Computer Hope
Software => Computer viruses and spyware => Topic started by: jkolak on December 08, 2009, 05:28:13 PM
-
I'm not sure if I belong here because I don't know if I have malware or simple system corruption.
I have many of the symptoms of malware, in fact, the symptoms are very similar to System Security. I have erratic internet connectivity in which some processes can access the internet and browsers can't, or sometimes can and sometimes can't, or can connect for about 5 seconds and then get cut off. Anti-virus and anti-malware programs refuse to install. On boot up I'm told I have no firewall installed when Windows Firewall is on. System Restore repeatedly tells me it cannot create a restore point. Windows Update works sporadically. Access to shared documents on the other network computers is also sporadic. USB drives plugged in are not recognized, so getting utilities mentioned here onto the system has been difficult. Occasionally I get an error that there are insufficient system resources to connect to the network or access a folder on the local drive. Chrome keeps reporting files are corrupted and asks to run chkdsk. The hard drive hashes constantly, which I don't know if it is Windows trying to fix itself, or indexing, or malware bot activity. A google search on the connectivity irregularities brought me to a Computer Hope thread that directed me here:
http://www.computerhope.com/forum/index.php?PHPSESSID=7314ab665cc151c420ed5557e162ee5a&/topic,46313.0.html
Here are the results of trying to apply the steps:
Step A - Anti-virus. Unfortunately I got caught up in the expiration of AVG Free on Dec 1. As the deadline approached, I couldn't get an update I suppose because of heavy server traffic, and then I read a review that recommended Avast, so I figured I would just uninstall AVG and get Avast. I installed Avast just as the problems were starting to hit. Then when I read a forum post that solved connectivity by uninstalling Avast, I did that. It actually worked. I had good connections after that. But then I was trapped because the situation had deteriorated to the point that I was no longer able to install any programs, so I have not been able to install any Anti-virus at all. The ones that use the Windows Installer report that the installer is unavailable, and the ones that use their own installer exit with errors. What I can report is that While Avast was installed I did get one clean scan saying no threats detected. I also discovered that my installation of AVG on another computer was able to scan over the network and it also reported no threats detected.
So that makes me wonder if it is just plain corruption and not malware. So this is a good time to explain how I got to this stage. I have an early full install of Windows XP Pro from the initial release with no Service Packs. It has been updated over the years through all the service packs. But recently it has been getting quite slow, which I know is a symptom of malware, but I didn't expect malware firewalled behind a router and Windows Firewall on SP3. But I did read that XP tends to grind to a halt after running several years, so I visited some sites on the topic and applied some recommended system tweaks, particularly to the cache and turned off paging. When I rebooted it corrupted my hard drive and I started getting file corruption error messages from applications like the Google Chrome web browser.
So I wanted to do a Windows Repair from the installation disk, but I had read of errors from starting with the first edition and upgrading up through the service packs, so I downloaded the MSDN Technet distribution of WinXP Pro SP3 which passed all the MS published files hashes, and I used it to launch a system repair. Unfortunately, when it rebooted it would not allow me to log in, saying that it needed to be activated before logging in, and asked me if I wanted to activate now. Clicking Yes led to watching the hard drive light flash for hours, and even overnight without doing anything. So the only thing I could think of was to run the WPA crack. I know - dangerous unknown software. But I figured it was probably a legitimate offering from the hacker community, and if not, I figured the anti-malware programs would take care of it.
Well, that got me in, but I wasn't satisfied as it patched the binary file directly and Windows Explorer reported it as a corrupt file, and the patch seemed to interfere with other aspects MS functionality, including Windows Update. So I thought instead I would try a repair from my original old installation disk. That was a mistake. After rebooting, the computer would boot to a black screen and just hang. So fumbling back and forth with repeated repair attempts from both disks, I was amazed when I accidentally had the SP3 disk in the drive for an original disk repair, and when the installation prompted me for the Windows CD because of files not found, when I put it in, the installation was successful. Apparently the SP3 set up some initialization work that enabled the old original disk to complete installation.
Of course I expected trouble from this combination of Windows editions, but gradually as the system rebooted itself and updated itself, it got healthier and healthier. During this period I discovered System File Checker, and ran it a few times from the original disk to keep things flowing, and after SP3 successfully installed, I did the same with the XP Pro SP3 installer disk.
So, if System File Checker is supposed to get my installation in order, the mixed edition issues I was afraid of should have been straightened out, right? And if AVG, Avast, and Malwarebyte's Anti-Malware are reporting the system as clean, what is the problem?
So on to the next steps.
Step 1 - Add or Remove Programs. I didn't see anything unusual or from the list, but removed anything I wasn't absolutely sure I had put on myself.
Step 2 - House Cleaning - I had been running Glary Utilities instead of CCleaner. Both report the same behavior. About 1100 or 1200 registry errors on the first pass, and again 9 to 20 errors on the second pass. Both report the errors as corrected, but they always come back. First I thought malware was preventing writing the repairs, but after seeing that CCleaner reports on them, I've decided they are unimportant as they are mostly missing .dlls. This brings up another point. When I repaired with the old system disk, the old HD drivers were not compatible with my drive and it immediately launched a check disk and reported that it was recovering all of my orphaned files. When finished I no longer had my third E: partition, an extended partition from D:. Disk Manager reported the correct size for D: and reported what was E: as unallocated space. This caused an initial panic, but a Linux Live CD could see it fine, and as Windows slowly updated itself and straightened itself out, it was able to see it correctly too. Nevertheless, my current symptoms still report file corruption after all the SFCs and chkdsk repairs, so I wonder again, malware or system corruption. And again, maybe hard drive failure? I doubt it as the drive is only one year old and SMART reports itself as healthy.
Step 3 - Super Anti-Spyware - Unfortunately this one also refuses to install, stating that Windows Installer is not available.
Step 4 - MBAM - Reports no malicious items detected.
Step 5 - Update Your Java - Ran all the utilities here, current version already installed, old versions removed.
Step 6 - Hijack This - Log is submitted. Application installation error messages also seemed informative and are submitted separately.
Step 7 - Self-help Tool - Log report here: http://www.computerhope.com/cgi-bin/process.pl?o=872131
I remember looking at HJT many years ago, but without an interpreter like this excellent tool, the results were not meaningful to me. Interesting call on vistadrive.exe. It has been on my computer 2 years. I had thought it was just one of those customizing tweaks people add on to XP to make it behave like Vista. After reviewing all of the results, I feel satisfied that malware is not the cause of my problem. I think more to look at the "Missing" section on line 3. I don't understand why so many things are missing from the system when I have run System File Checker so many times. I wonder if running it more would restore these things, or if they really are present, but Registry doesn't know it. I'm afraid that continually running SFC will just put me into a loop where the CD restores old versions and Windows Update replaces them with new ones.
I should add that I have performed all of the fixes recommended by the Self-help Tool.
Thanks,
John
[Saving space, attachment deleted by admin]
-
Hello jkolak and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialist of this forum so it may take a bit longer to process your logs.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
Looking over your log it seems you don't have any Anti-virus software.
Before we continue, download and install a free Anti-virus.
Remember to only install one Anti-virus!
1) Avast! Home Edition (http://www.majorgeeks.com/Avast_Home_Edition_d1968.html)
2) AVG Free Edition (http://www.majorgeeks.com/download.php?det=886)
3) Avira AntiVir Personal (http://www.majorgeeks.com/AntiVir_Personal_Edition_7_d955.html)
4) Microsoft Security Essentials for Windows Vista\Windows 7 (http://majorgeeks.com/Microsoft_Security_Essentials_for_Windows_VistaWindows_7_d6242.html) - 64 bit Download (http://majorgeeks.com/downloadget.php?id=6242&file=5&evp=9112d44b71f157fc5d7fcd7724b088ca)
4-a) Microsoft Security Essentials for Windows XP (http://majorgeeks.com/Microsoft_Security_Essentials_for_Windows_XP_d6243.html)
5) Comodo Antivirus (http://www.majorgeeks.com/Comodo_AntiVirus_d5109.html) (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
6) PC Tools AntiVirus Free Edition (http://www.majorgeeks.com/PC_Tools_AntiVirus_Free_Edition_d5469.html)
It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
I also noticed that you are running a P2P program(BitTorrent). While this program may be safe, the files you download with it are a major source of infections of all kinds. I strongly recommend that you uninstall it.
Download Disable/Remove Windows Messenger (http://www.majorgeeks.com/DisableRemove_Windows_Messenger_d2327.html) to the desktop to remove Windows Messenger.
Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.
Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.
Exit out of MessengerDisable then delete the two files that were put on the desktop.
Open HijackThis and select open misc. tools section select open process manager select C:\WINDOWS\VistaDrive\VistaDrive.exe and select kill process.
Select Main Menu and select open misc tools section again. Select Delete an NT service. Copy and paste the line in the code box into the open space and click OK
WudfSvc
Click Main Menu. Select Do a system scan only
Place a check mark next to the following entries: (if there)
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: (no name) - {0BD44AB1-76A7-4E05-92F4-4B065FE72BD6} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O3 - Toolbar: (no name) - {94A5C93F-BD18-4C46-B777-C94C145C3CAB} - (no file)
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Unknown owner - hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,
65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,
6b,00,20,00,57,00,75,00,64,00,66,00,53,00,65,00,
72,00,76,00,69,00,63,00,65,00,47,00,72,00,6f,00,75,00,70,00,00,00 (file missing)
Important: Close all open windows except for HijackThis and then click Fix checked.
Once completed, exit HijackThis.
Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.
link # 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link # 2 (http://subs.geekstogo.com/ComboFix.exe)
Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.
Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts.
Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.
NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
-
Thanks SD. I read another thread where you helped someone, so I am glad you are working on mine.
1) Alvira installed. 57 warnings found, but no list provided.
2) Windows Messenger removed.
3) Vista Drive already deleted from Windows folder.
4) Delete an NT Service. Error message - service is enabled or running. Disable it first using HJT or services.msc. Proceding to next step.
5) Mark items for HJT fix: Windows Messenger no longer appears in 09. All other items marked for fix as instructed.
After fix applied, retrying Step 4. Same error message appears re: WudfSvc. Rebooting to clear service. Try HJT again, same error.
Try to disable WudfSvc again in services.msc. HJT removal of WudfSvc now successful.
6) ComboFix. Running the program gives this error message:
"ComboFix is offline.
Please visit http://download.bleepingcomputer.com/subs/combofix.html"
This site has moved to this location: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Nothing on this page says anything about this message. Just for fun I also used "Run as Administrator" like the Vista people, but the error message is the same.
If this error means ComboFix is unable to access the internet, I should mention that currently the computer is working reasonably well with IE, and file sharing across the network is hit-and-miss. Downloading through IE has not been working, so I have to download utility programs you recommend through another computer and copy to the affected computer through the router (and back again to send logs). Sometimes I have to re-run the Network Creation wizard and Repair Connection before I can transfer the files.
I did see that warnings are posted in the Avira report. Number of warnings now up to 270. Log attached.
Thanks,
John
[Saving space, attachment deleted by admin]
-
Yes, ComboFix was taken off-line two days ago. If you don't mind, I would like to wait until it comes back on-line to run that program. I'll notify you when it is ready to run.
I also noticed that you are running a P2P program (BitTorrent). While this program may be safe, the files you download are a major cause of a lot of infections and I strongly recommend that you uninstall it.
Could you please go to Start, Control panel and click on Add/Remove programs and check to see if there are any programs like Norton or Symantec. Please advise me and I will send you a tool to remove them.
-
Sure. I'd like to run ComboFix. The system has improved with the steps we have taken, but there are still problems. Minor hard disk corruption frequently reported. IE behavior erratic. Chrome will not reinstall. (Firefox seems to work well though.) Insufficient system resource error frequent, from opening a network location to saving a file in OpenOffice. Hard drive hashes constantly even after turning off indexing.
I did remove BitTorrent last time but forgot to report it.
I had Norton Systemworks 2003 on my computer ever since 2003. Over the years I kept hearing bad things about it, but having no other tool to see if my OS was working right, I continued to use it. Last week after getting Glary Utilities I noticed it had most of the Systemworks functionality, so I decided to uninstall Systemworks. A few years ago I had heard that Systemworks itself is as bad as a virus and had to be uninstalled with the Symantec removal tool at their website, so I googled that and used it the other day to remove it.
The issue of anti-malware software on my system had me somewhat concerned due to the failure of the AVG9 install and apparent incomplete removal of Avast. Monitoring HJT for system changes, I noticed a couple of AVG processes still running, so I removed them with HJT and manually deleted both the AVG and Avast directories from Program Files. MBAM seems to not be an online monitor, so I have not done anything with it. So I think my system is ready for ComboFix. I have also turned off Windows Firewall. Avira is does not seem to be monitoring because there is nothing in the system tray, but Windows Security Center recognizes it's presence and does not report it as being offline. Maybe I need to adjust something?
-
Hello John. ComboFix is back on-line. You can run this scan.
Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.
ComboFix (http://download.bleepingcomputer.com/sUBs/Beta/KittyFix.exe)
Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.
Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts.
Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.
NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
-
No luck on ComboFix. It never gets past the screen where it says the process is normally 10 minutes. The hard drive runs a lot for about 5 minutes. Then it settles down into its usual behavior of about one hard drive light flash per second with a low key light in between the flashes. That is what it did when XP would not boot. I let ComboFix run like this once for about 8 hours, then again for 2. Then I checked the instructions and saw that it was supposed to give stages progress, so obviously this is not working.
-
Hi John. This is a beta version of ComboFix that was supposed to help until they get the other back on-line. Ok. Let's try this:
ESET Online Scan
Scan your computer with the ESET FREE Online Virus Scan (http://eset.com/onlinescan)
* Click the ESET Online Scanner button.
* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.
* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.
In your next reply please include the ESET Online Scan Log
Also, please give me another HJT log.
-
Hi SD! This is an absolutely amazing and educational process! I might have to sign up for training when this is done. I ran ESET and it came up clean. Log attached.
While I was retrying ComboFix over and over, a few times I got an error message saying that something was preventing the registry from being written to or backed up. That was one of the early symptoms that got me thinking malware. Then one time I happened to have Task Manager running when IE and Networking started acting up again, and I noticed the CPU usage was a 100% for a long time. Process manager was showing 13% System and 87% to Networking Service. So I removed Avira and used msconfig to disable most of the non-Microsoft items that I knew what they were and didn't need.
Then I ran ComboFix again and it ran to completion this time. I am amazed at how much is in the report. This has profound implications too. It means that AVG, Avast, and ESET all agreed there was no problem, yet ComboFix found a lot. All those numbered dll's are one of the similarities to System Security that also got me thinking malware, even though the symptoms are not exactly the same as System Security. Avira did find one numbered .exe file though. I see even msconfig.exe was deleted. Does that mean malware substituted a changed version of itself for the real one? And why are My Documents.url and My Music.url on the deletions? Does malware work through that too?
Well, my questions could go on and on. Clearly a lot of the report is only status information for you to examine, and other parts of it are clearly above my head and ability to understand them, but it is really quite interesting.
In spite of the tremendous amount of work done by ComboFix, I am still not symptom free. Actually I had used msconfig to turn everything back on to give you a full HJT log, but networking was working better before when I transferred the ComboFix and ESET logs to the other computer. Now I get the Insufficient System Resources error again when I try to open the shared folder. Maybe a software conflict in startup programs? Or a malware process was turned off?
Hmmm... Now trying to save the HJT log from Notepad gives an Insufficient System Resources message. Last time it did that the system hung and never recovered, as well as starting a flurry of intense HD activity that ran so long it scared me into sending the shutdown signal to power off. This time, while I was waiting to see if the shared folder would open on the problem computer, I wanted to attach the other two logs that had already been copied to the good computer. Here the good computer could not even open the sharing folder on it's own hard drive, Explorer also being hung up for a long time. Maybe just a conflict of two computers trying to access the folder at the same time, but if it's malware, I hope the bad computer isn't able to infect the good computer simply by transferring log files and utility programs across the LAN. Well, eventually after several retries the bad computer stopped giving the error message and was able to open the sharing folder to transfer the HJT log.
Rebooting again after disabling all the unnecessary startup items, running Task Manager, I noticed 4 copies of svchost.exe running - two by System and two by Network Service. I wonder if that is a cause of contention and the source of my networking difficulties. Hard drive light never goes off, though. Still same behavior - always dimly lit with a medium brightness pulse every second - not bright like when the drive is really doing something important. CPU usage staying at 0% now.
Don't mean to bore you. Just hoping that a description of my symptoms will help you diagnose the situation.
That's about all I can think of for now.
Thanks
John
[Saving space, attachment deleted by admin]
-
Hello jkolak. I noticed that still don't have any Anti-Virus program on your computer as discussed in Reply #1. Before we continue, I want you to install one of those free AV's because every moment you spend on-line puts you at risk of more infections and more cleaning. I also noticed that you are running a P2P program (Bittorrent) on your computer. This program may, by itself, be safe but the files you download are a major source of infections. I strongly urge you to uninstall it.
Open HijackThis and select Do a system scan only
Place a check mark next to the following entries: (if there)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Unknown owner - C:\Program Files\Avira\AntiVir Desktop\sched.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Unknown owner - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (file missing)
Important: Close all open windows except for HijackThis and then click Fix checked.
Once completed, exit HijackThis.
Please get me another HJT log when all this is finished.
-
Hi SD,
Well, per reply #2, step 1, Avira was installed, and per reply 8, paragraph 2, it was removed as suspect in preventing ComboFix from running. After running ComboFix and transferring logs to the other computer, Avira was reinstalled.
Also, per reply 4, paragraph 2, BitTorrent was removed in Reply 2 between Steps 1 and 2. Googling msconfig controlled files, I see DNA is part of BitTorrent, so I removed it now.
HJT log attached.
Thanks,
John
[Saving space, attachment deleted by admin]
-
Hello John. I would like you to do this for me:
Please go to Jotti's malware scan (http://virusscan.jotti.org/)
(If more than one file needs scanned they must be done separately and logs posted for each one)
* Copy the file path in the below Code box:
C:\WINDOWS\system32\NOTEPAD.EXE
* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
I would like to see a new log of ComboFix. Since CF only has a shelf life of 10 days, it will be necessary to delete the one you now have and download a new one. You don't have uninstall your Avira; just disable it until the scan is done.See below for instructions how to do this.
Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.
link # 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
link #2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.
Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts.
Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.
NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
-
Hi SD,
Here is Jotti's link:
http://virusscan.jotti.org/en/scanresult/99b19e4aff4267e
599165e0e582931889f63126a/cba6158945c1b30f0131861f661d8d83d66248e9
New ComboFix installed and logs for it and HJT attached. Anti-malware software re-enabled.
Thanks
[Saving space, attachment deleted by admin]
-
Hello John. The logs look clean. One more scan, if you please. Please let me know how your computer is running.
ESET Online Scan
Scan your computer with the ESET FREE Online Virus Scan (http://eset.com/onlinescan)
* Click the ESET Online Scanner button.
* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.
* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.
In your next reply please include the ESET Online Scan Log
-
Hi SD,
ESET did not detect any threats, so I guess that is why it did not offer to save a log. So, instead, I copied the screen text for you and uploaded it as ESET.txt.
On the subject of ESET, while scanning, it triggered Avira upon opening KaraPlayer.exe which belongs to All in One Karaoke. This program has been on my computer since March 2008 and has never been noted by any anti-virus program until I switched to Avira last month. At first I just assumed it was a false positive because the message displayed was not a detection, but rather a caution that the program was packed with an unusual compression scheme (PCK / Yoda Prot). I just figured since the program is from Thailand that they are using different programming styles from what we are used to in the states. But since Avira keeps nagging about it, tonight I decided to look it up on Microsoft's Malware Encyclopedia. While the encyclopedia did not have a listing for the file, the scheme mentioned above yielded a list of nasties which must be associated with it some way, perhaps using the method. The worrisome thing was that the symptoms listed were similar to mine.
In spite of this, I did not think this program was the source of my problem because I don't think I have run the program since I got it nearly two years ago. Also, when I thought I might lose my data last month, I transferred it to my wife's computer. She invited her parents over to our house to sing on Christmas Day and her computer shows no adverse effects from using the program.
As a further check, I visited the publisher's website and downloaded it from there. The file fetched from there was 25KB smaller than the file on my computer. That worried me initially, so I took a closer look at file information and found both versions were made within two hours of each other. Therefore, it seems unlikely that it got into the hands of a hacker and was released with a trojan within two hours. It looks more like an in-house change at the last minute on release day. Of course, the publisher itself could be supplying it with malware, but again, it has not shown any symptoms in the past, or on my wife's computer at the present time. Also, it seems every Karaoke DJ in town is using the same software, so you would think there would be problems if an unsafe program was that widely used. I thought I'd run Jotti's Malware on both versions of the file. They are here:
KaraPlayer 1st version:
http://virusscan.jotti.org/en/scanresult/ba5804431c4fc962cb2f84ca2e82875917cce506
KaraPlayer 2nd Version:
http://virusscan.jotti.org/en/scanresult/ce0e1fd190508d84af563d1e74320f9919eb0ddf
I didn't pay much attention to the issue of false positives in the past. I just assumed AV publishers had their signature lists and that they just worked. A random match of data bits that match seemed too small a chance to worry about. But I've been following the CNET reviews of security software recently, and I noticed for the first time that the percentage of false positives is a rating factor. Also, upon installing Avira last month, I was surprised at their candor concerning the chances of false positives with respect to the sensitivity settings chosen. In fact, it is the first program I have ever seen with sensitivity settings.
My first concerns about false positives came about a year or two ago when our 12 year old boy started playing Ghost Online on his computer. I would think this is a legitimate game because you have to go to 7-11 to buy cards for game time, but it scanned as a virus by AVG, and then again by Avira. Here's Jotti's report:
GhostSoul_NP.exe
http://virusscan.jotti.org/en/scanresult/7c9689475ae5a153cf3b0c8acdbee8539f2b00bb
So, showing 8 out of 20 scanners giving a positive result, it shows that AV labs aren't sharing their results. I ran the .exe to see what it was. It is the file downloader that fetches updates and changes to the game. So I don't know if this is a what they are detecting as a trojan downloader and only indicates a false positive. Another of his games, Talesrunner, shows a detection too. Again, this is a game we have to go to the store to buy game time for:
Talesrunner:
http://virusscan.jotti.org/en/scanresult/6f747123b34113ef7db96c5158c3221a7dec39fc
Well, I'm getting off topic. Again, neither of these games are on my computer, and his computer shows no malware symptoms, but tying the topic of false positives with my possible false positive on KaraPlayer, I would appreciate it if you or your mentor have any experience or knowledge about false positives and these 3 programs that you could share with me.
So, to get back to the question of how my computer is running, I can say I have been very gratified to see my computer come back to life and slowly see symptoms mitigate and things start behaving correctly. For example, earlier I reported that Firefox was fine, but IE could not be used reliably. Now IE seems to be behaving well. Of course, with 25 years of using computers, I have learned from the days before malware was around that hardware and software don't need any help from malware to misbehave. It's just that when going through a malware crisis like I have had here that I am more sensitive to things that are going wrong. So I have just a couple of issues I would like to report.
First is that SuperAntiSpyware hangs regularly. The registry scans are running about 6400 items. When it gets around 6100 to 6200 items through it, it hangs and gives a dialog box encountering an unexpected error and invites me to submit my email address before shutting down. Actually, it used to just freeze until I discovered Safe Mode scanning. Then it successfully completed a scan and found a registry key for Trojan.FakeAlert-IEBT which was repaired. Now I can scan in regular mode, but it still gives the unexpected error every time. It turns out the file name is always the same, but the key number changes. The key is WMPNetworkSvc. What I have learned is that if I run a Quick Scan first, it scans successfully, and then I can run a complete scan, and it won't hang on the unexpected error anymore (but, again, only if I run the quick scan first). There is never anything detected anymore other than tracking cookies.
The second item is that I ran a Kaspersky Online Scan as well last week, which is a Java Script application. First, I had a Java "error on page" message on the lower left hand IE window. On retrying, it successfully continued, but hung again on a message about downloading definition updates. This time the entire taskbar froze and the hard drive activity light took off at a furious pace. Well, for all I know it was just verifying what files were needed, and maybe even continuing with the scan, but without the screen updating the status, I was worried. I keep the Task Manager open so I can see what is happening, but clicking on Task Manager tabs, menus, and buttons did not have any effect, so I reset the computer after about 3 minutes of that. Scans came back clean, but I thought I should report this behavior.
I haven't wanted to try any of my applications programs until we are clear on the scanners and browsers in case there is a risk of further infection or corruption.
That's about it for now. Thanks for hanging in there with me.
[Saving space, attachment deleted by admin]
-
Fresh HJT log attached.
Thanks for all you do.
John
[Saving space, attachment deleted by admin]
-
Hello John. I'm sorry I never got back to you sooner. Very busy. If there are no other issues, it's time for some cleanup. You can uninstall HJT, ESET but you can keep SAS and MBAM. Update them and run them about once a week depending on your on-line browsing.
--------------------------------------------------------------------------------
Clean out your temporary internet files and temp files.
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
---------------------------------------------------------------------------------------------
* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter
* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.
----------------------------------------------------------------------------------------------
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
•Click Start Now
•Check the box next to Enable thorough system inspection.
•Click Start
•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)
Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smooth.
Safe Surfing!
-
Do you have an XP CD?
If so, place it in your CD ROM drive and follow the instructions below:
- Click on Start > Run and type sfc /scannow then press Enter (note the space between scf and /scannow)
- Let this run undisturbed until the window with the blue progress bar goes away
SFC - Which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.
----------
Create An Uninstall List
* Start HijackThis
* Click on the Open the Misc Tools section
* Click on the Open Uninstall Manager button.
* Click on the Save list button and specify where you would like to save this file and click Save.
* When you press Save button a notepad will open with the contents of that file.
* Copy and paste that list in your reply.
.
----------
Also let us know how things are now.
-
Hi EF,
Thanks for stopping by my thread. I appreciate all you and SD you for me.
After running SFC, I've spent the last 48 hours verifying the operability of my installed applications so I can give a better quality report.
It's good you asked about the uninstall report. I was going in that direction anyway because I needed to check for additional program corruption. At the beginning of the thread I reported problems with Google Chrome being corrupted, as well as frequent dirty disk Chkdsk generations.
I don't know if this was a consequence of my infection or doing a repair install with an old XP disk (I forgot I had upgraded to a larger SATA drive).
I actually verified every program on the Start Menu. You don't really appreciate how much MS has bundled in until you start going through all of them.
Most of the programs all ran. Four programs had errors, but reinstalling got them running again. Three more had errors, but I didn't care about them anymore and just uninstalled them. Two or three more programs showed up in the wrong folder in the Start Menu. These entries were just deleted.
I've had some uninstallable situations in Add/Remove programs in the past, but with the issue of drive corruption, I decided to tackle this issue with Revo. By the way, Revo and Winamp both gave this error on installation, but both programs seem to run okay anyway:
"The procedure entry point IsThreadDesktopComposited could not be located in the dynamic link library USER32.dll"
I'm surprised the HJT scan does not show an entry for JAVA(TM) 6 Update 7 that shows up in my Add/Remove Programs. It won't delete in there, and Revo can't get it either.
I wondered if there was some cross-corruption between the two JAVA's, and since we had the Kaspersky issue in Reply # 14, I decided to run Kaspersky again. I guess that scanner is just problematic anyway from what I hear. It halted and fussed, but eventually I got a good scan out of it again. Didn't repeat the freeze and HDD flurry like before.
So I wanted to track the issue of SAS halting on the "Unexpected error". It did halt once or twice on my, but I haven't been able to get it to duplicate that behavior anymore. Maybe it's because I uninstalled WMP. But I also uninstalled before the new halts. The reason I uninstalled WMP is that it wouldn't run because of an error message that the version number encountered was different from the version number expected.
So, I'm thinking I'm getting out of the woods here, but one of the programs that was corrupted along with Chrome back in the beginning was Download Accelerator Plus, and it is one that had to be reinstalled to get it running again - and so I was alarmed at my SAS test scan to find Trojan.Agent /Gen pop up. I'm thinking, "Oh no, don't tell me it's that Karaplayer.exe. Or maybe on of the OEM programs I never run because I tested everything today." When finished, it turned out to be SBSEARCH.DLL - from Download Accelerator Plus. Looking at the keys, it's the browser hijack changing the home page and default search to SpeedBit Search.
Well, I've noticed that before, and it really annoyed me, but I don't consider it real malware. It's been on CNET for 10 weeks, in the top 20 for a while, and now at # 36. CNET certifies everything as "Safe, Tested and Spyware Free". So I guess it just depends on where you draw the line at Malware. Sure, done without my permission for the purpose of commercial gain, but I don't think it is in the same league as the things that were done to harm my computer in this thread.
So I removed DAP and reinstalled to see if I had just missed unchecking a box to decline the hijack, but there was nothing, and on rescanning it reappeared. So I let SAS remove it again, but haven't removed DAP again. So I hope I am safe now.
So, additional duplications in my Add/Remove list are 2 copies of Google Earth and 3 copies of C++ Redistributable. I also see that Neroxml is on the HJT list, but not in my Add/Remove list. I just removed Nero as one of the programs that needed to be reinstalled.
That's all I can think of for now. Logs posted below. Any thoughts on the possible false positives in Reply # 14?
Thanks again.
-------------------------
HJT Uninstall Log
Sansa Media Converter
7-Zip 4.57
ACDSee 9 Photo Manager
Adobe Acrobat 4.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros Communications Inc.(R) L2 Fast Ethernet Driver
Avira AntiVir Personal - Free Antivirus
Bentley Publishers - eBahn®
Bonjour
Canon MP Navigator EX 1.0
Canon MX310 series
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
DivX Codec
DivX Web Player
ESET Online Scanner v3
FLAC 1.2.1b (remove only)
Free Video Converter V 2.5
FurthurNET 1.7.5
Google Earth
Google Earth
Google Update Helper
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB961118)
Intel(R) Graphics Media Accelerator Driver
iTunes
Java(TM) 6 Update 18
Malwarebytes' Anti-Malware
MemTurbo
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.0.16)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
neoDVDstandard4
neroxml
Nokia Connectivity Cable Driver
OpenOffice.org 3.1
Opera 10.10
PeaZip 2.3a
Personal Ancestral File 5
Picasa 3
PIXMA Extended Survey Program
Presto! PageManager 7.15.16
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Revo Uninstaller Pro 2.0.5
Roland Virtual Sound Canvas 3.2
Samsung ML-4500 Series Driver
ScanSoft OmniPage SE 4
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB975467)
Serif 3DPlus 2.0
Serif DrawPlus 4.0
Serif PagePlus SE 1.0
Serif PhotoPlus 6.0
SiSoftware Sandra Lite 2009
SpeedBit Video Accelerator
Spybot - Search & Destroy
Stella 2.6.1
SUPERAntiSpyware Free Edition
Switch Sound File Converter
ThaiSoftware Dictionary V3.0
The KMPlayer (remove only)
Ulead VideoStudio 10
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
VC80CRTRedist - 8.0.50727.762
VCRedistSetup
Winamp
Windows Essentials Media Codec Pack 1.0
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format Runtime
WinRAR archiver
WOT for Internet Explorer
XP_Key_Changer 2.0.0
Xvid 1.2.1 final uninstall
XviD MPEG-4 Codec
---------------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 01/24/2010 at 02:08 AM
Application Version : 4.33.1000
Core Rules Database Version : 4510
Trace Rules Database Version: 2322
Scan type : Complete Scan
Total Scan Time : 00:05:04
Memory items scanned : 506
Memory threats detected : 0
Registry items scanned : 5420
Registry threats detected : 22
File items scanned : 0
File threats detected : 1
Trojan.Agent/Gen
HKLM\Software\Classes\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}\InprocServer32
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}\InprocServer32#ThreadingModel
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}\ProgID
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}\Programmable
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}\TypeLib
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}\VersionIndependentProgID
HKCR\SearchHook.SrchHook.1
HKCR\SearchHook.SrchHook.1\CLSID
HKCR\SearchHook.SrchHook
HKCR\SearchHook.SrchHook\CLSID
HKCR\SearchHook.SrchHook\CurVer
HKCR\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}
HKCR\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}\1.0
HKCR\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}\1.0\0
HKCR\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}\1.0\0\win32
HKCR\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}\1.0\FLAGS
HKCR\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}\1.0\HELPDIR
C:\PROGRA~1\DAP\SBSEARCH.DLL
HKU\S-1-5-21-682003330-492894223-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4F10C1D-87C7-404A-B4B3-000000000000}
HKU\S-1-5-21-682003330-492894223-1957994488-1003\Software\Microsoft\Internet Explorer\URLSearchHooks#{F4F10C1D-87C7-404A-B4B3-000000000000}
-
Remove the old version(s)
Download JavaRa (http://majorgeeks.com/JavaRA_d5982.html)
* Unzip the file and open the JavaRa.exe
* Click Remove Older Versions
* JavaRa will search for and remove any outdated version of Java and remove any that are found.
* Click Additional Tasks
* Place a check next to Remove Useless JRE Files and click Go
* Exit JavaRa
* Delete the JavaRa files from the desktop
----------
Open Malwarebytes' Anti-Malware.
* Click the Update tab.
* Click Check for Updates
* If an update is found, it will download and install.
* Click the Scanner tab.
* Select Perform Quick Scan, then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
----------
Download Dial-a-Fix (http://majorgeeks.com/Dial-a-fix_d4899.html) by djlizard, save it to the desktop then extract it to it's own folder.
- Open the folder and run Dial-a-fix.exe
- 2 windows will open. Close the one in the background labeled Restrictive Policies
- Check the box in section 1, Empty temp folders.
- Check the box in section 2, Fix Windows Installer.
- Check the box in section 3, Fix Windows Update.
- Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
- Check all boxes in section 5, labeled Registration Center.
- Click Go
- OK any error messages if received, but write them down and post them here.
- Restart the computer when done.
.
How is the computer running now?
-
JavaRa removed more registry keys, but JAVA(TM) 6 Update 7 (133MB) persists in the Add/Remove programs list. I can't find it anywhere. Lots of Java folders around the system, but none this size, or that look like they don't belong where they are, so I have attached this log below as well. There's a dozen blank logs at the end because it took me a while to figure out that it was appending to the log rather than creating a new one each run.
MBAM gave a clean scan, but it couldn't connect to update, asking me to report to them an Error Code 732 (0,0). I had this happen last month, and they sent me a list of possible causes, one of which was server congestion due to their upgrade release. The problem went away, so I figured that was it. I was thinking along the same lines tonight, but this also harks back to the original issues I had while still infected, i.e., erratic connectivity. In fact, just yesterday I was thinking how much smoother the internet was working when it started acting up again. The reason I mention this is that MBAM was able to update after running Dial-a-Fix. So I wonder if some of the malware damage was still waiting to be repaired. It is interesting to go through this process and learn that while Windows has some self-repair capabilities, some of these things require special tools. MS might be well to follow forums like this and upgrade their self-repair capabilities, or hire developers of these special tools. Clean MBAM log attached below.
Dial-a-Fix ran as expected. I have attached the list of error messages below. Since this post, and this thread, deal with corruption issues, I should address the three error possibilities reported: 1 - Corruption, 2 - Not DLL Install-able, 3 - Not registerable. Since some of these errors may pertain to Windows Update, before assuming corruption, I should address the possibility that "Not registerable" could be happening because Windows has locked files because I have not dealt with the WGA issue. Product key registration failed because of the mismatch between the product key type and the Windows CD type (Retail - Full - No SP versus MSDN - Upgrade - SP3). I thought it best not to address this until we are finished because last time I had an issue like this, I had to call MS on the 800 number. I did not want to commit to this until we were sure this repair is finished and successful. If you would like me to take care of this at this time, I will. My next step in this regard was to try to use a Key Changer in order to see if it would accept my product key now that the installation is finished and stable.
Otherwise, networking on the LAN seems improved over yesterday. Yesterday the other XP computer (Athlon) on the LAN could not even see this computer, and from the beginning of this thread I have had difficulty opening SharedDocs on the other computer to transfer back and forth all the tools and logs used in this thread. Today I checked all the computers and can summarize them as follows. The computer being treated in this thread is the Celeron:
From
Celeron to Athlon XP - Smooth
Celeron to Q6600 Vista - Slower, but works.
Celeron to P4 Vista - Blank password issue.
Q6600 Vista to Celeron - Password mismatch issue - won't tell me how to resolve it.
P4 Vista and Athlon XP to Celeron - both have the same error message as follows:
"SharedDocs is not accessable. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. Access is denied."
In the Properties tab, both of the following boxes are checked:
- Share this folder on the network and
- Allow network users to change my files
In other issues, Revo and Winamp both continue to give the same error when run, but both programs still seem to run okay anyway:
"The procedure entry point IsThreadDesktopComposited could not be located in the dynamic link library USER32.dll"
Also, running my program checks yesterday, I noticed in System Information -> Hardware Resources -> Conflicts/Sharing that there are 6 listings, 2 Memory and 4 IRQ. 5 are double shares, IRQ 10 has 6 shares, but in Device Manger, all report no conflicts. So I suppose BIOS or Windows is managing sharing. It seems a bit much. Should I do something about it? Reset ESCD Config in BIOS?
Should duplicate Google Earth and C++ entries be removed?
My overall subjective feeling about how the computer is doing is that it has come a long way since where it was, even running better than before the infection, now that it is cleaner and healed. It has reminded of how I felt when I first got it - about how much faster it felt than the Athlon 2500 I used before - which surprised me, because when I first got the Athlon with XP way back when, it was not far from being state of the art at the time, and I was really proud of how fast it performed. So with this Celeron running at the same MHz, I was surprised how much faster it felt, and then I started to learn about increases in FSB speeds over the years, and etc. So I really feel good now about the system. It has that "smooth as butter" feeling when clicking on things and interacting with the internet that it hasn't had for a long time.
That's all I can think of for now.
Thanks.
Logs follow:
JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Tue Dec 08 14:19:45 2009
Found and removed: C:\Program Files\Java\jre1.6.0_04
Found and removed: C:\Program Files\Java\jre1.6.0_05
Found and removed: C:\Program Files\Java\jre1.6.0_07
Found and removed: C:\Program Files\Java\jre1.6.0_13
Found and removed: C:\Documents and Settings\COMPUTER\Application Data\Sun\Java\jre1.6.0_04
Found and removed: C:\Documents and Settings\COMPUTER\Application Data\Sun\Java\jre1.6.0_11
Found and removed: C:\Documents and Settings\COMPUTER\Application Data\Sun\Java\jre1.6.0_12
Found and removed: C:\Documents and Settings\COMPUTER\Application Data\Sun\Java\jre1.6.0_13
Found and removed: C:\Documents and Settings\COMPUTER\Application Data\Sun\Java\jre1.6.0_14
Found and removed: C:\Documents and Settings\COMPUTER\Application Data\Sun\Java\jre1.6.0_15
Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610004
Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610005
Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610004
Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610005
Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610004
Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610005
Found and removed: SOFTWARE\Classes\JavaPlugin.160_04
Found and removed: SOFTWARE\Classes\JavaPlugin.160_05
Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_04
Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_05
Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_04
Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_05
Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610004
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610005
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610004
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610005
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610004
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610005
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160040}
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160050}
Found and removed: Software\Classes\JavaPlugin.160_04
Found and removed: Software\Classes\JavaPlugin.160_05
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_04
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_05
Found and removed: Software\JavaSoft\Java2D\1.6.0_04
Found and removed: Software\JavaSoft\Java2D\1.6.0_05
Found and removed: Software\JavaSoft\Java Runtime Environment\1.6.0_05
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}
Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_07
Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_07
Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610007
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610007
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160070}
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_04\
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_04\bin\
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\bin\
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_07\bin\
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_04.b12\
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_05.b13\
JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Tue Dec 08 14:20:20 2009
------------------------------------
Finished reporting.
JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Tue Dec 08 14:20:40 2009
------------------------------------
Finished reporting.
JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Fri Jan 22 03:15:23 2010
Found and removed: C:\Documents and Settings\COMPUTER\Application Data\Sun\Java\jre1.6.0_17
Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610004
Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610005
Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610004
Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610005
Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610004
Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610005
Found and removed: SOFTWARE\Classes\JavaPlugin.160_04
Found and removed: SOFTWARE\Classes\JavaPlugin.160_05
Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_04
Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_05
Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_04
Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_05
Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610004
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610005
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610004
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610005
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610004
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610005
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160040}
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160050}
Found and removed: Software\Classes\JavaPlugin.160_04
Found and removed: Software\Classes\JavaPlugin.160_05
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_04
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_05
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}
Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_07
Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_07
Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610007
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610007
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160070}
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_04.b12\
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_05.b13\
------------------------------------
Finished reporting.
JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Sun Jan 24 20:19:04 2010
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}
------------------------------------
Finished reporting.
JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Sun Jan 24 20:21:04 2010
------------------------------------
Finished reporting.
JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Sun Jan 24 20:28:22 2010
------------------------------------
Finished reporting.
JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Sun Jan 24 20:29:04 2010
------------------------------------
Finished reporting.
JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Sun Jan 24 20:34:17 2010
------------------------------------
Finished reporting.
JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Sun Jan 24 20:47:23 2010
------------------------------------
Finished reporting.
JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Sun Jan 24 20:48:17 2010
------------------------------------
Finished reporting.
JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Sun Jan 24 20:49:55 2010
------------------------------------
Finished reporting.
JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Sun Jan 24 20:50:18 2010
------------------------------------
Finished reporting.
JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Sun Jan 24 20:54:13 2010
------------------------------------
Finished reporting.
JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Sun Jan 24 20:54:35 2010
------------------------------------
Finished reporting.
JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Sun Jan 24 20:57:20 2010
------------------------------------
Finished reporting.
JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Sun Jan 24 20:57:55 2010
------------------------------------
Finished reporting.
Malwarebytes' Anti-Malware 1.44
Database version: 3626
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
1/24/2010 10:59:34 PM
mbam-log-2010-01-24 (22-59-34).txt
Scan type: Quick Scan
Objects scanned: 141336
Time elapsed: 5 minute(s), 16 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Dial-a-fix
Error -2147467259 was encountered while trying to unregister C:\WINDOWS\system32\msxml3.dll. The error text is: Unspecified Error.
Dial-a-fix currently has no suggestions for this error code. Please email [email protected] with a copy of the lop pane and any details you can provide about this error.
Error 127: C:\WINDOWS\system32\iesetup.dll is not registerable or the file is corrupted. Your version of iesetup.dll is: 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.
Error 127: C:\WINDOWS\system32\iesetup.dll is not DLLInstall-able or the file is corrupted. Your version of iesetup.dll is: 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.
Error 127: C:\WINDOWS\system32\imgutil.dll is not registerable or the file is corrupted. Your version of imgutil.dll is: 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.
Error 127: C:\WINDOWS\system32\inseng.dll is not registerable or the file is corrupted. Your version of inseng.dll is: 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.
Error 127: C:\WINDOWS\system32\inseng.dll is not DLLInstall-able or the file is corrupted. Your version of inseng.dll is: 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.
Error 127: C:\WINDOWS\system32\mshtml.dll is not registerable or the file is corrupted. Your version of mshtml.dll is: 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.
Error 127: C:\WINDOWS\system32\mshtml.dll is not DLLInstall-able or the file is corrupted. Your version of mshtml.dll is: 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.
Error 127: C:\WINDOWS\system32\msrating.dll is not registerable or the file is corrupted. Your version of msrating.dll is: 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.
Error 127: C:\WINDOWS\system32\occache.dll is not registerable or the file is corrupted. Your version of occache.dll is: 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.
Error 127: C:\WINDOWS\system32\occache.dll is not DLLInstall-able or the file is corrupted. Your version of occache.dll is: 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.
Error 127: C:\WINDOWS\system32\pngfilt.dll is not registerable or the file is corrupted. Your version of pngfilt.dll is: 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.
Error 127: C:\WINDOWS\system32\webcheck.dll is not registerable or the file is corrupted. Your version of webcheck.dll is: 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.
Error 127: C:\WINDOWS\system32\webcheck.dll is not DLLInstall-able or the file is corrupted. Your version of webcheck.dll is: 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.
-
Delete An Uninstall Entry
- Start HijackThis
- Click on the Open the Misc Tools section
- Click on the Open Uninstall Manager button.
- Highlight the entry you want to remove. JAVA(TM) 6 Update 7
- Click Delete this entry
.
----------
You may need to check with Mozilla on the other errors. https://support.mozilla.com/en-US/forum/1/478629
For the remaining Windows issues, slow transfers and passwords start a new topic in the Windows forum. I'm pretty sure the malware is gone. We can run another scan for a double check if you like.
Download, update and run a-squared Free edition (http://majorgeeks.com/a-squared_Free_edition_d4281.html)
At the main menu, click Scan Now, there will be 4 options, choose Deep Scan and then click Scan
* If malware is found, click the button Remove Selected Malware
* If malware is found, select all found and click Quarantine selected objects
* Click Save Report. Save the report to somewhere convenient, such as your desktop
* Add the report as an attachment in your next post.
-
JAVA(TM) 6 Update 7 does not appear in the HJT Uninstall Manager. Since JavaRa removed so much on the 2nd and 3rd runs, this issue is no longer a concern to me. I was afraid that a Java exploit was preventing its removal, but it appears JavaRa reports that there is no longer anything left on the HDD of this version of Java.
So I see the Revo/Winamp error message is a system-wide thing, not application specific. I should have known since it occurs on two unrelated applications.
The Mozilla thread was inadvertently closed by someone, but was reopened here:
https://support.mozilla.com/en-US/forum/1/401389
Since the Mozilla thread is speculative, you might prefer to refer people to the Microsoft solution instead:
http://support.microsoft.com/kb/969155
It concerns a Vista file accidentally installed in XP by some MS applications. The solution is just to delete it.
So it's not a malware issue, so it is no longer of concern. The solution fixed both Winamp and Revo on my computer.
As for the a-squared scan, the scan results really have me thinking about what this experience is teaching me about false positives. As I mentioned in Reply # 14,
I didn't pay much attention to the issue of false positives in the past. I just assumed AV publishers had their signature lists and that they just worked. A random match of data bits that match seemed too small a chance to worry about. But I've been following the CNET reviews of security software recently, and I noticed for the first time that the percentage of false positives is a rating factor. Also, upon installing Avira last month, I was surprised at their candor concerning the chances of false positives with respect to the sensitivity settings chosen. In fact, it is the first program I have ever seen with sensitivity settings.
That together with what I learned from my Jotti's scans, also in Reply #14, and reviews of AV products at the Virus Bulletin web site, has me realizing that every anti-malware product has a small percentages of false positives, and therefore, mathematically, or statistically speaking, the more different brands of scanners you expose your system to, the more you are exposing yourself to the chance of a false positive.
The reason I bring up this issue here is because of the items found by a-squared.
The tracking cookies - that's fine. I delete them every chance I get.
The inprocserver32 tracing detection - there is a big discussion of this on the Kaspersky forum:
http://forum.kaspersky.com/lofiversion/index.php/t48032.html
to the point of one post even accusing Emsisoft of false positives in the free edition to drive sales of the the paid edition. Whether or not that's an overreaction, the entire thread discussion shows there is not a consensus as to whether or not these keys should be deleted.
Next there is Presto Pagemanager. This is off my Installation Disk that came with my Canon printer/scanner.
Next is the Setup.exe for one of the Serif applications downloaded from the Serif webite.
And then comes All in One Karaoke again (from Reply # 14 again). But this time it's not Karaplayer, it's NickWin.exe.
When I installed Avira, it offered me 3 levels of scanning sensitivity and advised that the chance of false positives increased with the higher settings. Because this infection had me so worried, I chose the highest sensitivity anyway. Yet Avira did not pick of any of these files. Maybe it's because it is only an anti-virus and a-squared is a specialized tool. But the overall feeling I get is that a-squared is the most sensitive with a higher chance of reporting false positives.
So my problem is that I do not have enough experience and judgement to evaluate this log to feel qualified to decide for myself whether to allow a-squared to remove these findings. The more you learn, the more you realize how much you don't know, so I can appreciate someone with your level of knowledge marking your profile experience level as "Beginner". So I have not allowed a-squared to remove these results so I can get your input first. I know one behavior of malware is to insert itself into other executable files on the system, so I don't know for sure what I should do.
All for now.
Thanks
[Saving space, attachment deleted by admin]
-
You can safely let a2 remove those.
I believe that the malware is gone. Any further issues will need to be addressed in the proper forum.
-
That's really good to hear. It has been so stressful going through this malware experience. I am so grateful you and SD have been able to help me return my computer to good health.
Thanks so much.