
TROJAN DOWNLOADER


  • This topic is locked
29 replies to this topic

#1 Milson

Milson

    Member

  • Members
  • 16 posts
  • OS:Windows XP
  • AV:Stopzilla; Spyware-Doctor; emsisoft AV
  • HIPS:Windows
  • Other:see above

Posted 18 September 2011 - 07:51 PM

I seem to be going round in circles so I'll begin with the reports.

***********
Emsisoft Emergency Kit - Version 1.0
Last update: 18-Sep-11 8:01:16 PM

Scan settings:

Scan type: Smart Scan
Objects: Memory, Traces, Cookies, C:\WINDOWS\, C:\Program Files
Scan archives: Off
Heuristics: Off
ADS Scan: On

Scan start: 18-Sep-11 8:02:39 PM

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:25 detected: Trace.TrackingCookie.ctix8.cheaptickets.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:132 detected: Trace.TrackingCookie.d1.openx.org!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:133 detected: Trace.TrackingCookie.d1.openx.org!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:134 detected: Trace.TrackingCookie.d1.openx.org!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:135 detected: Trace.TrackingCookie.d1.openx.org!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:136 detected: Trace.TrackingCookie.d1.openx.org!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:137 detected: Trace.TrackingCookie.d1.openx.org!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:138 detected: Trace.TrackingCookie.d1.openx.org!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:139 detected: Trace.TrackingCookie.d1.openx.org!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:140 detected: Trace.TrackingCookie.d1.openx.org!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:141 detected: Trace.TrackingCookie.d1.openx.org!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:226 detected: Trace.TrackingCookie.adsfac.net!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:453 detected: Trace.TrackingCookie.aj.600z.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:454 detected: Trace.TrackingCookie.aj.600z.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:761 detected: Trace.TrackingCookie.lycos.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:890 detected: Trace.TrackingCookie.loc1.hitsprocessor.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1001 detected: Trace.TrackingCookie.mg.dt00.net!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1002 detected: Trace.TrackingCookie.mg.dt00.net!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1003 detected: Trace.TrackingCookie.mg.dt00.net!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1004 detected: Trace.TrackingCookie.mg.dt00.net!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1009 detected: Trace.TrackingCookie.doubleclick.net!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1010 detected: Trace.TrackingCookie.doubleclick.net!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1025 detected: Trace.TrackingCookie.reuters.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1098 detected: Trace.TrackingCookie.myspace.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1099 detected: Trace.TrackingCookie.myspace.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1100 detected: Trace.TrackingCookie.myspace.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1108 detected: Trace.TrackingCookie.www.buy!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1162 detected: Trace.TrackingCookie.aol.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1181 detected: Trace.TrackingCookie.pmetrics.performancing.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1199 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1201 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1203 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1204 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1206 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1207 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1208 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1209 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1210 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1591 detected: Trace.TrackingCookie.www.googleadservices.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1592 detected: Trace.TrackingCookie.www.googleadservices.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1880 detected: Trace.TrackingCookie.webtrends!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1924 detected: Trace.TrackingCookie.wt.o.nytimes.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1977 detected: Trace.TrackingCookie.media!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:1978 detected: Trace.TrackingCookie.media!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:2189 detected: Trace.TrackingCookie.www.emjcd.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:2362 detected: Trace.TrackingCookie.thefreedictionary.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:2363 detected: Trace.TrackingCookie.thefreedictionary.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:2462 detected: Trace.TrackingCookie.www.hey.lt!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:2487 detected: Trace.TrackingCookie.bigmir.net!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:2488 detected: Trace.TrackingCookie.bigmir.net!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:2489 detected: Trace.TrackingCookie.bigmir.net!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:2490 detected: Trace.TrackingCookie.bigmir.net!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:2491 detected: Trace.TrackingCookie.bigmir.net!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:3857 detected: Trace.TrackingCookie.www.googleadservices.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:4460 detected: Trace.TrackingCookie.www.marketgid.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:4511 detected: Trace.TrackingCookie.www.marketgid.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:5623 detected: Trace.TrackingCookie.www.googleadservices.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t5xm74h0.default\cookies.sqlite:6771 detected: Trace.TrackingCookie.sales.liveperson.net!A2

Scanned

Files: 79241
Traces: 362097
Cookies: 2912
Processes: 38

Found

Files: 0
Traces: 0
Cookies: 58
Processes: 0
Registry keys: 0

Scan end: 18-Sep-11 8:46:29 PM
Scan time: 0:43:50
*********************
OTL Extras logfile created on: 18-Sep-11 9:09:49 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: dd-MMM-yy

1.87 Gb Total Physical Memory | 0.50 Gb Available Physical Memory | 26.81% Memory free
3.72 Gb Paging File | 2.23 Gb Available in Paging File | 59.87% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 98.64 Gb Total Space | 56.71 Gb Free Space | 57.50% Space Free | Partition Type: NTFS
Drive E: | 199.45 Gb Total Space | 133.68 Gb Free Space | 67.02% Space Free | Partition Type: NTFS

Computer Name: RAD152 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox 4.0 Beta 12\firefox.exe (Mozilla Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox 4.0 Beta 12\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1"
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1"
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"ANTIVIRUSDISABLENOTIFY" = 0
"FIREWALLDISABLENOTIFY" = 0
"UPDATESDISABLENOTIFY" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\TVUBroadcast\TVUBroadcast.exe" = C:\Program Files\TVUBroadcast\TVUBroadcast.exe:*:Enabled:TVU Broadcast Component
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
"C:\Documents and Settings\Administrator\Local Settings\Temp\LMIR0001.tmp\lmi_rescue.exe" = C:\Documents and Settings\Administrator\Local Settings\Temp\LMIR0001.tmp\lmi_rescue.exe:*:Enabled:LogMeIn Rescue
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire
"C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Disabled:AVG Installer


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 3.3
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{20EAC554-95F9-4926-8D9A-C4FF3EC44C72}" = AVG 2011
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 26
"{26A24AE4-039D-4CA4-87B4-2F83216020F0}" = Java™ 6 Update 20
"{26A24AE4-039D-4CA4-87B4-2F83216022F0}" = Java™ 6 Update 22
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{530241F4-D15B-4E0B-B3F3-47F83BC285AA}" = STOPzilla
"{695B13B2-7919-4EC5-8601-092F0D2DE069}" = AVG 2011
"{6A3F9D74-BB80-4451-8CA1-4B3A857F1359}" = Apple Application Support
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{71A51A91-E7D3-11DB-A386-005056C00008}" = Vimicro USB2.0 UVC PC Camera
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{901F0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Proofing Tools
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)
"{B29B0066-547B-402c-9C0D-090E2F928A01}" = PANTECH PC USB Modem Software
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B3FED300-806C-11E0-A0D0-B8AC6F97B88E}" = Google Earth
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Click to Call with Skype
"{BC30E5E7-047D-4232-A7E8-F2CB7CC7B2E0}_is1" = Emsisoft Anti-Malware
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver
"{C9E14402-3631-4182-B377-6B0DFB1C0339}" = QuickTime
"{CDC85536-A0EF-4401-82A6-25D8EFC7EFAC}" = VZAccess Manager
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D03482C5-9AD8-496D-B388-692AE04C93AF}" = Bonjour
"{E296E0ED-038F-4A5A-9513-642F2FA17A59}" = UM150 Firmware Updates
"{E592E668-89A9-4098-B70C-0C2D59FB15CA}" = UPSilon 2000
"{FE4270D7-A642-49C1-9A40-854DA3F13FB2}_is1" = Moyea FLV Player version: 2.0.2.96
"{FE58B892-3825-4610-A6A2-E6EFCA83BD97}" = Ulead PhotoImpact 10 ESD
"{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}" = Adobe Setup
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_719d6f144d0c086a0dfa7ff76bb9ac1" = Adobe Photoshop CS3
"AIMP2" = AIMP2
"Browser Defender_is1" = Browser Defender 3.0
"Evrsoft First Page 2006_is1" = Evrsoft First Page 2006
"Free Download Manager_is1" = Free Download Manager 3.0 - Prime Time Freeware Edition
"ie8" = Windows Internet Explorer 8
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
"IP-TV_Player" = IP-TV Player 0.28.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 7.0 (x86 en-US)" = Mozilla Firefox 7.0 (x86 en-US)
"Mozilla Thunderbird (6.0.2)" = Mozilla Thunderbird (6.0.2)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"Nero8280_Micro_is1" = Nero 8 Micro v8.2.8.0
"NVIDIA Drivers" = NVIDIA Drivers
"RealPlayer 12.0" = RealPlayer
"SnagIt6" = SnagIt 6
"Spyware Doctor" = Spyware Doctor 8.0
"The KMPlayer_is1" = KMPlayer 2.9.3.1430
"Time Stopper3.12" = Time Stopper
"UltraISO_is1" = UltraISO Premium V9.0
"Unlocker" = Unlocker 1.8.6
"USBGuard 5.1.0.15" = USBGuard 5.1.0.15
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12-Jul-11 1:59:35 AM | Computer Name = RAD152 | Source = Rupsmon | ID = 116
Description = Send E-Mail Unsuccessfully

Error - 12-Jul-11 6:55:50 AM | Computer Name = RAD152 | Source = Rupsmon | ID = 116
Description = Send E-Mail Unsuccessfully

Error - 12-Jul-11 6:55:54 AM | Computer Name = RAD152 | Source = Rupsmon | ID = 116
Description = Send E-Mail Unsuccessfully

Error - 13-Jul-11 6:17:30 AM | Computer Name = RAD152 | Source = Application Hang | ID = 1002
Description = Hanging application soffice.bin, version 3.3.9556.500, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 13-Jul-11 6:17:31 AM | Computer Name = RAD152 | Source = Application Hang | ID = 1002
Description = Hanging application soffice.bin, version 3.3.9556.500, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 13-Jul-11 6:18:19 AM | Computer Name = RAD152 | Source = Application Hang | ID = 1001
Description = Fault bucket 00000009.

Error - 13-Jul-11 6:18:22 AM | Computer Name = RAD152 | Source = Application Hang | ID = 1001
Description = Fault bucket 00000009.

Error - 13-Jul-11 6:19:04 AM | Computer Name = RAD152 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 6.0.0.4203, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 13-Jul-11 6:19:15 AM | Computer Name = RAD152 | Source = Application Hang | ID = 1001
Description = Fault bucket 00000009.

Error - 13-Jul-11 6:55:49 AM | Computer Name = RAD152 | Source = Rupsmon | ID = 116
Description = Send E-Mail Unsuccessfully

[ System Events ]
Error - 18-Sep-11 8:12:22 AM | Computer Name = RAD152 | Source = Service Control Manager | ID = 7000
Description = The AVGIDSAgent service failed to start due to the following error:
%%3

Error - 18-Sep-11 8:12:35 AM | Computer Name = RAD152 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
is3srv

Error - 18-Sep-11 8:18:19 AM | Computer Name = RAD152 | Source = Service Control Manager | ID = 7000
Description = The AVG Firewall service failed to start due to the following error:
%%3

Error - 18-Sep-11 8:18:19 AM | Computer Name = RAD152 | Source = Service Control Manager | ID = 7000
Description = The AVG WatchDog service failed to start due to the following error:
%%3

Error - 18-Sep-11 8:18:19 AM | Computer Name = RAD152 | Source = Service Control Manager | ID = 7000
Description = The AVGIDSAgent service failed to start due to the following error:
%%3

Error - 18-Sep-11 8:18:31 AM | Computer Name = RAD152 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
is3srv

Error - 18-Sep-11 8:20:17 AM | Computer Name = RAD152 | Source = nvgts | ID = 262153
Description = The device, \Device\Scsi\nvgts1, did not respond within the timeout
period.

Error - 18-Sep-11 8:20:17 AM | Computer Name = RAD152 | Source = nvgts | ID = 262149
Description = A parity error was detected on \Device\Scsi\nvgts1.

Error - 18-Sep-11 8:20:24 AM | Computer Name = RAD152 | Source = nvgts | ID = 262153
Description = The device, \Device\Scsi\nvgts1, did not respond within the timeout
period.

Error - 18-Sep-11 8:20:24 AM | Computer Name = RAD152 | Source = nvgts | ID = 262149
Description = A parity error was detected on \Device\Scsi\nvgts1.
**********************************
*********************************
Here is my original comment:

Here is the actual problem as written:

I have been trying out programs for some time now and yours has come the closest to resolving my problem - but not quite there.

For weeks I have been receiving a Trojan Downloader, which has only been seen by "Stopzilla", but then I have to delete it manually.

Because of the nature of this threat it has to be BLOCKED from entering the computer in the first place - not just removed, and I cannot seem to find a program which does this (although some actually claim to do so!).

The offender is:
TrojanDL.Fraudload/BHyC/wrwlwwEkDFLJu469w - or there may be more than just one.

Milson


< End of report >
************************

#2 Kevin Zoll

Kevin Zoll

    Malware Removal Support

  • Emsisoft Employee
  • 12294 posts
  • Location: Depauville, NY, USA
  • OS:Windows Vista
  • AV:Emsisoft Anti-Malware
  • HIPS:Online Armor
  • Other:WinPatrol Plus

Posted 19 September 2011 - 11:45 PM

Using Add or Remove Programs in the Control Panel; uninstall the following:
Java(TM) 6 Update 20
Java(TM) 6 Update 22
 
Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll File not found
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - Reg Error: Value error. File not found
    O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\PROGRA~1\AVASTS~1\Avast\aswWebRepIE.dll File not found
    O2 - BHO: (Reg Error: Value error.) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - c:\program files\stopzilla!\sziebho.dll File not found
    O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\PROGRA~1\AVASTS~1\Avast\aswWebRepIE.dll File not found
    O3 - HKLM\..\Toolbar: (no name) - {AF3D7884-B142-414E-943D-75D8D54E1FFF} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O20 - Winlogon\Notify\TPSvc: DllName - (TPSvc.dll) -  File not found
    O33 - MountPoints2\{7c49ecf8-c8e1-11e0-867b-0025b3758c44}\Shell - "" = AutoRun
    O33 - MountPoints2\{7c49ecf8-c8e1-11e0-867b-0025b3758c44}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{7c49ecf8-c8e1-11e0-867b-0025b3758c44}\Shell\AutoRun\command - "" = L:\PTKSETUP.EXE /AUTORUN
    O33 - MountPoints2\{7c49ecf8-c8e1-11e0-867b-0025b3758c44}\Shell\configure\command - "" = L:\PTKSETUP.EXE
    O33 - MountPoints2\{7c49ecf8-c8e1-11e0-867b-0025b3758c44}\Shell\install\command - "" = L:\PTKSETUP.EXE
    O33 - MountPoints2\{b5c87906-138a-11e0-a7af-806d6172696f}\Shell - "" = AutoRun
    O33 - MountPoints2\{b5c87906-138a-11e0-a7af-806d6172696f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{b5c87906-138a-11e0-a7af-806d6172696f}\Shell\AutoRun\command - "" = K:\setup.exe
    [8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf:SummaryInformation
    @Alternate Data Stream - 199 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
    @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [ResetHosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL).
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
Kevin Zoll [Customer Support]
Emsisoft Team - www.emsisoft.com
 
If you are seeking Malware Removal support keep it in the forums.  It is not permissible to contact support staff by Private Message (PM), IM (Skype, MSN, AOL, Yahoo, etc.) or Email.

Purchase Emsisoft Anti-Malware and Online Armor Firewall

#3 Milson

Milson

    Member

  • Members
  • PipPip
  • 16 posts
  • OS:Windows XP
  • AV:Stopzilla; Spyware-Doctor; emsisoft AV
  • HIPS:Windows
  • Other:see above

Posted 20 September 2011 - 03:44 PM

This did not work.

I uninstalled the two Java updates.

I ran the OTL program and the comment came up that the C:/ .....Hosts ... file could not be created.

It advised me not to interrupt the program as it was creating (recreating?) the Hosts file.

It obviously froze and I had to crash the system to get out of it.

I ran it a second time. The same thing happened. After 15 minutes I checked the Windows Task Mgr to see what was running - ZERO!! So it had indeed frozen again and I had to crash the system to get out of it.

Not making any progress!!

#4 Kevin Zoll

Kevin Zoll

    Malware Removal Support

  • Emsisoft Employee
  • 12294 posts
  • LocationDepauville, NY, USA
  • OS:Windows Vista
  • AV:Emsisoft Anti-Malware
  • HIPS:Online Armor
  • Other:WinPatrol Plus

Posted 20 September 2011 - 10:59 PM

Use this OTL fix instead:

    :OTL
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll File not found
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - Reg Error: Value error. File not found
    O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\PROGRA~1\AVASTS~1\Avast\aswWebRepIE.dll File not found
    O2 - BHO: (Reg Error: Value error.) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - c:\program files\stopzilla!\sziebho.dll File not found
    O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\PROGRA~1\AVASTS~1\Avast\aswWebRepIE.dll File not found
    O3 - HKLM\..\Toolbar: (no name) - {AF3D7884-B142-414E-943D-75D8D54E1FFF} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O20 - Winlogon\Notify\TPSvc: DllName - (TPSvc.dll) -  File not found
    O33 - MountPoints2\{7c49ecf8-c8e1-11e0-867b-0025b3758c44}\Shell - "" = AutoRun
    O33 - MountPoints2\{7c49ecf8-c8e1-11e0-867b-0025b3758c44}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{7c49ecf8-c8e1-11e0-867b-0025b3758c44}\Shell\AutoRun\command - "" = L:\PTKSETUP.EXE /AUTORUN
    O33 - MountPoints2\{7c49ecf8-c8e1-11e0-867b-0025b3758c44}\Shell\configure\command - "" = L:\PTKSETUP.EXE
    O33 - MountPoints2\{7c49ecf8-c8e1-11e0-867b-0025b3758c44}\Shell\install\command - "" = L:\PTKSETUP.EXE
    O33 - MountPoints2\{b5c87906-138a-11e0-a7af-806d6172696f}\Shell - "" = AutoRun
    O33 - MountPoints2\{b5c87906-138a-11e0-a7af-806d6172696f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{b5c87906-138a-11e0-a7af-806d6172696f}\Shell\AutoRun\command - "" = K:\setup.exe
    [8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf:SummaryInformation
    @Alternate Data Stream - 199 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
    @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [Reboot]



#5 Milson

Posted 21 September 2011 - 04:21 PM

Done.

Your system needs a bit of 'fine-tuning' - - it takes quite some time before the space below "Reply to this Topic" becomes usable

No option to "attach" file found so copied below ................

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E3215F20-3212-11D6-9F8B-00D0B743919D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E3215F20-3212-11D6-9F8B-00D0B743919D}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{8E5E2654-AD2D-48bf-AC2D-D17F00898D06} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{AF3D7884-B142-414E-943D-75D8D54E1FFF} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF3D7884-B142-414E-943D-75D8D54E1FFF}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\control panel\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Low Rights\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\restrictions\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\control panel\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\restrictions\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\TPSvc\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7c49ecf8-c8e1-11e0-867b-0025b3758c44}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7c49ecf8-c8e1-11e0-867b-0025b3758c44}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7c49ecf8-c8e1-11e0-867b-0025b3758c44}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7c49ecf8-c8e1-11e0-867b-0025b3758c44}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7c49ecf8-c8e1-11e0-867b-0025b3758c44}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7c49ecf8-c8e1-11e0-867b-0025b3758c44}\ not found.
File L:\PTKSETUP.EXE /AUTORUN not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7c49ecf8-c8e1-11e0-867b-0025b3758c44}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7c49ecf8-c8e1-11e0-867b-0025b3758c44}\ not found.
File L:\PTKSETUP.EXE not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7c49ecf8-c8e1-11e0-867b-0025b3758c44}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7c49ecf8-c8e1-11e0-867b-0025b3758c44}\ not found.
File L:\PTKSETUP.EXE not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b5c87906-138a-11e0-a7af-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b5c87906-138a-11e0-a7af-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b5c87906-138a-11e0-a7af-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b5c87906-138a-11e0-a7af-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b5c87906-138a-11e0-a7af-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b5c87906-138a-11e0-a7af-806d6172696f}\ not found.
File K:\setup.exe not found.
File/Folder C:\WINDOWS\*.tmp not found.
File/Folder C:\WINDOWS\System32\*.tmp not found.
Unable to delete ADS C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf:SummaryInformation .
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84 deleted successfully.
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 .
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8 .
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 272678 bytes
->Temporary Internet Files folder emptied: 306210 bytes
->Java cache emptied: 31485 bytes
->FireFox cache emptied: 52956330 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1062 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33664 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 53831574 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 24064 bytes

Total Files Cleaned = 103.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.29.1 log created on 09212011_175659

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\bfytk5jb.vbt not found!
File\Folder C:\WINDOWS\temp\mxpmzji5.vbt not found!
C:\WINDOWS\temp\z3zwpr9j.vbt moved successfully.

Registry entries deleted on Reboot...
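
The OTL fix log pasted above is a flat list of result lines, and the outcome that matters for the next step is buried in the wording: "deleted successfully" means OTL removed the object, "not found" means it was already gone (or the entry pointed at a drive letter that is not mounted, as with the L:\ and K:\ autorun commands), and "Unable to delete" means the object is still present. The following script is an added example, not code from this thread or from OTL's author; it parses a constructed excerpt in the shape of that log into one record per action line, counts the outcomes, and lists what still needs a follow-up (here the ADS entry OTL could not delete). The patterns are written against the line shapes visible in this log only.

```python
"""Triage helper for OTL fix logs: classify each action line by outcome.

Added example, not part of the thread or of OTL itself. It reads the
text OTL prints after a Run Fix (the "========== OTL ==========" section
and the "moved on Reboot" section) and reports what was removed, what
was already gone, and what could not be deleted and needs a follow-up.
"""
import re
from collections import Counter

# Constructed excerpt shaped like the fix log posted in the thread
# (paths and GUIDs are the thread's own; this is not the full log).
SAMPLE_LOG = r"""All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\control panel\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Low Rights\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{AF3D7884-B142-414E-943D-75D8D54E1FFF} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\TPSvc\ deleted successfully.
File L:\PTKSETUP.EXE not found.
File/Folder C:\WINDOWS\*.tmp not found.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 .
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 272678 bytes

Total Files Cleaned = 103.00 mb

OTL by OldTimer - Version 3.2.29.1 log created on 09212011_175659

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\bfytk5jb.vbt not found!
C:\WINDOWS\temp\z3zwpr9j.vbt moved successfully.

Registry entries deleted on Reboot...
"""

# Object kinds OTL names in its result lines; "File/Folder" and the
# reboot-section spelling "File\Folder" must precede the bare "File".
KINDS = r"Registry key|Registry value|File/Folder|File\\Folder|File|ADS"

# "Unable to delete ADS <path> ." (OTL leaves a space before the dot)
UNABLE_RE = re.compile(rf"^Unable to delete (?P<kind>{KINDS}) (?P<target>.+?) ?\.$")

# "<kind> <target> deleted successfully." / "... not found." / "... not found!"
# and the reboot section's "<path> moved successfully." with no kind prefix.
RESULT_RE = re.compile(
    rf"^(?:(?P<kind>{KINDS}) )?(?P<target>.+?) "
    r"(?P<outcome>deleted successfully|moved successfully|not found)[.!]$"
)

OUTCOME = {
    "deleted successfully": "removed",  # OTL deleted the object
    "moved successfully": "removed",    # file quarantined to C:\_OTL on reboot
    "not found": "absent",              # already gone, or the path never existed
}


def parse_otl_fix_log(text):
    """Return one record per action line: {'kind', 'target', 'outcome'}.

    Lines that are not action results (section banners, EmptyTemp totals,
    the version stamp) are ignored.
    """
    records = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = UNABLE_RE.match(line)
        if m:
            records.append({"kind": m["kind"], "target": m["target"], "outcome": "failed"})
            continue
        m = RESULT_RE.match(line)
        if m:
            records.append({
                "kind": m["kind"] or "File",  # reboot-section moves omit the kind
                "target": m["target"],
                "outcome": OUTCOME[m["outcome"]],
            })
    return records


def summarize(records):
    """Count outcomes so a helper can see at a glance whether the fix took."""
    return Counter(r["outcome"] for r in records)


def needs_followup(records):
    """Targets OTL could not delete: these are still on disk and need
    another pass, or a different tool, as the thread goes on to try."""
    return [r["target"] for r in records if r["outcome"] == "failed"]


def report(text):
    records = parse_otl_fix_log(text)
    return {"counts": dict(summarize(records)), "followup": needs_followup(records)}


if __name__ == "__main__":
    result = report(SAMPLE_LOG)
    print(result["counts"])
    for target in result["followup"]:
        print("still present:", target)
```

Running it on the excerpt gives 4 removed, 5 absent and 1 failed, with the failed entry being the TEMP:0B4227B4 stream; a real log is parsed the same way by passing the file's text to report().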

#6 Kevin Zoll

Posted 21 September 2011 - 04:32 PM

You are using the quick reply at the bottom of the forum page. Click the More Reply Option button and you can attach files.

How are things running?

#7 Milson

Posted 21 September 2011 - 08:19 PM

Basically no change. The variety of obvious interferences continues, led by that one Trojan Downloader (the corrected name is Trojan.DL.Fraudload!EkDFLJu4bSw ) which allows a free flow of viruses into the computer. I am still removing it manually at least once per hour.

I have also noticed that your program finds almost nothing at all now.

Would there be a good reason for this? It found a number of threats initially, but that suddenly ceased.

#8 Kevin Zoll

Posted 23 September 2011 - 03:25 AM

Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1
Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:
1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

 
Attach logs for:
  • ComboFix (C:\combofix.txt)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

#9 Milson

Posted 24 September 2011 - 10:40 AM

Delayed a bit because of difficulties at times in connecting with internet.

Program has been downloaded and will continue this afternoon.

Lack of finding threats, that I referred to above, may be because it is BLOCKING threats (other than this important one!), as I see confirmation of blocks come up in blue boxes.

#10 Milson

Posted 24 September 2011 - 11:25 AM

Scan completed.

#11 Kevin Zoll

Posted 24 September 2011 - 05:51 PM

Read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Save the log somewhere where you can find it.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.(Version)_(Date)_(Time)_log.txt".
  • Attach the TDSSKiller log.


#12 Milson

Posted 25 September 2011 - 09:47 AM

Report attached.

#13 Kevin Zoll

Posted 27 September 2011 - 12:58 AM

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again
  • After the update, from the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm, virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach the Compressed file, virusinfo_syscheck.zip, to your next reply.


#14 Milson

Posted 27 September 2011 - 03:45 PM

This does not appear to be working.

After "OK at next prompt" there appears "ERROR No restore operation has been selected" and no action after that.

#15 Kevin Zoll

Posted 29 September 2011 - 12:16 AM

OK, run a scan with OTL and attach the resulting log.

#16 Milson

Posted 29 September 2011 - 10:13 AM

New log attached

#17 Kevin Zoll

Posted 30 September 2011 - 12:36 AM

The OTL log did not attach. Please try again.

#18 Milson

Posted 30 September 2011 - 06:20 PM

Trying again ....................

#19 Kevin Zoll

Posted 30 September 2011 - 11:44 PM

OTL did not run properly.

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again
  • After the update, from the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm, virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach the Compressed file, virusinfo_syscheck.zip, to your next reply.


#20 Milson

Posted 01 October 2011 - 12:23 PM

If you look at previous correspondence you will see that this was done already.

It was redone just now with exactly the same response!

NO restore operation is selected.

#21 Kevin Zoll

Posted 01 October 2011 - 02:29 PM

OK, let's switch tools.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      Alternate Zip Mirror 2
      Alternate Zip Mirror 3
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Double click Posted Image or Posted Image on your desktop. If you are using Vista, please right-click and select run as administrator
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Allow the gmer.sys driver to load if asked.
If it detects rootkit activity, you will receive a prompt to run a full scan. Click NO.

  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Attach the GMER log.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on <--- ROOTKIT entries

#22 Milson

Posted 01 October 2011 - 10:13 PM

scanned

#23 Milson

Posted 01 October 2011 - 10:15 PM

LOG

#24 Kevin Zoll

Posted 02 October 2011 - 12:22 AM

Going back through your logs, to get a better handle on what is going on, I noticed something:
AVG 2011
Emsisoft Anti-Malware
Spyware Doctor 8.0
STOPzilla
This is complete overkill. You are duplicating defense layers and most of these need to be uninstalled. Emsisoft Anti-malware is the only program you need of the 4. Having all these installed will impact heavily on system resources and will cause conflicts.

 
We are going to attempt cleaning up a few more things using OTL.

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    DRV - (aswSnx) -- C:\WINDOWS\System32\drivers\aswSnx.sys (AVAST Software)
    @Alternate Data Stream - 199 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
    
    :Files
    c:\windows\system32\drivers\aswSnx.sys
    c:\windows\avastSS.scr
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL).
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

#25 Milson

Posted 02 October 2011 - 10:57 AM

AVG was uninstalled some time ago but it proved difficult to remove. The vendor finally supplied a program to uninstall it.

However I still find inexplicable traces of both AVG and Avast.

Stopzilla is essential as it is the ONLY program finding TrojanDownloaders. However, I have to manually delete - and am running it every hour or so. Not satisfactory.

Spyware Doctor is supposed to find TrojanDownloaders but seems to find only Trojans. It is the Malware program.

Both these are fully paid programs.

I then still get messages that I have no "Anti-virus" program and have been trying all kinds of programs in the meantime. Currently it is yours. It is pretty good except that it does not deal with TrojanDownloaders and will be uninstalled if no progress is made.

The scan last night took over two hours. Maybe existing scans should be deleted as it is probably duplicating the scan.

I shall do the next scan now.

#26 Milson

Posted 02 October 2011 - 11:46 AM

The computer is comparably VERY slow these days and this morning I had a blue screen and a shutdown.

Often have to crash the system to make progress, especially after a threat is reported.

New scan attached.

#27 Kevin Zoll

Posted 02 October 2011 - 12:25 PM

Emsisoft Anti-Malware provides protection across the entire spectrum of Malware. STOPzilla is not essential for protecting your computer. The company that sells STOPzilla has an extremely poor reputation. Spyware Doctor is a discontinued product and is no longer supported by GFI. In my experience Spyware Doctor has made every system, that I have ever installed it on, unstable.

Uninstall both of them. You want a program specifically for protection against Trojans, then get Malwarebytes' Anti-Malware.

Run the AVG Uninstaller:
32-bit: http://download.avg....6_2011_1322.exe
64-bit: http://download.avg....4_2011_1322.exe

Attach a fresh log from OTL after doing the above.

#28 Milson

Posted 02 October 2011 - 03:11 PM

Scan attached.

Does it make sense to you, when the problem is TROJAN,DOWNLOADER, to uninstall the ONLY program that has shown that it can detect it?

I tried out Malwarebytes' Anti-Malware which from the advertising appeared fully functional, but after three days without success I wrote to the vendor, only to be told "Buy it and you will have no more problems" ....!!

I need proof.

#29 Kevin Zoll

Kevin Zoll

    Malware Removal Support

  • Emsisoft Employee
  • 12294 posts
  • Location: Depauville, NY, USA
  • OS:Windows Vista
  • AV:Emsisoft Anti-Malware
  • HIPS:Online Armor
  • Other:WinPatrol Plus

Posted 02 October 2011 - 10:45 PM

Malwarebytes is fully functional, the only thing that isn't part of the free version is resident protection. It is used extensively on, non-vendor, malware removal forums.

The problem is not TROJAN.DOWNLOADER, the problem is STOPZilla. STOPZilla is complete garbage, they have a very poor reputation for a reason.

You can take my advice and uninstall both Spyware Doctor and STOPZilla, or continue to be plagued by system performance issues.

#30 Kevin Zoll

Kevin Zoll

    Malware Removal Support

  • Emsisoft Employee
  • 12294 posts
  • Location: Depauville, NY, USA
  • OS:Windows Vista
  • AV:Emsisoft Anti-Malware
  • HIPS:Online Armor
  • Other:WinPatrol Plus

Posted 04 October 2011 - 09:58 PM

Thread Closed

Reason:
Unresolved

PM either ShadowPuterDude, SpySentinel, or JeanInMontana to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.