Trojans in Unauthorized Bing Toolbar and Can't get Windows Updates
I've tried everything -- system restore, running anti-virus programs (Avast, MalwareBytes, Eusing Registry Cleaner, SuperAntiSpyware). Have problems redirecting online. Now I just suddenly had a Bing toolbar installed WITHOUT PERMISSION. System shut down big time, SAS told me there were trojans, as did Avast. Ran every program and cleaned out ALL temp files. All scans showed some trojans and they were removed or repaired. Now I go to a Bing page when logging on and opening a 2nd tab, trying to go elsewhere. This has also blocked me from updating Windows. Either IE or Foxfire "can't display the page". I found another posting on this; tried to search for other postings and got shut down by Foxfire. It was a few years old anyways, so I thought I'd try again to put a post on. Any suggestions? Mighty frustrating!

Thanks and Blessings,
Luke
November 17th, 2010 9:10pm

Lukeville,

Is the computer connected to the internet via a wired or wireless router?
Are Malwarebytes Anti-malware (MBAM) and SAS still able to update their definitions?
If yes, update them and then restart the system to Safe Mode - Start your computer in safe mode
When you've restarted to Safe Mode open MBAM and choose Perform full scan. Have it remove all detected items. Do not restart the computer yet if you are prompted to by MBAM. Leave MBAM open for now but minimize it, please.
Do the same with SAS. Again, if you are prompted to restart when it attempts to remove any remaining detected items, choose No. Leave SAS open for now, too.
Click the Start orb. In the Start Search field type in cmd
Under Programs, right click cmd.exe and choose 'Run as administrator'. Agree to the UAC prompt to allow the Command Prompt to run with Elevated Privileges.
At the prompt type in the below exactly as written, including the spaces, and then press Enter
ipconfig /flushdns
You should receive a confirmation message that the DNS cache was flushed.
At the prompt type in exit, press Enter.
Restart the system to normal Windows mode now.
Using Internet Explorer, see if the system can be scanned here now - Windows Live OneCare safety scanner for Windows Vista and Windows 7
If it can not be scanned there, then try the - ESET Online Scanner
The Windows Live OneCare scanner may be able to repair Windows Update, too.

MowGreen Windows Expert IT Pro - Consumer Security
November 18th, 2010 1:57am

Thanks so much for the info. I have tried the safe mode scans; however I will try them again and follow the rest of your response. One person said they thought my IP address had been hijacked since I seem to be getting hit so much. I have to go out of town tomorrow and pack right now, but I've printed out your response and will work on them when I return. Thanks so much for your help!!
November 19th, 2010 7:26am

It is possible that your router has been hijacked, 'tis why I asked "Is the computer connected to the internet via a wired or wireless router?"
Flushing the DNS cache from your computer will narrow down just where the search hijacking is taking place, Lukeville.
Have a safe trip!

MowGreen Windows Expert IT Pro - Consumer Security
November 19th, 2010 8:44pm

Sorry, forgot to tell you that it's wired (Wild Blue). We live in a very rural setting, so I don't worry about over-the-air hijackers. But who knows? And I tried your suggestions; I'm so sorry -- when I searched for a common answer, I started a new thread in the same topic (Vista). I have Windows XP. I started safe modes, ran both programs, and had to stop when I realized I had a different OS from what I posted. Could you continue in XP suggestions or should I post on the correct page? Thanks and so sorry!
November 23rd, 2010 10:54pm

Hello, Lukeville

I moved your thread to the correct forum.
What Trojans were detected?
Try pinging update.microsoft.com and check what IP it returns: go to Start, type cmd.exe in the search box then press Enter. In the Command Prompt window, type ping update.microsoft.com then press Enter; it should then say:
Pinging update.microsoft.com [65.54.51.251] with 32 bytes of data:
Let us know what is in the brackets.
If you do have a Trojan installed, it is likely that it is blocking the security software from working. You may try running an online scan from one of the major antivirus companies.

David
Microsoft Answers Support Engineer
Visit our Microsoft Answers Feedback Forum and let us know what you think.
November 27th, 2010 8:27pm

Thanks so much, David. What I get is:
[65.55.13.91] with 32 bytes of data
It also showed that it "timed out" 3 times.
When I ran the suggestion on the other thread (the Windows Vista suggestion), I did a run where it showed websites with the "#" in the line. I had TONS of websites listed; this must be why it redirects. (Annoying but doesn't shut me down, I just close the window it opened.)
So it seems my ping address is incorrect. Could you help me go from here?
Thanks so much.
November 28th, 2010 10:37pm

The address varies a little so it's fine.
Are you referring to the HOSTS file?
Start > Run > notepad.exe %windir%\system32\drivers\etc\hosts
If that's what you are referring to, copy a few lines that are toward the middle of the file to us.
If there are any lines with a website URL that start with something other than 127.0.0.1, it may be the cause.
You can always try renaming the file to see if it is the cause as well. If you go to Start, Run then type %windir%\system32\drivers\etc and press OK it will open you to the folder with the hosts file; rename the file to something else then reboot your computer and test if you get the redirects.

David
Microsoft Answers Support Engineer
Visit our Microsoft Answers Feedback Forum and let us know what you think.
December 1st, 2010 6:34pm
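The check David describes above (hosts entries that map a site to something other than 127.0.0.1), written out as a small audit script. This is an added example, not code from the thread or from Microsoft; the sample hosts content is constructed (the Spybot lines quoted later in the thread plus two made-up entries using RFC 5737 documentation addresses), and the list of "sensitive" domains is an illustrative assumption.

```python
import ipaddress

# Addresses that make a hosts entry a harmless block rather than a redirect.
# Spybot-style immunization uses 127.0.0.1; other tools use 0.0.0.0 or ::1.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Names whose redirection would cut the machine off from updates or security
# vendors. Illustrative assumption, not an exhaustive list.
SENSITIVE_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "avast.com",
    "malwarebytes.org",
    "superantispyware.com",
)


def parse_hosts(text):
    """Yield (address, hostname, line_number) for each mapping in a hosts file.

    Comments (# ...) and blank lines are skipped; one address may map to
    several hostnames on the same line, as the hosts format allows.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line; nothing to audit
        address, names = fields[0], fields[1:]
        for name in names:
            yield address, name.lower(), lineno


def classify_entry(address, hostname):
    """Return 'block', 'redirect-sensitive', 'redirect' or 'malformed'."""
    try:
        ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if address in SINKHOLE_ADDRESSES:
        return "block"
    if any(hostname == s or hostname.endswith("." + s) for s in SENSITIVE_SUFFIXES):
        return "redirect-sensitive"
    return "redirect"


def audit_hosts(text):
    """Return the entries a responder should look at: anything that is not a
    plain sinkhole block, with redirects of update/AV domains listed first."""
    findings = []
    for address, hostname, lineno in parse_hosts(text):
        verdict = classify_entry(address, hostname)
        if verdict != "block":
            findings.append((lineno, verdict, address, hostname))
    # Sensitive redirects first, then the rest in file order.
    findings.sort(key=lambda f: (f[1] != "redirect-sensitive", f[0]))
    return findings


# Constructed sample: Spybot immunization lines as quoted in the thread plus
# two made-up hijack entries using documentation-only addresses (RFC 5737).
SAMPLE_HOSTS = """\
# This file was inserted by Spybot - Search & Destroy (constructed sample)
127.0.0.1 localhost
127.0.0.1 mediaactivex.com
127.0.0.1 www.mediaactivexfile.com
127.0.0.1 mediaactivexfile.com
0.0.0.0   www.mediaactivexobject.com
203.0.113.5 update.microsoft.com www.update.microsoft.com
198.51.100.9 www.example.org
"""

if __name__ == "__main__":
    for lineno, verdict, address, hostname in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {verdict:18} {address:14} {hostname}")
```

On a live XP box the file to feed in is %windir%\system32\drivers\etc\hosts, as named in the post above; only the non-block lines are printed, so a file full of 127.0.0.1 immunization entries produces no output.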

Thanks so much for your help, David. Here's what I did:
Ran the hosts file. Here's some of the lines (and there's hundreds of them, not ones I've accessed):
127.0.0.1 mediaactivex.com
127.0.0.1 www.mediaactivexfile.com
127.0.0.1 mediaactivexfile.com
127.0.0.1 www.mediaactivexobject.com
127.0.0.1 mediaactivexobject.com
127.0.0.1 www.mediaactivextask.com
127.0.0.1 mediaactivextask.com
127.0.0.1 www.mediaaxobject.com
At the beginning, it says these URLs were inserted by Spybot, something I don't have on my system anymore. Is that where these came from? I suppose that's where I got this virus. I renamed to hostsnew. Ran hosts again, nothing. Ran hostsnew and got these same URLs.
I still can't update Windows, "Internet Explorer Cannot Display Webpage". FYI, I normally use Foxfire.
And it still redirects. If it helps any, when I use Dogpile to do a search and click on the link, it redirects to one of these websites. How I get around it is to click on the lower link, copy it, open a new window, paste and go. Every now and then a new window pops up going somewhere.
Again, thank you so much for trying to help me, David. I'd just love to get my normal computer back!

Kim
December 2nd, 2010 2:03pm

Also, Malwarebytes just found 3 trojans in my file, folder and registry keys. Same name, PUP.WhiteSmoke. I quarantined them, and now when I turn on I get a dll error: c:\WINDOWS\axediqatarive.dll not found. Any relation? I find I have to shut down my system completely (sometimes a few times) in order to get Windows to load. Not just from this particular trojan, but it seems to have made it worse. THANKS again, David.
December 2nd, 2010 2:11pm

The sites added by SpyBot should be fine - 127.0.0.1 points to your computer so in nearly all cases it will block the websites listed. The real risk is if there are websites listed that point to something other than 127.0.0.1.
To clarify, do the websites get redirected when using Firefox as well?
Since you had the Trojan previously, it may have altered some settings.
Try resetting Winsock and TCP/IP; if the Trojan changed the settings here it could certainly cause this problem.
Reset Winsock: http://support.microsoft.com/kb/811259
Reset TCP/IP: http://support.microsoft.com/kb/299357

David
Microsoft Answers Support Engineer
Visit our Microsoft Answers Feedback Forum and let us know what you think.
December 4th, 2010 4:43pm

You run HijackThis and post log: http://free.antivirus.com/hijackthis/

east most peninsula is the secret
December 4th, 2010 4:45pm

To begin, I again want to thank you so much for your help on my problem. Ok - I reset the winsock and tcp/ip. However, I don't have the 10 sections it says I should have, I have 14. Then I ran hijack this and here's the log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:27:49 PM, on 12/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\sol.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P24 "EPSON Stylus Photo R1800" /O6 "USB002" /M "Stylus Photo R1800"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Nfenaxayotikap] rundll32.exe "C:\WINDOWS\axediqatarive.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1286822063578
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6063 bytes

I hope this helps to steer in the right direction to find the problem. (And sorry I couldn't get to it right away, had a time-sensitive project I had to complete). Blessings!
December 6th, 2010 8:37pm

I just saw the mish-mash that was in my reply. Seemed to ignore returns ??? Sorry!!
December 6th, 2010 8:39pm

O4 - HKLM\..\Run: [Nfenaxayotikap] rundll32.exe "C:\WINDOWS\axediqatarive.dll"
The above is where the Trojan was/is loading from.
Please open a Command Prompt by clicking Start > Run > in the Open: line type in cmd (If Run is not available press the Winkey + R at the same time and it will open). Click OK or press Enter.
At the prompt type in proxycfg
Press Enter
This is what should be showing if no proxy has been configured (malware tends to create a proxy server):
Direct access (no proxy server)
If it's showing a proxy server instead of the above, at the prompt, type in
proxycfg -d
Press Enter
That will reset to no proxy, Direct access.
Back to the prompt, type in
ipconfig /flushdns
Press Enter
You should be notified that the DNS cache has been successfully flushed. Now type in
exit
Press Enter. The Command Prompt will close.
Configure the system to Show hidden files, folders, and system files.
Open Windows Explorer (Start > (All) Programs > Accessories)
Navigate to Documents and Settings\YourUserAccountName\Start Menu\Programs\Startup <--- this subfolder
and see if the Trojan is loading some 'thing' from there.
Also check Documents and Settings\All Users\Start Menu\Programs\Startup <--- this subfolder
Move any suspicious file found in those locations to the Recycle Bin for now.
Using Internet Explorer, see if the system can be scanned here now - OneCare Safety Scanner
If it can not be scanned there, try - ESET Online Scanner

MowGreen Windows Expert IT Pro - Consumer Security
December 7th, 2010 2:24pm
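The O4 entry MowGreen singles out above is the classic Run-key persistence pattern: rundll32.exe loading a DLL with a random name from the C:\WINDOWS root rather than from system32 or Program Files. The triage script below, an added example that is not code from the thread or from Trend Micro, parses HijackThis O4 lines and flags exactly that pattern; the list of expected DLL directories is an assumption for a default Windows XP install, and the sample lines are quoted from the log in this thread.

```python
import re

# HijackThis O4 entries look like:  O4 - HKLM\..\Run: [Name] command
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<command>.*)$"
)

# rundll32 invocations: optional quotes around the DLL path, optional ",Entry".
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?(?:,(?P<entry>\S*))?',
    re.IGNORECASE,
)

# Where a startup DLL normally lives on a default Windows XP install (an
# assumption for this example). A DLL that rundll32 loads from anywhere else
# (the C:\WINDOWS root, %TEMP%, a user profile) is the pattern the thread
# identified as the Trojan's load point.
EXPECTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def parse_o4(line):
    """Return the hive, key, item name and command of an O4 line, or None."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_o4(line):
    """Return a finding dict for an O4 entry worth a responder's attention,
    or None when the entry is not a rundll32 launch from an unexpected path."""
    entry = parse_o4(line)
    if entry is None:
        return None
    m = RUNDLL_RE.match(entry["command"])
    if not m:
        return None  # not a rundll32 launch; out of scope for this check
    dll = m.group("dll").strip()
    if dll.lower().startswith(EXPECTED_DLL_DIRS):
        return None
    return {
        "name": entry["name"],
        "hive": entry["hive"],
        "dll": dll,
        "export": m.group("entry") or "(default)",
        "reason": "rundll32 loads a DLL from outside the expected directories",
    }


def triage_log(log_text):
    """Run triage_o4 over every line of a HijackThis log; return the findings."""
    findings = []
    for line in log_text.splitlines():
        f = triage_o4(line)
        if f:
            findings.append(f)
    return findings


# Constructed excerpt: O4 lines quoted from the log posted in this thread,
# including the Nfenaxayotikap entry and an ordinary rundll32 line (NvCpl)
# for contrast.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"
O4 - HKLM\\..\\Run: [Nfenaxayotikap] rundll32.exe "C:\\WINDOWS\\axediqatarive.dll",Startup
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f['hive']}] {f['name']}: {f['dll']} ({f['export']}) - {f['reason']}")
```

The check is deliberately narrow: it only covers rundll32-style loads, so entries that launch a renamed executable from the Windows root, like the sol.exe discussion later in the thread, need a separate look.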

Thanks again, Mow. The proxy showed Direct Access. I flushed the cache. Nothing at all was shown in either my Folder or the All Users folders under Startup.
The OneCare Safety Scanner told me "this version of OneCare Safety Scanner doesn't work with your Web browser or operating system".
ESET didn't find any infections.
However, I noted above on 12/2: Also, Malwarebytes just found 3 trojans in my file, folder and registry keys. Same name, PUP.WhiteSmoke. I quarantined them, and now when I turn on I get a dll error: c:\WINDOWS\axediqatarive.dll not found
Does this help narrow it down?
Thanks so much to all for your help!
December 7th, 2010 6:34pm


According to the OneCare Safety Scanner's Help File (which, BTW, is not always accurate):
Windows Live OneCare safety scanner supports:
Microsoft Windows XP all versions
Microsoft Windows 2000
Microsoft Windows Server 2003
Which browsers will Windows Live OneCare safety scanner work with? Windows Live OneCare safety scanner is compatible with Microsoft Internet Explorer 6.0 or higher, or MSN 9.2.
The .dll error is not really an error, it indicates that the file was being loaded on start up but is now missing.
Click Start > Run > type in msconfig
Press Enter or click OK.
Click the Startup tab and look for the axediqatarive.dll under the Command heading. It should be at the end of a Command, like below
rundll32.exe C:\WINDOWS\axediqatarive.dll
It may also be under Startup Item, Nfenaxayotikap, but the name is random and can change if the system is still infected.
Uncheck the box next to it if/when you locate it, then click Apply, then OK, and then click the button that will Restart the system now.
That should do away with the message on boot.
BTW, there's a current thread about pup.whitesmoke here: riddled with threats RKill and MBAM saves me again pup.whitesmoke that you should read.

MowGreen Windows Expert IT Pro - Consumer Security
December 7th, 2010 7:35pm

Thanks again. The one scan wouldn't work because I tried to open it with Foxfire. I opened IE and it allowed me to scan. Found one serious virus, "Win32/Alureon.H". I checked the boxes and am assuming it fixed it. But just now I got a new window opened and a redirect. So there's still something there. Read through the thread on whitesmoke; thankfully I didn't have all the junk that one fellow did. Probably because I restored the system right after I found a problem. If there are any suggestions on how to get rid of the redirects, I sure would appreciate it. Again, doesn't shut me down, but it definitely is annoying!
Regarding the axediqatarive.dll problem, I found it and unchecked it; I don't get the message anymore. It was part of the whitesmoke issue; SAS found the whitesmoke virus, removed it, and then I started getting the messages.
December 8th, 2010 7:57pm

Do you have all your personal data (pictures/music/software installation files, etc.) backed up? If no, then do that ASAP. The removal of Win32/Alureon.H (aka Rootkit.Win32.TDSS) can sometimes cause a system not to boot.
Before running this removal I want to be absolutely certain that you do not lose any personal data, Lukeville.
How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?
Kaspersky updated the removal tool on December 3rd in response to the latest variant of Win32/Alureon. Win32/Alureon.H is an older variant but may have been altered by whomever "authors" it.

MowGreen Windows Expert IT Pro - Consumer Security
December 9th, 2010 2:16pm

You have received some good advice here but, personally, after analyzing thousands of Hijack This log files, with all due respect, I fail to see how anyone could make heads or tails of the log you posted. The log file entries should be posted in the order they appear on the log file.
If you deleted the O4 entry below using Hijack This as instructed above by MowGreen you should not have been getting the error on start-up since the deleted entry is what calls for the file in question to be loaded.
O4 - HKLM\..\Run: [Nfenaxayotikap] rundll32.exe "C:\WINDOWS\axediqatarive.dll"
Also, Win32/Alureon.H hijacks your DNS settings. To repair this click Start > Run > type inetcpl.cpl > click OK. In the Internet Properties window click on the Advanced tab > click on the Restore Advanced settings button near the middle of the window. Save the changes then exit.
Finally, Win32/Alureon.H is designed to steal information from your computer. It is only one of many trojans within the Win32/Alureon family which have infected your computer. Removing all infections and remnants of this malware, returning your computer back to normal operation, is nearly impossible. It is much better and easier to reformat and re-install Windows if at all possible. This DOES NOT mean a repair installation. The hard drive needs to be completely wiped and formatted. This is a very very nasty malware.

I don't vote for myself; I'm not here for the points. If this post helps you, vote. Visit my forum @ http://repairbotsonline.com/
December 9th, 2010 3:32pm

HOORAY!!! I don't know which of the 2 solutions worked, but I FINALLY was able to download Windows updates. THANKS!!!!
I have an external drive and everything's backed up.
And here's another HiJack This log. I have no idea why it wouldn't format it before:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:38:04 PM, on 12/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\sol.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P24 "EPSON Stylus Photo R1800" /O6 "USB002" /M "Stylus Photo R1800"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1286822063578
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6160 bytes

Thanks again. Would you let me know if this log shows anything?
December 9th, 2010 7:40pm

First, it is frowned upon to post HijackThis log files on this forum. Second, if you backed up your data after your computer became infected, chances are very good one or more of those files are infected as well. Also, as I stated above, no one is ever infected with just one variant of Win32/Alureon. The Alureon malware isn't just a mild form of malware. It is a rootkit, which is one of the worst forms of malware.

Virus:Win32/Alureon.H is a detection for system drivers infected by members of the Win32/Alureon family. Win32/Alureon is a multi-component family of trojans involved in a broad range of subversive activities online in order to generate revenue from various sources for its controllers. Mostly, Win32/Alureon is associated with moderating affected users' activities online to the attacker's benefit. As such, the various components of this family have been used for:
- modifying affected users' search results (search hijacking)
- redirecting affected users' browsing to sites of the attacker's choice (browser hijacking)
- changing Domain Name System (DNS) settings in order to redirect users to sites of the attacker's choice without the affected user's knowledge
- downloading and executing arbitrary files, including additional components and other malware
- serving illegitimate advertising
- installing rogue security software
- banner clicking
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FAlureon.H

In other words, if the only thing detected by the scan thus far is Win32/Alureon.H, then there are other variants of the Win32/Alureon family still on the computer. One that I can see from the log file is below.

C:\WINDOWS\system32\sol.exe

sol.exe is normally related to the Windows Solitaire game. However, Solitaire does not run from the system32 folder. See the link below.
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=C%3a\WINDOWS\system32\sol.exe

Your redirects are most probably being continued by Java.

Your computer needs to be completely reformatted and Windows re-installed. If that is not an option, then you need to go through a thorough malware removal process, not just a couple of online scans. I will be happy to assist you if you'd like, but I do not analyze HJT log files on this forum and I do not deal with malware of this magnitude here either. You are welcome to post your issue on the free computer support forum at the link below. You must first create an account before you can post. This is to prevent spamming and drive-by posting. There is no fee involved whatsoever. If you choose to post the issue on the forum, do not post your HJT log until requested to do so by your helper. Simply post in the Virus/Malware section that you are infected. No further details are needed.

Free forum: Repair-Bots Online

Regards,
Joel

I don't vote for myself; I'm not here for the points. If this post helps you, vote. Visit my forum @ http://repairbotsonline.com/
December 9th, 2010 9:51pm
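Of the Alureon behaviours listed in the post above, the DNS change is the one that could also account for "can't display the page" at Windows Update while other sites load, and it is cheap to check for. The following is an added example, not code from this thread or from any of the tools mentioned in it: on Windows it reads each interface's NameServer and DhcpNameServer values from the Tcpip\Parameters\Interfaces registry key and the hosts file, flags any resolver that is outside an allowlist of networks you supply, and flags hosts-file lines that override update or AV sites. The watched-domain list, the allowlist and the sample interface/hosts data are constructed for the example.

```python
r"""Added example: look for the DNS hijacks the Alureon description mentions.

Windows keeps per-interface resolver settings under
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}:
NameServer (static; overrides DHCP when set) and DhcpNameServer. A resolver
that is neither your router nor a resolver you chose is a red flag, as is a
hosts-file line that pins an update or AV site to some other address.
"""
import ipaddress
import os
import re

# Illustrative list of names an infection typically redirects or blackholes.
WATCHED_HOSTS = {
    "windowsupdate.microsoft.com", "update.microsoft.com",
    "download.windowsupdate.com", "www.avast.com", "www.malwarebytes.org",
}

def parse_name_servers(value):
    """The registry stores the list as a space- or comma-separated string."""
    return [s for s in re.split(r"[ ,]+", (value or "").strip()) if s]

def check_resolvers(interfaces, allowed_networks):
    """interfaces: {guid: {"NameServer": str, "DhcpNameServer": str}}.
    Returns (guid, value_name, server) for every resolver outside allowed_networks."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    findings = []
    for guid, values in interfaces.items():
        for value_name in ("NameServer", "DhcpNameServer"):
            for server in parse_name_servers(values.get(value_name)):
                try:
                    ok = any(ipaddress.ip_address(server) in n for n in nets)
                except ValueError:          # not an IP literal at all: suspicious
                    ok = False
                if not ok:
                    findings.append((guid, value_name, server))
    return findings

def check_hosts_file(text):
    """Return (hostname, address) for watched names that the hosts file overrides."""
    hits = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        hits.extend((n.lower(), addr) for n in names if n.lower() in WATCHED_HOSTS)
    return hits

def read_windows_interfaces():
    """Windows only: pull NameServer/DhcpNameServer from every interface key."""
    import winreg
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        index = 0
        while True:
            try:
                guid = winreg.EnumKey(root, index)
            except OSError:
                break
            index += 1
            values = {}
            with winreg.OpenKey(root, guid) as key:
                for name in ("NameServer", "DhcpNameServer"):
                    try:
                        values[name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass
            result[guid] = values
    return result

# Constructed sample data (not from the thread): one clean interface and one
# whose static resolvers point at documentation-range addresses.
SAMPLE_INTERFACES = {
    "{1A2B3C4D-0000-0000-0000-000000000001}": {"NameServer": "", "DhcpNameServer": "192.168.1.1"},
    "{1A2B3C4D-0000-0000-0000-000000000002}": {"NameServer": "203.0.113.5,198.51.100.7",
                                               "DhcpNameServer": "192.168.1.1"},
}
SAMPLE_HOSTS = ("127.0.0.1 localhost\n"
                "# line nobody on this machine added:\n"
                "127.0.0.1 windowsupdate.microsoft.com www.avast.com\n")
HOME_NETWORKS = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]   # assumed LAN ranges

if __name__ == "__main__":
    if os.name == "nt":
        interfaces = read_windows_interfaces()
        hosts_path = os.path.join(os.environ["SystemRoot"], "system32", "drivers", "etc", "hosts")
        with open(hosts_path, encoding="utf-8", errors="replace") as fh:
            hosts = fh.read()
    else:
        interfaces, hosts = SAMPLE_INTERFACES, SAMPLE_HOSTS
    for finding in check_resolvers(interfaces, HOME_NETWORKS):
        print("resolver outside allowlist:", finding)
    for name, addr in check_hosts_file(hosts):
        print("hosts override:", name, "->", addr)
```

Put your router and your ISP's or chosen public resolvers in HOME_NETWORKS before trusting the output; a static NameServer that you did not set yourself is the thing to look for, because it silently wins over DHCP. A user-mode check like this can be lied to by an active kernel rootkit, which is why the offline scan and reinstall advice later in the thread still stands.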

C:\WINDOWS\system32\sol.exe
sol.exe is normally related to the Windows Solitaire game. However, Solitaire does not run from the system32 folder.

Although I agree with your assessment of what should be done with systems that have been rootkitted, you are wrong about Solitaire, Joel. Solitaire in Windows XP does run from the system32 subfolder. The question that remains is, why was Solitaire already loaded when the HJT scan was initiated?

Be cautious of what you've backed up, Lukeville. Joel is correct that backed-up data from a compromised system can contain malware. Before restoring your data it's best to scan it to ensure nothing is hidden in it.

Now that you've gained enough control of the system so that it can update, it would be best to scan it when the hard drive is not active, using a Rescue CD offered by Kaspersky. Or, format and reinstall Windows XP. Those are the only 2 choices that you have if you ever want to be able to trust the system again.

Kaspersky Rescue Disk 10

MowGreen Windows Expert IT Pro - Consumer Security
December 12th, 2010 2:06pm
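MowGreen's open question, why sol.exe was loaded at all, is a good moment for the check a practitioner would run next: is the sol.exe in system32 really the one Windows shipped? This is an added example, not code from the thread or from Microsoft. On Windows XP, Windows File Protection keeps a pristine copy of protected system files under %SystemRoot%\system32\dllcache, so hashing the live binary against that copy is a quick user-mode sanity check. The fake %SystemRoot% tree the block builds is constructed for the demonstration; on a real machine it reads the real SystemRoot.

```python
r"""Added example: is system32\sol.exe really the file Windows shipped?

On Windows XP, Windows File Protection keeps a pristine copy of each protected
system file under %SystemRoot%\system32\dllcache. Hashing the live binary
against that copy is a cheap user-mode sanity check for a system file that
turns up in the wrong place, or running when nothing should have started it.
"""
import hashlib
import os
import tempfile

def sha256_of(path):
    """Stream the file through SHA-256 rather than reading it whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_against_dllcache(system_root, name):
    """Compare system32\\<name> with its WFP copy.
    Returns 'match', 'mismatch', 'no-cache-copy' or 'missing'."""
    live = os.path.join(system_root, "system32", name)
    cached = os.path.join(system_root, "system32", "dllcache", name)
    if not os.path.isfile(live):
        return "missing"
    if not os.path.isfile(cached):
        return "no-cache-copy"
    return "match" if sha256_of(live) == sha256_of(cached) else "mismatch"

def audit(system_root, names):
    """Run the check for several protected files at once."""
    return {name: check_against_dllcache(system_root, name) for name in names}

def build_demo_root():
    """Constructed stand-in for %SystemRoot% so the check runs on any OS.
    File contents are placeholders, not real executables."""
    root = tempfile.mkdtemp(prefix="fake_systemroot_")
    os.makedirs(os.path.join(root, "system32", "dllcache"))
    samples = {
        ("system32", "sol.exe"):              b"MZ genuine solitaire",
        ("system32", "dllcache", "sol.exe"):  b"MZ genuine solitaire",
        ("system32", "calc.exe"):             b"MZ patched calc",
        ("system32", "dllcache", "calc.exe"): b"MZ genuine calc",
        ("system32", "svchost.exe"):          b"MZ no cached copy",
    }
    for parts, data in samples.items():
        with open(os.path.join(root, *parts), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    root = os.environ["SystemRoot"] if os.name == "nt" else build_demo_root()
    for name, status in audit(root, ["sol.exe", "calc.exe", "svchost.exe"]).items():
        print(f"{name:12s} {status}")
```

A 'mismatch' on a file WFP is supposed to guard is worth a sample submission; 'no-cache-copy' is normal for files WFP does not protect. The check shares the limitation of every scan run from inside the infected system: a kernel rootkit can hide or patch either copy, which is exactly why the advice above is to scan with the hard drive inactive or reinstall.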

Although I agree with your assessment of what should be done with systems that have been rootkitted, you are wrong about Solitaire, Joel. Solitaire in Windows XP does run from the system32 subfolder. The question that remains is, why was Solitaire already loaded when the HJT scan was initiated?

I stand corrected. I was thinking it ran from Program Files but that wouldn't make any sense. Nevertheless, I believe in this case it is related to malware.

I don't vote for myself; I'm not here for the points. If this post helps you, vote. Visit my forum @ http://repairbotsonline.com/
December 12th, 2010 7:02pm

Thanks again for your assistance.

I downloaded the Kaspersky scan to a CD. But I've tried everything to get it to load from the CD with no success. When I restart, I hit the Escape key as soon as I get the black screen. It takes me to a list of 4 items. I moved the CD-ROM to the top of the list with the hard drive following it. I keep restarting my CD, but it just keeps loading regularly.

Could you offer any suggestions? I've been trying to get it to work for a couple of hours!!

Thanks,
Luke
December 14th, 2010 6:25pm

I'm not clear on what you mean by "When I restart, I hit the Escape key as soon as I get the black screen".

Who manufactured the computer, Luke? If it was made by an OEM (Dell, HP, etc.), then I suggest you either consult their web site or the manual that came with the system to see how to configure the boot options to start from the CD player first. Usually, right before Windows starts to load, a screen comes up with the key combinations needed to access the Boot Configuration or Setup. Sometimes they're at the top right of the screen, sometimes in another location on the screen.

When you've set the CD to the first item in the Boot Configuration you need to save the changes before exiting the Setup screen. Then, when you restart, the CD must be in the CD drive so that it's loaded prior to the hard drive loading Windows.

MowGreen Windows Expert IT Pro - Consumer Security
December 15th, 2010 12:28pm

I have an HP Pavilion zv5000. When I go to Start / Shut Down, I change it to Restart. After it shuts down and right as it starts back up again, there's a black screen that has "HP" on it, and it's where I hit F8 several times really fast to change to Safe Mode. One of the messages on this screen is "Hit Escape for Boot Configuration". I did so, and moved the CD to the top of the list. (It had the hard drive as the first choice, CD as 2nd. It also has a Floppy choice (no older floppy drive though), and I think Network is the 4th choice for start-up.) I also hit F10 and went to a safe mode screen where I again changed and applied/saved my boot to go to a CD first. But still nothing. I can hear the CD running, but it doesn't come up.

I'll try checking out HP to see what I can find out. Thanks so much again! I feel like we're almost there!
December 15th, 2010 2:40pm

I just verified that what I did was correct:
http://h10025.www1.hp.com/ewfrf/wc/document?docname=c00750524&cc=us&lc=en&dlc=en&product=385148&tmp_track_link=ot_search

If the factory boot order has been changed in the BIOS, power on the notebook PC and depress F10 when prompted upon initial boot up. If the factory boot order has not been changed, proceed to step 4.
Access the "Advanced" menu.
Change the boot order so that the "Optical" or "CD" drive is listed before the hard drive. Example: Optical / CD = First, Hard Drive = Second
Press the F10 key to "Save Changes".
Toggle to the "File" menu and select "Save Changes and Exit".
Insert the Windows CD or DVD into the optical disk drive. Restart the notebook PC.
Press any key at the prompt "Press any key to boot from the CD".

However, when I hit F10 it says "Save and Exit"; this shows 2 separate steps. I never get the prompt; it just starts up Windows. And I can't run it from my Start menu? It has to run before Windows loads, correct?

Thanks again!
December 15th, 2010 3:10pm

There is no way to access the BIOS when pressing F8. HP's instructions for accessing the BIOS are not easy to find. But, I did find this:

1. Press the power button to start the computer and immediately press F10 to access the BIOS setup panel.
NOTE: Different models may prompt you to press a different key, such as F1, F2, or Esc, to access the BIOS setup.

Try the different keys suggested if pressing F10 doesn't allow you to access the Advanced menu, Luke.

MowGreen Windows Expert IT Pro - Consumer Security
December 16th, 2010 12:58pm

Thanks, Mow; sorry if I wasn't more clear -- I did access the BIOS and changed it to boot from the CD, but it wouldn't. Something the virus changed? This time I went in and disabled the hard drive, hoping it would read the CD. I had the following lines:

Intel UNDI, PXE-2.0 (build 082)
Copyright (c) 1997-2000 Intel Corporation
For Realtek RTL8139(x)/8130/810X PCI Fast Ethernet Controller V2.13 (020326)
CLIENT MAC ADDR: (Don't know if I should post)
CLIENT IP: (Don't know if I should post)
MASK: (Post?)
DHCP IP: (Post?)
GATEWAY IP: (Post?)
PXE-E32: TFTP open timeout

Now I'm wondering if my CD copied correctly. Could you tell from this?

THANKS SO MUCH for your persistence!!!
Luke
December 16th, 2010 2:20pm

I may be wrong but it sounds to me like the disc isn't bootable. I did not see where the instructions from Kaspersky informed you on how to make the disc bootable. What software did you use to burn the ISO image? Downloading the file and placing it on a CD/DVD is not enough. In order to make the disc bootable, the ISO image must be burned using ISO image burning software. ImgBurn or CDBurnerXP are the two I choose, and both are free.

Alternatively, if you are unable to get the disc to boot, you can uninstall your current anti-virus software and install Avast 5.0 Free Version. Once installed and updated, schedule a boot-time scan. Restart the computer and allow the scan to complete, choosing first to repair the detected file or placing the file in the virus chest if Avast is unable to perform the repair.

Avast Free Antivirus - Free software downloads and software reviews - CNET Download.com
http://i67.servimg.com/u/f67/15/17/80/12/avast_10.jpg <<<--- How to schedule a boot-time scan with Avast.
http://download.cnet.com/ImgBurn/3000-2646_4-10847481.html <<< ImgBurn Free Download

The video tutorial on the link below demonstrates how to burn an ISO file using ImgBurn. It's very simple.
http://www.youtube.com/watch?v=AVZMvGZjOWA&feature=related

I don't vote for myself; I'm not here for the points. If this post helps you, vote. Visit my forum @ http://repairbotsonline.com/
December 16th, 2010 7:31pm

When the ISO is burned correctly to a CD, the files necessary to boot from it are already included. One can even have it 'burned' to an external USB hard drive using Kaspersky's rescue2usb.exe.

Luke, Joel may be on to something here. Suggest you insert the CD into the tray while the system is booted up and then check the CD's contents.

It should be showing these folders: bases, help, isolinux
And these files: BASES.ID, image.squashfs, IMPORTANT LEGAL NOTICE, livecd, README.txt, VERSION

MowGreen Windows Expert IT Pro - Consumer Security
December 17th, 2010 12:38pm

I have Avast and always do a boot scan.

I can't see the files other than the file name on the CD; it's kav_rescue_10 and it's an ISO file. If I click for more, I'm asked to go online to find a compatible program.

The other 2 links were GREAT. However, the only CDs I have are 700 MB, not a choice on ImgBurn. I did try, however, using 1.44 as a choice. The error I got was "Boot image file (Win98_SE.img) size is 1,474,560 bytes. Expected size: 1,228,800 bytes. Boot image is wrong size for selected boot type". I'm assuming it's my CD size (?) If so, I'll have to delay until next week to get CDs; we're very rural and are planning on a 2 hour trip out next week.

Could I have your opinions?

Thanks again!
December 18th, 2010 5:56pm

I have Avast and always do a boot scan. I can't see the files other than the file name on the CD; it's kav_rescue_10 and it's an ISO file. If I click for more, I'm asked to go online to find a compatible program. The other 2 links were GREAT. However, the only CDs I have are 700 MB, not a choice on ImgBurn. I did try, however, using 1.44 as a choice. The error I got was "Boot image file (Win98_SE.img) size is 1,474,560 bytes. Expected size: 1,228,800 bytes. Boot image is wrong size for selected boot type". I'm assuming it's my CD size (?) If so, I'll have to delay until next week to get CDs; we're very rural and are planning on a 2 hour trip out next week. Could I have your opinions? Thanks again!

The files MowGreen refers to on the disc are as demonstrated in the image below. Insert the disc into your CD-ROM device. Open My Computer and locate the CD-ROM device. Right-click on the device and choose Explore. You should see all the files.
http://img232.imageshack.us/i/kaperskyrescuedisc.jpg/

I am uncertain as to what you are referring to in your last statement. The ISO file for Kaspersky is 199 MB. It will fit on a regular CD. The video below will show you how to burn the ISO to a disc.
http://www.youtube.com/watch?v=mime42kGoc8

I don't vote for myself; I'm not here for the points. If this post helps you, vote. Visit my forum @ http://repairbotsonline.com/
December 18th, 2010 8:19pm

OK!! I finally got the Kaspersky disc copied and ran it. It did find a few things; some it recommended deleting, some quarantining. Only one said I had to skip it:

Virus: HEUR:Exploit.Script.Generic
Could not move to quarantine; write not supported.

Any suggestions on getting rid of this last one?

THANKS, and I hope you had a Merry Christmas and here's to a great 2011!
Luke
December 30th, 2010 7:11pm

Luke,

Glad to hear you got the Kaspersky Rescue CD to scan the system. Strongly suggest that you make sure Avast has its latest definitions and that you do another full scan of the system in Safe Mode - A description of the Safe Mode options in Windows XP

Without knowing the name of the file that was skipped it's difficult to say if it's malicious or not. HEUR:Exploit.Script.Generic is a heuristic detection for suspicious scripts embedded in websites or script files. For all I know, since the system was not running from the hard drive, the script may be a legitimate component of one of the installed softwares. If it was malware that was protecting itself while the hard drive was not active, then we definitely need a copy of it.

MowGreen Windows Expert IT Pro - Consumer Security
December 31st, 2010 9:02am

As always, thanks Mow.

I did some researching online, and although all sources say it can't definitely be a virus, it most probably is. I have run Avast in Safe Mode in the past and will now do it again. I will also send a copy of it to Kaspersky (suggested in one of the articles). Where would you want a copy of it sent?

Going to do the 2 tasks now. I'll check in later.

Happy New Year!
December 31st, 2010 1:58pm

For one, submit it to Microsoft - Submit a sample
For the Product, put Other. The Support Number is not required.

Two, compress the file to the .zip format and create the password to the .zip folder. The password must be: infected
You can use 7-Zip to compress and set the password for the .zip folder. Then send an email with the .zip attached to [Email removed for privacy]. The above email address is in contact with all of the major AV vendors and analysts who will analyze the sample.

And, you can have the file scanned online here - VirusTotal
There are plenty of AV vendors' scanners on VirusTotal, and unknown files scanned there that are found to be malicious are added to their detection databases.

MowGreen Windows Expert IT Pro - Consumer Security
December 31st, 2010 3:27pm

OK Mow, you're conversing with a virgin for most of these actions (as though you didn't know that by now...).

The weird thing is that I saved all 4 files found (1 deleted, 2 quarantined and the one I had to skip) on my D: disk as text files (save as "D:\Quarantine 1", "D:\Skipped 1", etc.). Yet I can't find them. I just searched by date created, then added a search for text files. Nothing found (yet I did see them on the Kaspersky list, so I know they're there). I'll try saving them to my C: drive next. (Just searched through the Kaspersky files and folders on drive C, couldn't find them there either.) Suggestions on saving?

I downloaded the program to compress files; I'm guessing when I get to that point there will be some type of option as to the file to save as, and look for a ".zip" extension. (?)

I was a little confused on the password; it looks like you're telling me if the file is infected, the password would definitely be "infected" (?) And since the "above email address" which is removed for privacy that you referenced: please confirm that you mean the MS submission URL you sent me. (?)

Thanks. I think I need to wait on a response from you as to how I can locate the files I saved.

Or you can take the evening off! Happy New Year!!
December 31st, 2010 5:07pm


Or you can take the evening off! Happy New Year!!

Great suggestion. Since I've been watching the Marx Brothers all night long, all I can say is... "Hail, hail Freedonia, land of the brave and free!"

MowGreen Windows Expert IT Pro - Consumer Security
January 1st, 2011 3:46am

We must have the same sense of humor. I could watch those 20 people falling out of the cabin door over and over again and love every minute of it.
January 1st, 2011 12:41pm

The people falling out of the cabin scene was in "A Night at the Opera". That was on right after "Duck Soup", which was supposed to be in Freedonia. <g>

This article will show you how to save the scan report to a file - How to create a report file in Kaspersky Rescue Disk 10?

Please bear in mind that the computer was booted from the Rescue CD and that nothing was written to the C:\ drive, the drive that the computer usually boots from but, in this situation, was inactive when it was scanned from the CD. The definition files for the CD that were downloaded were loaded into memory, not written anywhere. The files that were quarantined/deleted were never saved to any location on C:\; they were deleted from it.

So, the question is... what was the D:\ drive that you saved the files to? I have a feeling it was the actual CD drive, not the C:\ drive of the computer.

The MS link to submit the file is correct, but I'm not so sure we have a file to send them. The email address I posted is still visible to me but... I'm not so sure we're allowed to post email addresses here, and the forum software may have hidden it. Let's not be concerned with the above; we can work that out later if we get a sample of the suspect file.

Did Avast find anything when you scanned the system while in Safe Mode?

MowGreen Windows Expert IT Pro - Consumer Security
January 3rd, 2011 12:59pm

No, Avast didn't find anything. However, the first time I brought it up in Safe Mode, it was without Networking, and I had an alert that my system was unprotected. I believe I've done this before and didn't get that message. The next day the program was updated, so I ran it again, this time in Safe Mode with Networking. Still got that message.
January 3rd, 2011 7:16pm

Now I remember why I get frustrated here -- when I hit Reply on the above post, I get a new screen. When I submit the post, it removes all returns. Can't edit and fix. This time it simply opened a post box at the bottom and it formats fine. Ugh!

Yes, I do have Kaspersky files on my C drive (D is my CD drive). When I open Windows Explorer, C, I have a folder for Kaspersky Rescue Disk 10.0; it shows 5 folders and 2 documents within it. However, I saved and renamed the files it found on my D (CD) drive. They showed on the Kaspersky list (running from the CD). Again, I couldn't find them later.

On my C drive, one Kaspersky folder is a Report folder. Within that folder are several more folders numbered 1-8, and some files that are .dat, .idx and .rpt. Perhaps these could be zipped. (?)

Your post shows to me: "Then send an email with the .zip attached to Email removed for privacy."

Thanks for your time. Yes, I knew it was Night at the Opera, but I thought that was the Freedonia one also. Your Marx trivia is better than mine!
January 3rd, 2011 7:29pm

As to Avast giving you that message in Safe Mode... it means that some components of it can not run in Safe Mode. It's nothing to be concerned over unless Avast is unable to scan the system and you get that message when the system is running in normal Windows mode.

As to the forums' usability and convenience to the user... no comment. <w>

Finally, don't worry about emailing the various files in the Report folder. There are no actual suspected files in there, only logs. Suggest you try to open a .rpt file using Notepad. Heck, you can try to view all of them in Notepad, but I'm not sure their formatting will be viewable. Give it a shot, Luke. If you find anything interesting, namely what was detected, quarantined, deleted, or could not be deleted, please post the content of the file.

BTW, suggest you ensure SAS is fully up to date and that you do another scan of the system with it.

Are any of the symptoms still present that were in your initial post?

MowGreen Windows Expert IT Pro - Consumer Security
January 4th, 2011 9:17am

Well, here's the file "detected.rpt" from the Kaspersky files on my C drive (again, I still couldn't find the .txt files I saved on my D drive):

[binary .rpt contents; the readable entries in the pasted dump are:]
C:/Documents and Settings/NetworkService/Local Settings/Temporary Internet Files/Content.IE5/JAEYX01A/sgapgh[1].htm - HEUR:Exploit.Script.Generic
C:/Documents and Settings/NetworkService/Local Settings/Temporary Internet Files/Content.IE5/JAEYX01A/sgapgh[1].htm//JIM - HEUR:Exploit.Script.Generic
C:/System Volume Information/_restore{BF77AB7F-AC17-463A-ADFD-A92FF8D00C76}/RP3/A0006819.dll - Packed.Win32.Krap.hc
C:/WINDOWS/system32/12543.js - HEUR:Exploit.Script.Generic
C:/WINDOWS/system32/123.js - HEUR:Exploit.Script.Generic

I figured I'd wait to see if this means anything to you before copying another one (there's a report.rpt file also). It shows the HEUR file (which was the only one it said it couldn't quarantine or delete because it couldn't read it). The other files in IE5 must have been the others.

I try to run Avast, SAS and MB daily.

No, my system's definitely improved. I finally got MS updates, don't get pop-ups and redirects, and don't have a problem booting anymore.

Please let me know if this helps. And, again, THANK YOU for your support!
January 6th, 2011 2:54pm
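The report Luke pasted is a binary Kaspersky .rpt, which is why Notepad shows it as noise: the useful parts are the object paths and detection names sitting between binary fields. The following is an added example, not code from the thread and not Kaspersky's own tooling. It carves printable ASCII runs from such a file, the way the Unix strings tool does, and pairs each detection name with the path that precedes it. The file format is not documented on this page, so that pairing rule is an assumption taken from the visible dump, and the sample bytes are constructed to mimic it rather than copied from the real file.

```python
"""Added example: recover the readable entries from a binary Kaspersky .rpt file.

The report is not text; paths and detection names sit between binary fields.
Carving printable runs and pairing each detection name with the path that
precedes it is enough to get a usable list. The pairing rule is an assumption
taken from the visible dump, not from a documented format.
"""
import re
from collections import OrderedDict

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")        # ASCII runs of 6+ chars
WIN_PATH = re.compile(r"[A-Za-z]:[\\/].+")             # C:/... or C:\...
# Kaspersky-style names: Packed.Win32.Krap.hc, HEUR:Exploit.Script.Generic
DETECTION = re.compile(r"(?:HEUR:)?[A-Z][A-Za-z0-9-]*(?:\.[A-Za-z0-9-]+){2,}")

def carve_strings(data):
    """Return printable ASCII runs in file order (like the Unix `strings` tool)."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]

def extract_detections(data):
    """Return unique (path, detection_name) pairs in order of first appearance.

    Length-prefix bytes that happen to be printable (the '0', '8', ':' seen in
    the dump) are skipped by searching inside each run instead of matching whole.
    """
    pairs = OrderedDict()
    current_path = None
    for run in carve_strings(data):
        path = WIN_PATH.search(run)
        if path:
            current_path = path.group().rstrip()
            continue
        name = DETECTION.search(run)
        if name and current_path:
            pairs.setdefault((current_path, name.group()), True)
    return list(pairs)

def summarize(pairs):
    """Group paths by detection name."""
    by_name = {}
    for path, name in pairs:
        by_name.setdefault(name, []).append(path)
    return by_name

# Constructed sample mimicking the dump in the thread (the binary bytes are
# invented); 123.js appears twice because the real report lists two scan passes.
SAMPLE_RPT = (
    b"RPD2\x00\x00%\x00\x00P\x00\xf9\x92\xbf\xfa"
    b"\x89\x30" b"hC:/Documents and Settings/NetworkService/Local Settings/"
    b"Temporary Internet Files/Content.IE5/JAEYX01A/sgapgh[1].htm"
    b"\x00\x89\x30" b"8HEUR:Exploit.Script.Generic" b"\x00\x84\xe8\xf2\xd4"
    b"\x89\x30" b":C:/System Volume Information/_restore{BF77AB7F-AC17-463A-ADFD-A92FF8D00C76}/RP3/A0006819.dll"
    b"\x00\x89\x30" b"*Packed.Win32.Krap.hc" b"\x00\x84\xe8"
    b"\x89\x30" b":C:/WINDOWS/system32/12543.js" b"\x00\x89\x30" b"8HEUR:Exploit.Script.Generic" b"\x00"
    b"\x89\x30" b"6C:/WINDOWS/system32/123.js" b"\x00\x89\x30" b"8HEUR:Exploit.Script.Generic" b"\x00"
    b"\x89\x30" b"6C:/WINDOWS/system32/123.js" b"\x00\x89\x30" b"8HEUR:Exploit.Script.Generic" b"\x00"
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RPT
    for name, paths in summarize(extract_detections(data)).items():
        print(name)
        for p in paths:
            print("   ", p)
```

Run it with the path to detected.rpt as the argument on the real file; with no argument it works on the constructed sample. The output is what the forum actually needed from that post: which files were hit, and which of them live outside the browser cache and restore points.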

Now this is interesting. I have to wonder if this virus is still morphing --

I ran an Avast boot scan. At 4% scanned, it noted that a file in a TIF folder (. . . TIF\Content IE5\7ZB9WJLI\scnAvavbase19500000[1].cab|>mpavbase.vdm): "Error 42127 - CAB archive is corrupted". So I escaped out of the scan, went into the TIF folder noted, but the file wasn't there. I still deleted everything inside the TIF folder. In addition, I used the Eusing Registry Cleaner and cleaned out any unnecessary files. I then started another Avast boot scan. I still got the same message about the same file.

Is this still hiding/changing?

Thanks for any info.
January 8th, 2011 6:16pm

mpavbase.vdm is the base signature set of antimalware definitions for Windows Defender, the OneCare scanner, or Microsoft Security Essentials.

Suggest you set Internet Explorer to delete its cache (TIF) each time it closes. With Internet Explorer closed, open Internet Options in Control Panel. Click the Advanced tab. Scroll almost to the bottom until you get to Security. Place a check mark next to 'Empty Temporary Internet Files folder when browser is closed'. Click Apply. Now click the General tab. For IE 8, click the Delete button under Browsing history (in IE6 click the Delete button under Temporary Internet Files). Make sure that Temporary Internet files is checked in IE8, then click the Delete button. Click OK to close Internet Properties.

Be very careful using a registry cleaner. Eusing backs up all the registry changes it makes, so learn how to restore them before any critical issue arises, such as being unable to uninstall or update a program/application.

Also, while the system is running well, now would be a good time to turn off/turn on System Restore to purge all restore points, as some still contain infected files - How to turn off and turn on System Restore in Windows XP

After you've done that, manually create a restore point - How to set a system restore point in Windows XP

You should be good to go now, Luke.

MowGreen Windows Expert IT Pro - Consumer Security
January 9th, 2011 2:07pm

I use Firefox (heard it was more secure than IE); there's no option to delete the TIF, only how many mb you allow for your cache.I make restore points (before and after) when cleaning registries.I still would like to know how Avast can find a corrupted file, and it won't show when I search for it (I always ask it to show hidden files and folders, so that's not it). I've seen this before, gone in, and deleted it. So I have to wonder if it's connected to the virus.Could you tell anything from the Kaspersky report? I think I should be concerned since the virus is still showing and Kaspersky can't delete or quarantine it.Thanks for your suggestions.
January 9th, 2011 4:44pm

"Lukeville" wrote:
I use Firefox (heard it was more secure than IE); there's no option to delete the TIF, only how many MB you allow for your cache. I make restore points (before and after) when cleaning registries. I still would like to know how Avast can find a corrupted file, and it won't show when I search for it (I always ask it to show hidden files and folders, so that's not it). I've seen this before, gone in, and deleted it. So I have to wonder if it's connected to the virus. Could you tell anything from the Kaspersky report? I think I should be concerned since the virus is still showing and Kaspersky can't delete or quarantine it. Thanks for your suggestions.

The latest release of Mozilla Firefox (v.3.6.13) does include an option to clear Offline storage. You will find it under Tools / Advanced.

Alternatively, you could install CCleaner. Amongst its many options, CCleaner allows you to delete data from Internet Explorer, Mozilla Firefox, and Opera. It also permits selective deletion/retention of cookies.
January 9th, 2011 5:06pm

You can clear the cache, but you can't automatically clear it when you close your Firefox browser. Thanks for trying.
January 9th, 2011 10:35pm


"Lukeville" wrote:
You can clear the cache, but you can't automatically clear it when you close your Firefox browser. Thanks for trying.

Agreed. However, Options / Advanced does allow you to set a maximum size for the cache. Setting the maximum size to zero might have the same effect as clearing the cache at the end of every browsing session. However, I haven't tried this, so I don't know whether disabling the cache would have an adverse effect upon the functionality of Mozilla Firefox.
January 10th, 2011 10:32am

Firefox's cache can be automatically cleared on exit. Please see - Automatically clear the cache

The infection is no longer active or you'd be seeing the same symptoms as you did before. What you're now seeing is left-over remnants of the rootkit that can not be removed due to permissions issues.

To delete the 2 files remaining in WINDOWS\system32, you will need to use Avenger as described in this thread -
http://forums.majorgeeks.com/showpost.php?p=1574668&postcount=13

In your situation, you need to copy the below and "paste it into the Input script here: part of the window":
C:\WINDOWS\system32\123.js
C:\WINDOWS\system32\12543.js

However, these forums do not specialize in malware removal and final cleanup of an infected system. Suggest you either post to a reputable anti-malware forum for the final clean up steps or format and reinstall XP. The latter method is the only way to be 100% certain that everything related to the compromise is no longer present on the system.

If you choose the former, here's a list of some reputable anti-malware forums -
Atribune.org
BleepingComputer
DSL Reports
Geeks to Go
MajorGeeks
MalwareBytes
MalWare Removal
Safer-Networking
SpywareHammer
Spyware Warrior
Tech Support Guy
The Spykiller

MowGreen Windows Expert IT Pro - Consumer Security
January 10th, 2011 2:17pm
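The Avenger step above works on the same principle as a facility Windows itself exposes: files that cannot be removed while Windows is running can be queued for deletion before user mode is up. The following is an added example, not the Avenger script and not code from the thread. It uses the documented MoveFileExW call with MOVEFILE_DELAY_UNTIL_REBOOT, which appends to HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, and includes encode/decode helpers for that value's layout so you can confirm in regedit exactly what was queued before rebooting. The two paths are the ones from the Kaspersky report; the call needs an administrator account, and the `--apply` switch is this example's own convention.

```python
r"""Added example: queue leftover files for deletion before Windows is fully up.

Session Manager (smss.exe) processes the REG_MULTI_SZ value
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
early in boot, before user-mode services run. It holds (source, destination)
pairs in NT path form (\??\C:\...); an empty destination means "delete".
MoveFileExW(..., MOVEFILE_DELAY_UNTIL_REBOOT) is the documented way to append
to it, so nothing here edits the registry by hand.
"""
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x00000004
NT_PREFIX = "\\??\\"

# The two files the Kaspersky report above could not remove (paths from the thread).
LEFTOVER_FILES = [
    r"C:\WINDOWS\system32\123.js",
    r"C:\WINDOWS\system32\12543.js",
]

def to_nt_path(path):
    """Win32 path -> NT object-namespace path, as stored in the registry value."""
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path

def encode_pending_operations(pairs):
    """Serialize (source, destination-or-None) pairs the way REG_MULTI_SZ stores
    them: every string NUL-terminated, list terminated by one more NUL, UTF-16LE.
    Delete entries carry an empty destination string."""
    strings = []
    for src, dst in pairs:
        strings.append(to_nt_path(src))
        strings.append(to_nt_path(dst) if dst else "")
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")

def decode_pending_operations(blob):
    """Inverse of encode_pending_operations: [(source, destination), ...].
    Python's winreg stops parsing a REG_MULTI_SZ at the first empty string, so
    it truncates this value at the first delete entry; decode the raw bytes instead."""
    text = blob.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("not a REG_MULTI_SZ blob")
    items = text[:-1].split("\0")[:-1]      # drop list terminator, then per-string NULs
    if len(items) % 2:
        raise ValueError("odd number of strings; value is corrupt")
    return list(zip(items[0::2], items[1::2]))

def planned_entries(paths):
    """The (source, '') pairs that scheduling these deletions will append."""
    return decode_pending_operations(encode_pending_operations([(p, None) for p in paths]))

def schedule_delete_on_reboot(path):
    """Windows only; requires an administrator token (the value lives under HKLM)."""
    if sys.platform != "win32":
        raise RuntimeError("MoveFileExW is only available on Windows")
    import ctypes
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = (ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32)
    kernel32.MoveFileExW.restype = ctypes.c_int
    if not kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())

if __name__ == "__main__":
    for src, dst in planned_entries(LEFTOVER_FILES):
        print(src, "->", dst if dst else "(delete at next boot)")
    if sys.platform == "win32" and "--apply" in sys.argv:
        for p in LEFTOVER_FILES:
            schedule_delete_on_reboot(p)
        print("queued; verify the value in regedit, then reboot")
```

This covers files that are locked or in use while Windows runs. If the ACL on a leftover explicitly denies SYSTEM, take ownership and reset the ACL first (cacls on XP), or the boot-time delete fails too. And if a kernel rootkit is still active it can intercept the operation, which is why a scan with the hard drive inactive or a reinstall remains the definitive answer, as the post says.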

However, these forums do not specialize in malware removal and final cleanup of an infected system. Suggest you either post to a reputable anti-malware forum for the final clean up steps or format and reinstall XP. The latter method is the only way to be 100% certain that everything related to the compromise is no longer present on the system.

Excellent recommendation. Your reasoning is precisely why I made the same recommendation many posts back on Dec. 10th. This is not the forum to deal with malware.

I don't vote for myself; I'm not here for the points. If this post helps you, vote. Visit my forum @ http://repairbotsonline.com/
January 10th, 2011 5:26pm

