Author Topic: C:\windows\system32\taskmon.exe  (Read 107500 times)


paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #75 on: November 27, 2008, 05:21:22 PM »
ComboFix.txt Part 3



« Last Edit: December 19, 2008, 03:16:39 PM by paddyc »

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #76 on: November 27, 2008, 05:40:17 PM »
Ltangelic,

Re the OTMoveIt3 log: this was lost when I rebooted the computer after the hang-up. The report on screen showed Process - explorer.exe killed, then the 12 files moved as per the code input, with the exception of ppmate, which was already deleted via the chest. The next heading was registry, which was blank.

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #77 on: November 27, 2008, 05:45:21 PM »
Ltangelic,

Here is the RSIT log.txt part 1

« Last Edit: December 19, 2008, 03:17:30 PM by paddyc »

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #78 on: November 27, 2008, 05:48:13 PM »
RSIT log.txt Part2


« Last Edit: December 19, 2008, 03:18:05 PM by paddyc »

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #79 on: November 27, 2008, 05:51:51 PM »
RSIT Log.txt Part 3



« Last Edit: December 19, 2008, 03:18:37 PM by paddyc »

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #80 on: November 27, 2008, 05:57:06 PM »
RSIT log.txt Part 4





« Last Edit: December 19, 2008, 03:18:54 PM by paddyc »

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #81 on: November 27, 2008, 05:59:17 PM »
RSIT log.txt Part 5


« Last Edit: December 19, 2008, 03:19:19 PM by paddyc »

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #82 on: November 27, 2008, 06:14:53 PM »
Ltangelic,

I have stayed up very late to get all of this finished as I am going away for a long weekend. I will not be back until Monday night and will try to catch up with you then. Enjoy your weekend and thank you for all the help you are giving me. Let's hope that there is a solution soon.


Ltangelic

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #83 on: November 28, 2008, 02:17:51 PM »
Hey paddyc,

Important: It seems that you have cracks running on your computer. Please be aware that it is both illegal and dangerous to have cracks, as malware is often bundled with them, and this can compromise your computer security. Please follow my instructions carefully to remove the cracks on your computer.

Something isn't right about that taskmon.exe. Let's try uploading it to a virus scanner.

1) Run CFScript

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
KillAll::

File::
C:\Documents and Settings\Paddy\My Documents\Netscape\Paddy Costello\37i28wl0.slt\Mail\pmcost mail\GFI24.com
C:\Documents and Settings\Paddy\My Documents\Netscape\Paddy Costello\37i28wl0.slt\Mail\mail.jerseymail.co-1.uk\GFI24.com
C:\Documents and Settings\Paddy\My Documents\Thunderbird\Profiles\3mcpj5ys.default\Mail\mail.jerseymail.co-1.uk\GFI24.com
C:\Documents and Settings\Paddy\My Documents\Thunderbird\Profiles\3mcpj5ys.default\Mail\mail.jerseymail.co.uk\GFI24.com
C:\Documents and Settings\Paddy\Application Data\Mozilla\Profiles\default\07i19gb4.slt\Mail\mail.jerseymail.co-1.uk\GFI24.com
C:\Documents and Settings\Paddy\Application Data\Mozilla\Profiles\P M Costello\1dlwid7r.slt\Mail\pmcost mail\GFI24.com
C:\Documents and Settings\Paddy\Application Data\Mozilla\Profiles\P M Costello\1dlwid7r.slt\Mail\pop1.psilink.co.je\GFI24.com
C:\Documents and Settings\Paddy\Application Data\Thunderbird\Profiles\3mcpj5ys.default\Mail\mail.jerseymail.co.uk\GFI24.com
C:\DOCUME~1\PADDY\My Documents\Download Files\AnyDVD_All_Versions_Keygen,_Loader.zip
C:\DOCUME~1\PADDY\My Documents\Download Files\tmpgrnc\TMPGEnc DVD Author v1.5.11.37 KeyGen.exe
C:\DOCUME~1\PADDY\My Documents\Download Files\AnyDVD_All_Versions_Keygen,_Loader\AnyDVD_Crk.key
C:\DOCUME~1\PADDY\My Documents\Download Files\AnyDVD_All_Versions_Keygen,_Loader\AnyDVD_kg.exe
C:\DOCUME~1\PADDY\My Documents\Download Files\AnyDVD_All_Versions_Keygen,_Loader\AnyDVD_loader.exe
C:\DOCUME~1\PADDY\My Documents\Download Files\AnyDVD_All_Versions_Keygen,_Loader\tmg.nfo
C:\DOCUME~1\PADDY\My Documents\My Music\ABBA\The Definitive Collection Disc 2\12 The Visitors (Crackin' Up).mp3

Folder::
C:\Documents and Settings\Paddy\My Documents\Netscape\Paddy Costello\37i28wl0.slt\Mail\pop1.psilink.co.je\Inbox
C:\Documents and Settings\Paddy\My Documents\Netscape\Paddy Costello\37i28wl0.slt\Mail\pop1.psilink.co.je\Inbox
C:\Documents and Settings\Paddy\Application Data\Mozilla\Profiles\P M Costello\1dlwid7r.slt\Mail\pop1.psilink.co.je\Inbox
C:\Documents and Settings\Paddy\Application Data\Mozilla\Profiles\P M Costello\1dlwid7r.slt\Mail\pop1.psilink.co.je\Inbox
C:\DOCUME~1\PADDY\My Documents\Download Files\AnyDVD_All_Versions_Keygen,_Loader

Registry::
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.



5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

2) Upload file for analysis

Please ensure you can view hidden files and folders by doing the following:

  • Go to Start>Control Panel and go under Appearances and Themes
  • Click on Folder Options and go under View tab
  • Ensure that "Show hidden files and folders" is selected and click Apply
NEXT

  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:

    • C:\windows\system32\taskmon.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

3) Run runscanner

Please download Runscanner to your desktop and run it.
  • When the first page comes up select Beginner Mode
  • On the next page  select Save a binary .Run file (Recommended) then click Start full scan at the top.
  • At this time Runscanner.exe may request access to the Internet through your firewall; please allow it to do so. It will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log file
  • Call the .run file "Select a name" and save it to your desktop. You will see the .run file on your desktop. Upload that file here.
Next reply (please include):

Fresh RSIT log (please re-run RSIT)
ComboFix.txt
Runscanner log (please attach it)
Virscan results
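A pre-flight check for a CFScript like the one in step 1, added here as an example; it is not part of the forum post, of ComboFix, or of any tool the helper names. It parses the section layout the script uses (KillAll::, File::, Folder::, Registry::) and reports the slips worth catching before the script is dragged onto ComboFix: a header written with a single colon, whitespace left after a path, the same path listed twice, and paths that ordinary file APIs cannot see, which is the kind of mismatch a file-visibility check is meant to surface before anything is deleted. The extra section names Driver:: and DirLook::, the `exists` hook, and every path in SAMPLE are assumptions constructed for this example.

```python
"""Pre-flight lint for a ComboFix CFScript (added example, not ComboFix code)."""
import os
import re
from collections import OrderedDict

# Section headers this linter recognises. The first four are the ones used in
# the thread's script; Driver:: and DirLook:: are assumed extra sections.
KNOWN_SECTIONS = {"KillAll", "File", "Folder", "Registry", "Driver", "DirLook"}
# Accept one or two colons so a single-colon header is reported, not swallowed.
HEADER_RE = re.compile(r"^([A-Za-z]+)(::?)$")


def parse_cfscript(text):
    """Return (sections, problems): section name -> [(lineno, raw line)]."""
    sections = OrderedDict()
    problems = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped:
            continue
        m = HEADER_RE.match(stripped)
        if m and m.group(1) in KNOWN_SECTIONS:
            name, colons = m.groups()
            if colons != "::":
                problems.append((lineno, "header", f"{name}: should be written {name}::"))
            current = name
            sections.setdefault(current, [])
            continue
        if current is None:
            problems.append((lineno, "orphan", f"entry before any section header: {stripped}"))
            continue
        sections[current].append((lineno, raw))
    return sections, problems


def lint_cfscript(text, exists=os.path.exists):
    """Return sorted (lineno, kind, message) findings for File:: and Folder:: entries.

    `exists` is the visibility check. The default is os.path.exists; the demo
    below injects a constructed set so the example behaves the same anywhere.
    """
    sections, problems = parse_cfscript(text)
    for name in ("File", "Folder"):
        seen = {}
        for lineno, raw in sections.get(name, []):
            path = raw.strip()
            if path != raw:
                problems.append((lineno, "whitespace", f"whitespace around path: {path!r}"))
            key = path.lower()  # Windows paths compare case-insensitively
            if key in seen:
                problems.append((lineno, "duplicate", f"already listed on line {seen[key]}: {path}"))
            else:
                seen[key] = lineno
            if not exists(path):
                problems.append((lineno, "missing", f"not visible to the file API: {path}"))
    return sorted(problems)


# Constructed script modelled on the thread's, with the defects deliberately present.
SAMPLE = "\n".join([
    "KillAll:",                                   # single colon: header mistake
    "",
    "File::",
    r"C:\Example\Mail\GFI24.com" + " ",           # trailing space after the path
    r"C:\Example\Download Files\AnyDVD_kg.exe",   # absent from the constructed disk
    "",
    "Folder::",
    r"C:\Example\Mail\Inbox" + " ",
    r"C:\Example\Mail\Inbox" + " ",               # duplicate of the line above
    r"C:\Example\Download Files\keygen_folder",
    "",
    "Registry::",
    "R3 - URLSearchHook: Example Toolbar - {00000000-0000-0000-0000-000000000000} - (no file)",
])

# Constructed stand-in for "what the file API can see" on this machine.
PRESENT = {
    r"C:\Example\Mail\GFI24.com",
    r"C:\Example\Mail\Inbox",
    r"C:\Example\Download Files\keygen_folder",
}

if __name__ == "__main__":
    for lineno, kind, message in lint_cfscript(SAMPLE, exists=lambda p: p in PRESENT):
        print(f"line {lineno}: {kind}: {message}")
```

Run against a real script, call `lint_cfscript(open("CFScript.txt").read())` on the machine the script is meant for; a "missing" finding there is exactly the case to investigate further rather than to ignore, since a path the scanner reports but the file API cannot see is the situation this thread is chasing.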

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #84 on: December 01, 2008, 08:21:37 AM »
Ltangelic

Here is the ComboFix.txt

« Last Edit: December 19, 2008, 03:20:02 PM by paddyc »

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #85 on: December 01, 2008, 08:27:36 AM »
ComboFix.txt Part 2




« Last Edit: December 19, 2008, 03:20:30 PM by paddyc »

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #86 on: December 01, 2008, 08:29:25 AM »
ComboFix.txt part 3


« Last Edit: December 19, 2008, 03:20:59 PM by paddyc »

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #87 on: December 01, 2008, 08:46:11 AM »
Ltangelic,

Virscan results = NIL

I ensured that the Avast warning was up and available. I did NOT delete the suspicious file. I did ensure that all hidden files were visible, but VirScan could not find a file.

VirScan would not allow me to paste anything into its file box, nor would it let me type in the file name. When I did a browse it could not find the file listed.

This is what I have been saying all along: although Avast says it's there, it does not appear in Explorer, even when all hidden files are visible.

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #88 on: December 01, 2008, 08:48:47 AM »
RSIT log part 1

« Last Edit: December 19, 2008, 03:21:32 PM by paddyc »

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #89 on: December 01, 2008, 08:51:05 AM »
RSIT log part2





« Last Edit: December 19, 2008, 03:22:01 PM by paddyc »