Avast WEBforum
Other => Viruses and worms => Topic started by: RONIN2010 on August 15, 2010, 04:01:55 AM
-
*edit.. Forgot to list:
OS: XP Home SP3
Browser: IE8, Firefox 3.5
AV: Avast Home 4.8, VPS 100814-1
Additional Scanners: Spybot S&D 1.6.2.46, MBAM 1.46 DB Ver. 4427
1. Detected during full scan of PC
2. Located in Temporary Internet Files/Content.IE5.
3. 04/04/2010, was the last time the file was modified, it was detected 08/14/2010.
4. File name is index[1].htm
5. A virus has been detected! Reported by Avast 4.8 scanner.
6. Scanned file again, which is in chest and same result.
7. Sent to Jotti, results are as follows:
[ArcaVir]
2010-08-15 Found nothing
[G DATA]
2010-08-15 JS:FakeAV-FL
[Avast! antivirus]
2010-08-14 JS:FakeAV-FL
[Ikarus]
2010-08-14 Found nothing
[Grisoft AVG Anti-Virus]
2010-08-14 Found nothing
[Kaspersky Anti-Virus]
2010-08-14 Found nothing
[Avira AntiVir]
2010-08-13 Found nothing
[ESET NOD32]
2010-08-14 Found nothing
[Softwin BitDefender]
2010-08-15 Found nothing
[Panda Antivirus]
2010-08-14 Found nothing
[ClamAV]
2010-08-15 Found nothing
[Quick Heal]
2010-08-14 Found nothing
[CPsecure]
2010-08-15 Found nothing
[Sophos]
2010-08-15 Found nothing
[Dr.Web]
2010-08-15 Found nothing
[VirusBlokAda VBA32]
2010-08-13 Found nothing
[Frisk F-Prot Antivirus]
2010-08-14 Found nothing
[VirusBuster]
2010-08-14 Found nothing
[F-Secure Anti-Virus]
2010-08-14 Found nothing
I'm not sure what to make of this.. I had a similar problem with another temp file that avast detected as a virus (JS:FakeAV-EI [trj]), same directory, with a name of index[2].htm, back in 04/14/2010, which was picked up on a full system scan. This file, along with the one mentioned above, is still quarantined in my chest. Just for a little background, here are the jotti results of that file:
[ArcaVir]
2010-08-15 Found nothing
[G DATA]
2010-08-15 Found nothing
[Avast! antivirus]
2010-08-14 JS:FakeAV-EI
[Ikarus]
2010-08-14 Found nothing
[Grisoft AVG Anti-Virus]
2010-08-14 Found nothing
[Kaspersky Anti-Virus]
2010-08-14 Found nothing
[Avira AntiVir]
2010-08-13 JS/FakeAlert.168219
[ESET NOD32]
2010-08-14 Found nothing
[Softwin BitDefender]
2010-08-15 Found nothing
[Panda Antivirus]
2010-08-14 Found nothing
[ClamAV]
2010-08-15 Found nothing
[Quick Heal]
2010-08-14 Found nothing
[CPsecure]
2010-08-15 Found nothing
[Sophos]
2010-08-15 Mal/FakeAvJs-A
[Dr.Web]
2010-08-15 Found nothing
[VirusBlokAda VBA32]
2010-08-13 Found nothing
[Frisk F-Prot Antivirus]
2010-08-14 Found nothing
[VirusBuster]
2010-08-14 Found nothing
[F-Secure Anti-Virus]
2010-08-14 Found nothing
I ran a Malwarebytes scan and a Spybot scan and no additional results have turned up. I guess my question would be, are these files a possible false positive and if not, since they are temp files, can they safely be deleted? Thanks for any help, as it's greatly appreciated.
-
Hi
download 'HiJackThis 2.0.4' and save it in a separate folder, run a scan, save the log and delete all private information.
Post the log (copy and paste ) in your next reply.
Think about an update to vers. 5.0.594
Regards
Sarakael
-
JS:FakeAV-EI
JS is a JavaScript malware you can get from an infected website and this may be from a fake scan page or something
Web 2.0: Attack of the JavaScript malware
http://www.scmagazineus.com/web-20-attack-of-the-javascript-malware/article/113132/
can they safely be deleted?
yes
2. Located in Temporary Internet Files/Content.IE5.
TFC - Temp File Cleaner by OldTimer
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.
-
Now that you have 20 posts, you no longer have to type your Signature in every post. Just go to PROFILE on the top of the main forum page > Modify Profile > Forum Profile Information > Signature. Enter information about your system like the Operating System (OS), RAM, browser, security software, what version/product of Avast and firewall you use and other items you wish to mention. See my signature or others as an example. This should make life a little easier. ;)
A few things I noticed in your post that will help increase your security:
1. Update your Firefox (FF) to the current version, which is 3.6.8
2. Update or do an uninstall/clean install of Avast to 5.0.594
3. See below for other recommendations
Jotti may not be as accurate/complete as Virus Total (VT), however Avast and G-Data use the same engine so this is considered one-hit. I would suggest that you update your Avast and MBAM definitions and run a Boot-time scan. I do not think you need to run a HiJackThis now scan at this time.
I would also suggest that you use NoScript and BetterPrivacy in FF, which will disable scripting and delete Flash LSO's (as well as other LSO's...you can read more about it in the add-on) for better security to help prevent this Java script malware.
Also make sure your MS Updates are current. Check your to make sure your software is current with free Secunia Software Inspector http://secunia.com/vulnerability_scanning/personal/ (http://secunia.com/vulnerability_scanning/personal/) since this is another way for malware to become vulnerable.
If you find that after doing the updates you still come out infected, please post and we will work with you on checking your machine for malware with other tools. Thank you.
Edit: typo
-
Thank you all for your recommendations, especially you SafeSurf. I completely forgot about the sig.. :-[ I'll start out today by doing a clean install of avast 5.0 and updating MBAM and FF. I have all my MS updates, which I just completed yesterday. I normally do not use IE but due to other people in my household, Que Sera Sera.. I also, will definitely look into the two add ons you were referring to, for FF. I'll run the boot time scan, once this is complete and post my results. Thank you also Pondus, for that JS article you pointed out! That does help shed a lot of light on just how malicious malware is getting. As for the temp files I've heard of TFC by Old Timer but I've grown quite fond of CCleaner. Thanks for the suggestion though!
-
You're welcome. :)
How to uninstall of Avast and CLEAN install:
1. Save a copy of newest version of Avast (5.0.594) for the version you need and save it to your HDD:
Free – http://files.avast.com/iavs5x/setup_av_free.exe (http://files.avast.com/iavs5x/setup_av_free.exe)
2. Download the Avast Uninstall Utility, aswClear5.exe http://www.avast.com/uninstall-utility (http://www.avast.com/uninstall-utility) and save it to your HDD (it has uninstall tools for both 4.0 and 5.0).
3. Disconnect from the Internet at this time.
4. Uninstall Avast through "Add/Remove Programs" through Control Panel if possible.
5. Boot into Safe Mode (hit F8 repeatedly) and run the Avast Uninstall Tool.
6. Reboot twice.
7. Clean your computer up (clean up cache, temporary Internet files, etc.) with CCleaner.
8. Install the newest version of Avast and reboot.
9. Get Internet access and update Avast definitions.
10. Register your copy or add the license key for Free -
http://www.avast.com/registration-free-antivirus.php (http://www.avast.com/registration-free-antivirus.php)
Let us know how things work out and I'll look forward to your next post. Thanks.
-
@RONIN2010
As for the temp files I've heard of TFC by Old Timer but I've grown quite fond of CCleaner. Thanks for the suggestion though!
TFC works a bit differently, it will clean ALL and ONLY temp files, so very useful when you have a bug located there.
CCleaner does not clean all temp files, but will also clean lots of other stuff...
on one of my systems TFC found 8 MB of temp files after running CCleaner.... so I use both
-
Pondus is correct. I also use TFC to get rid of extra stuff left behind when I really want to clean out things. I normally use CCleaner regularly, but this gets a little bit extra out of your machine. Might be worth a try...a clean machine is a happy machine. ;)
-
Okay. I'll give it a go, can't hurt anything! I favor CCleaner for its DOD-compliant deletion method. Other than that I don't really use it for much else, except for cleaning out browser caches and cookies. But I'll definitely give TFC a go and keep you all updated, either way. Thanks again!
-
Now you see why a forums signature comes in handy:
- You seem to like old software, firefox 3.6.8 is the latest version (unless your reporting of your firefox 3.5 is a typo) and closes a number of security vulnerabilities. avast is now at avast 5.0.594 and has been out for seven months, since your OS is supported by avast5 I would advise you download avast 5.0 and install that.
http://files.avast.com/iavs5x/setup_av_free.exe (http://files.avast.com/iavs5x/setup_av_free.exe)
- Registration avast5: How to register avast 5 free on page 8
http://files.avast.com/files/documentation/quick-start-guide-free-en-ww.pdf also see http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=459 (http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=459).
Since you have the latest version of MBAM I doubt that Spybot S&D will bring much to the party.
I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/ (http://secunia.com/software_inspector/).
-
Hello all.
I have followed your directions to a "T" SafeSurf and have installed 5.0 and registered it. I am now running a boot scan.
And thank you Pondus for mentioning TFC, which is now one of my favorites. :) TFC removed roughly 2 GB of temp files.. :o
David, you would be correct. The version I recorded was actually one of my FF themes. I do have 3.6.8. However.. I did notice a lot of nasty Java Toolkit plugins, that even Mozilla did not like. I decided to go ahead and remove FF and do a fresh install, installing the add ons SafeSurf had mentioned.
I've had a few hits on my boot scan and am currently only at 15% complete. Here are the hits I've received so far. All files have been moved to the chest. I will post the rest of the results, once the scan is complete. Thanks again all, for your patience and help.
C:\hp\bin\KillIt.exe is infected by Win32:KillApp-W [PUP]
File C:\Program Files\Gemteq\eGems\GemData\MyGems.gmd|>G90.rtf Error 42125 {ZIP archive is corrupted.}
File C:\Program Files\Microsoft Visual Studio\MSDN\2001OCT\1033\PERIOD99.CHM|>html\April99Win32.exe|>AutoPlay HTML.zip|>autorun.inf is infected by INF:AutuoRun-gen [Wrm]
File C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-40321DAD0241}\RP1162\A0194221.exe is infected by Win32:KillApp-W [PUP]
-
The HP one isn't a problem, as it is a tool (PUP = Potentially Unwanted Program), but tools can be used for good or evil and this one is part of the HP recovery partition. This tool is used to kill running applications and that is why it got flagged, but no action is required.
The same alert in the C:\System Volume Information\_restore almost certainly is related to this one if it has been moved or deleted, etc. then system restore would save it in a restore point, this you should let avast remove to the chest.
The archive is corrupted, is just a notification that for whatever reason avast can't unpack/scan it, so it believes it must be corrupt. Nothing you can or need to do about it.
I have no information about the April99Win32.exe file, which contains the AutoPlay HTML.zip file, which in turn contains the autorun.inf file (generally autorun.inf files are somewhat suspect as they would normally only be used in removable media).
I did find this article about it though, hope it rings a bell as to why it might be on your system and why avast doesn't like it, http://www.microsoft.com/msj/0499/win32/win320499.aspx (http://www.microsoft.com/msj/0499/win32/win320499.aspx).
-
The HP one isn't a problem, as it is a tool (PUP = Potentially Unwanted Program), but tools can be used for good or evil and this one is part of the HP recovery partition. This tool is used to kill running applications and that is why it got flagged, but no action is required.
The same alert in the C:\System Volume Information\_restore almost certainly is related to this one if it has been moved or deleted, etc. then system restore would save it in a restore point, this you should let avast remove to the chest.
The archive is corrupted, is just a notification that for whatever reason avast can't unpack/scan it, so it believes it must be corrupt. Nothing you can or need to do about it.
Thanks for responding David. I'll restore the KillIt.exe from the quarantine chest and leave the system restore point in the chest. Although I'll more than likely delete the system restore point from the chest, after all is said and done. As for the zip archive error I haven't used that app since I was in College, so I think I'll go ahead and uninstall that, as I no longer have a need for it.
I have no information about the April99Win32.exe file, which contains the AutoPlay HTML.zip file, which in turn contains the autorun.inf file (generally autorun.inf files are somewhat suspect as they would normally only be used in removable media).
I did find this article about it though, hope it rings a bell as to why it might be on your system and why avast doesn't like it, http://www.microsoft.com/msj/0499/win32/win320499.aspx (http://www.microsoft.com/msj/0499/win32/win320499.aspx).
I'm not entirely sure why or what this might be a result of, as it seems it could be anything. Games, software CD's, flash drives and a horrid USB adapter I used some time ago. But the autorun.inf should be on the storage media itself, correct? From what I could tell from the article, it seems like bad design on part of the engineers. But it would seem it's browser-related.
-
Well, it finished the boot scan. Only results were the 4 that were mentioned earlier:
C:\hp\bin\KillIt.exe is infected by Win32:KillApp-W [PUP]
File C:\Program Files\Gemteq\eGems\GemData\MyGems.gmd|>G90.rtf Error 42125 {ZIP archive is corrupted.}
File C:\Program Files\Microsoft Visual Studio\MSDN\2001OCT\1033\PERIOD99.CHM|>html\April99Win32.exe|>AutoPlay HTML.zip|>autorun.inf is infected by INF:AutuoRun-gen [Wrm]
File C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-40321DAD0241}\RP1162\A0194221.exe is infected by Win32:KillApp-W [PUP]
Not sure which action to take with the KillIt.exe file in the HP directory, as I moved it to the chest but it will not allow me to restore it, as it already exists? The system restore point, that contains mention of the KillIt.exe file I will likely delete from the chest, as long as that's a safe bet. However... The last file, "April99Win32.exe" I'm not sure which action to take with this one..
-
Not sure which action to take with the KillIt.exe file in the HP directory, as I moved it to the chest but it will not allow me to restore it, as it already exists? The system restore point, that contains mention of the KillIt.exe file I will likely delete from the chest, as long as that's a safe bet. However... The last file, "April99Win32.exe" I'm not sure which action to take with this one..
1. If the KillIt.exe file is in the Chest but also exists on your machine, you can delete it from the Chest.
2. The system restore file you can delete as well since you will not be able to use it anyway.
3. The April99Win32.exe I'd leave in the Chest for now.
Also, have you done an MS Update since your Boot-time scan to see if it picks up anything that is missing?
To clarify, you are now using Avast 5.0.594? Check to make sure your software is current with the free Secunia Software Inspector http://secunia.com/vulnerability_scanning/personal/ (http://secunia.com/vulnerability_scanning/personal/) since this is another way for malware to become vulnerable.
Do a quick check to see if any of your software needs to be updated as well. The PSI is more thorough than the OSI version (both are free).
-
1. If the KillIt.exe file is in the Chest but also exists on your machine, you can delete it from the Chest.
2. The system restore file you can delete as well since you will not be able to use it anyway.
3. The April99Win32.exe I'd leave in the Chest for now.
Will Do.
Also, have you done an MS Update since your Boot-time scan to see if it picks up anything that is missing?
To clarify, you are now using Avast 5.0.594?
Do a quick check to see if any of your software needs to be updated as well. The PSI is more thorough than the OSI version
I haven't checked my MS updates since the boot time scan, as I had to rush off to work but will do this, as well as run PSI the moment I'm home. I did DL PSI before I made any changes, just had to rush out the door. I will post my results, once complete. As for Avast, yes ma'am I'm running 5.0 and virus definitions are current.
-
You're headed in the right direction to improve your security. OK...keep us posted.
-
@ RONIN2010
be aware you won't get rid of it without diagnostic tools ;)
-
Sarakael,
Thank you for your input, but we've already been using diagnostic tools. It is not necessary at this point to use other tools, and if necessary we have a Certified Malware Expert on hand for this. Thank you. :)
-
SafeSurf !!
Certified Malware Expert ( rofl )
You'd better told it as I started here !
I ASKED FOR THAT !
Don't longer waste my time with guys like you
-
Hello All.
Just finished checking my MS updates and no critical updates are pending. However I am having an issue running PSI. I installed the app but cannot get it to scan. When I click "start scan" , it starts, jumps to 93%, then a pop-up appears, saying "scan aborted". I tried uninstalling, then reinstalling but same result.
-
Hello all.
Please disregard previous post.. I was able to get PSI to scan, after registering. Imagine that.. ::) However I seem to have opened a new can of worms with that app.. I've managed to get all programs updated except for one in particular. Adobe SVG Viewer 3.x. I updated this by uninstalling what was there and installing the current version and still can't get it to disappear from the threat list. Maybe due to the fact that it's at its end-of-life? Also I deleted the system restore point that had the KillIt.exe mentioned, as well as deleted the KillIt.exe from the chest. What I would like to know however, is how can I keep this from coming up in future boot scans, when it hits this file? Other than that I'm running a MBAM scan just for extra measure, to make sure all is well. Thanks again so much for your help and patience.
-
@ Sarakael,
Certified Malware Expert ( rofl )
We do have someone here named Essexboy...see his post on the Sticky on the top of the Virus and Worms section of this forum, who has helped many people with malware removal. I am not implying that I am the certified expert. Thank you.
-
I ASKED FOR THAT !
you asked for what? (http://s45.radikal.ru/i107/1008/2c/d21111f480b6.gif)
Don't longer waste my time with guys like you
yeah go burn in hell
-
RONIN2010,
After you deleted the system restore, did you reboot? Then restart your system restore again?
If a program is at the "end of its life" and there is no update for it with PSI, then we have no choice but to wait for an update or use a different software. Also, after you update a program there and reboot, some people rescan to make sure it is successful.
You mentioned earlier that KillIt.exe is something that is in your machine being used by HP, however David mentioned that Avast is detecting it as a PUP.
The HP one isn't a problem, as it is a tool (PUP = Potentially Unwanted Program), but tools can be used for good or evil and this one is part of the HP recovery partition. This tool is used to kill running applications and that is why it got flagged, but no action is required.
Perhaps David can offer more assistance with this.
Question: Do you by any chance have the Teatimer on for Spybot SD? Many have reported problems with this and Avast.
-
You shouldn't have to delete it as it is there to perform a legit function if it is in the HP recovery process, which I suspect because of its location C:\HP\bin\; this also assumes you have an HP system.
The HP one isn't a problem, as it is a tool (PUP = Potentially Unwanted Program), but tools can be used for good or evil and this one is part of the HP recovery partition. This tool is used to kill running applications and that is why it got flagged, but no action is required.
<snip>
However, if you don't want to delete it then you would have to exclude it from on-demand scans, via avast settings, exclusions.
-
RONIN2010,
After you deleted the system restore, did you reboot? Then restart your system restore again?
If a program is at the "end of its life" and there is no update for it with PSI, then we have no choice but to wait for an update or use a different software. Also, after you update a program there and reboot, some people rescan to make sure it is successful.
You mentioned earlier that KillIt.exe is something that is in your machine being used by HP, however David mentioned that Avast is detecting it as a PUP.
The HP one isn't a problem, as it is a tool (PUP = Potentially Unwanted Program), but tools can be used for good or evil and this one is part of the HP recovery partition. This tool is used to kill running applications and that is why it got flagged, but no action is required.
Perhaps David can offer more assistance with this.
Question: Do you by any chance have the Teatimer on for Spybot SD? Many have reported problems with this and Avast.
Thanks David and SafeSurf for responding.
No ma'am. Actually I did not reboot after deleting the system restore point. Matter of fact I didn't even have system restore disabled. I did however restore the HP/Bin/KillIt.exe from the chest before I deleted the entry in the virus chest, per David's earlier instruction. Sorry I wasn't specific on that. And yes I have had problems in the past with Avast detecting Teatimer.exe as a virus. However I had submitted it to Avast, who released a patch, with this as an exclusion in 4.8. Haven't had any problems lately with it but since Spybot doesn't seem necessary at this point I'm likely going to remove it anyway.
-
You're welcome.
-
And yes I have had problems in the past with Avast detecting Teatimer.exe as a virus. However I had submitted it to Avast, who released a patch, with this as an exclusion in 4.8. Haven't had any problems lately with it but since Spybot doesn't seem necessary at this point I'm likely going to remove it anyway.
Sounds like a good idea considering the amount of people we've had here with problems with it. Let us know how things progress. Glad we can help. :)
-
Sounds like a good idea considering the amount of people we've had here with problems with it. Let us know how things progress. Glad we can help. :)
Yeah I'm starting to get that feeling lol. Spybot doesn't seem to be moving forward innovatively, in the last few years. I guess my last question would be, would you have any suggestions on what could be done about the file that was flagged as infected in my MSDN directory? "April99Win32.exe" Other than leaving it in the chest. I am a little curious as to why it keeps showing up on boot time scans, if this file has already been quarantined. My lack of knowledge regarding the quarantine process is speaking here.. :-[ That and since I did not disable system restore before I deleted the restore point that was in the chest, was it even removed? Thanks again for your help through all this, as you all have been very helpful and it's greatly appreciated!
-
I suspect it was in a system restore point. Try disabling it, then restore it. Clean your system (CCleaner and TFC). Reboot. Then do a boot-time scan and see if it returns or not...it shouldn't. If not, we have something else to work on. But for now...leave the April99Win32.exe in the Chest.
-
I will do just that. :)
-
The big question is where it keeps showing up?
I doubt the alert is on the file in the chest, as the contents of the chest are encrypted and from the outside of the chest (check using Windows Explorer, see image), the file names are also changed, so it wouldn't be detecting the original file name but the name of the file in the chest from the external view. These are just two of the methods to protect the chest from external access, etc.
-
RONIN2010,
I've asked Essexboy, our Certified Malware Expert, to take a look at your issue. Keep an eye for his post here in the thread as he may be instructing you to do things different from what we have been doing. Thank you.
-
Hi Ronin could you give me an update please
OTL - Download (http://oldtimer.geekstogo.com/OTL.exe) or alternative link here (http://www.itxassociates.com/OT-Tools/OTL.exe) and here (http://www.itxassociates.com/OT-Tools/OTL.com) to your desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please Attach both logs
-
Hello all and thank you David and SafeSurf for all your help and time, it is much appreciated.
Hello Essexboy. I haven't changed anything since my last post. I go to work from 7pm-7am CST, so it's limited what I've been able to look into on my down-time. However I have DL'd OTL and am running the scan as per your instructions. I have someone who will be watching the scan at home, as it progresses. I will make sure to post both logs, once it is complete. Thanks for your time.
-
Scan has completed. The results of both logs are as follows:
-
Edit: Disabled URL's
Also I was just reviewing the OTL log and is this what I think it is?
O1 - Hosts: 127.0.0.1 hxxp://www.100sexlinks.com
O1 - Hosts: 127.0.0.1 hxxp://100sexlinks.com
I'm not savvy when it comes to understanding these reports, however judging by the context of these it seems pretty clear to me.. Does this mean, these are sites that have been visited? I have a 16 year old son who uses this PC and has access to my administrator account. I also have another account setup on the PC, for my wife and my mother who drops by and uses it occasionally. I know for a fact 2 can be excluded, if this is the case. I know this isn't your venue but this is now the 3rd time I've had to clean a virus from this PC (If there is a virus, this would make it 3). The 1st which was about a year and a half ago, was a porn popup virus that I had to get professionally removed. This was a result from him downloading various programs and visiting malicious sites, per the Tech. The second time I actually had to seek help from you guys. Now I'm here again.. Don't get me wrong, as you guys are fantastic and a great help but this is getting ridiculous. Other than banning my son's use of the computer altogether, as he has schoolwork and other things he has to use it for, is there a way I can block this type of activity? I tried finding ways but the only thing I can come up with is blocking all traffic on the internet altogether through my firewall. Sorry to jump off topic but if anyone has dealt with something like this I'd greatly appreciate your feedback as well.
-
They actually block those domains, so if there is any attempt to connect to those sites they are redirected to 127.0.0.1 (localhost), which is your local system and obviously nothing would be displayed and you wouldn't end up at that site.
essexboy will be back on the case later, he will be sleeping now as it is just after 2am in the UK right now.
-
They actually block those domains, so if there is any attempt to connect to those sites they are redirected to 127.0.0.1 (localhost), which is your local system and obviously nothing would be displayed and you wouldn't end up at that site.
essexboy will be back on the case later, he will be sleeping now as it is just after 2am in the UK right now.
Thanks David.
-
You're welcome, that's me for the night also, almost 3am.
-
You're welcome from me as well. :) Essexboy will help you greatly as you have some issues going on and he does wonderful work. Once everything is straightened out, he will also offer you some suggestions to prevent something like this from happening in the future. Feel free to ask him questions.
-
You're welcome, that's me for the night also, almost 3am.
Thanks David. You'd think I'd be familiar with timezones by now, due to it being a necessity in my line of work lol. But thanks for taking the time out of your day to help. I sure hope you guys get paid for this!
You're welcome from me as well. :) Essexboy will help you greatly as you have some issues going on and he does wonderful work. Once everything is straightened out, he will also offer you some suggestions to prevent something like this from happening in the future. Feel free to ask him questions.
Thank you and I will do just that. And I hope I don't sound like a broken record.. But in all honesty I like Avast's software but this forum and its staff have been the reason I've stuck with their software as long as I have. With the economy the way it is right now in the States and from the perspective of a parent and the only breadwinner in my household, the type of support you all take the time to provide is very rare and very valuable. I notice a lot of people don't even take the time to thank you guys.. But from those who really do appreciate it, thank you.
-
You're welcome.
We (for the most part) are just avast users like yourself, trying to help other avast users, though there is input from time to time from the avast developers ;D
-
OK, let's give this a whirl - On completion can you let me know what problems you are experiencing
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-2664475973-242872999-3650903500-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-2664475973-242872999-3650903500-1003\..\Toolbar\ShellBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O33 - MountPoints2\{7c2ac3fc-9594-11db-b6f7-0010dcf478f7}\Shell\AutoRun\command - "" = G:\JDLightning\Windows\JDLightning.exe -- File not found
[2009/03/20 07:44:49 | 000,060,744 | ---- | M] () -- C:\WINDOWS\java\g2mdlhlpx.exe
[2009/04/25 19:56:51 | 000,000,040 | ---- | M] ()(C:\WINDOWS\System32\????????????????????4???????????????????????) -- C:\WINDOWS\System32\????????????????????4???????????????????????
[2009/04/25 19:56:51 | 000,000,040 | ---- | C] ()(C:\WINDOWS\System32\????????????????????4???????????????????????) -- C:\WINDOWS\System32\????????????????????4???????????????????????
[2009/04/25 19:17:52 | 000,061,224 | ---- | M] () -- C:\WINDOWS\java\GoToAssistDownloadHelper.exe
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
You're welcome.
We (for the most part) are just avast users like yourself, trying to help other avast users, though there is input from time to time from the avast developers ;D
Well, without you guys, there would be no medium between developer and the client, therefore nothing to develop. :)
Thanks Essexboy for replying. I think I got this right... Seems all the question marks in the script you asked me to run in OTL, prompted a whole lot of smileys instead in your reply.. :o But I think I sorted through that. I'm starting the scan now and will attach logs as requested, once complete.
-
Scans are complete. Only thing I experienced, other than the usual slowness, was when I rebooted after the files had been moved I could see hidden files on my desktop. They disappeared after I opened OTL to run the quick scan though. Here are the logs:
-
I will rehide the hidden system files at the end ;D
Let's now run a defrag and see what problems remain
Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)
THEN
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php).
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
-
Thanks Essexboy. I DL'd Puran and ran the defrag as you instructed. However, my computer locked up at 21% in the process. I had to hard boot and run the scan again. The scan completed the 2nd time and was successful. After defrag I updated and ran MBAM, with results attached in the log below:
-
Any improvement on the speed front ?
-
Unfortunately not. I removed a lot of unnecessary apps including a 2 GB app and have got my free space up to 65% on my HD but it's still running about the same, even after defrag.
-
Ok next box of tricks ;)
To try and ease the startup try this
Download Startup Control Panel here (http://www.mlin.net/StartupCPL.shtml)
Install it and you will find a Startup icon in the Control Panel - run this
- In the HKLM tab, you may disable (be careful --> "disable") all the entries except your security software
- In the HKCU tab, you may disable all entries.
- In the StartUp tab, you may disable all entries.
Note : if you notice that some programs no longer run, you can enable them again by running Startup Control Panel, selecting the entry and choosing Run Now.
If you are in doubt with something, don't hesitate to ask ;)
-
Got it! There were no processes listed under the HKCU tab and only Secunia PSI, under the Startup tab. I do have a question though. In the HKLM/Run tab I have quite a few processes that seem like they might be necessary. I'm not entirely sure what's safe to disable and what's not exactly and was wondering if you might be able to shed some light. The ones that I know are safe to disable and not needed I've highlighted in bold, as I've already disabled those. Here is what I have in the HKLM/Run tab of StartupCP. The name of the processes are listed first, with their directory path underneath. :) Thanks again for your help Essexboy.
Adobe ARM
("C:\Program Files\Common Files\ADOBE\ARM\1.0\AdobeARM.exe")
Adobe Reader Speed Launcher
("C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe")
AlcxMonitor
(ALCXMNTR.EXE)
ATIPTA ATI Control Panel
(C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe)
Avast 5
(Security, definitely no disable)
COMODO Internet Security
(Security, definitely no disable)
Content Transfer WMDetector.exe
(C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe) Related to MP3 player
HotKeyCmds
(C:\Windows\System32\hkcmd.exe)
hpsysdrv
(c:\windows\system\hpsysdrv.exe)
Intellipoint
("C:\Program Files\Microsoft Intellipoint\ipoint.exe") Optical mouse
KBD
(C:\HP\KBD\KBD.exe)
LTMSG
(LTMSG.exe 7)
PS2
(C:\WINDOWS\system32\ps2.exe) Keyboard and mouse drivers??
QuickTime Task
("C:\Program Files\Quick Time\QTTask.exe" -atboottime)
Recguard
(C:\WINDOWS\SMINST\RECGUARD.EXE)
S3TRAY2
(S3tray2.exe)
StorageGuard
("C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r)
SunJavaUpdateSched
("C:\Program Files\Common Files\Java\Java Update\jusched.exe")
TkBellExe
(Real update scheduler "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot)
WCOLOREAL
("C:\Program Files\Coloreal\coloreal.exe")
-
Right then ;) Disable all bar these ones
Recguard - monitors the recovery partition
Avast 5
COMODO Internet Security
LTMSG - part of your modem
Unless you have the paid copy of Adobe it might be worth replacing that with Foxit PDF reader. Do you really need Real Player ?
Let me know your progress
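As an added example from the editor (not part of any post in this thread, and not a tool the helpers used), the following read-only PowerShell script audits the same HKLM and HKCU Run keys that Startup Control Panel lists, and the MountPoints2 AutoRun commands that OTL flagged earlier in the thread. The keep-list names are taken from Essexboy's reply above; the function names, the report fields and the choice to resolve bare filenames via PATH are my assumptions. It only reports (missing targets, unsigned binaries, entries outside the keep list); the disabling itself is still done through Startup Control Panel as described.

```powershell
# Added example: audit Run-key autostarts and MountPoints2 AutoRun commands.
# Reports only; makes no changes. Windows PowerShell 2.0 or later.

# Entries the helper said to keep (names as they appear in the Run key).
# Assumed allow-list for illustration, matched case-insensitively.
$KeepList = @('Avast 5', 'COMODO Internet Security', 'LTMSG', 'Recguard')

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Extract the executable from a Run command line: either a quoted path
# ("C:\...\app.exe" -flag) or the first whitespace-delimited token (app.exe 7).
function Get-ExeFromCommand {
    param([string]$Command)
    $Command = $Command.Trim()
    if ($Command.StartsWith('"')) {
        $end = $Command.IndexOf('"', 1)
        if ($end -gt 1) { return $Command.Substring(1, $end - 1) }
        return $Command.Trim('"')
    }
    return ($Command -split '\s+')[0]
}

# Resolve a full path directly, or a bare filename (ALCXMNTR.EXE, S3tray2.exe)
# through PATH the way the loader would. Returns $null when nothing is found,
# which is the "File not found" condition OTL reports.
function Resolve-Target {
    param([string]$Exe)
    if (Test-Path -LiteralPath $Exe -ErrorAction SilentlyContinue) {
        return (Resolve-Path -LiteralPath $Exe).Path
    }
    $cmd = Get-Command $Exe -ErrorAction SilentlyContinue
    if ($cmd -and $cmd.Path) { return $cmd.Path }
    return $null
}

# One object per Run value with existence, signature and keep-list status.
function Get-AutostartReport {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            if ($name -eq '') { continue }          # skip the (Default) value
            $cmdline = [string]$item.GetValue($name)
            $target  = Resolve-Target (Get-ExeFromCommand $cmdline)
            $signed  = $false
            if ($target) {
                $signed = (Get-AuthenticodeSignature $target).Status -eq 'Valid'
            }
            New-Object PSObject -Property @{
                Hive    = $key.Split(':')[0]
                Name    = $name
                Command = $cmdline
                Target  = $target
                Exists  = [bool]$target
                Signed  = $signed
                Keep    = ($KeepList -contains $name)
            }
        }
    }
}

# Per-volume AutoRun commands Explorer remembers for removable drives
# (the O33 MountPoints2 entry in the OTL fix above is this kind of value).
function Get-MountPointAutoRuns {
    $mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    if (-not (Test-Path $mp)) { return }
    Get-ChildItem -LiteralPath $mp | ForEach-Object {
        $sub = $_.OpenSubKey('Shell\AutoRun\command')
        if ($sub) {
            $cmdline = [string]$sub.GetValue('')
            $sub.Close()
            if ($cmdline) {
                $exe = Get-ExeFromCommand $cmdline
                New-Object PSObject -Property @{
                    Volume  = $_.PSChildName
                    Command = $cmdline
                    Exists  = [bool](Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue)
                }
            }
        }
    }
}

$report = Get-AutostartReport
$report | Sort-Object Hive, Name | Format-Table Hive, Name, Keep, Exists, Signed, Command -AutoSize

"`nNot on the keep list (candidates for disabling in Startup Control Panel):"
$report | Where-Object { -not $_.Keep } | ForEach-Object { "  {0}  ({1})" -f $_.Name, $_.Command }

"`nRun entries whose target no longer exists (dead entries, like OTL's 'File not found'):"
$report | Where-Object { -not $_.Exists } | ForEach-Object { "  {0}: {1}" -f $_.Name, $_.Command }

"`nRemovable-drive AutoRun commands remembered under MountPoints2:"
Get-MountPointAutoRuns | Format-Table Volume, Exists, Command -AutoSize
```

The Signed column is a hint, not a verdict: on a 2010-era XP box many legitimate OEM utilities (hpsysdrv, KBD, S3tray2) were shipped unsigned, so an unsigned entry is a reason to look the file up, while a missing target is a reason to remove the entry outright.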
-
Unless you have the paid copy of Adobe it might be worth replacing that with Foxit PDF reader. Do you really need Real Player ?
Which one are you referring to? The reader 9.0 or ARM? Reader I had to download from Adobe's site to satisfy Secunia PSI. Apparently I hadn't DL'd a patch and it forced me to update. However the patch wasn't successful and I ended up getting backwards on where I was in the progress of patching things and somehow managed to mess that and my flash player up.. :-\ So I ended up uninstalling all my adobe software and starting over from scratch. As for Real Player.. I "HATE" Real Player. That was installed by my wife lol. I have no problem getting rid of that!
-
Real Player is a nightmare; the only way to stop it starting with the system is to rename a file.
Any improvement ?
-
I disabled the processes you mentioned and have noticed an improvement in speed with startup and opening applications. Albeit, it's not light speed but it definitely beats traveling at the speed of dialup, as I seem to have been doing for quite some time! Real player is gone. I did not hesitate on that one lol. Did you want me to disable the 2 adobe processes? I'm not sure what you mean by paid adobe. I thought reader has always been free? I checked their forums and from what I could tell ARM is an updater and I did see mention of Foxit Reader. Are there issues with Reader 9, other than Adobe?
Also I had a question regarding disabling Avast5 and Comodo in the HKLM tab. Does this only disable the GUI but still allow both to run in the background?
-
OK, what I would suggest is that you uninstall Adobe and install Foxit Reader (http://www.filehippo.com/download_foxit/); it is free, small and fast. When you install it, do not accept the toolbar and do not let it run at start.
Leave both Avast and Comodo active along with LTMSG and Recguard; the remainder can be disabled ;D
-
Sorry, misunderstood your post from earlier... It's been a long week :-[ I disabled all processes in Startup, except for the ones you mentioned and installed Foxit.
-
Give it another temporary file clean and defrag - and note any improvements
For the temp files use :
Clear Cache/Temp Files
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
- Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
- Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
-
@ RONIN2010
get rid of Spybot S&D as it has become obsolete! ::)
MalwareBytes Anti-Malware (MBAM) is MUCH better.
-
@ RONIN2010
get rid of Spybot S&D as it has become obsolete! ::)
MalwareBytes Anti-Malware (MBAM) is MUCH better.
Actually I did. Somewhere along page 4 ;)
But you would be correct about MBAM!
Give it another temporary file clean and defrag - and note any improvements
PC just froze on defrag again, attempting to rerun Puran.
-
Get rid of Comodo Personal.
How much RAM does the system have ???
-
Get rid of Comodo Personal.
How much RAM does the system have ???
1 GB. Only about 50% total is being used. Doubt this is a memory issue.. More like a Puran doesn't like my PC issue. Out of 4 times running it, it's locked up my PC twice. Sometimes it runs and then sometimes it runs successfully. And why would I want to get rid of Comodo?
-
Get rid of Comodo Personal.
I'm curious and would like your input, as I've yet to have any issues with Comodo other than maybe it being a little more advanced.
-
Well a process of elimination is needed as I do not use Firefox 3.6.8 + BP nor NS nor WOT nor Comodo Personal nor Spybot S&D
-
Right, which I understand you're just trying to help and appreciate that. I also no longer use Spybot, just need to remove that from my sig. :) I'm also 100% certain Comodo is not the issue. But it seems that whatever the issue, it's revolving around Puran, within the first 15-30% of the defrag process. Which makes me wonder if it isn't a bad sector or a horribly fragmented or corrupted file on my hard drive.
-
Give it another temporary file clean and defrag - and note any improvements
Temp file cleanup was successful. 1st defrag froze my PC, 2nd defrag was successful. Speeds are the same. Not that that's a bad thing! :)
-
I would suggest that a chkdisc is the next option - full destructions here http://support.microsoft.com/kb/315265
-
I would suggest that a chkdisc is the next option - full destructions here http://support.microsoft.com/kb/315265
Done!
-
Were any errors found ?
I am running out of tricks at the moment to increase your speed :)
-
No errors found. I'm wondering if my system specs are just not adequate enough for Puran. I'm at a loss here. But thank you so much Essexboy, for helping me out. As long as there are no viruses I think I can live with the speed. Have for 7 years so far :'(
-
I haven't read all of this topic, but one of the most common problems with defrag tools is having insufficient free space on your hard disk for them to work.
If you have less than 15% free space on your hard disk you are looking at having problems with most defrag tools. You could try the Windows defrag; whilst not as fast as Puran, it may require fewer resources, but I think even Windows defrag warns you if you get below 15% free space.
-
Drive C: | 107.89 Gb Total Space | 63.90 Gb Free Space | 59.23% Space Free | Partition Type: NTFS
Not a problem here David ;)
So you are back to normal (whatever that is ) for your speed now ?
-
Yes, just a passing straw that I was frantically clutching at ;)
-
Been there done that ;D
-
Yes, just a passing straw that I was frantically clutching at ;)
No problem. Thanks for helping! :) And yep, your observation was correct. I'm able to run win defrag with no problems. Just seems to be the opposite with Puran.
Drive C: | 107.89 Gb Total Space | 63.90 Gb Free Space | 59.23% Space Free | Partition Type: NTFS
Not a problem here David ;)
So you are back to normal (whatever that is ) for your speed now ?
I believe so! Thank you for taking the time to help me out, again it is very much appreciated! ;D However do I need to do anything to patch up or re-hide hidden files?
-
Funny you should say that ;D
Also have you tried the Puran boot defrag ?
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif) Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems
Upgrading Java:
- Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 21 (http://java.sun.com/javase/downloads/index.jsp).
- Click the "Download" button to the right.
- Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
- Click on Continue.
- Click on the link to download Windows Offline Installation (jre-6u21-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u21-windows-i586-p.exe and select "Run as an Administrator.")
SPRING CLEAN
Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: - SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) to help prevent spyware from installing in the first place.
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Run weekly to keep your system clean
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To keep your operating system up to date visit - Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
Phenomenal! ;D
Thanks again Essexboy! I will do just that.
Take care all and thanks for the awesome support.
-
My pleasure ;D
-
Also have you tried the Puran boot defrag ?
I was going to suggest this...the Puran boot defrag. I find that after doing the regular Puran defrag, then the boot defrag speeds up my system.
RONIN2010, let us know how things are going in few days after using your machine for a while.
Essexboy, thank you again for all your help. :) :) :)
-
Also have you tried the Puran boot defrag ?
I was going to suggest this...the Puran boot defrag. I find that after doing the regular Puran defrag, then the boot defrag speeds up my system.
RONIN2010, let us know how things are going in few days after using your machine for a while.
Essexboy, thank you again for all your help. :) :) :)
Yes ma'am I just caught that suggestion. Just got done, running a checkdisk+restart+defrag+restart via boot time scan in Puran and all went well, without a hitch. Definitely favoring this option! Thanks again ;D