Application cannot be executed. The file *** is infected.

[SuperDave]

I think that perhaps this might be a good time to burn my personal files to DVD?

That's not a bad idea to do at all times.
=================================

Download OTM by OldTimer to your desktop.

Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTM.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code: [Select]

:Processes
explorer.exe

:services

:reg

:files
c:\windows\Thumbs.db
c:\windows\system32\openglssd.sys 
c:\windows\sed.exe

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
* Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.
=========================================
You are down to 6.824 GiB on your hard drive. You should at least 15% free space on your harddrive. This can cause all kinds of problems. You would be wise to uninstall any un-needed programs or get another hard drive for storage
=================================
Add or Remove Programs

1. Click on the Windows Start button and click on the Control Panel
2. In the Control Panel window, double-click Add or Remove Programs icon.
3. When the Add or Remove Programs window has fully populated, check for
J2SE Runtime Environment 5.0 Update 6
URL Assistant
WebFldrs XP ( If you don't need it.)

=====================================

Download GMER Rootkit Detector and save it your desktop.
 
* Extract it to your desktop and double-click GMER.exe
* Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
* Click the Rootkit tab and then Scan.
* Don't check the Show All box while scanning in progress!
* When scanning is finished click Copy.
* This copies the log to clipboard
* Post the log in your reply.

[Halogengirlie]

I think I  can remove some programs...  I have alot of spaced tied up in photos & videos... that I've backup up to disk...

If I got a remote drive and backed up my files to it... do I run the risk of reinfecting my computer when I go back to these items in the future?

[SuperDave]

Remember, you have to get to at least 12GiB of free space.
Backing up your files to a second hard drive is quite safe because they are mostly pictures, documents etc and most malware is not really interested in those things. Plus, you can also run scans on those files in your storage drives.

[Halogengirlie]

Ok cleared to 26 Gig clear.

Here is the log from the Old Timer



All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
c:\windows\Thumbs.db moved successfully.
c:\windows\system32\openglssd.sys moved successfully.
c:\windows\sed.exe moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 32768 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 32902 bytes
 
User: Lelia Goehring
->Temp folder emptied: 85367108 bytes
->Temporary Internet Files folder emptied: 14719581 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 48489622 bytes
 
User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 2690645 bytes
 
User: NetworkService
->Temp folder emptied: 66264 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 60529 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 33273 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23963746 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 68173317 bytes
 
Total Files Cleaned = 233.00 mb
 
 
OTM by OldTimer - Version 3.1.9.0 log created on 02262010_212328
All processes killed
 
OTM by OldTimer - Version 3.1.9.0 log created on 02262010_212323

Files moved on Reboot...

Registry entries deleted on Reboot...

[Halogengirlie]

 I think that I ran the Old Timer Correctly... But I never got a chance to copy anything under the green bar, since the computer restarted itself.

[Halogengirlie]

J2SE Runtime Environment 5.0 Update 6  - This is in the add remove programs
URL Assistant- This is in the add remove programs
WebFldrs XP - I did not see this one in the add remove programs.

Should I remove these files (the Java and the URL)?

After that I will proceed with the rootkit. 

[SuperDave]

Yes. Please uninstall those programs and proceed.

[Halogengirlie]

Ok.. I uninstalled the programs we talked about in the last post.

I then went on to use the rootkit.

The rootkit looked like it completed... I then copied the information and then hooked up my internet cable... and clicked to start my browser (which refused to load).  The GMER froze and turned white,if I clicked on the desktop the comptuer would beep at me.  I waited for about 20 mins... then tried to Ctrl + Alt + Delete... the computer wouldn't let me do anything.  So I force rebooted it by holding down the power button.  When it came back up, I waited awhile for everything to load and tried again.  It ran for awhile and then gave me an error message "gmer.exe encounted a problem and needs to close."  I photographed the messages which I can pdf if it is helpful.

I rebooted again to try one more time... and the computer would not properly shut down... it hung up on the blue screen. I waited about 20 mins and then held down the power button.

I re-downloaded the software and tried a third time and watched carefully... it looks like the error message pops up when it scans \Device\00000096

Perhaps I should run this from Safe mode... or turn my anti-virus off first?? I'm not sure why I can't get it to run.

   

[Halogengirlie]

I did install an external back up drive yesterday... just an FYI since it is new software... and I think that my EA Games auto downloaded some update...

But my computer is not running very well... it took quite awile to get an internet browser to come up... and the computer just seems to be running and running... but nothing shows up under the task manager... and it doesn't like to shut down... just hangs on every command.

[SuperDave]

I'm checking with my mentor about what the next step will be. Sorry for the delay.

[SuperDave]

Copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

Code: [Select]

@echo off
Copy /y gmer.exe ark.exe
Start ark.exe

Save it into the gmer folder as  File name: ark.cmd
Save as type: All Files

Once done, double click ark.cmd to run it.

This should start GMER, follow the steps I have outlined earlier to save a log file, then post me the contents in your next reply.

[Halogengirlie]

"Save it into the gmer folder "

I had the gmer icon on my desktop... should I just save this to the desktop?  OR make a folder for the gmer?

Thanks!

[SuperDave]

The GMER icon is on your desktop but you should find GMER also on your C: drive.

[Halogengirlie]

I looked for a GMER Folder under C:

But this is what I found:

gmer.exe is located   c:\Documents and Settings\Lelia Goehring\Desktop
gmer.zip is located    c:\Documents and Settings\Lelia Goehring\Recent
gmer.zip is located   c:\Documents and Settings\Lelia Goehring\Desktop

Not sure which of these I should use for the new ark file

[SuperDave]

Ok. Delete GMER  and we'll try this tool.

Please download RootRepeal from GooglePages.com.

• Extract the program file to your Desktop.
• Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
  
  
  
• Select ALL of the checkboxes and then click OK and it will start scanning your system.
  
  
• If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
• When done, click on Save Report
  
• Save it to the Desktop.
• Please copy/paste the contents of the report in your next reply.

Please remove any e-mail address in the RootRepeal report (if present).