Sirius
Not mine, hers. I'm not sure why. She has Free AVG... I guess it's not the
best. And with AVG she had no good firewall..
Thank you, Jose. I did a scan in safe mode with Dr Web CureIt and
quarantined everything it found.
I was able to run a safe mode scan with mbam older version.
I can not get the new version of mbam to work.
Keep getting the "mbam error expanding variables 0 9".
Every scan takes a very long time because there is a lot.
Now I am doing Avast boot time scanner. I'll post back with what you
suggested when finished.
Thanks again.
If I were you, I would stop "trying" things. You can try things all
day long and it doesn't seem to be working very well.
Did booting in Safe Mode help you at all? Describe what you learned
from that exercise and what you will do next.
You need to have some known starting point so get there and then work
on the issues. Nothing you describe sounds too terrible, but some of
the ideas to get your system working are way overboard - but, you can
do what you want of course.
You should stop messing with msconfig, turning things off and on,
don't worry about extracting just registry files from a restore point,
etc. If SR is missing or broken, no problem - we can fix it later
but first you need to get stabilized.
If your system boots and can get on the Internet, you don't need to
slave it in another machine - fix it where it is.
To eliminate questions and guessing, please provide additional
information about your system.
Click Start, Run and in the box enter:
msinfo32
Click OK, and when the System Summary info appears, click Edit, Select
All, Copy and then paste the information back here.
There will be some personal information (like System Name and User
Name), and whatever appears to be private information to you, just
delete it from the pasted information.
Perform some scans for malicious software, then fix any remaining
issues:
Download, install, update and do a full scan with these free malware
detection programs:
Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware: (SAS): http://www.superantispyware.com/
They can be uninstalled later if desired.
George said: Have you tried UNCHECKING it, rebooting, then CHECKING it and rebooting
again? May not do anything but you won't lose anything by trying.
Thank you, Jose.
I sincerely hope there is nothing seriously wrong with this system.
My friend had only AVG on it for protection. It did not protect her well,
obviously.
Dr Web is a portable scanner which I ran from a flash drive.
I did a scan with mbam older version but the definitions were not up to
date. The update was trying to install the new version.
The definition was from 6-09.
I was doing a clean start with the help of msconfig is what I meant,
hoping that would make mbam work.
Then I discovered that some checkmarks kept coming back in the startup tab,
namely:
ntuser.dat, ntuser.dat.LOG, ntuser.ini, and ~ (tilde file).
Which I found very strange, never seen it before on other pc startup.
I've decided to run a health test on the hardware next. If the hard drive is
dying, that could cause data corruptions.
MBAM does not recommend running in Safe Mode.
There was some issue on certain systems (especially with other
scanning tools installed) reporting the error like you describe with
MBAM 1.46.
It does not indicate a seriously compromised system. It indicates a
system that had had a bunch of other stuff run on it that can't tell a
legitimate file from a bad file (Avast!, Dr. Web CureIt!) and then the
system had been tampered with by the user (self inflicted wounds).
If you have MBAM 1.46:
Uninstall MBAM from Add/Remove Programs
Reboot
Download and run mbam-clean.exe from here:
http://www.malwarebytes.org/mbam-clean.exe
Reboot again.
Go back to malwarebytes.org and download version 1.45.
Install and do a full scan with MBAM 1.45
Sadly, I don't know what you mean about "doing things" to files in
your msconfig....
Your msinfo32 information looks fine to me.
Sirius said: I have error messages when I try to start mbam "mbam error expanding
variables 0 9".
I don't see a "save to text file" in ccleaner for the startup, only for the
installed programs.
Sirius said: Jose, here it is:
Yes HKCU:Run ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
Yes HKCU:Run swg "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
No HKCU:Run ctfmon C:\WINDOWS\system32\ctfmon.exe
No HKCU:Run DesktopWeather "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
No HKCU:Run notifyapp C:\Documents and Settings\Owner\Application Data\Jenkat\Jenkat Games Arcade\notifyapp.exe
No HKCU:Run NBJ "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
No HKCU:Run smileycons C:\Program Files\Smileycons\smileycons.exe
No HKCU:Run SUPERAntiSpyware C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
No HKCU:Run GoogleToolbarNotifier "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
No HKCU:Run wweb32
Yes HKLM:Run MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
Yes HKLM:Run avast5 C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
No HKLM:Run AdobeARM "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
No HKLM:Run Reader_sl "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
No HKLM:Run avgtray C:\PROGRA~1\AVG\AVG9\avgtray.exe
No HKLM:Run CarbonitePreinstaller "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
No HKLM:Run brctrcen C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
No HKLM:Run CorelIOMonitor C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
No HKLM:Run CTHELPER CTHELPER.EXE
No HKLM:Run GWInkMonitor "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
No HKLM:Run InCD C:\Program Files\Ahead\InCD\InCD.exe
No HKLM:Run IndexSearch C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
No HKLM:Run NeroCheck C:\WINDOWS\system32\NeroCheck.exe
No HKLM:Run NvCpl RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
No HKLM:Run NvMcTray RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
No HKLM:Run nwiz nwiz.exe /install
No HKLM:Run pptd40nt C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
No HKLM:Run QTTask "C:\Program Files\QuickTime\QTTask.exe" -atboottime
No HKLM:Run RealPlay C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
No HKLM:Run BrStDvPt C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
No HKLM:Run SSBkgdupdate "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
No HKLM:Run jusched "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
No Startup Common ntuser.dat \ntuser.dat
No Startup Common ntuser.dat.LOG \ntuser.dat.LOG
No Startup Common ntuser.ini \ntuser.ini
No Startup Common ~ \~
Then you may have an old version of CCleaner - they added it recently
in 2.31.1153 (that was nice of them)
Get CCleaner here:
http://www.ccleaner.com/
If MBAM installs okay but will not launch, rename mbam.exe to jose.exe
and launch jose.exe (the malware will not be expecting that. Or maybe
it will by now...).
Your MBAM installation could also be afflicted - uninstall MBAM from
Add/Remove Programs, reboot and install it again and report the
results.
If you still have a problem, run SAS from the other link I provided.
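
A triage pass over a startup export like the list Sirius posted above, written as an added example that is not part of the original thread or of CCleaner. The tab-separated layout, the `LAUNCHABLE` set, and the names `parse`, `first_token` and `triage` are assumptions made for illustration; the sample rows are re-typed from the thread.

```python
import ntpath

# Constructed sample re-typed from this thread; tab-separated fields are an assumption.
SAMPLE = "\n".join([
    "Yes\tHKCU:Run\tctfmon.exe\tC:\\WINDOWS\\system32\\ctfmon.exe",
    "No\tHKCU:Run\twweb32\t",
    "No\tHKLM:Run\tCTHELPER\tCTHELPER.EXE",
    'No\tHKLM:Run\tQTTask\t"C:\\Program Files\\QuickTime\\QTTask.exe" -atboottime',
    "No\tStartup Common\tntuser.dat\t\\ntuser.dat",
    "No\tStartup Common\tntuser.dat.LOG\t\\ntuser.dat.LOG",
    "No\tStartup Common\t~\t\\~",
])

# Assumption: file types one expects to be launched from a Startup folder.
LAUNCHABLE = {".lnk", ".exe", ".bat", ".cmd", ".com", ".vbs"}

def parse(text):
    # Return (enabled, location, name, command) tuples, padding short rows.
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("\t", 3)]
        fields += [""] * (4 - len(fields))
        rows.append((fields[0] == "Yes", fields[1], fields[2], fields[3]))
    return rows

def first_token(command):
    # Program part of a command line: the quoted string, or text up to a space.
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def triage(rows):
    # Flag rows worth a manual look; disabled rows are included on purpose.
    findings = []
    for _enabled, location, name, command in rows:
        if location.startswith("Startup"):
            ext = ntpath.splitext(ntpath.basename(command))[1].lower()
            if ext not in LAUNCHABLE:
                findings.append((name, "non-launchable file in Startup folder"))
        elif not command:
            findings.append((name, "Run value with no command"))
        elif "\\" not in first_token(command):
            findings.append((name, "no full path, resolved by search order"))
    return findings

if __name__ == "__main__":
    for name, reason in triage(parse(SAMPLE)):
        print(f"{name}: {reason}")
```

A flag here means the row deserves a manual look, not that it is malicious.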