Malware - Explorer shuts down, pop-ups

Re: Malware - Explorer shuts down, pop-ups

Post by sflonglegs » June 29th, 2008, 1:46 am

Okay, here is the OTMoveIt log:

File/Folder C:\Documents and Settings\adler\Local Settings\Temp\orz.exe not found.
File/Folder C:\Documents and Settings\adler\Local Settings\Temp\V1E0HilA.exe not found.
File/Folder C:\WINDOWS\system32\6FxMsqYy.exe not found.
File/Folder C:\WINDOWS\system32\TXm040gX.exe not found.
File/Folder C:\WINDOWS\system32\TXm040gX.exe_ not found.
C:\WINDOWS\system32\affv6628p5now.sys moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 06282008_224234


whew!
thanks
sflonglegs
Regular Member
 
Posts: 20
Joined: June 26th, 2008, 12:47 am

Re: Malware - Explorer shuts down, pop-ups

Post by km2357 » June 29th, 2008, 5:26 pm

sflonglegs wrote:
I must be doing something wrong with Deckard. I run the program off the desktop and it starts to scan automatically, it does not give me any dialog box or options.


Did you just double-click dss.exe or did you do the following:


  • Press the Start->Run, copy/paste the following command into the box and press OK:
    "%userprofile%\desktop\dss.exe" /config
  • A configuration box will appear, click the Check All button, then un-check Main Log and press Scan!

and it still didn't give you any dialog boxes or options?


Step # 1 Run OTMoveIt2


  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\WINDOWS\system32\PTi040cT.dll


  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTMoveIt2.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

In your next post/reply, I need to see the following:

1. Deckard's extra.txt, if possible
2. OTMoveIt2 log
3. Are you still getting pop-ups, is your computer doing any better?
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Malware - Explorer shuts down, pop-ups

Post by sflonglegs » June 29th, 2008, 9:27 pm

Yep, I was doing it wrong. I started Deckard properly this time. First will be the main log, then the extra log. Main:

Deckard's System Scanner v20071014.68
Run by adler on 2008-06-29 18:18:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
46: 2008-06-28 21:35:55 UTC - RP177 - Deckard's System Scanner Restore Point
45: 2008-06-28 17:44:32 UTC - RP176 - Installed Java(TM) 6 Update 6
44: 2008-06-28 17:32:42 UTC - RP175 - Removed Java(TM) 6 Update 5
43: 2008-06-28 17:31:27 UTC - RP174 - Removed Java(TM) 6 Update 3
42: 2008-06-28 01:52:58 UTC - RP173 - System Checkpoint


-- First Restore Point --
1: 2008-05-07 04:00:04 UTC - RP132 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as adler.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:18:52 PM, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\QFC5B4.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\adler\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\adler.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "U:\Trend Image 8.0 setup utility\ImgSetup.exe" "/000d567b3e84" -HideWindow
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://burnt-orange/officescan/console ... nNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://burnt-orange/officescan/console ... /setup.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://burnt-orange/officescan/console ... AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://burnt-orange/officescan/console ... veCtrl.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = KRON.com
O17 - HKLM\Software\..\Telephony: DomainName = KRON.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = KRON.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = KRON.com
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6440 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 Scap (SecureClient Application Policy Module) - c:\windows\system32\drivers\scap.sys <Not Verified; Check Point Software Technologies; desktop>
R2 VPN-1 (VPN-1 Module) - c:\windows\system32\drivers\vpn.sys <Not Verified; Check Point Software Technologies; vpn1>

S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 SR_Service (Check Point SecuRemote Service) - "c:\program files\checkpoint\securemote\bin\sr_service.exe" <Not Verified; Check Point Software Technologies; VPN-1 SecuRemote/SecureClient>
R2 SR_WatchDog (Check Point SecuRemote WatchDog) - "c:\program files\checkpoint\securemote\bin\sr_watchdog.exe" <Not Verified; Check Point Software Technologies; desktop>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Network Controller
Device ID: PCI\VEN_1260&DEV_3886&SUBSYS_00031630&REV_01\5&11F07975&0&0008F0
Manufacturer:
Name: Network Controller
PNP Device ID: PCI\VEN_1260&DEV_3886&SUBSYS_00031630&REV_01\5&11F07975&0&0008F0
Service:


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 1144)
2004-07-13 23:14:08 24673 --a------ C:\WINDOWS\system32\ckpNotify.dll <Not Verified; Check Point Software Technologies; desktop>

C:\WINDOWS\explorer.exe (pid 1612)
2002-10-11 08:10:00 20552 --a------ C:\Program Files\WinZip\WZSHLSTB.DLL <Not Verified; WinZip Computing, Inc.; WinZip>


-- Scheduled Tasks -------------------------------------------------------------

2008-06-29 07:00:00 350 --a------ C:\WINDOWS\Tasks\At8.job
2008-06-29 07:00:00 350 --a------ C:\WINDOWS\Tasks\At32.job
2008-06-28 22:00:00 350 --a------ C:\WINDOWS\Tasks\At47.job
2008-06-28 22:00:00 350 --a------ C:\WINDOWS\Tasks\At23.job
2008-06-28 17:00:00 350 --a------ C:\WINDOWS\Tasks\At42.job
2008-06-28 17:00:00 350 --a------ C:\WINDOWS\Tasks\At18.job
2008-06-28 16:00:00 350 --a------ C:\WINDOWS\Tasks\At41.job
2008-06-28 16:00:00 350 --a------ C:\WINDOWS\Tasks\At17.job
2008-06-28 14:45:26 350 --a------ C:\WINDOWS\Tasks\At37.job
2008-06-28 14:00:11 350 --a------ C:\WINDOWS\Tasks\At39.job
2008-06-28 14:00:03 350 --a------ C:\WINDOWS\Tasks\At15.job
2008-06-28 13:00:15 350 --a------ C:\WINDOWS\Tasks\At38.job
2008-06-28 13:00:08 350 --a------ C:\WINDOWS\Tasks\At14.job
2008-06-28 12:00:09 350 --a------ C:\WINDOWS\Tasks\At13.job
2008-06-28 11:00:01 350 --a------ C:\WINDOWS\Tasks\At12.job
2008-06-28 11:00:00 350 --a------ C:\WINDOWS\Tasks\At36.job
2008-06-27 21:46:19 350 --a------ C:\WINDOWS\Tasks\At45.job
2008-06-27 20:00:09 350 --a------ C:\WINDOWS\Tasks\At21.job
2008-06-27 19:11:14 350 --a------ C:\WINDOWS\Tasks\At44.job
2008-06-27 19:00:01 350 --a------ C:\WINDOWS\Tasks\At20.job
2008-06-27 06:39:00 350 --a------ C:\WINDOWS\Tasks\At48.job
2008-06-26 23:00:07 350 --a------ C:\WINDOWS\Tasks\At24.job
2008-06-26 06:00:16 350 --a------ C:\WINDOWS\Tasks\At31.job
2008-06-26 06:00:03 350 --a------ C:\WINDOWS\Tasks\At7.job
2008-06-26 05:00:13 350 --a------ C:\WINDOWS\Tasks\At30.job
2008-06-26 05:00:04 350 --a------ C:\WINDOWS\Tasks\At6.job
2008-06-26 04:00:12 350 --a------ C:\WINDOWS\Tasks\At29.job
2008-06-26 04:00:06 350 --a------ C:\WINDOWS\Tasks\At5.job
2008-06-26 03:00:11 350 --a------ C:\WINDOWS\Tasks\At28.job
2008-06-26 03:00:03 350 --a------ C:\WINDOWS\Tasks\At4.job
2008-06-26 02:00:11 350 --a------ C:\WINDOWS\Tasks\At27.job
2008-06-26 02:00:04 350 --a------ C:\WINDOWS\Tasks\At3.job
2008-06-26 01:00:11 350 --a------ C:\WINDOWS\Tasks\At26.job
2008-06-26 01:00:03 350 --a------ C:\WINDOWS\Tasks\At2.job
2008-06-26 00:40:02 350 --a------ C:\WINDOWS\Tasks\At1.job
2008-06-26 00:21:11 350 --a------ C:\WINDOWS\Tasks\At25.job
2008-06-23 23:10:44 350 --a------ C:\WINDOWS\Tasks\At46.job
2008-06-23 23:10:43 350 --a------ C:\WINDOWS\Tasks\At43.job
2008-06-23 23:10:43 350 --a------ C:\WINDOWS\Tasks\At40.job
2008-06-23 23:10:43 350 --a------ C:\WINDOWS\Tasks\At35.job
2008-06-23 23:10:43 350 --a------ C:\WINDOWS\Tasks\At34.job
2008-06-23 23:10:43 350 --a------ C:\WINDOWS\Tasks\At33.job
2008-06-22 21:00:02 350 --a------ C:\WINDOWS\Tasks\At22.job
2008-06-22 18:00:03 350 --a------ C:\WINDOWS\Tasks\At19.job
2008-06-22 15:00:04 350 --a------ C:\WINDOWS\Tasks\At16.job
2008-06-22 10:00:03 350 --a------ C:\WINDOWS\Tasks\At11.job
2008-06-22 09:00:42 350 --a------ C:\WINDOWS\Tasks\At10.job
2008-06-22 08:00:05 350 --a------ C:\WINDOWS\Tasks\At9.job
2008-05-12 09:36:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-29 and 2008-06-29 -----------------------------

2008-06-28 10:44:37 0 d-------- C:\Program Files\Common Files\Java
2008-06-27 19:20:42 0 d-------- C:\Documents and Settings\adler\Application Data\Malwarebytes
2008-06-27 19:20:39 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-27 19:20:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-25 23:19:44 5 --a------ C:\WINDOWS\system32\system.dat
2008-06-25 23:17:43 0 d-------- C:\Program Files\easetech
2008-06-24 07:00:34 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2008-06-24 07:00:34 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-06-24 07:00:11 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-06-24 06:48:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-22 21:23:56 0 d-------- C:\Documents and Settings\adler\.housecall6.6


-- Find3M Report ---------------------------------------------------------------

2008-06-28 10:45:35 0 d-------- C:\Program Files\Java
2008-06-28 10:44:37 0 d-------- C:\Program Files\Common Files
2008-06-26 07:43:40 0 d-------- C:\Documents and Settings\adler\Application Data\Azureus
2008-06-26 07:36:13 0 d-------- C:\Documents and Settings\adler\Application Data\Apple Computer
2008-06-25 21:34:40 0 d-------- C:\Program Files\Trend Micro
2008-06-17 23:11:14 0 d-------- C:\Program Files\Azureus
2008-06-16 22:47:36 0 d-------- C:\Documents and Settings\adler\Application Data\com.zipeg
2008-06-16 22:46:53 0 d-------- C:\Program Files\Zipeg
2008-05-26 07:32:39 0 d-------- C:\Documents and Settings\adler\Application Data\BitZipper
2008-05-07 21:41:28 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-07 06:39:25 0 d-------- C:\Documents and Settings\adler\Application Data\Winamp
2008-05-07 06:24:22 0 d-------- C:\Program Files\Winamp


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [11/10/2005 10:05 PM]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [12/19/2005 10:08 AM]
"Trend OfficeScan ImageSetup"="U:\Trend Image 8.0 setup utility\ImgSetup.exe" []
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [05/08/2007 12:43 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 07/13/2004 11:14 PM 24673 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-905031722-3973244588-3983749042-1123\Scripts\Logon\0\0]
"Script"=\\KRON.com\SysVol\KRON.com\scripts\IT.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-905031722-3973244588-3983749042-1172\Scripts\Logon\0\0]
"Script"=\\Radical-red\SYSVOL\KRON.com\scripts\IT-Test.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-905031722-3973244588-3983749042-1976\Scripts\Logon\0\0]
"Script"=\\Radical-red\SYSVOL\KRON.com\scripts\Creative_Services.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- Hosts -----------------------------------------------------------------------

10.21.0.4 hal2 hal2.kron.com
10.21.0.32 radical-red radical-red.kron.com
10.21.0.33 pacific-blue pacific-blue.kron.com
10.21.0.34 screamin-green screamin-green.kron.com
10.21.0.35 indigo indigo.kron.com
10.21.0.36 laser-lemon laser-lemon.kron.com
10.21.0.37 electric-lime electric-lime.kron.com
10.21.0.38 unmellow-yellow unmellow-yellow.kron.com
10.21.0.30 kron-enps1 kron-enps1.kron.com
10.21.0.31 kron-enps2 kron-enps2.kron.com

8755 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-29 18:19:27 ------------

Extra:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) M processor 1600MHz
Percentage of Memory in Use: 43%
Physical Memory (total/avail): 1023.23 MiB / 577.55 MiB
Pagefile Memory (total/avail): 2462 MiB / 2077.32 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.87 MiB

C: is Fixed (NTFS) - 18.62 GiB total, 9.47 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - IC25N020ATMR04-0 - 18.63 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 18.62 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

UpdatesDisableNotify is set.

FW: Trend Micro Personal Firewall v3.3 (Trend Micro Inc.)
AV: Trend Micro OfficeScan Antivirus v8.0 (TrendAntiVirus)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe:*:Enabled:SecureClient Application"
"C:\\Program Files\\ENPS\\ENPS.EXE"="C:\\Program Files\\ENPS\\ENPS.EXE:*:Enabled:ENPS"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe:*:Enabled:SecureClient Application"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\adler\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ADLER-LAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\adler
LOGONSERVER=\\PACIFIC-BLUE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0905
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\adler\LOCALS~1\Temp
TMP=C:\DOCUME~1\adler\LOCALS~1\Temp
USERDNSDOMAIN=KRON.COM
USERDOMAIN=KRON
USERNAME=adler
USERPROFILE=C:\Documents and Settings\adler
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Administrator (admin)
proffitt (new local, admin, net ready)
wsadmin (admin)
adler (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Broadcom Gigabit Integrated Controller --> MsiExec.exe /X{7E369B27-13E2-41A5-9879-358EE1C8B5AD}
C-Major Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Check Point VPN-1 SecuRemote NG_AI_R56 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FCF2FC0-8268-11D4-A313-0006290D766E}\setup.exe" ADD_REMOVE
Conexant D480 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
Dell Printer Software Uninstall --> C:\Program Files\Dell\Install\Uninstall.exe
Dell Software Uninstall --> C:\Program Files\Dell_HostCD\Install\x86\Uninstall.exe
Dell Wireless WLAN Card --> "C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card"
Ease Audio Converter 1.30 --> "C:\Program Files\easetech\AudioConverter\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
InFlac 1.1.1 --> "C:\Program Files\Winamp\InFlac-Uninstall.exe"
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java(TM) 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
LiveUpdate 2.0 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MetaFrame Presentation Server Web Client for Win32 --> C:\WINDOWS\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
O2Micro Smartcard Driver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C5BED10B-42A9-4142-B4C2-008C0FDE27D5} /l1033
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Trend Micro OfficeScan Client --> "C:\Program Files\Trend Micro\OfficeScan Client\ntrmv.exe"
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Zipeg --> "C:\Program Files\Zipeg\zipeg.exe" -uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type2974 / Error
Event Submitted/Written: 06/29/2008 06:09:19 PM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script \\Radical-red\SYSVOL\KRON.com\scripts\Creative_Services.vbs. The network path was not found.
.

Event Record #/Type2973 / Error
Event Submitted/Written: 06/29/2008 06:05:27 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type2971 / Error
Event Submitted/Written: 06/29/2008 06:04:50 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type2966 / Error
Event Submitted/Written: 06/29/2008 06:04:27 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type2964 / Warning
Event Submitted/Written: 06/29/2008 07:14:16 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type13750 / Error
Event Submitted/Written: 06/29/2008 06:12:59 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\WINDOWS\system32\PTi040cT.dll.
Reference error message: The operation completed successfully.
.

Event Record #/Type13749 / Error
Event Submitted/Written: 06/29/2008 06:12:59 PM
Event ID/Source: 59 / SideBySide
Event Description:
Resolve Partial Assembly failed for Microsoft.VC80.ATL.
Reference error message: The referenced assembly is not installed on your system.
.

Event Record #/Type13748 / Error
Event Submitted/Written: 06/29/2008 06:12:59 PM
Event ID/Source: 32 / SideBySide
Event Description:
Dependent Assembly Microsoft.VC80.ATL could not be found and Last Error was The referenced assembly is not installed on your system.

Event Record #/Type13731 / Error
Event Submitted/Written: 06/29/2008 06:05:51 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The QoS Packet Scheduler service failed to start due to the following error:
%%1058

Event Record #/Type13730 / Error
Event Submitted/Written: 06/29/2008 06:04:46 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.



-- End of Deckard's System Scanner: finished at 2008-06-29 18:19:27 ------------

I also did the OTMoveIt but failed to copy it before closing. I did it a second time and the item you listed did not show up. Here is the OTMoveIt log after I did it a second time:


OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 06292008_182227


Nothing. As for your final question on how the computer is running...yes, much better. Before and while we were doing this Explorer kept shutting down and it was quite frustrating. The random pop-up has also vanished. So far, so good.

Nice job! Thank you. Thank you!
sflonglegs
Regular Member
Posts: 20
Joined: June 26th, 2008, 12:47 am

Re: Malware - Explorer shuts down, pop-ups

Unread postby km2357 » June 29th, 2008, 11:17 pm

As for your final question on how the computer is running...yes, much better. Before and while we were doing this Explorer kept shutting down and it was quite frustrating. The random pop-up has also vanished. So far, so good.

Nice job! Thank you. Thank you!


That's good to hear. :) One more batch of files to move with OTMoveIT2 and if everything goes ok with that and there are no more problems, then you'll be good to go and I can give you the All-Clean. :)



Step # 1 Run OTMoveIt2


  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\WINDOWS\Tasks\At8.job
    C:\WINDOWS\Tasks\At32.job
    C:\WINDOWS\Tasks\At47.job
    C:\WINDOWS\Tasks\At23.job
    C:\WINDOWS\Tasks\At42.job
    C:\WINDOWS\Tasks\At18.job
    C:\WINDOWS\Tasks\At41.job
    C:\WINDOWS\Tasks\At17.job
    C:\WINDOWS\Tasks\At37.job
    C:\WINDOWS\Tasks\At39.job
    C:\WINDOWS\Tasks\At15.job
    C:\WINDOWS\Tasks\At38.job
    C:\WINDOWS\Tasks\At14.job
    C:\WINDOWS\Tasks\At13.job
    C:\WINDOWS\Tasks\At12.job
    C:\WINDOWS\Tasks\At36.job
    C:\WINDOWS\Tasks\At45.job
    C:\WINDOWS\Tasks\At21.job
    C:\WINDOWS\Tasks\At44.job
    C:\WINDOWS\Tasks\At20.job
    C:\WINDOWS\Tasks\At48.job
    C:\WINDOWS\Tasks\At24.job
    C:\WINDOWS\Tasks\At31.job
    C:\WINDOWS\Tasks\At7.job
    C:\WINDOWS\Tasks\At30.job
    C:\WINDOWS\Tasks\At6.job
    C:\WINDOWS\Tasks\At29.job
    C:\WINDOWS\Tasks\At5.job
    C:\WINDOWS\Tasks\At28.job
    C:\WINDOWS\Tasks\At4.job
    C:\WINDOWS\Tasks\At27.job
    C:\WINDOWS\Tasks\At3.job
    C:\WINDOWS\Tasks\At26.job
    C:\WINDOWS\Tasks\At2.job
    C:\WINDOWS\Tasks\At1.job
    C:\WINDOWS\Tasks\At25.job
    C:\WINDOWS\Tasks\At46.job
    C:\WINDOWS\Tasks\At43.job
    C:\WINDOWS\Tasks\At40.job
    C:\WINDOWS\Tasks\At35.job
    C:\WINDOWS\Tasks\At34.job
    C:\WINDOWS\Tasks\At33.job
    C:\WINDOWS\Tasks\At22.job
    C:\WINDOWS\Tasks\At19.job
    C:\WINDOWS\Tasks\At16.job
    C:\WINDOWS\Tasks\At11.job
    C:\WINDOWS\Tasks\At10.job
    C:\WINDOWS\Tasks\At9.job


  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
km2357
MRU Master
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California
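Added example (not from the thread, and not part of OTMoveIt2 or DSS): before moving a batch of scheduled tasks like the At1.job to At48.job list above, it is worth reading what each job actually launches. The AtN.job naming is what the at command assigns to the jobs it creates, so a stack of them on a home PC is itself a signal. The Python below parses the Task Scheduler 1.0 .job file format (a 68-byte fixed header whose offset-20 field points at the variable section: Unicode strings for application, parameters, working directory, author and comment, then user/reserved data and the trigger table), returns the command line of each job and flags the ones worth a look. The two sample jobs, their paths and the DLL name inside them are constructed for this example and are not taken from any log in the thread; the heuristics are illustrative triage, not a signature. On the infected box you would call triage_directory() from an administrator prompt instead of using the samples.

```python
import re
import struct
from dataclasses import dataclass, field
from pathlib import Path, PureWindowsPath
from typing import Dict, List, Tuple

FIXED_SECTION_LEN = 68   # fixed-length header of a .job file (MS-TSCH 2.4.2.1)
TRIGGER_LEN = 48         # size of one trigger record in the variable section
# at.exe names the jobs it creates At1.job, At2.job, ... : the pattern in the thread.
AT_JOB_NAME = re.compile(r"^At\d+\.job$", re.IGNORECASE)
# Signed system binaries that will run an arbitrary DLL or script for a task.
LOADERS = {"rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class JobInfo:
    name: str
    app_name: str
    parameters: str
    working_dir: str
    author: str
    trigger_count: int
    flags: List[str] = field(default_factory=list)


def _read_ustr(buf: bytes, off: int) -> Tuple[str, int]:
    """A .job Unicode string: uint16 char count (NUL included), then UTF-16LE text."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if count == 0:
        return "", off
    text = buf[off:off + 2 * count].decode("utf-16-le").rstrip("\x00")
    return text, off + 2 * count


def parse_job(data: bytes, name: str = "") -> JobInfo:
    """Return what the job runs: application, parameters, working dir, author, triggers."""
    if len(data) < FIXED_SECTION_LEN:
        raise ValueError(f"{name}: shorter than a .job fixed section")
    # Offset 20 holds the file offset of the Application Name string, which sits
    # right after the uint16 Running Instance Count that opens the variable section.
    (app_off,) = struct.unpack_from("<H", data, 20)
    app, off = _read_ustr(data, app_off)
    params, off = _read_ustr(data, off)
    workdir, off = _read_ustr(data, off)
    author, off = _read_ustr(data, off)
    _comment, off = _read_ustr(data, off)
    for _ in range(2):                       # User Data, Reserved Data: uint16 size + bytes
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    (n_triggers,) = struct.unpack_from("<H", data, off)
    return JobInfo(name, app, params, workdir, author, n_triggers)


def flag_job(job: JobInfo) -> List[str]:
    """Cheap triage heuristics; a hit means 'look at this', not 'this is malware'."""
    reasons = []
    if AT_JOB_NAME.match(job.name):
        reasons.append("default at.exe job name")
    exe = PureWindowsPath(job.app_name.strip('"')).name.lower()
    if exe in LOADERS:
        reasons.append(f"{exe} used as a loader for {job.parameters!r}")
    return reasons


def triage(jobs: Dict[str, bytes]) -> List[JobInfo]:
    out = []
    for name, data in jobs.items():
        job = parse_job(data, name)
        job.flags = flag_job(job)
        out.append(job)
    return out


def triage_directory(tasks_dir: str = r"C:\WINDOWS\Tasks") -> List[JobInfo]:
    """On-box use: read every *.job in the Tasks folder (run from an admin prompt)."""
    return triage({p.name: p.read_bytes() for p in Path(tasks_dir).glob("*.job")})


def _ustr(text: str) -> bytes:
    if not text:
        return struct.pack("<H", 0)
    return struct.pack("<H", len(text) + 1) + (text + "\x00").encode("utf-16-le")


def build_job(app: str, params: str = "", workdir: str = "", author: str = "",
              n_triggers: int = 1) -> bytes:
    """Assemble a minimal well-formed .job; used here only to construct sample input."""
    strings = _ustr(app) + _ustr(params) + _ustr(workdir) + _ustr(author) + _ustr("")
    strings += struct.pack("<HH", 0, 0)                # empty User Data and Reserved Data
    app_off = FIXED_SECTION_LEN + 2                    # skip the Running Instance Count
    trig_off = app_off + len(strings)                  # Triggers section (count + records)
    fixed = struct.pack("<HH16sHHHHHHIIIII16s",
                        0x0501, 0x0001, bytes(16),     # XP product/file version, job uuid
                        app_off, trig_off, 0, 0, 0, 0, # offsets, retry and idle fields
                        0x20, 0, 0, 0, 0, bytes(16))   # priority, max run, exit, status, flags, last run
    trigger = struct.pack("<H", TRIGGER_LEN) + bytes(TRIGGER_LEN - 2)
    return fixed + struct.pack("<H", 0) + strings + struct.pack("<H", n_triggers) + trigger * n_triggers


# Constructed sample input: one job shaped like the AtN.job set, one ordinary backup job.
SAMPLE_JOBS = {
    "At1.job": build_job(r"C:\WINDOWS\system32\rundll32.exe",
                         r'"C:\WINDOWS\system32\example.dll",Run', r"C:\WINDOWS\system32"),
    "Backup.job": build_job(r"C:\Program Files\Backup\backup.exe", "/nightly",
                            r"C:\Program Files\Backup", r"MACHINE\user"),
}

if __name__ == "__main__":
    for job in triage(SAMPLE_JOBS):
        print(f"{job.name:12} {'SUSPECT' if job.flags else 'ok':8} {job.app_name} {job.parameters}")
        for reason in job.flags:
            print(f"{'':21}- {reason}")
```

Parsing the file instead of trusting the Scheduled Tasks folder view matters because the Explorer view only shows the application name; the DLL or script that a rundll32/regsvr32 job actually loads is in the parameters string. Move the jobs first and read them from the quarantine folder afterwards if you want to keep the box offline while you triage.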

Re: Malware - Explorer shuts down, pop-ups

Unread postby sflonglegs » June 30th, 2008, 12:24 am

I did as you instructed. Here is the log confirmation:

C:\WINDOWS\Tasks\At8.job moved successfully.
C:\WINDOWS\Tasks\At32.job moved successfully.
C:\WINDOWS\Tasks\At47.job moved successfully.
C:\WINDOWS\Tasks\At23.job moved successfully.
C:\WINDOWS\Tasks\At42.job moved successfully.
C:\WINDOWS\Tasks\At18.job moved successfully.
C:\WINDOWS\Tasks\At41.job moved successfully.
C:\WINDOWS\Tasks\At17.job moved successfully.
C:\WINDOWS\Tasks\At37.job moved successfully.
C:\WINDOWS\Tasks\At39.job moved successfully.
C:\WINDOWS\Tasks\At15.job moved successfully.
C:\WINDOWS\Tasks\At38.job moved successfully.
C:\WINDOWS\Tasks\At14.job moved successfully.
C:\WINDOWS\Tasks\At13.job moved successfully.
C:\WINDOWS\Tasks\At12.job moved successfully.
C:\WINDOWS\Tasks\At36.job moved successfully.
C:\WINDOWS\Tasks\At45.job moved successfully.
C:\WINDOWS\Tasks\At21.job moved successfully.
C:\WINDOWS\Tasks\At44.job moved successfully.
C:\WINDOWS\Tasks\At20.job moved successfully.
C:\WINDOWS\Tasks\At48.job moved successfully.
C:\WINDOWS\Tasks\At24.job moved successfully.
C:\WINDOWS\Tasks\At31.job moved successfully.
C:\WINDOWS\Tasks\At7.job moved successfully.
C:\WINDOWS\Tasks\At30.job moved successfully.
C:\WINDOWS\Tasks\At6.job moved successfully.
C:\WINDOWS\Tasks\At29.job moved successfully.
C:\WINDOWS\Tasks\At5.job moved successfully.
C:\WINDOWS\Tasks\At28.job moved successfully.
C:\WINDOWS\Tasks\At4.job moved successfully.
C:\WINDOWS\Tasks\At27.job moved successfully.
C:\WINDOWS\Tasks\At3.job moved successfully.
C:\WINDOWS\Tasks\At26.job moved successfully.
C:\WINDOWS\Tasks\At2.job moved successfully.
C:\WINDOWS\Tasks\At1.job moved successfully.
C:\WINDOWS\Tasks\At25.job moved successfully.
C:\WINDOWS\Tasks\At46.job moved successfully.
C:\WINDOWS\Tasks\At43.job moved successfully.
C:\WINDOWS\Tasks\At40.job moved successfully.
C:\WINDOWS\Tasks\At35.job moved successfully.
C:\WINDOWS\Tasks\At34.job moved successfully.
C:\WINDOWS\Tasks\At33.job moved successfully.
C:\WINDOWS\Tasks\At22.job moved successfully.
C:\WINDOWS\Tasks\At19.job moved successfully.
C:\WINDOWS\Tasks\At16.job moved successfully.
C:\WINDOWS\Tasks\At11.job moved successfully.
C:\WINDOWS\Tasks\At10.job moved successfully.
C:\WINDOWS\Tasks\At9.job moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 06292008_211831

Thank you again for everything. Everything does seem to be working fine. Let me know if there is anything else. I greatly appreciate all of the time you took on this. Thanks to your directions it has been very easy.

Let me know if you need me to do anything else.
thanks
sflonglegs
Regular Member
Posts: 20
Joined: June 26th, 2008, 12:47 am

Re: Malware - Explorer shuts down, pop-ups

Unread postby km2357 » June 30th, 2008, 1:07 am

It looks like everything went well with OTMoveIT2 and since everything is running fine, then you are good to go. :)

You can delete dss.exe from your Desktop.

Please open OTMoveIt2.

  • Click on the CleanUp! button. If your Firewall gives a warning about OTMoveIt wanting to download a file, allow it.
  • Answer Yes to the prompt.
  • The program will ask for a reboot. Answer Yes.

You can also re-enable Teatimer as well.

Empty your Recycle Bin.


Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point

  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.
  • This will remove all restore points except the new one you just created.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure
This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub frames across different domains to Prompt
  5. When all these settings have been made, click on the OK button.
  6. If it asks you if you want to save the settings, press the Yes button.
  7. Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK
  • Use antivirus software and keep it updated - It is very important that your computer has antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit Microsoft Windows Update regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line Anti Malware
  • Use the hosts file: Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download the MVPS hosts file. Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE. If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button on the task bar at the bottom of your screen
    2. Click run
    3. In the dialog box, type services.msc
    4. Hit enter, then locate DNS Client
    5. Highlight it, then double-click it.
    6. On the dropdown box, change the setting from Automatic to Manual.
    7. Click OK.
  • Use an alternative instant messenger program: Trillian and Miranda IM. These are malware-free instant messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Please read Tony Klein's excellent article: How I got Infected in the First Place
  • Please read Understanding Spyware, Browser Hijackers, and Dialers
  • Please read Simple and easy ways to keep your computer safe and secure on the Internet
  • If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox or Opera.
    If you decide to use either Firefox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  • If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miek ... ntion.html

Good luck!


Please reply one last time so that I know you have read my post and this thread can be closed.
km2357
MRU Master
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California
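Added example, not part of the All-Clean template above: the six Internet-zone settings it tells you to change by hand live in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 as numbered action values (the IDs are Microsoft's documented zone action identifiers; 0 = Enable, 1 = Prompt, 3 = Disable). Instead of clicking through the Custom Level dialog on every machine you can export that key with reg export, audit the export against the list, and apply a corrected .reg file. The Python below does the audit and writes the hardened .reg; the registry export embedded in it is constructed for this example and its deviations (two settings still on Enable, one never written) are illustrative.

```python
import re
from typing import Dict, List, Tuple

# Internet zone (zone 3) per-user key, and the action IDs behind the six settings
# in the All-Clean list (IDs from Microsoft's zone documentation, KB 182569).
ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
SETTING_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
POLICY = {  # action id: (description, required value)
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def parse_reg_export(text: str) -> Dict[str, Dict[str, int]]:
    """Read the [key] and "name"=dword:xxxxxxxx lines of a .reg export into ints.

    String and binary values are ignored; every zone action is a DWORD.
    """
    keys: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$', line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_zone3(reg_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (action id, description, required, actual) for every setting off policy."""
    values = parse_reg_export(reg_text).get(ZONE3_KEY, {})
    findings = []
    for action_id, (desc, required) in POLICY.items():
        actual = values.get(action_id)
        if actual != required:
            shown = "not set" if actual is None else SETTING_NAME.get(actual, str(actual))
            findings.append((action_id, desc, SETTING_NAME[required], shown))
    return findings


def audit_zone3_file(path: str) -> List[Tuple[str, str, str, str]]:
    """reg.exe writes exports as UTF-16LE with a BOM, so open them as utf-16."""
    with open(path, encoding="utf-16") as fh:
        return audit_zone3(fh.read())


def hardened_reg_text() -> str:
    """The corrected settings as a .reg file that reg import (or a double-click) applies."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE3_KEY}]"]
    lines += [f'"{aid}"=dword:{required:08x}' for aid, (_d, required) in sorted(POLICY.items())]
    return "\r\n".join(lines) + "\r\n"


# Constructed sample export: 1001 and 1607 still on Enable, 1804 never written.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1607"=dword:00000000
"1800"=dword:00000001
"""

if __name__ == "__main__":
    for aid, desc, required, actual in audit_zone3(SAMPLE_REG):
        print(f"{aid}  {desc}: required {required}, actual {actual}")
    print(hardened_reg_text())
```

A value that is "not set" in the export means the zone is still running on its template default for that action, so treat it as a finding rather than assuming it is safe. On a machine managed by Group Policy the effective zone settings can be enforced from the HKLM copy of the same key, so audit that hive as well before concluding that the per-user values are what IE actually applies.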

Re: Malware - Explorer shuts down, pop-ups

Unread postby sflonglegs » June 30th, 2008, 11:35 pm

Great, thank you. I did as you instructed. When it comes to AntiVirus programs, could you recommend any? Thank you for all of your time and energy. It is quite nice that you offer your services like you do.
sflonglegs
Regular Member
Posts: 20
Joined: June 26th, 2008, 12:47 am

Re: Malware - Explorer shuts down, pop-ups

Unread postby km2357 » July 1st, 2008, 1:55 am

You're welcome. I'm glad I was able to help. :)

As for AntiVirus programs, here are a couple (free) choices:

1) Antivir PersonalEdition Classic
2) avast! 4 Home Edition


Download and install only one!

Whatever one you pick, be sure to uninstall your Trend Micro AV before installing the new AV.
km2357
MRU Master
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Malware - Explorer shuts down, pop-ups

Unread postby NonSuch » July 4th, 2008, 2:33 am

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
NonSuch
Administrator
Posts: 27302
Joined: February 23rd, 2005, 7:08 am
Location: California