Avast WEBforum

Other => General Topics => Topic started by: Busymama62 on December 12, 2010, 05:38:35 AM

Title: 113577url.cptgt.com
Post by: Busymama62 on December 12, 2010, 05:38:35 AM
We keep getting pop ups.  Some are web page commercials so to speak, some are audio where there is audio but no visual pop up.  Several times I have gotten a page that wants me to choose to remove a virus, the name of this page is 113577url.cptgt.com.  I have done a boot scan twice, the first time things were found and we did choose to delete because it said they could not be repaired.  Please help, we really cannot afford to put the laptop back in the shop right now.
Thanks!
Linda
Title: Re: 113577url.cptgt.com
Post by: CharleyO on December 12, 2010, 07:45:31 AM
***

Try using the free version of malwarebytes antimalware and see what it finds.
Download it, install it, update it, and then run a Full scan.
Let it fix what it finds and post the resulting log here.
You can get it at the link below.

http://www.malwarebytes.org/mbam.php


***
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 12, 2010, 11:01:23 PM
I already have Malwarebytes and have run a full scan twice.  Both times it says that nothing was found!  I did another avast scan this a.m. and it found some files but I could not do anything with them because every choice said "this is a Windows folder, are you sure..." No, I am not sure, I do not want to remove necessary files/folders.  I will run another Malwarebytes and see if it finds anything.

Updated Malwarebytes and ran another scan.  It found no infected files.
Title: Re: 113577url.cptgt.com
Post by: essexboy on December 12, 2010, 11:11:55 PM
Hi, I would like to look at two areas on your computer - these programmes are purely for analysis for now

Please download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.

THEN

Download OTL (http://oldtimer.geekstogo.com/OTL.exe)  to your Desktop
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT

Title: Re: 113577url.cptgt.com
Post by: Pondus on December 12, 2010, 11:44:48 PM
Quote
I will run another Malwarebytes and see if it finds anything.
Did you update it before you scanned? Lots of people forget to do that and scan with a very old database!
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 13, 2010, 02:42:56 AM
Quote
I will run another Malwarebytes and see if it finds anything.
Did you update it before you scanned? Lots of people forget to do that and scan with a very old database!

I did update this last time.  I guess I was thinking Malwarebytes did automatic updates, but it does not. 
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 13, 2010, 02:48:59 AM
Quote
Hi, I would like to look at two areas on your computer - these programmes are purely for analysis for now

Please download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.
  • Be sure to disable your security programs (http://forums.whatthetech.com/index.php?showtopic=96260)
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

I will try this after a while.  Fixing supper right now.  It is funny.  The few minutes that I have been online checking out the forum posts regarding my issue, I have had 3 windows pop up and all three are Avast windows.
Title: Re: 113577url.cptgt.com
Post by: nsm0220 on December 13, 2010, 03:52:01 AM
Busymama62, have you used a boot CD to fix this? If not, try the G Data boot CD: https://www.gdatasoftware.co.uk/support/main-subjects/upgrade-service/download.html
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 13, 2010, 04:38:46 AM
Quote
Busymama62, have you used a boot CD to fix this? If not, try the G Data boot CD: https://www.gdatasoftware.co.uk/support/main-subjects/upgrade-service/download.html

No I have not.  Going to show my ignorance here...does a boot CD remove all your installed programs?
Title: Re: 113577url.cptgt.com
Post by: DavidR on December 13, 2010, 04:53:31 AM
No, the idea of the G Data boot CD (and other such anti-virus boot CDs) is to clean the malware outside of Windows, so that you can get at it whilst it isn't running in Windows, where it might have protective measures working to protect against its removal.
Title: Re: 113577url.cptgt.com
Post by: nsm0220 on December 13, 2010, 04:58:40 AM
Quote
Busymama62, have you used a boot CD to fix this? If not, try the G Data boot CD: https://www.gdatasoftware.co.uk/support/main-subjects/upgrade-service/download.html

Quote
No I have not.  Going to show my ignorance here...does a boot CD remove all your installed programs?

If it's a rogue, virus, malware, or other such stuff, yes. But if you have clean programs it will not remove them.
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 13, 2010, 05:02:09 AM
Here is what came up.  You said for me to download OTL next.  Where do I find OTL?  According to the following results there is an issue.  I did turn my Avast back on to log on to post this and Avast popped up the window "Avast has blocked a threat, no further action needed."  I will do the OTL scan once I have it downloaded.  Do I turn off my Avast to run it?  Thank you very much!!!

Well I am having to delete part of this text file.  I hope I leave what you need to see.

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version:      Windows XP Home Edition
Windows Information:      Service Pack 3 (build 2600)
Logical Drives Mask:      0x0000003c

Kernel Drivers (total 185):

Processes (total 39):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`c8073000  (FAT32)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000004`e51df800  (FAT32)

PhysicalDrive0 Model Number: ST9402112A, Rev: 3.06    

      Size  Device Name          MBR Status
  --------------------------------------------
     37 GB  \\.\PhysicalDrive0   Unknown MBR code
            SHA1: 6A37CCD118436B688B51F6BD4C2B47A895EBDF7F


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
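As an added illustration of what the MBRCheck report above is testing (example code written for this page, not MBRCheck's own source or output), the Python script below validates the 0x55AA boot signature of a 512-byte MBR, hashes the boot-code region and compares the SHA1 against an allow-list, and decodes the partition table so the entries can be checked against the drive layout in the report. The allow-list, the 440-byte hashed range and the sample sector are assumptions built for the demo; the two FAT32 byte offsets are the ones the report lists for C: and D:.

```python
"""Inspect a 512-byte Master Boot Record the way an MBRCheck-style report
presents it: boot signature, hash of the boot code against an allow-list,
and the decoded partition table."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440       # region hashed below (assumption: MBRCheck's exact range is not on the page)
PART_TABLE_OFF = 446      # four 16-byte partition entries follow the boot code
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"    # last two bytes of a valid MBR

# Partition type bytes relevant to this thread's drive (FAT32 volumes).
PART_TYPES = {0x00: "empty", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0x07: "NTFS/HPFS"}


def boot_code_sha1(sector: bytes) -> str:
    """Upper-case hex SHA1 of the boot-code region, the value an allow-list stores."""
    return hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition-table entry (CHS fields are ignored here)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "type_name": PART_TYPES.get(ptype, "other"),
        "lba_start": lba_start,
        "byte_offset": lba_start * SECTOR_SIZE,   # what the report prints as "at offset"
        "sectors": sectors,
    }


def inspect_mbr(sector: bytes, known_good: dict) -> dict:
    """Return the checks a defender wants: signature validity, hash verdict, partitions.

    known_good maps an upper-case SHA1 hex string to a label; anything not in it is
    reported as "Unknown MBR code", mirroring the wording in the report above."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    digest = boot_code_sha1(sector)
    table = sector[PART_TABLE_OFF:PART_TABLE_OFF + 4 * PART_ENTRY_LEN]
    parts = [parse_partition_entry(table[i:i + PART_ENTRY_LEN])
             for i in range(0, 4 * PART_ENTRY_LEN, PART_ENTRY_LEN)]
    return {
        "valid_signature": sector[510:512] == BOOT_SIG,
        "sha1": digest,
        "mbr_status": known_good.get(digest, "Unknown MBR code"),
        "partitions": [p for p in parts if p["type"] != 0x00],
    }


def build_sample_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed test sector (sample data, not a real drive image)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        sector[off:off + PART_ENTRY_LEN] = struct.pack(
            "<B3sB3sII", 0x80 if bootable else 0x00, b"\xff\xff\xff",
            ptype, b"\xff\xff\xff", lba_start, sectors)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed sample: a placeholder boot-code blob plus two FAT32 volumes placed at
# the byte offsets the MBRCheck report in this thread listed for C: and D:.
SAMPLE_PARTITIONS = [
    (True, 0x0C, 0x00000000C8073000 // SECTOR_SIZE, 0x2000000),
    (False, 0x0C, 0x00000004E51DF800 // SECTOR_SIZE, 0x1000000),
]
SAMPLE_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 64, SAMPLE_PARTITIONS)

if __name__ == "__main__":
    report = inspect_mbr(SAMPLE_MBR, known_good={})
    print(report["mbr_status"], report["sha1"], "signature ok:", report["valid_signature"])
    for p in report["partitions"]:
        print(f"  {p['type_name']:12} offset 0x{p['byte_offset']:016x} bootable={p['bootable']}")
    # With the hash allow-listed the verdict changes to the allow-list label.
    print(inspect_mbr(SAMPLE_MBR, {report["sha1"]: "known-good (constructed entry)"})["mbr_status"])
```

Because only the boot-code bytes are hashed, a changed partition table does not change the verdict; compare the decoded offsets against the report separately.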
Title: Re: 113577url.cptgt.com
Post by: Pondus on December 13, 2010, 09:32:26 AM
Quote
You said for me to download OTL next.  Where do I find OTL
You click the red "OTL" in Essexboy's post, and the download will start


To avoid using multiple posts with copy and paste you have to attach the logs.
Lower left corner: Additional Options > Attach (OTL.Txt and Extras.Txt)
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 13, 2010, 04:36:15 PM
Quote
Download OTL (http://oldtimer.geekstogo.com/OTL.exe)  to your Desktop
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT

In the Extras report there are several errors.  I would imagine one is from where we have 2 printers installed but only one hooked up at this time.
Title: Re: 113577url.cptgt.com
Post by: TxKimberly on December 13, 2010, 06:55:42 PM
Hello everyone! After having beat my head against this very same problem for three days, I have joined this forum for the express purpose of telling you how to resolve it. I would like to take credit for it, but I'd have to admit that I failed to resolve it and had to sit here this morning while my IT department worked my PC remotely to do it.
I'm sorry, but I didn't catch the names of the assorted things that they found but I DID catch the names of the shareware programs they used:
Hitman Pro 3.5 (This is the program that found the damned thing!)
SuperAntiSpyware Free Edition

All of the following failed to find or resolve the issue:
 - Symantec Corp edition
 - MalwareBytes (This really surprised me as I love this program and
   it's saved me a lot in the past)
 - Spyware Doctor from PC Tools
 - Spybot S & D

I've looked in the history for the program (Which I convinced them to leave with me) and it shows that it found and deleted the following:
"C:\Windows\System32\wmiapi.Dll"
I'm not positive that this was "the" problem but offer you the information as an FYI.

Again, they were moving pretty fast so I didn't get all the details I know you would like, but my IT folks confirmed that it was the Hitman Pro software that found and killed the virus itself.
One of these two programs (Hitman Pro 3.5 and SuperAntiSpyware Free Edition) also found and removed a trojan downloader on my removable external drive. Sorry but I didn't catch which program found that downloader.

Clearly I'm not an IT expert and I'm not going to be able to provide any more details than this, but I can tell you for sure that I had exactly the same problem described here and my IT folks used Hitman Pro 3.5 and SuperAntiSpyware Free Edition to find and resolve it. I think they are both shareware.

Good luck!


Title: Re: 113577url.cptgt.com
Post by: essexboy on December 13, 2010, 10:07:22 PM
Quote
"C:\Windows\System32\wmiapi.Dll"
This is a legitimate file, unfortunately I have had to repair a few non booting systems that Hitmanpro fixed


Run OTL
THEN

Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 14, 2010, 12:05:17 AM
Quote
"C:\Windows\System32\wmiapi.Dll"
This is a legitimate file, unfortunately I have had to repair a few non booting systems that Hitmanpro fixed


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    ] button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download ComboFix from one of these locations:

Fixing to download ComboFix; I apparently am unable to turn off Malwarebytes.
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 14, 2010, 12:24:42 AM
Quote
When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Attached is the combofix log file.  Also, now I am getting a Rootkit Blocked message from Avast.
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 14, 2010, 04:02:12 AM
Well, after running the ComboFix and posting the file here, I was checking email and my Facebook.  All of a sudden the screen went blue with lots of writing that was too much to read and the computer did an automatic shut down and restart.  Of course that was a "Blue Screen Error".  I was prompted, once the computer loaded after doing the automatic scan, and I did follow the prompts and sent a report to MS.  The MS site suggested I remove recent programs that have been installed.  I figure I need to wait until we know this is resolved for sure before I remove ComboFix, MBRCheck and OTL.  The only thing I have noticed is that my "gmail" link on my favorites bar quit working so I went ahead and deleted it.  So far we have not had any more pop ups.  But we will see.  Over the weekend there would be times that for several hours we would not get any of the pop ups.

I want to say that I appreciate each and every one of you and your helping me with this issue.  I wish I had thought to check the Avast Forum with the desktop before it got too bad, but alas, I can not even connect to the internet with it.  So it will eventually make it to the local shop.
Title: Re: 113577url.cptgt.com
Post by: nsm0220 on December 14, 2010, 06:12:52 AM
Can you go into safe mode, Busymama62?
Title: Re: 113577url.cptgt.com
Post by: yongsua on December 14, 2010, 06:19:53 AM
Quote
No, the idea of the G Data boot CD (and other such anti-virus boot CDs) is to clean the malware outside of Windows, so that you can get at it whilst it isn't running in Windows, where it might have protective measures working to protect against its removal.

How about Dr.Web CureIt? It won 100% for its detection in 2008. Do you recommend it?
Title: Re: 113577url.cptgt.com
Post by: nsm0220 on December 14, 2010, 06:26:28 AM
gdata is better than dr.web
Title: Re: 113577url.cptgt.com
Post by: yongsua on December 14, 2010, 04:30:24 PM
Quote
gdata is better than dr.web

I meant the Dr.Web Live CD, not Dr.Web CureIt. Sorry. I know G Data got better detection but it also contains many false positives too.
Title: Re: 113577url.cptgt.com
Post by: essexboy on December 14, 2010, 09:39:34 PM
What error do you get when you try to connect ?

Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet explorer

Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 14, 2010, 09:54:54 PM
Quote
What error do you get when you try to connect ?

Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet explorer

I will try this after a while.  I will have to basically hook everything up.  It has been several months since we used the desktop.  I know it was hijacked or something.  Problems just got worse and worse and I could not even retrieve MS Word documents.  I will certainly try what you suggest, the laptop is apparently fixed!!! Praise the Lord and thank you to you and the others!   It has been about 18 hours and no pop ups, audio or webpages, so I feel like all the things we did worked.  I guess I should go ahead and delete the OTL, MBR and Combofix now.
Title: Re: 113577url.cptgt.com
Post by: essexboy on December 14, 2010, 10:08:18 PM
If you run OTL and hit the cleanup button they will disappear  ;D
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 15, 2010, 03:25:08 AM
Quote
What error do you get when you try to connect ?

Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet explorer

This does not look good at all....I booted the computer and gave it plenty of time to load everything.  When I clicked IE a window popped up that said "Open with" and had a list. Then I went to Control Panel like you suggested and clicked IE and a window came up saying "C:\WINDOWS\system32\rundll32.exe    Application not found."  So I went back to the IE link and let the "Open with" window pop up and chose IE. A browser window opens and quickly closes, then 2 smaller windows pop up: one "File Download Security Warning. Do you want to run or save" and a "File Download" that says getting file info.  It would not copy over the existing IE file.  I tried making a new file named iexplorer2.  The window said complete but it still would not open.  My Panda software has expired, and if I could have gotten online the first thing I would have done would have been to download AVAST.  I tried to open Word and Excel and both times I got a window saying "Application not found".
Title: Re: 113577url.cptgt.com
Post by: essexboy on December 15, 2010, 09:07:30 PM
OK this is a different system - correct ?

Download Combofix from any of the links below. You must rename it before saving: rename it to Gotcha before saving it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

Double click on the renamed ComboFix.exe & follow the prompts.
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 15, 2010, 10:53:00 PM
Quote
OK this is a different system - correct ?

Download Combofix from any of the links below. You must rename it before saving: rename it to Gotcha before saving it to your desktop.

Yes this is a different system.  I can not download combofix.  I can not even connect to the internet with that computer.
Title: Re: 113577url.cptgt.com
Post by: essexboy on December 15, 2010, 11:06:16 PM
Can you download to a USB drive and then copy to the sick system ?
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 15, 2010, 11:43:14 PM
Quote
Can you download to a USB drive and then copy to the sick system ?

Hmmm.  That is a great idea!!!!!  I will give it a try!
Title: Re: 113577url.cptgt.com
Post by: essexboy on December 15, 2010, 11:44:41 PM
Ok I am off to bed now but I will look tomorrow evening when I get home
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 16, 2010, 04:01:46 AM
Quote
Ok I am off to bed now but I will look tomorrow evening when I get home

I hope that you sleep very well.  I am just now where I can try to do the download.
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 16, 2010, 05:00:28 AM
Quote
OK this is a different system - correct ?

When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.
Attached is the log file.  Thank you Essexboy for all of your help.  You have been GREAT!
Title: Re: 113577url.cptgt.com
Post by: essexboy on December 16, 2010, 08:35:16 PM
OK that took out some bad boys, Combofix appeared to be able to connect as it installed the recovery console

I will now look at the remainder of the system and see where the hiccup is on the network

Download OTL (http://oldtimer.geekstogo.com/OTL.exe)  to your Desktop
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 16, 2010, 11:06:28 PM
Quote
OK that took out some bad boys, Combofix appeared to be able to connect as it installed the recovery console

I will now look at the remainder of the system and see where the hiccup is on the network

Wow!  I was able to connect to the internet with this system!  The reports are attached.  Do I need to wait until we are completely finished with the fixes etc. before downloading Avast?
Title: Re: 113577url.cptgt.com
Post by: essexboy on December 16, 2010, 11:17:21 PM
Patience is a virtue grasshopper  ;D

Checking the logs now
Title: Re: 113577url.cptgt.com
Post by: essexboy on December 16, 2010, 11:29:13 PM
I will remove Panda as well for you so that it does not interfere with Avast. Once done connect to the net and download Avast.  Then let me know what problems you are having   

Run OTL
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 17, 2010, 12:46:51 AM
Quote
I will remove Panda as well for you so that it does not interfere with Avast. Once done connect to the net and download Avast.  Then let me know what problems you are having

I did download Avast!!!  Feels so good to have that on the desktop.  I am attaching the latest log file for you to see.  For some reason on the desktop neither the Reply nor Quote links appear, so I had to put the log file on a memory stick and then attach it from the laptop.
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 17, 2010, 04:21:36 AM
Quote
I will remove Panda as well for you so that it does not interfere with Avast. Once done connect to the net and download Avast.  Then let me know what problems you are having

I just got finished "playing around" on the desktop.  So far I have not had any issues.  Malwarebytes opened without a problem, I opened quite a few Word files, Adobe files, photo files, even my Bejeweled game.  I had no problems at all.  It appears from my end that things are now fine.  I will see what the report tells you.

Essexboy, I want to thank you so very much for all of your help.  It has been such a hassle using the laptop for everything.  We run a business from home and there were a lot of files that I could not access on the desktop and all of those files seem fine.
Title: Re: 113577url.cptgt.com
Post by: essexboy on December 17, 2010, 09:20:15 PM
Hi unfortunately you saved the file as Unicode, could you resave as ANSI please  ;D

What problems are you experiencing now ?
Title: Re: 113577url.cptgt.com
Post by: DavidR on December 17, 2010, 09:38:56 PM
You might want to add that little note "save the log file as ANSI file format please" to your boiler plate script. It would save you a lot of time ;D

Are you still using editpad lite as that makes a reasonable fist of reading it in Unicode format ?
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 17, 2010, 10:05:33 PM
Quote
Hi unfortunately you saved the file as Unicode, could you resave as ANSI please  ;D

What problems are you experiencing now ?

Not having any problems yet.  I guess I need to set the desktop up to use full time and see if I have any problems.  Will do that once I send this post.

I have saved the file again, but I chose "text document"  I did not have an option that said ANSI.
Title: Re: 113577url.cptgt.com
Post by: essexboy on December 17, 2010, 10:09:36 PM
Yup - I think I will do that David - ta

When you open OTL could you go to File.. Save as...
And in the save box set it as below

Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 17, 2010, 11:15:50 PM
Quote
Yup - I think I will do that David - ta

When you open OTL could you go to File.. Save as...
And in the save box set it as below

I see what I did I used word pad not note pad.  Here is the log file in ANSI format.
Title: Re: 113577url.cptgt.com
Post by: essexboy on December 17, 2010, 11:21:15 PM
OK lets now turbo charge your computer  ;D

Looking at that I am a happy bunny  :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

 Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
Click Start > Run  and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button.  It will remove all the programmes we have used plus itself.  MBAM can be uninstalled via control panel add/remove along with ERUNT.  But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

SPRING CLEAN
 
Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)
I would recommend a boot defrag and disc check for the first run

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes (http://www.malwarebytes.org/mbam-download.php).  Run weekly to keep your system clean
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe  :wave:
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 17, 2010, 11:27:41 PM
Quote
OK lets now turbo charge your computer  ;D

Looking at that I am a happy bunny  :)

Thank you so much!!!!   I will get started on the list you have given me.  I am the HAPPY BUNNY!  We have been using the laptop for all of our computer needs for over 6 months!!!  It is just unhandy.  I even had to set up the dual monitor type system on the lap top because the laptop screen is going bad.  It is so much easier to use a full size key board etc.  Thanks again!  I hope that you have a Very Merry Christmas.  I wish you were in our area so we could give you a free carpet cleaning for your time.
Title: Re: 113577url.cptgt.com
Post by: essexboy on December 17, 2010, 11:31:13 PM
Let me know how it turns out for you  ;D
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 17, 2010, 11:52:20 PM
Quote
Click Start > Run  and copy/paste the following bolded text into the Run box and click OK:

Apparently we did not use Combofix on this system.  I have Malwarebytes and had it before this last problem; when the hijack, worm, virus or whatever hit this system the first thing it did was damage Malwarebytes and Panda so that they would not open and run.

I am proceeding to the next step after the combofix step.
Title: Re: 113577url.cptgt.com
Post by: essexboy on December 18, 2010, 12:17:52 AM
Ooops I forgot - we renamed it, no matter OTL will remove it  ;D
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 18, 2010, 12:41:53 AM
Title: Re: 113577url.cptgt.com
Post by: essexboy on December 18, 2010, 11:19:45 AM
Take the windows one - you do not have 64 bit  ;D
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 18, 2010, 04:36:04 PM
Thank you!  I just downloaded the new Java to my desktop.  I went to Add/Remove Programs and the only Java showing up is Java 6 Update 7.  Did we remove my older Java with the last OTL by any chance?

Will be back later this morning and will wait until I hear from you before I install this Java, I do not want to mess anything up.
Title: Re: 113577url.cptgt.com
Post by: essexboy on December 18, 2010, 05:06:37 PM
Uninstall Java 7 and then install 23
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 19, 2010, 01:03:58 AM
I think everything went fine with the Puran Boot Defrag and disc check.  If the computer did anything upon restart I could not tell it.  I had to unlock the computer for it to finish booting, would that have affected anything?

I assume it would be a good idea to download the Puran to the lap top also.  I will ck the version of Java on the lap top first.

The only thing I have noticed is a couple of times upon shut down a window has popped up but I have only gotten part of it written down.   "DW20.EXE......."  and in the window "Failed to initialize......
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 19, 2010, 05:12:06 AM
Quote
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

Quote
Three good ones that are freeware are OnlineArmor, Outpost Firewall Free, and Sunbelt Personal Firewall.

The article "How did I get infected in the first place?" suggests these firewalls.  Which do you think is the best? Thank you!

Title: Re: 113577url.cptgt.com
Post by: essexboy on December 19, 2010, 01:35:53 PM
Aye get Puran for the laptop as it is really good

DMW is part of Windows error reporting; if it continually comes up then just turn off error reporting

As for firewalls I believe outpost is near the top at the moment - I use AIS  ;D

You'll be an expert soon  :)
Title: Re: 113577url.cptgt.com
Post by: YoKenny on December 19, 2010, 01:51:45 PM
Quote
You'll be an expert soon  :)

Maybe able to go to PROFILE then Modify Profile then Forum Profile Information then select your country in Please select your country: then update your Signature: with information like my signature as this helps the helpers offer pertinent advice.
Title: Re: 113577url.cptgt.com
Post by: Busymama62 on December 19, 2010, 03:50:29 PM
Quote
You'll be an expert soon  :)

Thank you Essexboy and YoKenny!  I had forgotten to go back to my profile and make some edits. 

I will put Puran on the laptop either later today or tomorrow.  We have a pretty busy day today.  Also, I will be speaking to my husband about him using Firefox now instead of IE.  I have been using Firefox mainly for two sites I go to, so it would be  no problem to use Firefox for all internet things.  I noticed that my Firefox shows as having Java 6.0.23, I guess I need to remove it and download the newer version.  I had thought it would be an automatic thing. 

Title: Re: 113577url.cptgt.com
Post by: essexboy on December 19, 2010, 04:06:34 PM
6.0.23 is the correct version - when you installed the java update it automatically did FF as well  ;D