Avast WEBforum
Other => Viruses and worms => Topic started by: AKatRT on October 15, 2010, 10:07:12 AM
-
After avast scan have the following threat warning show up:Win32:Enistery [Susp]
File name is: C:\Windows\Temp\TMPFE4E.tmp; but there are many files listed all with a different TMP identifyer.
When trying to move to chest, delete, repair, the result is: Error:System cannot find the file specified (2)
Have reran scans several times, every time with the same result.
can anyone help with this please? andre'
-
Try this
TFC - Temp File Cleaner by OldTimer
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.
rescan with avast! and see if it is gone ?
also check for malware with
Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
always run update before you scan so you have the latest database
click on the remove selected button to quarantine anything found
you may post the scan log here
Report the result...
-
Many thanks!!
Fantastically quick response and the right answer as well. The first solution mentioned - tfc - did the trick. Avast scan afterwards still identified the threat, however I was now able to move to chest.
Again, thank you!
-
Celebrated too early...... I normally put the machine in 'sleep' mode but when I shut down and restarted the problem recurred exactly as before. So the same problem is now back. I then ran the Malwarebytes option - it found nothing. By the way I ran Malwarebytes right after Avast re-identified the earlier problem at start-up. See log below for Malwarebytes scan.
Any other suggestions please to get rid of this porblem? Thanks.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4853
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975
10/16/2010 11:17:32 PM
mbam-log-2010-10-16 (23-17-32).txt
Scan type: Quick scan
Objects scanned: 147256
Time elapsed: 7 minute(s), 58 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detecte
-
you can try running some more cleaners if you want ?
SuperAntiSpyware 4.44.1000 http://filehippo.com/download_superantispyware/
Dr.Web CureIt http://www.freedrweb.com/cureit/?lng=en
How Do I Use Dr.Web CureIt!? http://www.freedrweb.com/cureit/how_it_works/
Norman Malware Cleaner http://www.norman.com/support/support_tools/58732/en-us
Norman and DrWeb is not installed, you save to desktop and run from there, when done you can just drag them to the bin
-
If none of the above work, then do this
Follow this guide form our expert malware remover Essexboy and post the log`s here
http://forum.avast.com/index.php?topic=53253.0
To avoid using multiple post with copy and paste you have to attach the log`s
Lower left corner: Additional Options > Attach ( OTL.Txt and Extras.Txt. )
-
Thanks again Pondus. Let me try all of that and see what happens. Will post the results.
-
Pondus, just to keep you posted, I continue to have issues but have not exhausted all of your suggestions. I thought I had things fixed and then I suddenly got a Windows Vista start-up problem. Could not get to the desktop window in vista due to a windows error messsage that said: "Microsoft Visual C++ Runtime Library -> This application has requested the runtime to terminate it in an unusual way. Please contact the application's support team for more information." Of course Microdoft does not help due to the OEM status of my package.Impossible to get past this error message. Have to then shut down, restart F8 (Toshiba laptop) and go to an earlier restore point, in order to get Vista running again and circumvent the error message. But every time I shut down and restart the problem recurs. I just ran Avast again and it gives the original virus detection problem. Now running Norman as per your suggestion. It'a pain. But like I said, not everything doen yet that you had suggested. Hope the Vista thing is not something "in addition to", but is related to the original virus threat. Thanks.
-
So, all done as suggested. MBAM and OTL logs are attached. I earlier ran all the suggested cleaners. Trojan.Blabkmailer.1680 was found and moved by DrWebCureIt. Problems persist: (1) Avast keeps finding the infected TEMP files as mentioned in the earlier post and remains unable to clean. (2) Windows Vista at start-up runs into the error message on Microsoft Visual C++ that is mentioned in the earlier post. I have done a repair on Visual C++ but appears to have no effect. Would appreciate help. Thanks. Andre'
-
Hi the log was saved in Unicode, could you save it in ANSI please
-
Thank you but would not know how unfortunately
-
Have a quick look at my picture, open the log then select save as and ensure that ANSI is selected
-
Finally, sorry, couldn't find the darn things anymore. Hopefully better now. Thanks!
-
A question - did you install windows remote management ?
Download ComboFix from one of these locations:
Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-
NO, did not install remote mgmt. Will do the combo fix now. Thanks.
-
Ok go to programmes and features and uninstall windows remote management
This can be done after combofix
-
Log attached. Am missing most icons in system tray at lower right - not sure what that means. Will try to do the remote mgmt now. During Combofix got error message: "PEV.cfxxe Corrupt File . The file directory C: is corrupt and unreadable. Please run the chkdsk utility".
-
Log attached. Am missing most icons in system tray at lower right - not sure what that means. Will try to do the remote mgmt now. During Combofix got error message: "PEV.cfxxe Corrupt File . The file directory C: is corrupt and unreadable. Please run the chkdsk utility".
-
Log attached. Am missing most icons in system tray at lower right - not sure what that means. During Combofix got error message: "PEV.cfxxe Corrupt File . The file directory C: is corrupt and unreadable. Please run the chkdsk utility".
Windows remote management was not listed as an installed program and so I did not uninstall.
-
What's with all the duplicate posts and attached combofix logs. If it is trying to bump the topic, essexboy, being in the UK, (after 1:15am here) will be in bed.
Have you tried what was suggested and run the chkdsk utility ?
I don't know if this is a function that can be called from combofix or if it has to be run from a windows command window (cmd).
If it requires essexboy's input he won't be back until tomorrow.
-
OK the log does not look to bad - could you check that the tray icons are not just hidden
Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html), when installed select boot defrag with check disc. Once completed let me know of any remaining problems
-
All the duplicate messages were as a result of it initially not showing that the posts had been sent - it appeared the page would close right before the posts were sent. Then, later, all of a sudden they appeared. May be a problem at my end. No idea. But I didn't do it out of boredom (at time of night). Any event, then had to work today and just able to get back to machine.
-
I must appear retarded essexboy, but please, how do I know if they are hidden or how do I 'unhide' them? I have no clue.
I will get on with the other things you suggested now. Thanks.
-
Right click the taskbar and select properties. The first screenshot will appear, select customise
-
Then you will see this screen, this is where you show or hide icons
-
OK, looks like you have been able to do the unthinkable, I'm up and running and no more error messages from Visual. The icons came back after the defrag thing. I thank you! I'm left with two questions please:
1. Will I still see the problems in the temp files when I do an Avast scan you think? And if I do, and Avast can't move or repair, should I worry?
2. At one time, on Pondus' advise, we ran Superantispyware. When I try to remove that program (via windows control panel) I first get a message whether I also want to remove logs and quarantined items - if I say 'yes' to that the entire screen goes weird and feezes up and I have to force a shut down. What best to do with that? Leave it alone?
Thanks again essexboy!
Andre'
-
Reference Superantispyware - use Revo uninstaller on that http://www.revouninstaller.com/revo_uninstaller_free_download.html get the free version
For the temps set IE to clear all temp files on closing:
Go to internet options > Advanced > security and select clear files on browser closing
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
.
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove. But it is a useful tool to keep
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif) Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems
Upgrading Java:
- Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 21 (http://java.sun.com/javase/downloads/index.jsp).
- Click the "Download" button to the right.
- Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
- Click on Continue.
- Click on the link to download Windows Offline Installation (jre-6u21-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u21-windows-i586-p.exe and select "Run as an Administrator.")
.
To manually create a new Restore Point- Go to Control Panel and select System and Maintenance
- Select System
- On the left select Advance System Settings and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- Go back to the System and Maintenance page
- Select Performance Information and Tools
- On the left select Open Disk Cleanup
- Select Files from all users and accept the warning if you get one
- In the drop down box select your main drive i.e. C
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
You are now done
SPRING CLEAN
Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: - SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) to help prevent spyware from installing in the first place.
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Run weekly to keep your system clean
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To keep your operating system up to date visit - Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
Thank you for all this. I'll get to that cleaning assignment this evening. Many, many thanks. I assume that with regard your last comment / recommendation on additional installations, I keep Avast as well.....considering your pedigree I'm assuming that; but if wrong, please drop me a line still. Owe you big time.
-
Absolutely - been using Avast now for donkeys years with nary an infection ;D
-
Right, thought so.......
-
There are several other free AV programmes - but I would not recommend AVG as it is a bit iffy in my experience
-
Struggling to find my way with the following instruction:
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
•Click Start.
•Open My Computer.
•Select the Tools menu and click Folder Options.
•Select the View Tab.
•Under the Hidden files and folders heading select Do not show hidden files and folders.
•Click Yes to confirm.
•Click OK.
After I click start I see 'computer' in the panel which lists the drives but I don't see the follow-on steps you mention. Help?
-
Alternative method - go to control panel > folder options then follow the rest :
•Select the View Tab.
•Under the Hidden files and folders heading select Do not show hidden files and folders.
•Click Yes to confirm.
•Click OK.
-
Major problem when I did the Java correction thing. Download froze up, machine froze up. Internet connection gone. Had to restart and restore to previous point. Restore point was earlier step with revo uninstaller. Have internet back. But back to square one on the icons notification area. Power icon is greyed-out in the pop-up box and cannot be checked. Not visble either. Scare of my life. What to do to get a stable status going again please. Will leave the 'last steps' cleaning till later but would like to have that stable status. Can you help me with this please. Thanks.
-
Did a Java download of the latest version, simple button at the java download website, rebooted, and the power icon is back. But nervousness around what happened earlier remains. Gonna crash now, but would appreciate you giving it some thought please. Thanks.
-
Hah, I have repeated the entire process of cleaning you recommended once more (considering the restore point). Except for the Java thing of course. All appears to be ok. The java website under help has an action "uninstall older versions" but they they also note there may be dependencies with the older versions for certain components. Sounds scary to me. I have left it alone. I now have the latest java version installed (version 6, update 22). What do you think? Thanks.
-
That is a problem I come across with Java sometimes - it seems to throw a wobbly for no apparent reason. Hence I no longer have Java on my system
But leave as is, if you are feeling brave then you could try Javara http://raproducts.org/wordpress/ to remove the old java
So how are things now ?
-
Thanks. I don't feel so brave so I prefer the status quo. Let me run it for another day or so and I'd like to get back to you then.
-
;D
-
Nothing urgent, but by the way, that spywareblaster thing I find a bit more complex to set up and understand. Is there a brief guide anywhere available to understand it better? It seems to pre-set what it protects against. What if tomorrow some crazy develops a new virus - how does protection get implemented for that? Find it befuddling.....
-
Ah, I'm slow but perhaps this is it: I run spywareblaster for ongoing bad ActiveX protection, I run Avast for real-time protection, I run MBAM (at least) once a week to kill spyware. Am I close? This would appear more or less logical to me...... Thanks.
-
That is right Spyware blaster places a killbit in the registry which will stop known malware activeX files installing. Avast for front line protection and MBAM weekly as a rearguard action
-
Besides what essexboy has said - You don't run spywareblaster it is inert, it adds entries into the various browsers it supports, etc to block bad sites and activeX registry killbit, etc.
So all you do is periodically open spywareblaster, check for updates (they aren't very frequent), it downloads the new updates (very quick) and then you apply those new entries and close spywareblaster, job done.
-
Thank you Essexboy, thank you David R. All is well and stable (the PC that is). Things run slower than before but I assume that is a result of all the stuff I have running in the background now. I forgot to mention, via Google toolbar I also have Spyware Doctor running. But no more errors or crashes or freezes. Quite a relief! Thanks!
-
Spyware doctor running with google toolbar will take up some of your resources... Do you need it ? If you run MBAM weekly and keep your webshield up and running you should be relatively safe
-
Thank you, I'll mull it over. But again, we are up and running so I'm happy. No possibility of a donation to thank you for the help? I'd gladly comply! You guys are great. Otherwise I'll leave you in peace now and you can rescue others.
-
Just keep passing the news about avast to others who might benefit from it and the support you received.
Support is often something not considered when selecting your AV, until you have a problem that is ;D
-
So true and I will spread the word. You and your team colleagues are exceptional. Till the next time (but not for a while I hope.......). Thanks.
-
A final word. Perhaps of interest for future cases, the original symptom, the original threat detected by Avast, is still there when doing the Avast scan; and Avast continues to be unable to move, repair or delete. But I'm ignoring it hoping we have killed the threat somehow and Avast is simply 'confused'...... FYI.
-
A final word. Perhaps of interest for future cases, the original symptom, the original threat detected by Avast, is still there when doing the Avast scan; and Avast continues to be unable to move, repair or delete. But I'm ignoring it hoping we have killed the threat somehow and Avast is simply 'confused'...... FYI.
You are still getting alerts from Avast ? In that case I would assess that there is still something there
Download avz4.zip from here (http://z-oleg.com/avz4.zip)
- Unzip it to your desktop to a folder named avz4
- Double click on AVZ.exe to run it.
- Run an update by clicking the Auto Update button on the Right of the Log window: (http://i768.photobucket.com/albums/xx326/perplexus13/malware/avz-update-button.png)
- Click Start to begin the update
Note: If you recieve an error message, chose a different source, then click Start again
- Start AVZ.
- Choose from the menu "File" => "Standard scripts " and mark the "Advanced System Analysis with Malware removal mode enabled " check box.
(http://perplexus.geekstogo.com/avz-standardscripts-asa-removal.png)
- Click on the “Execute selected scripts”.
- Automatic scanning, healing and system check will be executed.
- A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
- It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
- All applications will work properly after the system restart.
When restarted
- Start AVZ.
- Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Analysis " check box.
(http://i768.photobucket.com/albums/xx326/perplexus13/malware/avz-standardscripts.png)
- Click on the "Execute selected scripts".
- A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post
-
Found out this morning that indeed all is not well. On start-up from sleep mode had a funny looking screen. And all of a sudden using my (HP) printer in wireless mode does not work anymore. Had to print via USB. Have to travel today but will do as you suggest as soon as I can and let you know. Thanks.
-
On the AVZ4, was unable to get the screens you show. Instead was able to get something called AVZ Antiviral Toolkit going. It is running a scan now. Hope this will amount to the same. Travelled to the planet's other hemisphere - thus struggling a bit with response timing. But continue to appreciate your help.
-
Sorry to "hijack" "lend" this thread, but is the Win32:Enistery virus dangerous? What kind of "virus" is it?
I got it in many of my *.tmp files on my harddrive in my Temp folder, but i started in "Safe mode" and deleted the whole contents in the temp folder on all the accounts on my computer. Then i ran Spyware doctor and it found a high grade Virus/Trojan which i deleted, in "Safe mode". So what "kind" of virus is this? Anything to worry about? Keylogger or what? Sorry again for posting... I Have a clean system now :D
I have win xp home sp3
-
On the AVZ4, was unable to get the screens you show. Instead was able to get something called AVZ Antiviral Toolkit going. It is running a scan now. Hope this will amount to the same. Travelled to the planet's other hemisphere - thus struggling a bit with response timing. But continue to appreciate your help.
OK looks like they changed the programme I will download a new copy and play
-
Ran AVZ4 once and it did not detect anything. Then I realized I could enhance the settings - and so I did. It has now been running again for a while and it appears to now find bad files. I will advise when the scan has completed.
-
Update -> scan still running, program got stuck during the night and runs a long time. Will advise.
-
Looks like it is quarantining stuff - but appears to take for ever.....
-
Had to abandon whatever AVZ4 was doing, system got bogged down. Until it came to a virtual standstill, it reported 'proces masking detected' and it reported quarantining due to 'suspicion of IM-Flooding'. I will try something else later and see if it will run at normal speed.
-
IM flooding means it has detected a stealth network connection
You can run this programme from safe mode
-
I ran a system analysis, But the log is in htm and I cannot upload.
-
Log attached now in txt. Hope this works.
-
Apparently it did work thsi time - attaching the file in txt format that is. Now I ran this analysis at the AVS recommended settings in normal mode - FYI.
-
I have ran the AVZ analysis one more time with the setting changed to 'all servers and drivers'. Log attached.
-
Running another AVZ search with the antiviral toolkit. Again lots of warnings about 'proces masking'. Will try to get a log this time.
-
The search scan again takes for ever, goes slow, whilst the system indicates it is quarantining files. I have paused the search scan (afetr some 10 hrs I guess - and it may take another 5 to finish is my estimation)and have attempted to attach the saved the log with the results up to now. However there is a forum error message indicating that the file is too large. What to do please? Thanks.
-
Could you upload to Mediafire (http://www.mediafire.com/) and post the sharing link.
-
http://www.mediafire.com/?8dsd72ax81vlkyy
The above is indicated as the sharing URL. Hope this is what is needed. Thanks.
I wanted to ask you still please, when I first started out with Pondus, there waa a malware detector (forgot which one now) that identified temp files. In my case it listed a bunch of files but not the temp files that avast had indicated where the problem was. So i did not delete any. Should I run that program again perhaps and this time delete all those temp files the malware detector lists? Just a thought. Thanks.
-
That did not look good as there are a lot of system processes masked
Download Dr Web from here http://www.freedrweb.com/?lng=en link on the top right of the page, tick the EULA and then download
It will download as an 8 digit file save it to your desktop
Restart in safe mode and run
Accept the enhanced version
Then run the quick scan
About halfway through you will be prompted to buy - just X the box closed
Once finished it will generate a log please attach that
Immediately that has finished I will need a fresh Combofix scan please
Download links
Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
-
Unable to post with attachment. Get timed out. Did upload instead. URL is http://www.mediafire.com/?bth4nlnxu49bf2i. Machine getting slower and slower. Ran Dr Web in safe mode with networking. It found no infections. I did not as yet run the combofix - should I if no infections were found and should I run in safe mode? Was unable to communicate with the forum from safe mode with networking. And still very slow to ommunicate. Am now back in normal mode. Also, during the Dr Web scan, Windows showed a threat message indicating that Hosts files had been modified. It asked me if I wanted to return to default for Hosts, and I accepted. Also, it appears as if something is preventing me or causing me to get hung up when trying to access certain websites (hotmial, yahoo, etc); I also wonder if something is trying to redirect me. The URL when I access hotmail is http://sn130w.snt130.mail.live.com/default.aspx?wa=wsignin1.0
Not sure whether that means anything, but can only access hotmail when this URL is showing. Cannot access hotmail via MSN web for example.
Please advise. Thanks.
By the way, somehow lost the sequence and a new post was started in error. I'm struggling here - sorry. Thanks.
-
Yes continue with the combofix run please - from safe mode if necessary
The link is to the windows live sign in page
-
@ AKatRT
Please Go to PROFILE then Modify Profile then Forum Profile Information then select your country in Please select your country: then update your Signature: with information like my signature as this helps the helpers offer pertinent advice.
It helps to know what timezone you are in. ;)
-
OK, will run combofix.
In the meantime I had tried to run a full scan with Dr Web but was taking ages.
YoKenny: Understand, but nothing is easy. I am currently in the US travel back to Europe on Monday. Am on the move a lot and at work all the time - and thus not always access to sick laptop. Sorry. Thanks. Andre'
-
I have attached combofix log (I hope) - cannot locate a program generated log; this one I saved and hopefully it works for you. Thanks for sticking with me Essexboy!
-
Attached another version I found of the combofix log but hopefully = same as I sent an hour or so earlier.
Also ran MBAM one more time. Log attached (2 versions saved - I hope with identical content - one I saved manually)
Thanks.
-
Hmmm this is weird - do you have the HTML file from AVZ ? If so could you upload that
At the moment I am seeing no malware of any description at all
-
Let me try and find that. Thanks.
-
Am working on the upload. Goes very, very slow. Thanks.
-
Is there an alternative to mediafire? Don't get beyond stage of 'engine loading'. So files had been uploaded by me earlier, but I can't access the URL info to send you the htm files. I'll keep trying.
-
http://www.mediafire.com/?axz99tpaq94534k
This is the link for the analysis AVZ.
I'll now run the search scan again for drive C - this took for ever last time and never finished, but let me see.
-
I have attached the most recent AVZ LOG. This time I ran with the application's default settings. Process masking is still identified - but the scan took a lot less time. Hope this helps. Thanks.
-
Ok it is spyware doctor masking the processes, although why it is doing that I have no idea
Is your system still running slow
I am wondering now if Avast is alerting on unencrypted data from spyware doctor
-
We have a diagnosis! Thank you. Why don't I start by removing the spyware doctor application? You agree?
-
Oh yes, your question, yes system still show in particular around IE. Very slow. In particular still when not the default home web page.
-
Good idea on spyware doctor as MBAM is better
For IE have you set it to clear caches when closed ?
Go to Control Panel > Internet Options > Advanced tab
Scroll down to the Security section
Place a tick in the "Empty temporary internet folder when browser is closed"
OK out
It might also be a reasonable practice to use TFC every day or so
Clear Cache/Temp Files
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
- Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
- Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
-
Thank you. Yes, box was checked. If I may run something by you please. I notice that IE gets hung up whenever the avast icon (notification area below right) does not turn when clicking to go to a website - it remains static. Or vice versa, i.e. avast icon does not turn because IE is hung up, or whatever may be the root cause. When i open up avast it appears it is showing some activity - but still, it is something I have noted. Does this mean anything to you? Thanks.
-
The TFC did not do anything for IE speed. But I'll do as you suggest and run every now and then.
Is there anything in the internet settings that I might have where access to sites may be slowed? I have things set at medium high security. Thanks.
-
I ran a full avast scan. No threat found! Good news. Just a real pain that IE is working so slowly. I will be traveling from tomorrow Monday afternoon (UK time) through Tuesday (UK time). I will see if a different internet connection will do me some good. Can try that late on Tuesday. Will advkise then. Thanks.
-
Ok, I uninstalled the entire slate of google apps as well, and reinstalled parts that I use but not 'spyware doctor' (which can come as an add-on). The machine is faster. Not sure whether it is the google thing or perhaps a better internet connection (or both). Every now and then still something 'odd' happens, such as IE 'loosing' the webpage and instead showing some peculiar message. Also, I ran avast again, and again no threats found.
Would you be OK with me running things for a couple of days still and then letting you know? Would appreciate. Thank you.
-
For sure - with regards to addons I only use one as I find the rest a waste of space
-
Well, ran without problems for all these days, however when I wanted to do a windows back-up today, it didn't work. I initiatiet the back-up action, the window indicates that back-up is running, however subsequently it simply goes back to the original status and the action of backing up terminates. No idea how to fix this now. Andre'
-
Just for info, when accessing the problem reports feature in Windows, it would indicate that in the background problems have been occuring over the past period. But these problems (except for the odd IE close) have not been visible to me. Thanks.
-
Further info, a full scan by DrWebCureit found trojan.blackmailer virus. Moved to quarantine. Wonder why the problems persist and why avast is not picking it up?
-
Ran MBAM, ran TFC, in addition to Cureit; have spywareblaster installed, but problem not resolved. Windows Back-up not possible. Plse help. Thanks.
-
Was an error generated whilst doing the back up ?
-
No, no error message. The status window indicates the back-up is running but the usual status bar indicating progress is not visible. Then the back-up just terminates. Am on the road all day today - diificult to respond; but can work any suggestions you may still have tomorrow or late this evening. Thank you.
-
Are you backing up to your C or E drive ?
-
I'm backing up to CD Drive F.
-
What size is the CD and how large is the backup - as the disc may not be big enough
-
No idea, but that's not the problem I believe. The process is that back-up data is first generated and only later, after it has done that, it asks to insert the CD/DVD (DVD in my case). But this very first phase of data gathering / generation it does not seem able to properly initiate. Normallly a status bar prvides progress for this phase - now no status bar is visible. It does request however that the computer be plugged in - it won't run on battery powwer - and this the correct message that I would expect. Hope this info is of use. Thanks.
-
Could you locate the following log please %windir%\logs\windowsbackup\
Also is Avast running whilst you backup - as it may be reading files that are trying to backup
-
I looked for the log with IExplorer and with the search feature in the Start menu, and could not find.
I attempted back-up with Avast disabled and got no results. Just for info, in the past this had also not been an issue.
All bad news I guess?
-
I keep running virus checks and Avast keeps missing them and DrWebCureit keeps identifying viruses (but am not so sure it actually eliminates them - although it says it does). Again Trojan Blackmailer 1680 - now in C:\Documents and Settings\korporaal\DoctorWeb\Quarantine\NetDeviceManage0.exe. -> cure action ,plus then, C:\Documents and Settings\korporaal\DoctorWeb\Quarantine\NetDeviceManage0.exe -> cannot cure -> move to quarantine. Same actions for C:\Documents and Settings\korporaal\DoctorWeb\Quarantine\netdevicemanager.exe. Still running now.
-
They are all in the Dr Web quarantine folder - delete that and they will go
I will see if I can find a solution that does not require me to see the log
-
Thank you. I have attached the log just in case. Thanks for being willing to continue to try to get rid of this thing. Had been trying to send this earlier, yesterday, but Forum difficult to get on to and send a reply - slow, kept getting timed out.
Still having probems so will now try and send without the log.
-
That worked. With log attached does not work - so would have to upload log file. Let me know please if indeed you do require. Thanks.
-
For some funny reason, IE gets timed out / is very slow with a few particular websites. With others not at all.Not sure if this is related to the problems we're having.
-
For info, just had an IE 'Data Execution Prevention (DEP)' event.
-
@ AKatRT
Please go to PROFILE then Modify Profile then Forum Profile Information then select your country in Please select your country: then update your Signature: with information like my signature as this helps the helpers offer pertinent advice.
-
Something amiss here
Lets try an SFC
Go to start > All Programs > Accessories
Right Click Command Prompt and select run as administrator
When the prompt opens type the following bolded text and press enter
sfc /scannow (Note: There is a space between sfc and /scannow)
On completion reboot
-
Thanks. Don't want to pretend I have a clue, but I ran another program, spyware terminator, and it appears to have found lots of trojan related stuff. Just don't know how to get the log to you. Log can be copied to 'clipboard' but no idea where to find it then. It won't go with a post. Would like to share it with you.
-
If you copy it to clipboard, open a notepad and then select paste
-
here it is. thanks
-
just to further clarify, did not clean anything as yet. i suppose i would have to rerun the scan to clear or clean.
-
Well that programme does not like Google, dotnet, windows mobile, windows live mail, ATI and MS works
Nothing there as far as I could see was a legitimate detection.. Do you need to buy the programme to commence cleaning ?
-
Thanks. No, don't have to buy. But if not legitimate I'll just leave it for now I think. Or do you suggest I clean anyway? What happens there anyway, do the guys that try and sell these programs just throw in these trojan ids in the hope we'll ultimately buy their stuff?
I will do now what you said I should do -> SFC.
-
Did the Windows Protection thing as you suggested. Its message was that it found corrupt files and that it was unable to fix some of them. I rebooted. Still no back-up possible.
-
I located the CBS file (log) created by the SFC but access is denied. Do you need it and if so is there something else I could do?
-
Do you have the Vista repair console installed ? When you select F8 as if to go to safe mode is there an additional option on the menu to Repair my computer?
-
Yes, but I believe I tried that earlier. Before I made your life a challenge..... If I recall correctly it wants some prior restore point? At that time it did not work for me. I'll gladly try again - anything in particular still I should keep in mind when I go there?
-
Not really try the repair my computer option but do not go for a restore point, cancel that and go to the next stage
There is a step by step guide here http://www.bleepingcomputer.com/tutorials/tutorial148.html
-
Thanks. Will do that.
-
Avoided the restore point option and did start-up repair and windows memory check. The problems with backing-up persist. Anything else we can try you think?
-
The only thing I can think of at this stage would be a repair install - but that requires the discs
-
I have the discs. But how would that work then? Would we identify the 'broken' files upfront (through the logs) and then specifically repair those or would it involve some general operation? Thus far I have been trying to avoid going back to the ortiginal set-up and lose all the subsequent history and settings. But again, I have a set of initial system copy discs. And I have made bi-weekly copies (until the virus broke) of the created data as well. Thanks.
-
Ah so you have a recent image that you could restore - prior to the attack that is
-
Well now, let me make sure I understand. When I bought the laptop, Windows Vista was installed and the purchaser is urged to make a copy of the (virgin) system - I did that. Then, over time, I make weekly / bi-weekly back-ups through the Windows back-up system. But I only keep the latest back-up of course. Now, as I understand it, these latter back-ups copy the data that I have generated, but not the core system - but what do i know..... In any event, i have both. And I must admit that an amateur like me can only guess about that last back-up being before the attack and no virus being present. But I can perhaps do a virus check of the data on the disc pior to using the disc? Have to travel for some three hours now - just letting you know so you don't think i'm not engaged in resolving this. As I said before, busy life with lots of travel. Thanks.
-
Timing is not a problem as real life rules
Reading that an option would be to install the virgin system and then restore the last backup
-
Ok, sounds scary though, not possible to identify the back-up 'program file' from the virgin disc and just select and install that? Don't mean to be difficult but I remain worried settings and history will get lost in the shuffle of a complete install. Thanks.
-
I will check it out to confirm some data
-
How lack of bravery can motivate. I went to F8 start-up again and ran all the options that did not involve a complete reinstall or a prior restore point. Not sure what it all did and I also repeated the actions in your Nov 20 11:26 post. Behold, I ran a complete back-up just now and my IE appears in reasonably good health as well. So thank you once again!
Barely dare say it, but can I try and run again for a couple of days and let you know what the state of health is please?
Also, can I just ask you again please, do you believe I should stick with spyware terminator and have it clean what it reported, or do you suggest we leave things now for what they are. You were suspicious about how real the so called problems were that it supposedly found. I don't have to purchase the software in order to do the cleaning.
Thanks again!!!
-
All the files that spyware terminator found were legitimate - I would bin it. Use MBAM it is free- good and leader of the pack at the moment
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php).
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
-
OK, thanks. Had already installed MBAM based on your earlier recommendation and will continue to use. Will delete spyware terminator.
-
'Tis best I feel ;D
-
Grateful you stuck with all these problems. Essex rocks as far as I'm concerned!
-
I owed you a final report. Everything OK. IE remains somewhat unstable at times, closes by itself etc, but I can live with that. So we're fine and we remain grateful for the great support.
I had one last question, that temp file cleaner we used, TFC by Oldtimer, can it still be downloaded from geekstogo? I'm not able to - the earlier page link provided by Pondus appears closed and I looked for it elsewhere in geekstogo but without success. Thought it may usefull to run that every now and then or have access to it in case of a future mishap.
Many thanks for everything.
-
For sure - it was removed from the start here topic as malware started moving system files to the temp files area so we did not clear the temps until we are happy
Clear Cache/Temp Files
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
- Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
- Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
-
Thank you. Now what I did have last night was that it shut down windows and then prompted to start windows after which it went through a chkdsk procedure. It mumbled something about needing to address C: and NFTS and Vista and one of the discs needing to be checked for consistency. It ran the chkdsk utility indicating that it was recovering lost and orphaned files and that it was correcting errors. Seems to run normally again now. Should I worry? Thanks.
-
No that usually happens if the system does not shut down correctly - not a problem ;D
-
Ah, good, thank you. I suppose we're all stable here then. Indebted! Thanks!