
Thread: Recycle Bin Help

  1. #1 (Join Date: May 2006, Location: Clydebank, Posts: 72)

    Recycle Bin Help

    Each time I start up my laptop the recycle bin shows something in it without me sending it there:

    RB6.tmp
    TMP File
    0KB

    and

    RB11.tmp
    TMP File
    0KB

    This has started over the last week or two. Is there anything to worry over?

    Cheers lads.

  2. #2 (Join Date: Jul 2002, Location: Minn, Posts: 17,373)
    Yes, that file has been determined to be bad - part of a computer infection... It probably means that a protection program is trying to deal with it, but that the main infection persists... Please post a HijackThis log so we can see what is going on...

    http://www.merijn.org/programs.php

    To run HJT, extract it to a permanent folder such as one you create like C:\HJT or the Desktop. Close all open windows and
    browsers and make sure that all programs are enabled if you use msconfig. Run it and Scan, then Save the log.
    When the log window appears, Right click to Copy it, open your browser and come here to Paste the entire log. Do
    not make any changes until it is checked since most items are either benign or essential to the computer. Make sure that WordWrap is turned off in Notepad
    and use as many posts as needed to paste it all here...
    Budfred ..... Caveat Emptor....

    Helpful links SpywareBlaster... HijackThis... ATF Cleaner...

    Post a complaint about malware here!!
    So how did I get infected in the first place??

    MS MVP 2006 and ASAP member since 2004...

    If you PM me for help, expect an irritated response... Post in the forum...

  3. #3 (Join Date: May 2006, Location: Clydebank, Posts: 72)
    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 14:33:56, on 10/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Virgin Broadband\PCguard\fws.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
    C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
    C:\Program Files\Virgin Broadband\PCguard\Rps.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
    C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
    C:\Documents and Settings\thomas mccord\Local Settings\Temporary Internet Files\Content.IE5\PAOXC0TQ\HiJackThis_v2[1].exe
    C:\Program Files\Microsoft Works\wkswp.exe
    C:\Program Files\Microsoft Works\WkDStore.exe
    C:\Program Files\Microsoft Works\wkgdcach.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
    O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P40 "EPSON Stylus Photo RX420 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo RX420"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [ppmate] C:\Program Files\PPMate\PPMate\ppmate.exe -autoplay
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
    O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} (PowerPlayer Control) - http://www.ppstream.com/bin/powerplayer.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1147680091709
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1166555483508
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

    --
    End of file - 7869 bytes
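The log above is what Budfred reads by eye. As an added example (not part of the thread and not code from HijackThis), here is a small parser for that log format: it pulls the section code, CLSID and target file or URL out of each line and applies the two checks a helper makes first, entries marked "(file missing)" and Run entries that name a bare file (resolved through the search path) or a path outside the Windows and Program Files trees. The sample lines are copied from the posted log; the triage rules are my own heuristics, not HijackThis output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ppmate] C:\Program Files\PPMate\PPMate\ppmate.exe -autoplay
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} (PowerPlayer Control) - http://www.ppstream.com/bin/powerplayer.cab
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First token that ends in a code-file extension, quoted or not; handles unquoted paths with spaces.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|dll|sys|cpl|scr|com))"?(?:\s|$)', re.IGNORECASE)
# Heuristic (my assumption): autostarts normally live under one of these trees.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class HjtEntry:
    section: str
    body: str
    clsid: Optional[str]
    target: Optional[str]   # file path, command line or URL the entry points at
    file_missing: bool


def extract_target(section: str, body: str) -> Optional[str]:
    if section == "O4":
        # O4 - <hive>\..\Run: [Name] <command line>
        m = re.match(r".*?\[[^\]]*\]\s*(.*)$", body)
        return m.group(1).strip() if m else None
    if section in ("O2", "O3", "O9", "O16", "O22", "O23"):
        # The last " - " separated field holds the file or download URL.
        return body.rsplit(" - ", 1)[-1].strip()
    return None   # R0/R1 and others carry registry values, not files


def parse_hjt(text: str) -> List[HjtEntry]:
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        file_missing = body.endswith("(file missing)")
        if file_missing:
            body = body[: -len("(file missing)")].rstrip()
        clsid = CLSID_RE.search(body)
        entries.append(HjtEntry(section, body, clsid.group(0) if clsid else None,
                                extract_target(section, body), file_missing))
    return entries


def executable_of(cmdline: str) -> str:
    m = EXE_RE.match(cmdline.strip())
    return m.group("exe") if m else cmdline.strip().split(" ", 1)[0].strip('"')


def triage(entries: List[HjtEntry]) -> List[Tuple[str, str, str]]:
    """Return (section, target, reason) for entries worth a second look."""
    findings = []
    for e in entries:
        if e.file_missing:
            findings.append((e.section, e.target, "registered file is missing on disk (stale or removed component)"))
        elif e.section == "O4" and e.target:
            exe = executable_of(e.target)
            if "\\" not in exe:
                findings.append((e.section, exe, "bare file name: resolved through the search path at logon"))
            elif not exe.lower().startswith(TRUSTED_PREFIXES):
                findings.append((e.section, exe, "autostart outside the Windows/Program Files trees"))
    return findings


if __name__ == "__main__":
    for section, target, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {target} -> {reason}")
```

On the sample the two EPSON entries are reported as missing files and the SoundMan entry as a bare file name; the latter is not malicious here, but a bare name in a Run key is exactly the kind of entry a helper verifies rather than assumes.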

  4. #4 (Join Date: Jul 2002, Location: Minn, Posts: 17,373)
    Your log looks okay and it is possible that the infection was killed by a program you have... However, I suggest you run this to get a better idea:

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall...
    Budfred ..... Caveat Emptor....


  5. #5 (Join Date: May 2006, Location: Clydebank, Posts: 72)
    Thanks for the help Budfred, sorry I have not posted sooner.

    When I started my PC I got the same files in the recycle bin again.

    Here is the new log:

    "thomas mccord" - 2007-07-11 16:11:05 - ComboFix 07-07-10.1 - Service Pack 2


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\THOMAS~1\Desktop\internet.lnk
    c:\RECYCLER\RB25.tmp
    c:\RECYCLER\RB27.tmp
    c:\RECYCLER\RB4.tmp
    c:\RECYCLER\RB5.tmp


    ((((((((((((((((((((((((( Files Created from 2007-06-11 to 2007-07-11 )))))))))))))))))))))))))))))))


    2007-07-11 16:09 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-08 10:50 33,408 --a------ C:\WINDOWS\system32\drivers\freedom.sys
    2007-07-08 10:48 <DIR> d-------- C:\Program Files\Common Files\PestPatrol
    2007-07-08 10:48 <DIR> d-------- C:\Program Files\Common Files\Command Software
    2007-07-08 10:45 <DIR> d-------- C:\Program Files\Virgin Broadband
    2007-07-04 22:55 <DIR> d-------- C:\DOCUME~1\THOMAS~1\APPLIC~1\Virgin Broadband
    2007-07-04 22:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Virgin Broadband
    2007-06-15 21:33 <DIR> d-------- C:\DOCUME~1\THOMAS~1\APPLIC~1\Leadertech
    2007-06-11 04:18 <DIR> d-------- C:\Program Files\DivX


    (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))

    2007-07-10 13:37:26 3,168 ----a-w C:\DOCUME~1\THOMAS~1\APPLIC~1\wklnhst.dat
    2007-07-08 08:59:40 -------- d-----w C:\Program Files\ntl
    2007-07-06 13:16:20 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-06-12 04:26:54 -------- d-----w C:\Program Files\Google
    2007-06-01 19:14:36 -------- d-----w C:\DOCUME~1\THOMAS~1\APPLIC~1\ppStream
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-04-27 18:07:48 79,384 ----a-r C:\WINDOWS\system32\avmontr.dll
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-16 21:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
    2007-04-16 21:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2006-01-12 20:38 63128 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C060EA2-E6A9-4E49-A530-D4657B8C449A}]
    2007-01-24 18:51 49152 --a------ C:\Program Files\Virgin Broadband\PCguard\pkR.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56071E0D-C61B-11D3-B41C-00E02927A304}]
    2007-01-24 18:51 135168 --a------ C:\Program Files\Virgin Broadband\PCguard\FBHR.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    2007-06-11 16:51 2554944 -ra------ c:\program files\google\googletoolbar1.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    2007-06-11 16:51 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
    C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2004-12-22 10:09 C:\WINDOWS\SOUNDMAN.EXE]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-02-21 05:00 C:\WINDOWS\AGRSMMSG.exe]
    "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-04-29 06:08]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-07-24 05:49]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-07-24 05:49]
    "Motive SmartBridge"="C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2003-12-30 10:40]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
    "ppmate"="C:\Program Files\PPMate\PPMate\ppmate.exe" [2006-11-23 02:45]
    "@"="" []
    "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 14:12]
    "PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-01-24 18:53]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-11 16:50]


    ************************************************** ************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-11 16:14:08
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    ************************************************** ************************

    Completion time: 2007-07-11 16:15:21
    C:\ComboFix-quarantined-files.txt ... 2007-07-11 16:14

    --- E O F ---

  6. #6 (Join Date: Jul 2002, Location: Minn, Posts: 17,373)
    It is not clear what the infection is, although it appears that ComboFix recognized it enough to remove some files... This one is somewhat suspicious:

    C:\WINDOWS\system32\drivers\freedom.sys

    See if you can find it and check Properties to see if it is a program/company you recognize...

    Then I suggest running a couple more scans...

    http://www.atribune.org/ccount/click.php?id=1

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose:Select All
    * Click the Empty Selected button.
    * NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    * NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.

    Then this:

    * Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and Allow to run the express scan
    • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, look if you can click next icon next to the files found:
    • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

      This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
    • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
    • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.


    And finish (for now) with this:

    * Click here to use the F-Secure Online Scanner
    • Then click the Start Scanning button below.
    • You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
    • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
    • In case you are having problems with installing the ActiveX/starting the scan, please read here.
    • Click the Full System Scan button.
    • It will start to download scanner components and databases. This can take a while.
    • The main scan will start.
    • Once the scan finished scanning, click the Automatic cleaning (recommended) button
    • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
    • The cleaning can take a while, so please be patient.
    • Then click the Show report button and copy and paste what's present under results in your next reply.


    Post all the logs in as many posts as it takes to fit them all in...
    Budfred ..... Caveat Emptor....

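Budfred singles out freedom.sys by reading the creation dates in ComboFix's "Files Created" section against the "last week or two" the symptoms have been present. As an added example, not part of the thread and not ComboFix's own code, here is that timeline check automated: parse the section's lines (copied from the posted log), then list executables and drivers dropped under C:\WINDOWS within the symptom window, ignoring anything created while the scan itself was running (ComboFix's helper nircmd.exe is written at scan time, which is why a helper does not flag it). The 14-day window, the 10-minute scan tolerance and the extension list are my assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Sample input: lines copied from the "Files Created" section of the ComboFix log posted in this thread.
SAMPLE_SECTION = r"""
2007-07-11 16:09 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-08 10:50 33,408 --a------ C:\WINDOWS\system32\drivers\freedom.sys
2007-07-08 10:48 <DIR> d-------- C:\Program Files\Common Files\PestPatrol
2007-07-08 10:45 <DIR> d-------- C:\Program Files\Virgin Broadband
2007-06-11 04:18 <DIR> d-------- C:\Program Files\DivX
"""

# <date> <time> <size or <DIR>> <9 attribute flags> <path>
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{9})\s+(.*)$")
SYSTEM_DIRS = ("c:\\windows\\",)                       # assumption: the tree we care about
CODE_EXT = (".exe", ".sys", ".dll", ".drv", ".ocx")     # assumption: file types that execute


@dataclass
class CreatedEntry:
    created: datetime
    size: Optional[int]    # None for directories
    attrs: str
    path: str


def parse_created(text: str) -> List[CreatedEntry]:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        when, size, attrs, path = m.groups()
        entries.append(CreatedEntry(
            datetime.strptime(when, "%Y-%m-%d %H:%M"),
            None if size == "<DIR>" else int(size.replace(",", "")),
            attrs, path))
    return entries


def suspicious_new_code(entries: List[CreatedEntry], scan_started: str,
                        onset_days: int = 14, tool_minutes: int = 10) -> List[str]:
    """Paths of executables/drivers created in the system tree during the symptom
    window, excluding files written while the scan itself ran (the tool's own helpers).
    scan_started is the timestamp from the ComboFix header, e.g. '2007-07-11 16:11:05'."""
    scan_time = datetime.strptime(scan_started, "%Y-%m-%d %H:%M:%S")
    window = timedelta(days=onset_days)
    tool_slack = timedelta(minutes=tool_minutes)
    flagged = []
    for e in entries:
        if e.size is None:
            continue                                   # directories: not code
        p = e.path.lower()
        if not p.startswith(SYSTEM_DIRS) or not p.endswith(CODE_EXT):
            continue
        if scan_time - tool_slack <= e.created <= scan_time:
            continue                                   # created by the scan run itself
        if timedelta(0) <= scan_time - e.created <= window:
            flagged.append(e.path)
    return flagged


if __name__ == "__main__":
    for path in suspicious_new_code(parse_created(SAMPLE_SECTION), "2007-07-11 16:11:05"):
        print("new code in system tree during symptom window:", path)
```

The output on the sample is the single freedom.sys line, which matches the item Budfred asked to have checked; the next step (looking at the file's version and company information) is the manual check his post describes.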

  7. #7 (Join Date: May 2006, Location: Clydebank, Posts: 72)
    When I ran drweb.com it showed no viruses, so I had nothing to paste.

    When I ran F-Secure it showed 4 malware found and cleaned; here are the results for F-Secure:

    Thursday, July 12, 2007 09:30:52 - 10:26:47
    Computer name: THOMAS-
    Scanning type: Scan system for viruses, rootkits, spyware
    Target: C:\


    --------------------------------------------------------------------------------

    Result: 4 malware found
    Possible Browser Hijack attempt (spyware)
    System (Disinfected)
    Tracking Cookie (spyware)
    System (Disinfected)
    System
    W32/Malware (virus)
    C:\PROGRAM FILES\NTL\BROADBAND MEDIC\BIN\DISAD.EXE (Submitted)

    --------------------------------------------------------------------------------

    Statistics
    Scanned:
    Files: 25971
    System: 4176
    Not scanned: 3
    Actions:
    Disinfected: 2
    Renamed: 0
    Deleted: 0
    None: 2
    Submitted: 1
    Files not scanned:
    C:\PAGEFILE.SYS
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
    C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{91325903-4A0D-42E1-A46C-5882A639DB0D}.BIN

    --------------------------------------------------------------------------------

    Options
    Scanning engines:
    F-Secure Libra: 2.4.2, 2007-07-11
    F-Secure AVP: 7.0.171, 2007-07-12
    F-Secure Orion: 1.2.37, 2007-07-12
    F-Secure Blacklight: 1.0.64
    F-Secure Draco: 1.0.35, 0260-23-12
    F-Secure Pegasus: 1.19.0, 2007-06-10
    Scanning options:
    Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
    Use Advanced heuristics

  8. #8 (Join Date: Jul 2002, Location: Minn, Posts: 17,373)
    Are those files still showing up?? How is your system running?? That may have taken out the bad files... Also, did you run ATF-Cleaner??
    Budfred ..... Caveat Emptor....


  9. #9 (Join Date: May 2006, Location: Clydebank, Posts: 72)
    Yes, each time I start up new ones are in the recycle bin.

    My laptop is running the same as before I noticed these files.

    ATF-Cleaner, I don't know what that is; I hope/think I've followed everything you've told me to do.

  10. #10 (Join Date: Jul 2002, Location: Minn, Posts: 17,373)
    Quote Originally Posted by tamster:
    Yes, each time I start up new ones are in the recycle bin.

    My laptop is running the same as before I noticed these files.

    ATF-Cleaner, I don't know what that is; I hope/think I've followed everything you've told me to do.
    ATF-Cleaner was the first tool listed in my earlier post with DrWebCureIt and F-Secure... Go ahead and run it and then run these:

    Download AVG Anti-Spyware from HERE
    • Install AVG Anti-Spyware
    • Double-click the icon on Desktop to launch AVG Anti-Spyware
    You will need to update AVG Anti-Spyware to the latest definition files.
    • On the top of the main screen click Shield and then [active] to change it to inactive
    • On the top of the main screen click Update and then Start Update.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".


    Close ALL open Windows / Programs / Folders. Run AVG Anti-Spyware with its updated definitions... it's important that all windows are closed.

    * Click Scanner and then the Scan tab
    * Click Complete System Scan to begin scanning.

    Once the scan is complete do the following:
    * If you have any infections you will be prompted, then select "Apply all actions"
    * Once finished, click the Save report button, then click Save Report As and save it to your Desktop. (make sure to remember where you saved that file, this is important).

    Close AVG Anti-Spyware and Reboot.

    and then:

    Please download SilentRunners from here:
    http://www.silentrunners.org/Silent%20Runners.zip
    Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile for me to see.

    Post the AVG-AS and Silent Runners log when you are done...
    Budfred ..... Caveat Emptor....


  11. #11 (Join Date: May 2006, Location: Clydebank, Posts: 72)
    Budfred, I did do the ATF-Cleaner earlier on and it never showed any problems.

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 19:58:02 12/07/2007

    + Scan result:



    C:\WINDOWS\Downloaded Program Files\PSNetwork.dll -> Adware.Wsear : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\PowerPlayer.dll -> Adware.Wsear : Cleaned with backup (quarantined).


    ::Report end

    I have run the Silent Runners program and for the life of me I can't find it anywhere (it's not on the desktop). Is it called "combofix-quarantined-files"?
    And I am still getting the file in the recycle bin; it seems to be the same file now:
    RB4.tmp
    TMP File
    0KB

  12. #12 (Join Date: Jul 2002, Location: Minn, Posts: 17,373)
    ATF-Cleaner is not supposed to find anything to report, it just cleans out temporary folders...

    Is that the whole AVG-AS log??

    Silent Runners takes a long time to run and it is likely you closed it before fixing it... Let it run until it produces the log...
    Budfred ..... Caveat Emptor....


  13. #13 (Join Date: May 2006, Location: Clydebank, Posts: 72)
    "Silent Runners.vbs", revision R50, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
    "AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
    "LtMoh" = "C:\Program Files\ltmoh\Ltmoh.exe" ["Agere Systems"]
    "SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
    "SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
    "Motive SmartBridge" = "C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" ["Motive Communications, Inc."]
    "Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
    "ppmate" = "C:\Program Files\PPMate\PPMate\ppmate.exe -autoplay" ["www.ppmate.com"]
    "(Default)" = "(empty string)" [file not found]
    "Sony Ericsson PC Suite" = ""C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions" ["Sony Ericsson Mobile Communications AB"]
    "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."]
    "Broadbandadvisor.exe" = ""C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN" ["Virgin Broadband"]
    "PCguard" = ""C:\Program Files\Virgin Broadband\PCguard\Rps.exe"" ["Virgin Broadband"]
    "!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {3C060EA2-E6A9-4E49-A530-D4657B8C449A}\(Default) = "Pop-Up Blocker BHO"
    -> {HKLM...CLSID} = "PopKill Class"
    \InProcServer32\(Default) = "C:\Program Files\Virgin Broadband\PCguard\pkR.dll" ["Radialpoint Inc."]
    {56071E0D-C61B-11D3-B41C-00E02927A304}\(Default) = "Form Filler BHO"
    -> {HKLM...CLSID} = "ZKBho Class"
    \InProcServer32\(Default) = "C:\Program Files\Virgin Broadband\PCguard\FBHR.dll" ["Radialpoint Inc."]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Google Toolbar Helper"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
    {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
    \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll" ["Google Inc."]
    {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "EpsonToolBandKicker Class"
    \InProcServer32\(Default) = "C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll" [file not found]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
    "{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
    "{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"
    -> {HKLM...CLSID} = "Sony Ericsson File Manager"
    \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
    -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
    -> {HKLM...CLSID} = "WPDShServiceObj Class"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT

  14. #14
    Join Date
    May 2006
    Location
    Clydebank
    Posts
    72
    LM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]


    Group Policies {policy setting}:
    --------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "DisableRegistryTools" = (REG_DWORD) hex:0x00000000
    {Prevent access to registry editing tools}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\thomas mccord\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


    Startup items in "thomas mccord" & "All Users" startup folders:
    ---------------------------------------------------------------

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
    "broadband medic" -> shortcut to: "C:\Program Files\ntl\broadband medic\bin\matcli.exe -boot" ["Motive Communications, Inc."]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
    -> {HKLM...CLSID} = "&Google"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{EE5D279F-081B-4404-994D-C6B60AAEBA6D}"
    -> {HKLM...CLSID} = "EPSON Web-To-Page"
    \InProcServer32\(Default) = "C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll" [file not found]
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
    -> {HKLM...CLSID} = "&Google"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{EE5D279F-081B-4404-994D-C6B60AAEBA6D}" = (no title provided)
    -> {HKLM...CLSID} = "EPSON Web-To-Page"
    \InProcServer32\(Default) = "C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll" [file not found]
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
    -> {HKLM...CLSID} = "&Google"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"
    -> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]

    {E2E2DD38-D088-4134-82B7-F2BA38496583}\
    "MenuText" = "@xpsp3res.dll,-20001"
    "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]
    DvpApi, dvpapi, ""C:\Program Files\Common Files\Command Software\dvpapi.exe"" ["Authentium, Inc."]
    PCguard Firewall, RP_FWS, "C:\Program Files\Virgin Broadband\PCguard\fws.exe" ["Radialpoint Inc."]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    EPSON Stylus Photo RX420 Series 2KMonitor5E\Driver = "E_FLM9CE.DLL" ["SEIKO EPSON CORPORATION"]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 53 seconds, including 6 seconds for message boxes)
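
Added here as an editor's example, not code from the thread or from the Silent Runners tool: a small Python triage pass over a constructed excerpt in the report format pasted above. It groups each launch point with the DLL behind its CLSID and pulls out the three things a reviewer checks first in such a log: entries the tool marked `<<!>>`, orphaned `[file not found]` entries, and binaries with no vendor annotation at all. The sample log is constructed from the format shown in this thread; the unannotated "Updater" entry is invented for the example.

```python
import re
# Constructed excerpt in the Silent Runners report format pasted in this thread (not the poster's
# log): key lines end in a backslash, suspect launch points carry a <<!>> prefix and each binary is
# annotated [MS], ["Company"] or [file not found]. The unannotated "Updater" entry is invented.
SAMPLE_LOG = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}\(Default) = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
"Updater" = "C:\Documents and Settings\user\Local Settings\Temp\svc_helper.exe"
"""
TRAILER = re.compile(r'\[(MS|file not found|"[^"]*")\]$')  # annotation appended to each binary path


def parse_launch_points(text):
    """One record per launch point: registry key, value name, binary string and <<!>> flag."""
    records, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("->"): continue  # skip blank lines and CLSID cross-references
        if line.startswith("HK") and line.endswith("\\"):
            key = line                           # registry key heading for the entries below
            continue
        flagged = line.startswith("<<!>>")
        line = line[5:].strip() if flagged else line
        if line.startswith("\\InProcServer32") and records:
            records[-1]["binary"] = line.split("=", 1)[1].strip()  # DLL behind the CLSID above
            continue
        name, _, value = line.partition("=")
        records.append({"key": key, "name": name.strip(), "binary": value.strip(), "flagged": flagged})
    return records


def review_reasons(record):
    """Why a launch point deserves a second look; an empty list means nothing stood out."""
    reasons = ["tool marked the launch point with <<!>>"] if record["flagged"] else []
    match = TRAILER.search(record["binary"])
    if match is None:
        reasons.append("binary carries no vendor annotation")
    elif match.group(1) == "file not found":
        reasons.append("orphaned entry, target file is missing")
    return reasons


def triage(text):
    return {r["name"]: review_reasons(r) for r in parse_launch_points(text)}
```

A `<<!>>` mark alone is not a verdict: in the log above the tool flags a signed Intel display DLL in Winlogon\Notify, which is why the reviewer still reads the vendor annotation and path before acting.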

  15. #15
    Join Date
    May 2006
    Location
    Clydebank
    Posts
    72
    Budfred, ignore post 11 about ComboFix, I never realized that I had already done that

    Thanks for the time you're taking over this

  16. #16
    Join Date
    Jul 2002
    Location
    Minn
    Posts
    17,373
    Quote Originally Posted by tamster
    Budfred, ignore post 11 about ComboFix, I never realized that I had already done that

    Thanks for the time you're taking over this
    I am not sure what you are saying here...

    Your log looks clean... I found at least one source that suggests those files could have been made by an antivirus and I am not familiar with the one you use, so that may be where they are coming from... If it is an infection, it seems to be a Hotbar item called SpamblockerUtility and I don't see any evidence that you have that other than those files... I suggest you clean out the Recycle Bin, go offline, turn off your antivirus (and set it to NOT load on reboot) and reboot... If the files are not created, it is a clue that the antivirus is the source... Turn the antivirus back on before going online... Let me know what you find...

  17. #17
    Join Date
    May 2006
    Location
    Clydebank
    Posts
    72
    Quote Originally Posted by Budfred
    I am not sure what you are saying here...

    Your log looks clean... I found at least one source that suggests those files could have been made by an antivirus and I am not familiar with the one you use, so that may be where they are coming from... If it is an infection, it seems to be a Hotbar item called SpamblockerUtility and I don't see any evidence that you have that other than those files... I suggest you clean out the Recycle Bin, go offline, turn off your antivirus (and set it to NOT load on reboot) and reboot... If the files are not created, it is a clue that the antivirus is the source... Turn the antivirus back on before going online... Let me know what you find...
    Done as you have said, rebooted and NO files in the recycle bin

    I have uninstalled the anti-virus "PC Guard" that I was using (I was never comfortable with it anyway) and installed AVG A/V, I hope that's ok

    Thanks again Budfred for your time and patience, much appreciated

  18. #18
    Join Date
    Jul 2002
    Location
    Minn
    Posts
    17,373
    Well the good thing about it is that it helped you find some other infections that weren't showing up...

    Here is my prevention speech to help avoid future infection:

    This is a good time to set up protection against further attacks. Read the article linked below about "How did I get infected". You need an antivirus that is updated, a good firewall (a router firewall is not enough) and a spyware blocker like SpywareBlaster and also IE-Spyads. Using a different browser like Firefox with NoScript is better than IE... All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

    http://forums.spywareinfo.com/index.php?showtopic=60955

  19. #19
    Join Date
    May 2006
    Location
    Clydebank
    Posts
    72
    Again Budfred, many thanks for all your help, I'll be logging on to the spywareinfo site right now
