Explorer keeps closing?

May 27, 2009 at 07:42:01
Specs: Windows XP
I tried the Malwarebytes Anti-Malware tool, as well as running a TrendMicro scan. The TrendMicro scan keeps messing up at about 50% done, not sure if it's just my connection or something that this virus or whatever is doing. Malwarebytes found 2-3 items that I had it quarantine, but I'm still having the problem. Search and Destroy wouldn't even load.

I did a HijackThis Scan and here are the results:

--------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:06 AM, on 5/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://help.cableone.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://help.cableone.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CableONE.Net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Disc Detector] "C:\Program Files\Creative\ShareDLL\CtNotify.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://help.cableone.net
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 4795 bytes

--------------------

Any ideas? I'm all ears to suggestions or steps to get this off of here. Incidentally, I think I picked it up when my wife went to netfix.com instead of netflix. A Google search didn't turn up anything about that though.

Thanks!




#1
May 27, 2009 at 09:41:24
Can you post your Malwarebytes scan log?


#2
May 27, 2009 at 09:50:17
Here's the log:

Malwarebytes' Anti-Malware 1.34
Database version: 1853
Windows 5.1.2600 Service Pack 2

5/27/2009 7:49:24 AM
mbam-log-2009-05-27 (07-49-24).txt

Scan type: Full Scan (C:\|)
Objects scanned: 173931
Time elapsed: 36 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------

I had it clean those items, and in the following clean, the MalwareBytes log was clean.

Another thing I probably should have mentioned, is I get the windows tray icon for the Security Alert (which makes sense considering the items in the above log).

Thanks for the prompt reply, waiting and ready for more information.



#3
May 27, 2009 at 10:00:04
Can you please post your AVZ log:
Note: Run AVZ in windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again.

1) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.

Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.


#4
May 27, 2009 at 10:15:06
Here you are:

http://rapidshare.com/files/2378637...

Sorry for the delay. It's a hassle to get anything done when explorer.exe crashes and restarts constantly, and this is an older machine. Took some fast clicking to get where I wanted before it shut down on me again.



#5
May 27, 2009 at 10:40:01
Follow these steps in order numbered:
Note: if your system is still unstable after Step 1, you can do Step 2 in safe mode if it's stable.

1) Run this script in AVZ like before. Your computer will reboot.

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 QuarantineFile('C:\WINDOWS\system32\apiwidllrip.dll','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\au1klqkh.SYS','');
 DeleteFile('C:\WINDOWS\System32\Drivers\au1klqkh.SYS');
 DeleteFile('C:\WINDOWS\system32\apiwidllrip.dll');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

2) After reboot. Attach a Combofix log, please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to rapidshare.com and paste the link here.


#6
May 27, 2009 at 10:58:15
Okay, 2nd AVZ script was run and completed successfully. When Windows restarted, explorer.exe was no longer constantly closing and restarting, so that's one problem out of the way!

Here's the ComboFix log as requested:

http://rapidshare.com/files/2378794...

Also, while waiting for responses and scans I've browsed some of the different threads on here, and it seems HijackThis, AVZ, and ComboFix are some of the more common tools. I doubt they're a good substitute for some solid antivirus protection, but I have a couple of questions.

Google pulls up a ton of results when searching for any of these three programs. I'm curious how you started to learn about them, and how you learned how to read the logs (and also create the AVZ scripts, etc.). I just thought, why not learn some myself so I don't have to turn to you guys unless something really stumps me.

Any direction you could provide would be appreciated. And thanks for the help thus far; ready and waiting for more!



#7
May 27, 2009 at 11:24:45
Follow these steps in order numbered:

1) Run this script in AVZ; your computer will reboot.

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('c:\windows\system32\winsyncupx.exe','');
QuarantineFile('c:\windows\system32\apiwidllrip.dat','');
DeleteFile('c:\windows\system32\apiwidllrip.dat');
DeleteFile('c:\windows\system32\winsyncupx.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

2) Upload the following files to rapidshare and private message me the download link:
c:\windows\$NtServicePackUninstall$\winlogon.exe
c:\windows\$NtServicePackUninstall$\winlogon.exe
c:\windows\system32\winlogon.exe
c:\documents and settings\Daniel Murray\Start Menu\Programs\Startup\ChkDisk.dll

3) Run this script in AVZ:


begin
CreateQurantineArchive('c:\quarantine.zip');
end.

4) A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to a filehost such as http://rapidshare.com/ Then, Private Message me the Download link to the uploaded file.

5) Lastly, uninstall Combofix by: pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > run > type combofix /u > ok. Or Start > run > type 123 /u > ok.

PS: Complete all the steps; I will answer your questions at the end :).


#8
May 27, 2009 at 11:44:30
I sent the message.

Ready when you are.



#9
May 27, 2009 at 12:10:08
Thanks for the files. Please follow these steps in order numbered and post summary log after each step.

1) If you use Windows System restore, turn it off > reboot. How to turn it off/on: http://support.kaspersky.com/faq/?q... Run a full scan with:

Download and run Kaspersky AVP tool:

http://devbuilds.kaspersky-labs.com...

Once you download and start the tool, select all the objects/places to be scanned and hit Scan. Fix what it detects, and at the end of the scan post a screenshot/log of the detected items that were fixed and those it could not fix.

2) Run a full scan with http://www.eset.eu/online-scanner

# Check the box next to YES, I accept the Terms of Use.
# Click Start
# When asked, allow the ActiveX control to be installed.
# Click Start
# Check below options:

    * Remove found threats
    * Scan unwanted applications.

# Click Scan
# Wait for the scan to finish
# When it finishes it will create a log file here: C:\Program Files\EsetOnlineScanner\log.txt
# Attach this logfile to your next message.

Note: Turn system restore back on, if you wish; this is to remove malware from system volume information files.

3) Install, update and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log, but please don't fix anything yet, until the log is reviewed.

4) House cleaning [Optional]. Scan with SuperAntispyware : http://www.superantispyware.com/dow... . Fix what it detects and post summary scan log.


#10
May 27, 2009 at 14:34:57
Unless this Kaspersky scan starts speeding up, the estimated time of completion is tomorrow morning.

I'll update when I manage to finish everything.



#11
May 27, 2009 at 14:40:15
Yes, Response Number 9 will take a day or two to complete in full. But do finish it, since it will reduce the chance of reinfection and clear up unwanted residual files from your system. As for your question, you need to be trained in malware removal. This is a short way to clean up those hard-to-get-rid-of infections. Use Google to search and read about malware removal to get started.


#12
May 28, 2009 at 00:24:12
Okay, that took a little longer than expected, but I think everything went ok.

First off, I disabled the Windows System Restore, then I ran Kaspersky's AVG scanner. The log ended up being something like 91mb of text, but here are the 33 items that it found and fixed:


Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan.Java.ClassLoader.i File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\3e021ed8-3914857b.bac_a02176//CryptFF.b/Counter.class
deleted: Trojan program Trojan.Java.ClassLoader.k File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\3e021ed8-3914857b.bac_a02176//CryptFF.b/VerifierBug.class
deleted: Trojan program Trojan.Java.ClassLoader.k File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\3e021ed8-3914857b.bac_a02176//CryptFF.b/Beyond.class
deleted: Trojan program Trojan.Java.ClassLoader.k File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\3e021ed8-3914857b.bac_a03792//CryptFF.b/Beyond.class
deleted: Trojan program Trojan-Downloader.Win32.Small.ddx File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\backup-20070127-114312-279.dll.bac_a02176//CryptFF.b//PE_Patch.PECompact//PecBundle//PECompact
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bls File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\backup-20070127-114312-456.dll.bac_a01104//CryptFF.b//PE_Patch
deleted: Trojan program Trojan-Clicker.Win32.Costrat.t File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\bot[2].bac_a01104//CryptFF.b//PE_Patch//PE_Patch
deleted: Trojan program Exploit.Java.ByteVerify File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\count.jar-652b4e66-46d64fcd.zip.bac_a02176//CryptFF.b/BlackBox.class
deleted: Trojan program Exploit.Java.ByteVerify File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\count.jar-652b4e66-46d64fcd.zip.bac_a02176//CryptFF.b/VerifierBug.class
deleted: Trojan program Trojan-Downloader.Java.OpenConnection.aa File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\count.jar-652b4e66-46d64fcd.zip.bac_a02176//CryptFF.b/Beyond.class
deleted: Trojan program Trojan-Downloader.Java.OpenConnection.aa File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\count.jar-6699b1e6-2ffebda7.zip.bac_a02176//CryptFF.b
deleted: Trojan program Exploit.Java.ByteVerify File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\count3.jar-2a1f473-7d643d4c.zip.bac_a02176//CryptFF.b/Beyond.class
deleted: Trojan program Trojan.Java.ClassLoader.af File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\count3.jar-2a1f473-7d643d4c.zip.bac_a02176//CryptFF.b/BlackBox.class
deleted: Trojan program Trojan.Java.ClassLoader.ai File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\count3.jar-2a1f473-7d643d4c.zip.bac_a02176//CryptFF.b/VerifierBug.class
deleted: Trojan program Trojan-Downloader.Win32.Small.dwr File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\down.exe.bac_a02176//CryptFF.b
deleted: Trojan program Trojan-Downloader.Win32.Small.dwr File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\down[1].exe.bac_a02176//CryptFF.b
deleted: Trojan program Trojan-Clicker.Win32.Costrat.af File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\heimhq[1].txt.bac_a01104//CryptFF.b
deleted: Trojan program Backdoor.Win32.Rbot.byj File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\keygen.exe.bac_a03792//CryptFF.b
deleted: Trojan program Trojan-Downloader.Win32.Small.edb File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\loadadv690[1].bac_a02176//CryptFF.b//FSG
deleted: Trojan program Rootkit.Win32.Small.sy File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\msb.dll.bac_a03792//CryptFF.b
deleted: Trojan program Trojan-Downloader.Win32.Small.dwc File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\new[1].bac_a01104//CryptFF.b
deleted: Trojan program Trojan-Proxy.Win32.Xorpix.ar File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\partnership.dll.bac_a01104//CryptFF.b//UPack
deleted: Trojan program Trojan-PSW.Win32.Sinowal.bv File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\zslifp[1].txt.bac_a01104//CryptFF.b//PE_Patch.UPX//UPX
deleted: Trojan program Trojan-Downloader.Win32.Murlo.fa File: C:\Documents and Settings\Daniel Murray\.housecall6.6\Quarantine\~tmp0374.exe~.bac_a01104//CryptFF.b//PE_Patch.UPX//UPX
deleted: Trojan program Backdoor.Win32.Rbot.byj File: C:\Documents and Settings\Daniel Murray\Desktop\AVZ\avz4\Quarantine\2009-05-27\avz00002.dta
deleted: malware Hoax.Win32.BadJoke.Autoit.b File: C:\old primary\Documents and Settings\Daniel Murray\Local Settings\Temp\FishBot.zip/FishBot/FishBot.exe//UPX//script.au3
deleted: Trojan program Packed.Win32.NSAnti.r File: C:\old primary\Documents and Settings\Daniel Murray\Local Settings\Temp\pendbg.exe
deleted: Trojan program Packed.Win32.NSAnti.r File: C:\old primary\Documents and Settings\Daniel Murray\Local Settings\Temp\sqlstone.exe
quarantined: virus Heur.Downloader (modification) File: C:\old primary\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FROQRO5H\serv[1]
deleted: Trojan program Trojan-Clicker.Win32.Costrat.t File: C:\old primary\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\TJX7RXRQ\bot[1]//PE_Patch//PE_Patch
deleted: Trojan program Rootkit.Win32.Small.sy File: C:\WINDOWS\pss\ChkDisk.dllStartup
deleted: Trojan program Trojan-PSW.Win32.Delf.dml File: C:\WINDOWS\system32\dojtoy.dll
deleted: adware not-a-virus:AdWare.Win32.AdMedia.ay File: C:\wowmodelviewer\wowmodelview.exe


Next, I ran the scanner from eset.eu, and it found and fixed 10 items. However, after a bunch of searching around, I wasn't able to find the log for that one, I hope it's not too much of a problem.

Next up was the scan from Malwarebytes, which found 3 items, and here's that log (as requested, I didn't fix anything yet):


Malwarebytes' Anti-Malware 1.37
Database version: 2186
Windows 5.1.2600 Service Pack 2

5/28/2009 12:56:38 AM
mbam-log-2009-05-28 (00-56-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 183811
Time elapsed: 31 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And finally, SuperAntiSpyware found a bunch of cookie items, attached is the rapidshare link.

http://rapidshare.com/files/2380643...


What's next, boss?


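Added example, not part of the original thread: one way to compare the two Malwarebytes logs posted above (responses #2 and #12) and list items the earlier scan reported as cleaned that the later scan flags again. The function names and the trimmed sample logs are constructed for illustration; matching is done on the registry value rather than the detection name, because the name differs between the two logs.

```python
import re
from dataclasses import dataclass

# Constructed input: the two Malwarebytes logs from this thread, trimmed to
# the summary count and the sections that matter here.
SCAN_MAY27 = r"""Malwarebytes' Anti-Malware 1.34
Registry Data Items Infected: 3
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""
SCAN_MAY28 = r"""Malwarebytes' Anti-Malware 1.37
Registry Data Items Infected: 3
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Files Infected:
(No malicious items detected)
"""

@dataclass(frozen=True)
class Detection:
    section: str  # e.g. "Registry Data Items Infected"
    target: str   # registry value or file path
    name: str     # detection name as printed by the scanner
    action: str   # what the scanner reports having done

# "X Infected:" alone on a line opens a section; "X Infected: 3" is a summary count.
SECTION = re.compile(r"^([A-Z][A-Za-z ]+ Infected):\s*$")
# target (name) -> [optional "Bad: ... Good: ..." ->] action.
ITEM = re.compile(
    r"^(?P<target>.+?) \((?P<name>[^()]+)\) -> (?:.* -> )?(?P<action>[^>]+?)\.?\s*$")

def parse_log(text):
    """Return the detections listed under each '... Infected:' section."""
    section, found = None, []
    for line in text.splitlines():
        line = line.strip()
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        item = ITEM.match(line) if section else None
        if item:
            found.append(Detection(section, item["target"], item["name"], item["action"]))
    return found

def recurring(earlier, later):
    """Detections in `later` whose target `earlier` reported as successfully cleaned."""
    fixed = {d.target.lower() for d in earlier if "successfully" in d.action.lower()}
    return [d for d in later if d.target.lower() in fixed]

if __name__ == "__main__":
    for d in recurring(parse_log(SCAN_MAY27), parse_log(SCAN_MAY28)):
        print(f"flagged again: {d.target} ({d.name}) -> {d.action}")
```

A value that shows up in both lists was changed back between the scans; the comparison only surfaces that fact and leaves the cause to be investigated.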

#13
May 28, 2009 at 06:29:37
You should be malware free. Your original problem solved? The ESET log should be in: C:\Program Files\EsetOnlineScanner\log.txt

edited by moderator



#14
May 28, 2009 at 11:06:58
Tried looking there, but I didn't find anything. However, everything seems to be solved.

Thanks a bunch for your help!

