'Malicious URL blocked' alert when accessing My Computer directory (XP)

Recently I have been getting an alert with the following general format:

Object: 200807db062d.dativism.com
Infection: URL:Mal
Action: Blocked
Process: C:\Windows\Explorer.EXE

The object is always some variation on ‘dativism.com’. The odd thing is that despite being a url alert it seems to occur when I access the My Computer directory on my machine. I have also had Explorer crash on start-up a few times. Other very odd things have been happening too…

Running scannow might have helped, since my most recent start-up didn’t result in any problems.

Here is my aswMBR result:

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-08 19:30:11

19:30:11.546 OS Version: Windows 5.1.2600 Service Pack 3
19:30:11.546 Number of processors: 1 586 0x401
19:30:11.546 ComputerName: CHRISPC UserName: Chris
19:30:12.875 Initialize success
19:30:26.406 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
19:30:26.406 Disk 0 Vendor: HDS722580VLAT20 V32OA69A Size: 76293MB BusType: 3
19:30:26.406 Disk 0 MBR read error 0
19:30:26.406 Disk 0 MBR scan
19:30:26.406 Disk 0 unknown MBR code
19:30:26.406 MBR BIOS signature not found 0
19:30:26.421 Disk 0 scanning sectors +156232125
19:30:26.421 Disk 0 scanning C:\WINDOWS\system32\drivers
19:30:35.734 Service scanning
19:30:37.734 Disk 0 trace - called modules:
19:30:37.765 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys span.sys hal.dll >>UNKNOWN [0x87385944]<<
19:30:37.765 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x873375b0]
19:30:37.765 3 CLASSPNP.SYS[f75d6fd7] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x87306b00]
19:30:37.765 Scan finished successfully

When I try and run OTS Avast wants to start it in the sandbox, and for some reason claims that it’s being opened by C:\WINDOWS\SYSTEM32\dla\tfswshx.dll (I believe this is a system dll, something to do with drive letter access). I did a scan, but no log seemed to have been generated.

I am running XP SP3 on a Dell Dimension. I’ve had this for about five years, and have never encountered any serious problems before (and I’ve never used any antivirus software other than Avast). Recently, though, I have had some memory issues - the machine has been giving me a 1-3-2 beep code on start-up. I resolved this by removing one of the memory cards - whether this is related to my current problems I don’t know, but I thought it best to mention it.

Many thanks in advance for any help.

Christopher

Running Malwarebytes Quickscan I found 29 threats. Here’s the log:

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

09/06/2011 05:59:51
mbam-log-2011-06-09 (05-59-29).txt

Scan type: Quick scan
Objects scanned: 218750
Time elapsed: 11 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\xtoduig.dll (Trojan.Hiloti) -> No action taken.
c:\WINDOWS\epuhibazu.dll (IPH.Trojan.Hiloti.B) -> No action taken.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F919FBD3-A96B-4679-AF26-F551439BB5FD} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\AV Care (Rogue.AVCare) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AV Care (Rogue.AVCare) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xxacumusetubetog (Trojan.Hiloti) -> Value: Xxacumusetubetog -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fvecetuwef (IPH.Trojan.Hiloti.B) -> Value: Fvecetuwef -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AV Care (Rogue.AVCare) -> Value: AV Care -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\AV Care (Rogue.AVCare) -> No action taken.
c:\program files\winupdates (Worm.P2P) -> No action taken.
c:\documents and settings\Chris\start menu\Programs\AV Care (Rogue.AVCare) -> No action taken.

Files Infected:
c:\WINDOWS\xtoduig.dll (Trojan.Hiloti) -> No action taken.
c:\WINDOWS\epuhibazu.dll (IPH.Trojan.Hiloti.B) -> No action taken.
c:\WINDOWS\SYSTEM32\bszip.dll (Worm.P2P) -> No action taken.
c:\documents and settings\Chris\Desktop\AV Care.lnk (Rogue.AVCare) -> No action taken.
c:\WINDOWS\SYSTEM32\cmd.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\netstat.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\ping.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\regedit.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\taskkill.com (Worm.P2P) -> No action taken.
c:\WINDOWS\SYSTEM32\tasklist.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\tracert.com (Worm.Alcra) -> No action taken.
c:\documents and settings\Chris\application data\Adobe\shed\thr1.chm (Malware.Trace) -> No action taken.
c:\documents and settings\Chris\application data\Adobe\plugs\mmc45.exe (Trojan.Agent.Gen) -> No action taken.
c:\documents and settings\Chris\application data\Adobe\plugs\mmc718070656.txt (Trojan.Agent.Gen) -> No action taken.
c:\documents and settings\Chris\application data\Adobe\plugs\mmc90.exe (Trojan.Agent.Gen) -> No action taken.
c:\program files\AV Care\avc.ico (Rogue.AVCare) -> No action taken.
c:\program files\AV Care\uninstall.exe (Rogue.AVCare) -> No action taken.
c:\documents and settings\Chris\start menu\Programs\AV Care\AV Care.lnk (Rogue.AVCare) -> No action taken.

I haven’t done anything with these yet, especially as some of the results relate to important system utilities (cmd.com, regedit, netstat).

Christopher
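The Malwarebytes log above is a fixed text format (a count block followed by one section per category, one finding per line), so it can be parsed rather than read by eye. The block below is an added example, not code from Malwarebytes or from anyone in this thread: it parses a constructed excerpt in the same format, cross-checks the claimed counts against the listed entries, and then groups findings by the trick they rely on rather than by the scanner's detection name. The two groups it looks for are both visible in the log: a `.com` file dropped in `system32` next to a built-in `.exe` (Windows resolves a bare `cmd` or `regedit` to the `.com` first because the default `PATHEXT` lists `.COM` before `.EXE`), and a randomly named DLL sitting directly in `C:\WINDOWS` rather than in `system32`. The `SHADOWABLE` set is an assumption for the example, seeded from the utility names in the log.

```python
import re

# Constructed excerpt in the Malwarebytes log format used in this thread (shortened;
# the item names are the ones that appear in the posted log).
SAMPLE_LOG = r"""
Scan type: Quick scan
Objects scanned: 218750

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Values Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\xtoduig.dll (Trojan.Hiloti) -> No action taken.
c:\WINDOWS\epuhibazu.dll (IPH.Trojan.Hiloti.B) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xxacumusetubetog (Trojan.Hiloti) -> Value: Xxacumusetubetog -> No action taken.

Files Infected:
c:\WINDOWS\xtoduig.dll (Trojan.Hiloti) -> No action taken.
c:\WINDOWS\SYSTEM32\cmd.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\regedit.com (Worm.Alcra) -> No action taken.
c:\program files\AV Care\uninstall.exe (Rogue.AVCare) -> No action taken.
"""

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")   # "Files Infected: 18"
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")                    # "Files Infected:"
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Return (summary, sections).

    summary  maps a section name to the count claimed in the header block.
    sections maps a section name to a list of {item, detection, action} dicts.
    """
    summary, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                    # a blank line ends the current section
            current = None
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group("section")
            sections[current] = []
            continue
        if current is None or line.startswith("(No malicious"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            # Registry values carry "Value: X -> <action>"; keep only the final action.
            action = m.group("rest").rsplit("-> ", 1)[-1].rstrip(".")
            sections[current].append(
                {"item": m.group("item"), "detection": m.group("detection"), "action": action})
    return summary, sections


def count_mismatches(summary, sections):
    """Sections whose listed entries disagree with the count the log claims for them."""
    return {name: (claimed, len(sections.get(name, [])))
            for name, claimed in summary.items()
            if claimed != len(sections.get(name, []))}


# Assumption for this example: console utilities that ship as <name>.exe in system32.
# A same-named .com beside them is what a bare "cmd" or "regedit" resolves to first.
SHADOWABLE = {"cmd", "netstat", "ping", "regedit", "taskkill", "tasklist", "tracert"}


def triage(sections):
    """Group every distinct finding by the structural trick it relies on."""
    findings = {"com_shadow": [], "windir_root_dll": [], "other": []}
    seen = set()
    for entries in sections.values():
        for e in entries:
            item = e["item"]
            low = item.lower()
            if low in seen:             # the same DLL shows up under Modules and Files
                continue
            seen.add(low)
            m = re.search(r"\\system32\\([a-z0-9_]+)\.com$", low)
            if m and m.group(1) in SHADOWABLE:
                findings["com_shadow"].append(item)
            elif re.fullmatch(r"c:\\windows\\[^\\]+\.dll", low):
                findings["windir_root_dll"].append(item)
            else:
                findings["other"].append(item)
    return findings


if __name__ == "__main__":
    summary, sections = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", count_mismatches(summary, sections))
    for group, items in triage(sections).items():
        print(group, "->", items)
```

The grouping is the point: the scanner's labels (`Worm.Alcra`, `Trojan.Hiloti`) tell you which signature fired, while the grouping tells you what the file does on the box, which is what decides whether it is safe to remove outright or, as advised later in this thread, better left quarantined until the matching `.exe` is confirmed intact.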

You are right to exercise caution. For the time being I would leave the ones relating to Worm.Alcra in the system32 folder.

c:\WINDOWS\SYSTEM32\cmd.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\netstat.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\ping.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\regedit.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\taskkill.com (Worm.P2P) -> No action taken.
c:\WINDOWS\SYSTEM32\tasklist.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\tracert.com (Worm.Alcra) -> No action taken

Only select the other entries that are infected for Removal.

MBAM does not just delete them but sends files to its Quarantine, so there are copies just in case. So run it again, select the other entries I mentioned and click Remove Selected.

Run MBAM again and post the contents.

Interestingly, these memory modules infected don't appear to have been found as files infected.

Memory Modules Infected:
c:\WINDOWS\xtoduig.dll (Trojan.Hiloti) -> No action taken.

Do those files actually exist in the c:\WINDOWS folder?

I will try to get a malware removal specialist to check out this problem as we don't want to go messing with the system files without a plan (replacing infected files with clean ones or repairing them).

Hi, let's check the system first and see what that reveals.

Download OTS to your Desktop and double-click on it to run it.

- Make sure you close all other programs and don't use the PC while the scan runs.
- Select All Users.
- Under Additional Scans select the following:
  Reg - Disabled MS Config Items
  Reg - Drivers32
  Reg - NetSvcs
  Reg - SafeBoot Minimal
  Reg - Shell Spawning
  Evnt - EventViewer Logs (Last 10 Errors)
  File - Lop Check

- Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
CREATERESTOREPOINT

- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.

Thanks essexboy. I ran OTS with the settings you suggested, but this time with Avast disabled (since the first time I tried Avast wanted to open it in the sandbox). The log was slightly too big to attach so you can find it at http://www.mediafire.com/?h9jrlz2u7er5q11.

DavidR - many thanks for your reply, but I’ll wait until essexboy gets back to me before I do anything else.

Oh, and I got an Explorer crash on start-up again. Yuk…

Best,
Chris

Well it was essexboy that I asked to jump in ;D

OK, when you reboot after this let me know if the Explorer problem has gone.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Modules - Safe List]
YY -> epuhibazu.dll -> C:\WINDOWS\epuhibazu.dll
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> 
YN -> HKEY_LOCAL_MACHINE\: SearchURL\\"provider" -> gogl
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Chris\Application Data\Mozilla\FireFox\Profiles\newl0piy.Default User\prefs.js
YN -> network.proxy.type -> 1
YN -> network.proxy.http -> "127.0.0.1"
YN -> network.proxy.http_port -> 81
YN -> network.proxy.socks -> "127.0.0.1"
YN -> network.proxy.socks_port -> 81
YN -> network.proxy.ssl -> "127.0.0.1"
YN -> network.proxy.ssl_port -> 81
YN -> keyword.URL -> "http://home.speedbit.com/search.aspx?aff=106&q="
YN -> browser.startup.homepage -> "http://home.speedbit.com/?aff=105"
< FireFox Extensions [Program Folders] > -> 
YY -> Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
YY -> Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
< HOSTS File > ([2007/05/12 23:35:48 | 000,000,757 | ---- | M] - 20 lines) -> C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
YN -> Reset Hosts -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {9030D464-4C02-4ABF-8ECC-5164760863C6} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> Reg Error: Value error. [Google Toolbar Notifier BHO]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{BA52B914-B692-46c4-B683-905236F6F655}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{119DBEDA-9C41-4F97-94B4-B6BCD01133CF}" [HKLM] -> [Morpheus Toolbar]
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Yahoo! Toolbar]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{119DBEDA-9C41-4F97-94B4-B6BCD01133CF}" [HKLM] -> [Morpheus Toolbar]
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Yahoo! Toolbar]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1534998221-2138010193-684253111-1006\] > -> HKEY_USERS\S-1-5-21-1534998221-2138010193-684253111-1006\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{119DBEDA-9C41-4F97-94B4-B6BCD01133CF}" [HKLM] -> [Morpheus Toolbar]
YN -> WebBrowser\\"{119DBEDA-9C41-4F97-94B4-B6BCD01133CF}" [HKLM] -> [Morpheus Toolbar]
YY -> WebBrowser\\"{A58686ED-FC46-44C3-95C6-4A812AB776F1}" [HKLM] -> C:\Program Files\FerretSoft\WebFerret\FerretBand.dll [WebFerret]
YN -> WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Yahoo! Toolbar]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Fvecetuwef" -> C:\WINDOWS\epuhibazu.dll [rundll32.exe "C:\WINDOWS\epuhibazu.dll",Startup]
< Run [HKEY_USERS\S-1-5-21-1534998221-2138010193-684253111-1006\] > -> HKEY_USERS\S-1-5-21-1534998221-2138010193-684253111-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "AV Care" -> [C:\Program Files\AV Care\AVCare.exe]
YY -> "Xxacumusetubetog" -> C:\WINDOWS\xtoduig.dll [rundll32.exe  "C:\WINDOWS\xtoduig.dll",Startup]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
YN -> CmdMapping\\"{119DBEDA-9c41-4F97-94B4-B6BCD01133CF}" [HKLM] -> [Morpheus Toolbar]
YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Value error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
YN -> CmdMapping\\"{119DBEDA-9c41-4F97-94B4-B6BCD01133CF}" [HKLM] -> [Morpheus Toolbar]
YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Value error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-1534998221-2138010193-684253111-1006\] > -> HKEY_USERS\S-1-5-21-1534998221-2138010193-684253111-1006\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
YN -> CmdMapping\\"{119DBEDA-9c41-4F97-94B4-B6BCD01133CF}" [HKLM] -> [Morpheus Toolbar]
YN -> CmdMapping\\"{7A2EFD41-E6B3-11D2-89E3-00E0292EE574}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{7A2EFD41-E6B3-11D2-89E3-00E0292EE575}" [HKLM] -> [Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY ->  Udabadiyuregad.dat -> C:\WINDOWS\Udabadiyuregad.dat
NY ->  Qqovezibahaqev.bin -> C:\WINDOWS\Qqovezibahaqev.bin
NY ->  rezyn1.job -> C:\WINDOWS\tasks\rezyn1.job
[Files - No Company Name]
NY ->  Udabadiyuregad.dat -> C:\WINDOWS\Udabadiyuregad.dat
NY ->  Qqovezibahaqev.bin -> C:\WINDOWS\Qqovezibahaqev.bin
NY ->  MBR.dat -> C:\Documents and Settings\Chris\Desktop\MBR.dat
[File - Lop Check]
NY ->  rezyn1.job -> C:\WINDOWS\Tasks\rezyn1.job
[Alternate Data Streams]
NY -> @Alternate Data Stream - 872 bytes -> C:\Found.009:C2YRDjIZNYSJxfxBnSO
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
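The OTS fix above rewrites several Firefox preferences: `network.proxy.type` set to 1 (manual proxy) with every protocol pointed at 127.0.0.1 port 81, plus `keyword.URL` and the start page redirected to an affiliate search site. A loopback proxy means some process on the PC sits between the browser and the network, which is exactly how a hijacker sees and rewrites traffic. The block below is an added example, not OTS code or anything posted in the thread: it parses a constructed `prefs.js` excerpt in Firefox's real `user_pref("name", value);` syntax, seeded with the values the fix lists, and reports settings a technician would want explained. The `known_local_proxy_ports` and `trusted_hosts` arguments are assumptions for the example; a legitimate local proxy (some AV web shields work that way) would be passed in there so it is not flagged.

```python
import re
from urllib.parse import urlparse

# Constructed prefs.js excerpt; the proxy and homepage values mirror the OTS fix in this thread.
SAMPLE_PREFS = r'''
// Mozilla User Preferences
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 81);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 81);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 81);
user_pref("keyword.URL", "http://home.speedbit.com/search.aspx?aff=106&q=");
user_pref("browser.startup.homepage", "http://home.speedbit.com/?aff=105");
user_pref("browser.cache.disk.capacity", 358400);
user_pref("browser.tabs.warnOnClose", false);
'''

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);$')
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_prefs(text):
    """Turn prefs.js lines into a dict; strings, booleans and integers are converted."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:                       # comments, blank lines, anything non-pref
            continue
        key, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw        # keep anything unexpected verbatim
    return prefs


def check_prefs(prefs, known_local_proxy_ports=frozenset(), trusted_hosts=frozenset()):
    """Return a list of (pref, value, reason) tuples for settings that need explaining.

    known_local_proxy_ports: loopback ports owned by software you know about (assumed input).
    trusted_hosts: hostnames the homepage / keyword search are allowed to point at (assumed input).
    """
    issues = []
    if prefs.get("network.proxy.type") == 1:        # 1 = manual proxy configuration
        for proto in ("http", "ssl", "socks", "ftp"):
            host = prefs.get(f"network.proxy.{proto}")
            port = prefs.get(f"network.proxy.{proto}_port")
            if host in LOOPBACK and port not in known_local_proxy_ports:
                issues.append((f"network.proxy.{proto}", f"{host}:{port}",
                               "manual proxy to a local port no known software owns"))
    for key in ("keyword.URL", "browser.startup.homepage"):
        url = prefs.get(key)
        if isinstance(url, str) and url.startswith("http"):
            host = urlparse(url).hostname or ""
            if host not in trusted_hosts:
                issues.append((key, url, "search or start page points at an unrecognised host"))
    return issues


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS)
    for pref, value, reason in check_prefs(prefs):
        print(f"{pref} = {value}  ({reason})")
```

Note that OTS resets these preferences rather than just deleting the file; the checker only reports, and the decision about what is legitimate belongs with the person who knows what is installed on the machine.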

Thanks essexboy,

I applied the fix as you instructed and on reboot (OTS apparently needed to reboot to finish the operation) I didn’t get the Explorer crash. I did, however, get a dialog box headed RUNDLL with the following message:

Error loading C:\WINDOWS\xtoduig.dll
The specified module could not be found.

Indeed, there’s no sign of that dll in the WINDOWS folder.

I have attached the log file from the fix.

Many thanks,
Chris

Could you run a fresh OTS scan please, selecting All Users, so that I can find the associated Run key to delete it - that was the bad boy ;D

Should I run it with the same Additional and Custom Scan settings as before, or just select All Users?

Run a quick scan, but ensure that you select All Users and under Additional Scans select the following:
Reg - NetSvcs

OK, done that - log is attached.

This should get it.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> 
YN -> HKEY_LOCAL_MACHINE\: SearchURL\\"provider" -> gogl
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1534998221-2138010193-684253111-1006\] > -> 
YN -> HKEY_USERS\S-1-5-21-1534998221-2138010193-684253111-1006\: Main\\"Start Page" -> http://home.speedbit.com/?aff=105
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{A58686ED-FC46-44C3-95C6-4A812AB776F1}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_USERS\S-1-5-21-1534998221-2138010193-684253111-1006\] > -> HKEY_USERS\S-1-5-21-1534998221-2138010193-684253111-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Xxacumusetubetog" -> [rundll32.exe  "C:\WINDOWS\xtoduig.dll",Startup]
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

I ran the fix, but after setting the restore point the whole system froze. I rebooted the machine manually, and on start-up the log appeared - so I’m assuming the fix was applied correctly. I certainly didn’t see that RUNDLL error - and again no Explorer crash. Oh, and the original ‘Malicious URL’ alert hasn’t reappeared for a while…

Please find the OTS log attached. I also did another quick scan with Malwarebytes, which is still finding some infections. Here’s its latest log:

09/06/2011 23:01:02
mbam-log-2011-06-09 (23-00-38).txt

Scan type: Quick scan
Objects scanned: 206307
Time elapsed: 8 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F919FBD3-A96B-4679-AF26-F551439BB5FD} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\AV Care (Rogue.AVCare) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AV Care (Rogue.AVCare) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\AV Care (Rogue.AVCare) -> No action taken.
c:\program files\winupdates (Worm.P2P) -> No action taken.
c:\documents and settings\Chris\start menu\Programs\AV Care (Rogue.AVCare) -> No action taken.

Files Infected:
c:\WINDOWS\SYSTEM32\bszip.dll (Worm.P2P) -> No action taken.
c:\documents and settings\Chris\Desktop\AV Care.lnk (Rogue.AVCare) -> No action taken.
c:\WINDOWS\SYSTEM32\cmd.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\netstat.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\ping.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\regedit.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\taskkill.com (Worm.P2P) -> No action taken.
c:\WINDOWS\SYSTEM32\tasklist.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\tracert.com (Worm.Alcra) -> No action taken.
c:\documents and settings\Chris\application data\Adobe\shed\thr1.chm (Malware.Trace) -> No action taken.
c:\documents and settings\Chris\application data\Adobe\plugs\mmc45.exe (Trojan.Agent.Gen) -> No action taken.
c:\documents and settings\Chris\application data\Adobe\plugs\mmc718070656.txt (Trojan.Agent.Gen) -> No action taken.
c:\documents and settings\Chris\application data\Adobe\plugs\mmc90.exe (Trojan.Agent.Gen) -> No action taken.
c:\program files\AV Care\avc.ico (Rogue.AVCare) -> No action taken.
c:\program files\AV Care\uninstall.exe (Rogue.AVCare) -> No action taken.
c:\documents and settings\Chris\start menu\Programs\AV Care\AV Care.lnk (Rogue.AVCare) -> No action taken.

Best,
Chris

The restore point was set OK - re-run MBAM, update it and allow it to delete any problems.

Once you are happy I will remove my tools.

Thanks again, essexboy. Just to be clear, can I safely remove the following?

c:\WINDOWS\SYSTEM32\bszip.dll (Worm.P2P) -> No action taken.
c:\WINDOWS\SYSTEM32\cmd.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\netstat.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\ping.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\regedit.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\taskkill.com (Worm.P2P) -> No action taken.
c:\WINDOWS\SYSTEM32\tasklist.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\tracert.com (Worm.Alcra) -> No action taken.

Yep, if MBAM still alerts after updating - but leave them in quarantine just to be sure.

However, they are known Alcra worm files.

OK, all done. MBAM now reports no infections. ;D Will do a full scan with Avast later, just to be on the safe side…

You, sir, are a star. I am so grateful for your help - a million thanks! ;D ;D ;D

Oh, just one last observation - some of my folder options have changed. For instance hidden files and known file extensions are now not shown. Was that the result of some of the OTS fixes?

Yep, sure was - once you are happy with the computer I will remove my tools and reset all back to as it should be.

OK essexboy, I’ve just finished a high sensitivity quickscan with Avast and that revealed no infections. So I’m happy for you to remove your tools.

Once again, a million thanks. ;D