix removed quite a bit. :)
-
Yes, but there are more; I want to remove them all :) Thx for helping, man.
-
Hi QNtas,
- Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
ClearJavaCache::
DDS::
uStart Page = hxxp://home.sweetim.com
mStart Page = hxxp://home.sweetim.com
IE: Search the Web - c:\program files (x86)\SweetIM\Toolbars\Internet Explorer\resources\menuext.html
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"=-
[-HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[-HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[-HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[-HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]
[-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"=-
[-HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[-HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[-HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[-HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SweetIM"=-
- Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
(http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif)
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
-
Hi, that was a fast scan :)
-
Hi QNtas,
Looking better. :)
Malwarebytes
I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
----------
ESET Online Scanner:
Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.htmll).
Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
- Please go here (http://www.eset.com/onlinescan/) then click on: (http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif)
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
- Select the option YES, I accept the Terms of Use then click on: (http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif)
- When prompted allow the Add-On/Active X to install.
- Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
- Now click on Advanced Settings and select the following:
- Scan for potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth Technology
- Now click on: (http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif)
- The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
- When completed the Online Scan will begin automatically.
- Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
- When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
- Now click on: (http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif)
- Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
- Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
----------
In your next reply please post the logs made by Malwarebytes and ESET online scanner. :)
-
http://www.mediafire.com/?3cd5qkijn6knmbp
http://www.mediafire.com/?se7cj59kr4vy1yg
-
Hi,
We will have to hit this twice as there are a lot of entries that need to go. I notice that you had run ESET but I did not get a log for Malwarebytes. Please run that and post that log as well.
----------
- Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
File::
D:\autocad2012\acad2012m_x64.iso
D:\autocad2012\Crack\xf-a2012-32bits.rar
D:\autocad2012\Crack\xf-a2012-64bits.rar
D:\autocad2012\Crack\xf-adesk2012x64.exe
- Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
(http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif)
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
-
Hi, here it is :)
-
Hi,
Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
- Close any open windows.
- Right-click and Run as Administrator the TFC icon to run the program
- TFC will close all open programs itself in order to run,
- Click the Start button to begin the process.
- Allow TFC to run uninterrupted.
- The program should not take long to finish its job
- Once it's finished it should automatically reboot your machine,
- if it doesn't, manually reboot to ensure a complete clean
--------------
Once that has completed run a new scan with ESET and post that to your next reply. :)
-
Hi jeffce,
http://www.mediafire.com/?0s0g12g6j299087
-
Hi QNtas,
Please update Malwarebytes, run a Quick Scan and post that log into your next reply. :)
-
http://www.mediafire.com/?t1k9p4t1d14622g
-
Hi QNtas,
We are getting there slowly but surely.
Rerun Malwarebytes and remove everything that is found. Then post the newly made log.
-
Hey, if I remove what is found then I can't create a log file.
-
?? Yes it will....it will just show that nothing is found...
-
No, my Malwarebytes turns off when I push remove all.
-
I can scan it again and send you a print screen.
-
ok
-
Here it is, that error, and after that Malwarebytes turns off.
http://www.mediafire.com/?phlw6iy6blpff95
-
Hi,
Ok I see. That is because there are so many of them. Let's do this.
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:OTL
:Files
del trz*.tmp /f /q /c
:Commands
[purity]
[emptytemp]
[createrestorepoint]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
Once you have run the fix with OTL and ran the new scan there will be two logs I need in your next reply. The one showing what was removed and the one of the new OTL scan.
Once that is done update Malwarebytes again, run a Quick Scan, delete anything found and post the log created.
-
Here are the OTL logs, but Malwarebytes is still not working, same error.
-
Hi,
Was there another log created by OTL after you ran the fix showing what was deleted?
-
Hey jeffce, I tried to scan with Malwarebytes and aborted it; it scanned 10k viruses. So the results are http://www.mediafire.com/?j2tt30h60cto7js
(PS. Sorry for not good English.) And OTL did not open a log, so I will try it one more time, and this time I am going to turn off all programs and just wait.
-
Hi QNtas,
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
O32 - AutoRun File - [2011.09.18 17:12:21 | 000,000,000 | ---D | M] - D:\autocad -- [ NTFS ]
O32 - AutoRun File - [2012.03.13 22:10:15 | 000,000,000 | ---D | M] - D:\autocad2012 -- [ NTFS ]
O32 - AutoRun File - [2011.09.18 17:49:44 | 000,000,000 | ---D | M] - D:\autocadd -- [ NTFS ]
:Files
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
----------
Run another scan with Malwarebytes. If anything is detected be sure to have it removed and post that log. :)
-
Here it is :)
-
Hi,
That Malwarebytes log looks good. How is your system running?
Run a new scan with ESET and post the log that is created to your next reply. :D
-
Hi jeffce, sorry for not writing for so long, I was having internet problems. Here it is, that log. My system works normally I think, but why do you laugh? :)
http://www.mediafire.com/?wxt19ifhbinrg0u
-
Hi QNtas,
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
[2012.03.09 00:15:44 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Local\Loc.Mail.Bron.Tok
[2012.03.09 00:15:15 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Local\Ok-SendMail-Bron-tok
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[createrestorepoint]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
----------
Next...update Malwarebytes, run a quick scan and then remove any threats found. Once complete save the log created for your next post.
----------
In your next reply please post the logs made by OTL and Malwarebytes. :)
-
Hi, something is wrong when I am trying to attach files, so I uploaded them.
http://www.mediafire.com/?4zsmqdmagfpp2rg
http://www.mediafire.com/?bgh3yrzviydbabq
http://www.mediafire.com/?sziwu7o7ri8wftq
-
Uploading them is just fine. Many people seem to be having problems attaching files today so it isn't just you. :)
I will return as quick as I can. :)
-
It seems we have some entries that don't want to remove. >:(
Please delete the current version of Combofix.exe from your desktop and download a new version from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
Disable your AntiVirus and AntiSpyware applications.
Right-click and Run as Administrator on the Combofix.exe and follow the prompts on your display. When finished, it will create a C:\Combofix.txt. Please post this log for further review.
---------
-
Here it is, and it started happening again. Avast is blocking the same virus and I located it (c:/users/liberties/liberties.exe and c:/users/public/public.exe), something like that :) Sorry for not good English.
http://www.mediafire.com/?7etfx5u9hwbrn4f
-
Oh, sorry: (c:/users/public/libraries/libraries.exe)
-
Hi QNtas,
Thanks for letting me know. :)
----------
- Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
ClearJavaCache::
DirLook::
c:/users/liberties
c:/users/public
Folder::
c:\users\Admin\AppData\Local\Loc.Mail.Bron.Tok
c:\users\Admin\AppData\Local\Ok-SendMail-Bron-tok
- Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
(http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif)
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
-
Here it is
http://www.mediafire.com/?gbp1rr1x3rv2kx7
-
Nice!! Now open Malwarebytes, update it and run a Quick Scan then post the log into your next reply. :)
-
Here you go
http://www.mediafire.com/?7et74fcx0cap5pa
-
I should have had you do this before but please run a new scan with ESET and post the log that is created. :)
-
Hi jeffce, ESET found a big amount of viruses ;/ http://www.mediafire.com/?kyrono154g2o5pr
-
Hi,
Let's see about getting rid of those. :) When OTL runs this fix it may take quite some time to remove because there is a lot. :)
----------
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:Files
C:\Users\Admin\Documents\Documents.exe
C:\Users\Admin\Documents\CAPCOM\DEVILMAYCRY4\DEVILMAYCRY4.exe
C:\Users\Admin\Documents\FIFA 12\FIFA 12.exe
C:\Users\Admin\Documents\FIFA 12\instance0\instance0.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\Age of Empires 3.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\AI\AI.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\campaign\campaign.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\RM\RM.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\Savegame\Savegame.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\Trigger\Trigger.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\Users\Users.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Rise Of Legends.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Mantas\Mantas.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Mantas\Saves\AutoSaves\AutoSaves.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Mantas\Saves\Game Setup Files\Game Setup Files.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Mantas\Saves\Game Setup Files\CTW\CTW.exe
C:\Users\Admin\Documents\My Games\Skyrim\Skyrim.exe
C:\Users\Admin\Documents\My Games\Skyrim\Saves\Saves.exe
C:\Users\Admin\Documents\NFS Most Wanted\Mantas\Mantas.exe
C:\Users\Admin\Documents\OneNote Notebooks\Personal\Personal.exe
C:\Users\Admin\Documents\Outlook Files\Outlook Files.exe
C:\Users\Admin\Downloads\SoftonicDownloader_for_teamspeak.exe
C:\Users\Admin\Pictures\about.Brontok.A.html
C:\Users\Public\Public.exe
C:\Users\Public\trz3CE5.tmp
C:\Users\Public\Documents\Documents.exe
C:\Users\Public\Documents\trz46A6.tmp
C:\Users\Public\Documents\trz4753.tmp
C:\Users\Public\Downloads\Downloads.exe
C:\Users\Public\Downloads\trz4773.tmp
C:\Users\Public\Libraries\Libraries.exe
del C:\Users\Public\Libraries\trz*.tmp /f /q /c
del C:\Users\Public\Pictures\trz*.tmp /f /q /c
C:\Users\Public\Pictures\NVIDIA Corporation\3D Vision Experience\3D Vision preview pack 1\3D Vision preview pack 1.exe
del "C:\Users\Public\Pictures\NVIDIA Corporation\3D Vision Experience\3D Vision preview pack 1\trz*.tmp" /f /q /c
C:\Users\Public\Pictures\Sample Pictures\Sample Pictures.exe
del "C:\Users\Public\Pictures\Sample Pictures\trz*.tmp" /f /q /c
C:\Users\Public\Recorded TV\Recorded TV.exe
del "C:\Users\Public\Recorded TV\trz*.tmp" /f /q /c
C:\Users\Public\Recorded TV\Sample Media\Sample Media.exe
del "C:\Users\Public\Recorded TV\Sample Media\trz*.tmp" /f /q /c
C:\Users\Public\Videos\Sample Videos\Sample Videos.exe
C:\Windows\AutoKMS.exe
del C:\Windows\ShellNew\trz*.tmp /f /q /c
C:\Windows\SoftwareDistribution\DataStore\Logs\trzB77C.tmp
C:\Windows\SoftwareDistribution\DataStore\Logs\trzC716.tmp
del C:\Windows\temp\_avast_\unp*.tmp /f /q /c
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
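The file list in this fix shows the two naming patterns the worm left behind: an .exe named after the folder it sits in (Documents\Documents.exe, Public\Public.exe, Libraries\Libraries.exe) and trz<hex>.tmp droppings. The following is an added example, not a tool from this thread or from the OTL/ComboFix authors: a read-only Python sweep that walks a directory tree and reports files matching either pattern, run against a constructed sample tree mirroring the layout above (the `Program Files/Game/Game.exe` entry is a hypothetical legitimate program that also matches the folder-name rule, to show the heuristic needs triage).

```python
"""Read-only heuristic sweep for folder-name-mimicking .exe files and
trz<hex>.tmp droppings.  Added example, not code from the thread; it only
reports matches and deletes nothing."""
import os
import re
import tempfile
from pathlib import Path

# trz followed by four hex digits and .tmp, as in trz3CE5.tmp / trz46A6.tmp
TRZ_TMP = re.compile(r"^trz[0-9A-Fa-f]{4}\.tmp$", re.IGNORECASE)


def folder_mimic_exe(path: Path) -> bool:
    """True if the file is <dirname>.exe sitting inside <dirname> (case-insensitive)."""
    return (
        path.suffix.lower() == ".exe"
        and path.stem.lower() == path.parent.name.lower()
    )


def sweep(root) -> dict:
    """Walk root and return sorted relative paths grouped by which rule matched."""
    root = Path(root)
    hits = {"mimic_exe": [], "trz_tmp": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if folder_mimic_exe(p):
                hits["mimic_exe"].append(rel)
            elif TRZ_TMP.match(name):
                hits["trz_tmp"].append(rel)
    for key in hits:
        hits[key].sort()
    return hits


def build_sample_tree(base) -> Path:
    """Constructed sample layout (harmless placeholder bytes, no real malware).

    Paths are modelled on the ones listed in the fix; Program Files/Game/Game.exe
    is a hypothetical legitimate program that the folder-name rule will also
    flag, so every hit still needs a hash or signature check before removal."""
    base = Path(base)
    sample_files = [
        "Users/Admin/Documents/Documents.exe",
        "Users/Admin/Documents/FIFA 12/FIFA 12.exe",
        "Users/Admin/Documents/FIFA 12/report.docx",
        "Users/Public/Public.exe",
        "Users/Public/trz3CE5.tmp",
        "Users/Public/Documents/trz46A6.tmp",
        "Users/Public/Libraries/Libraries.exe",
        "Program Files/Game/Game.exe",
        "Windows/explorer.exe",
    ]
    for rel in sample_files:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample placeholder")
    return base


def demo() -> dict:
    """Build the sample tree in a temp dir, sweep it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return sweep(build_sample_tree(tmp))


if __name__ == "__main__":
    for rule, paths in demo().items():
        print(rule)
        for rel in paths:
            print("  ", rel)
```

Nothing in the sweep is specific to the temp directory; pointing `sweep()` at a mounted user profile gives the same triage list for a real box.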
-
Hi, I think it looks better :)
-
Hi QNtas,
Yes but I need to see a couple of things first. You had an infection with a specific worm and it went crazy in your system.
Was there a log created after you ran this last OTL fix showing what was removed? If so post that please.
----------
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes,DefaultScope = {EEE6C360-6118-11DC-9C72-001320C79847}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&st=1&q={searchTerms}&barid={1AC2C624-E9E9-11E0-80EA-CCAF785422B8}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = lt
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 93 29 6A E5 03 08 CD 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&st=1&q={searchTerms}&barid={1AC2C624-E9E9-11E0-80EA-CCAF785422B8}
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - No CLSID value found.
[2 C:\Users\Public\Documents\*.tmp files -> C:\Users\Public\Documents\*.tmp -> ]
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
--------------
Open Malwarebytes, update it and then run a new Quick Scan and save the log for your next reply.
-------------
Run a new scan with ESET online scanner and save that log for your next reply.
------------
In your next reply I need the logs created by OTL, Malwarebytes and ESET online scanner.
-
no log was created
-
Do you mean with ESET
-
You asked that (Was there a log created after you ran this last OTL fix showing what was removed? If so post that please.), so there won't be any log created after I run the OTL fix.
-
Oh ok....
When you get the new OTL, Malwarebytes and ESET logs post those please.
-
Sorry that took so long :) http://www.mediafire.com/?11iki185uv7lk8u
-
Hi,
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:Files
C:\Users\Admin\Documents\Documents.exe
C:\Users\Admin\Documents\CAPCOM\DEVILMAYCRY4\DEVILMAYCRY4.exe
C:\Users\Admin\Documents\FIFA 12\FIFA 12.exe
C:\Users\Admin\Documents\FIFA 12\instance0\instance0.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\Age of Empires 3.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\AI\AI.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\campaign\campaign.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\RM\RM.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\Savegame\Savegame.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\Trigger\Trigger.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\Users\Users.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Rise Of Legends.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Mantas\Mantas.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Mantas\Saves\AutoSaves\AutoSaves.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Mantas\Saves\Game Setup Files\Game Setup Files.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Mantas\Saves\Game Setup Files\CTW\CTW.exe
C:\Users\Admin\Documents\My Games\Skyrim\Skyrim.exe
C:\Users\Admin\Documents\My Games\Skyrim\Saves\Saves.exe
C:\Users\Admin\Documents\NFS Most Wanted\Mantas\Mantas.exe
C:\Users\Admin\Documents\OneNote Notebooks\Personal\Personal.exe
C:\Users\Admin\Documents\Outlook Files\Outlook Files.exe
C:\Users\Admin\Downloads\SoftonicDownloader_for_teamspeak.exe
C:\Users\Admin\Pictures\about.Brontok.A.html
C:\Users\Public\Public.exe
C:\Users\Public\trz3CE5.tmp
C:\Users\Public\Documents\Documents.exe
C:\Users\Public\Documents\trz46A6.tmp
C:\Users\Public\Documents\trz4753.tmp
C:\Users\Public\Downloads\Downloads.exe
C:\Users\Public\Downloads\trz4773.tmp
C:\Users\Public\Libraries\Libraries.exe
del C:\Users\Public\Libraries\trz*.tmp /f /q /c
del C:\Users\Public\Pictures\trz*.tmp /f /q /c
C:\Users\Public\Pictures\NVIDIA Corporation\3D Vision Experience\3D Vision preview pack 1\3D Vision preview pack 1.exe
del "C:\Users\Public\Pictures\NVIDIA Corporation\3D Vision Experience\3D Vision preview pack 1\trz*.tmp" /f /q /c
C:\Users\Public\Pictures\Sample Pictures\Sample Pictures.exe
del "C:\Users\Public\Pictures\Sample Pictures\trz*.tmp" /f /q /c
C:\Users\Public\Recorded TV\Recorded TV.exe
del "C:\Users\Public\Recorded TV\trz*.tmp" /f /q /c
C:\Users\Public\Recorded TV\Sample Media\Sample Media.exe
del "C:\Users\Public\Recorded TV\Sample Media\trz*.tmp" /f /q /c
C:\Users\Public\Videos\Sample Videos\Sample Videos.exe
C:\Windows\AutoKMS.exe
del C:\Windows\ShellNew\trz*.tmp /f /q /c
C:\Windows\SoftwareDistribution\DataStore\Logs\trzB77C.tmp
C:\Windows\SoftwareDistribution\DataStore\Logs\trzC716.tmp
del C:\Windows\temp\_avast_\unp*.tmp /f /q /c
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered. There will be a log created when it completes that I will need in your next reply. Reboot when it is done.
- Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
After OTL has run the fix there should be a log automatically created. Please post that and the OTL log that is made with your new scan.
-
After OTL has run the fix there is no log created.
-
Hi QNtas,
When you are running these fixes are you being sure to press the Run Fix button and not the Run Scan button?
-
Yes, and when I run it, it shows me a cmd console.
-
http://www.mediafire.com/?5mjia0ht7ci91b8
look
-
Hi QNtas,
We need to do something a little bit different.
Please disable your Avast antivirus program for the time being as it seems that it is blocking our fix.
Reboot Your System in Safe Mode
- Restart the computer.
- As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
- Use the arrow keys to select the Safe mode menu item
- Press Enter.
----------
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:Files
C:\Users\Admin\Documents\Documents.exe
C:\Users\Admin\Documents\CAPCOM\DEVILMAYCRY4\DEVILMAYCRY4.exe
C:\Users\Admin\Documents\FIFA 12\FIFA 12.exe
C:\Users\Admin\Documents\FIFA 12\instance0\instance0.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\Age of Empires 3.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\AI\AI.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\campaign\campaign.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\RM\RM.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\Savegame\Savegame.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\Trigger\Trigger.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\Users\Users.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Rise Of Legends.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Mantas\Mantas.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Mantas\Saves\AutoSaves\AutoSaves.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Mantas\Saves\Game Setup Files\Game Setup Files.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Mantas\Saves\Game Setup Files\CTW\CTW.exe
C:\Users\Admin\Documents\My Games\Skyrim\Skyrim.exe
C:\Users\Admin\Documents\My Games\Skyrim\Saves\Saves.exe
C:\Users\Admin\Documents\NFS Most Wanted\Mantas\Mantas.exe
C:\Users\Admin\Documents\OneNote Notebooks\Personal\Personal.exe
C:\Users\Admin\Documents\Outlook Files\Outlook Files.exe
C:\Users\Admin\Downloads\SoftonicDownloader_for_teamspeak.exe
C:\Users\Admin\Pictures\about.Brontok.A.html
C:\Users\Public\Public.exe
C:\Users\Public\trz3CE5.tmp
C:\Users\Public\Documents\Documents.exe
C:\Users\Public\Documents\trz46A6.tmp
C:\Users\Public\Documents\trz4753.tmp
C:\Users\Public\Downloads\Downloads.exe
C:\Users\Public\Downloads\trz4773.tmp
C:\Users\Public\Libraries\Libraries.exe
del C:\Users\Public\Libraries\trz*.tmp /f /q /c
del C:\Users\Public\Pictures\trz*.tmp /f /q /c
C:\Users\Public\Pictures\NVIDIA Corporation\3D Vision Experience\3D Vision preview pack 1\3D Vision preview pack 1.exe
del "C:\Users\Public\Pictures\NVIDIA Corporation\3D Vision Experience\3D Vision preview pack 1\trz*.tmp" /f /q /c
C:\Users\Public\Pictures\Sample Pictures\Sample Pictures.exe
del "C:\Users\Public\Pictures\Sample Pictures\trz*.tmp" /f /q /c
C:\Users\Public\Recorded TV\Recorded TV.exe
del "C:\Users\Public\Recorded TV\trz*.tmp" /f /q /c
C:\Users\Public\Recorded TV\Sample Media\Sample Media.exe
del "C:\Users\Public\Recorded TV\Sample Media\trz*.tmp" /f /q /c
C:\Users\Public\Videos\Sample Videos\Sample Videos.exe
C:\Windows\AutoKMS.exe
del C:\Windows\ShellNew\trz*.tmp /f /q /c
C:\Windows\SoftwareDistribution\DataStore\Logs\trzB77C.tmp
C:\Windows\SoftwareDistribution\DataStore\Logs\trzC716.tmp
del C:\Windows\temp\_avast_\unp*.tmp /f /q /c
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
----------
If there is a log created by OTL please post that. After you have run a new scan with OTL please post that as well. :)
-
Do I need to run OTL when my computer is in safe mode?
-
Here it is. The OTL fix created a file.
-
Hi QNtas,
I know this may seem like a lot of work and I appreciate your patience, but your system was heavily infected.
-----------------
Boot back into Safe Mode.
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
[28 C:\Users\Public\Documents\*.tmp files -> C:\Users\Public\Documents\*.tmp -> ]
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
Now run a new scan with Malwarebytes and ESET online scanner.
In your next reply please post the logs made by OTL, Malwarebytes and ESET online scanner. :)
-
Hi, here is ESET http://www.mediafire.com/?c4el9knbvcke6ge
and here is the OTL fix http://www.mediafire.com/?6iht43tbp21349f
and OTL hadn't created extras
-
Hi QNtas,
We are getting there but this is persistent.
Run a new scan with ESET. Make sure that Remove Found Threats is checked and press Start
Post the new log created when complete.
-
http://www.mediafire.com/?uszb10li7gotu8o
-
Hi QNtas,
Now that is what I wanted to see. :)
How is your system running?
-
Hi, I think good :) And no more viruses left?
-
Hi,
no more virus left?
I believe that we are clear. :)
Let's get some updates on your system...
Please download JavaRa (http://raproducts.org/click/click.php?id=1) to your desktop and unzip it to its own folder.
- Run JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista), pick the language of your choice and click Select. Then click Remove Older Versions.
- Accept any prompts.
- Open JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista) again and select Search For Updates.
- Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
----------
When you get this complete let me know and we can get some cleanup done.
-
Hey, I have installed it :)
-
Providing there are no other malware related problems...
IT APPEARS THAT YOUR LOGS ARE NOW CLEAN :D SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!! :D
----------
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run and copy/paste the following text into the Run box as shown and click OK.
Combofix /Uninstall
(Note: There is a space between the ..X and the /U that needs to be there.)
(http://i1224.photobucket.com/albums/ee380/jeffce74/CF.jpg)
----------
Clean up with OTL:
- Double-click OTL.exe to start the program.
- Close all other programs apart from OTL as this step will require a reboot
- On the OTL main screen, press the CLEANUP button
- Say Yes to the prompt and then allow the program to reboot your computer.
----------
This infection appears to have been cleaned, but I cannot give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords, as this is especially important after an infection.
Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.
Here are some tips to reduce the potential for spyware infection in the future:
1. Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialize and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub-frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
2. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:
- Open Internet Explorer
- Click on Tools > Internet Options
- Press Security tab
- Select Internet zone then place check next to Enable Protected Mode if not already done
- Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
- Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.
3. Use and update an anti-virus software - I cannot overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.
4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here (http://www.bleepingcomputer.com/forums/tutorial60.html). **There are firewalls listed in this tutorial that could be downloaded and used but I would personally only recommend using one of the following two below:
Online Armor Free (http://download.cnet.com/Online-Armor-Free/3000-10435_4-10426782.html)
Agnitum Outpost Firewall Free (http://download.cnet.com/Agnitum-Outpost-Firewall-Free/3000-10435_4-10913746.html)
5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update (http://v4.windowsupdate.microsoft.com/en/default.asp) regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.
6. Consider a custom hosts file such as MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.htm). This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial by WinHelp2002 (http://www.mvps.org/winhelp2002/hosts.htm)
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.
7. WOT (http://www.mywot.com/) (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.
8. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place? (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.