Also 8000000.cb, Malware-Gen. Avast found 8 infections but seems to have left a few?
Any help would be appreciated.
Thanks
Malware removers are notified. It may take several hours before one arrives, so be patient.
Monitoring
Hello,
Your computer and your USB flash devices are infected:
Step 1
[*] Please download BlitzBlank by emsisoft and save it to your desktop.
[*] Open Blitzblank.exe by double click on it.
[*] Click OK at the warning (and take note of it, this is a VERY powerful tool!).
[*] Click the Script tab and copy/paste the following text there:
DeleteFolder:
C:\Windows\Installer\{1f3b4c97-f522-8519-fa66-49166b32ce18}
C:\Users\Me\AppData\Local\{1f3b4c97-f522-8519-fa66-49166b32ce18}
CopyFile:
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\SysNative\services.exe
[*] Click Execute Now. Your computer will need to reboot in order to replace the files.
[*] When done, post me the report created by BlitzBlank. You can find it at the root of the drive C:\
Step 2
Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.
Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.
Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach log reports ( ComboFix.txt) back to topic.
Step 3
Check USB storage devices / removable drives
Download MCShield.
Official site
[*] Double click MCShield-Setup to install the application.
[*] Wait a few seconds to MCShield finish initial scan.
Recommendation: under the General and Scanner tabs, click the Defaults button to choose the recommended options.
[*] Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.
When all scanning is done, attach the log report that MCShield has made.
Start → All Programs → MCShield → Logs
Attach here → AllScans.txt
Explanation: USB storage devices are all the USB devices that get their own drive letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
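Added example, not from this thread and not part of BlitzBlank, ComboFix, OTL or MCShield: a PowerShell check to run after Step 1 that verifies the restored services.exe against the WinSxS copy named in the BlitzBlank script and lists which of the paths removed by the fixes in this thread still exist. It assumes Windows 7 x64 with PowerShell 4.0 or later and the same paths as in the thread (the `Me` profile folder is replaced by `$env:LOCALAPPDATA`).

```powershell
# Added example, not from this thread or from BlitzBlank/ComboFix/OTL.
# Verifies the services.exe replacement from Step 1 and lists which of the paths
# removed in this thread still exist. Assumes Windows 7 x64 and PowerShell 4.0+
# (Get-FileHash); run it from an elevated 64-bit PowerShell so System32 is the
# real directory, not the SysWOW64 redirect.

$sysRoot = $env:SystemRoot
# Live binary that BlitzBlank overwrote (C:\Windows\SysNative\services.exe in the script)
$livePath = "$sysRoot\System32\services.exe"
# Clean copy in the component store, exactly as named in the BlitzBlank script above
$storePath = "$sysRoot\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe"

function Test-ServicesExe {
    param([string]$Live, [string]$Store)
    $r = [ordered]@{ Live = $Live; Exists = (Test-Path -LiteralPath $Live) }
    if (-not $r.Exists) { return [pscustomobject]$r }
    # Caveat: Windows 7 system binaries are catalog-signed, so Status can read
    # 'NotSigned' on a clean file; 'HashMismatch' or a non-Microsoft signer are
    # the real red flags, and the WinSxS comparison below is the stronger check.
    $sig = Get-AuthenticodeSignature -FilePath $Live
    $r.SignatureStatus = $sig.Status
    $r.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    if (Test-Path -LiteralPath $Store) {
        $liveHash  = (Get-FileHash -LiteralPath $Live  -Algorithm SHA256).Hash
        $storeHash = (Get-FileHash -LiteralPath $Store -Algorithm SHA256).Hash
        $r.MatchesWinSxS = ($liveHash -eq $storeHash)   # $true after a good CopyFile
    } else {
        $r.MatchesWinSxS = 'WinSxS copy not found; check the component path for your build'
    }
    return [pscustomobject]$r
}

# Paths the fixes in this thread delete; anything still present needs another look.
# The profile name 'Me' in the thread is replaced by $env:LOCALAPPDATA here.
$removedPaths = @(
    "$sysRoot\Installer\{1f3b4c97-f522-8519-fa66-49166b32ce18}",
    "$env:LOCALAPPDATA\{1f3b4c97-f522-8519-fa66-49166b32ce18}",
    "$sysRoot\assembly\GAC_32\Desktop.ini",   # removed later in the thread by the OTL fix
    "$sysRoot\assembly\GAC_64\Desktop.ini"
)

function Get-Leftovers {
    param([string[]]$Paths)
    # -LiteralPath so the braces in the folder names are not treated as wildcards
    $Paths | Where-Object { Test-Path -LiteralPath $_ }
}

Test-ServicesExe -Live $livePath -Store $storePath | Format-List
$left = @(Get-Leftovers -Paths $removedPaths)
if ($left.Count -eq 0) { 'No leftover paths from the fixes found.' } else { $left }
```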
did step 1.
did step 2, Windows Firewall is working again also. I hadn't realized, until I tried to disable it pre-ComboFix, that it was corrupted / probably not functional
did step 3
Open notepad and copy/paste the text present inside the code box below:
File::
c:\users\UpdatusUser\AppData\Roaming\Microsoft\Nrsnug\nrsnug.exe
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
Save this as CFScript.txt
http://img213.imageshack.us/img213/1218/cfscript1.gif
Close all browser windows. Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)
Here you go. Thanks so much. I have no idea what you are doing, but Avast is quiet now.
Np
It is necessary to uninstall ComboFix:
Start (Windows logo key) >> Run
Combofix /Uninstall
Enter
I recommend that you keep MCShield if you wish.
It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And it will not only prevent infection, but will immediately clean the memory card or external HDD.
How is your computer behavior now?
computer is working very well. N: access is much faster, also.
I have had paid versions of PC Tools and Trend Micro, Norton, long ago. All seemed to get a large footprint and be ineffective.
Should I get the paid version of Avast?
Good.
The last fix before we finish.
Re-run OTL.exe.
[*] Copy and paste the following text, written inside the quote box, into the Custom Scans/Fixes box.
:files
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
:Commands
[emptytemp]
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done.
[*] Re-run OTL and hit CleanUp! OTL will be uninstalled.
I truly recommend that, yes.
OK, did that.
Got the "blue screen of death." Windows failed and rebooted. Was that normal for OTL "Run Fix"?
Then did clean up after restart.
Hm... it is possible that something (some driver crashed) blocked the OTL fix while in progress, but it should not be anything important or worrying about.
It happens sometimes when OTL deletes temp files.
Besides that BSOD, does your computer work normally?
We will check the BSOD too... but it is probably nothing important.
Download the WhoCrashed installer from the following link:
http://www.resplendence.com/download/whocrashedSetup.exe
This analysis program will try to check which driver is the cause of the errors.
Note: this program requires installation.
[*] Double-click the installer and click Next.
[*] Check "I accept the agreement" and then click Next.
[*] Install the program to the location the software offers you as the default.
[*] Click Next in the next window, then click Next again.
[*] Check "Create a Desktop Icon", then click Next and then Install.
When WhoCrashed is installed, run it.
Note: If you get a notice like the one in this screenshot: http://fotkica.com/thumbs2/117539_tmb_59577092_Who%20Crashed%20-%20Debuqqing.jpg
click "Download the requested file from the Microsoft site now" and wait until the download of the additional files and their installation is complete.
When the program starts, click Analyze.
When the analysis ends, a notification window will appear. Click OK.
[*] Right-click on the area of the page with the report and choose Select All.
[*] Right-click on the same area and choose Copy.
[*] Open a new Notepad window and choose Paste to copy the contents of the log into Notepad.
Now you can close the program.
Attach the Notepad file with the contents of the log to your next message.
So, I don’t see the event in here. The BSOD was momentary, only had time to read that windows was terminating.
Is this volunteer duty for you? How do you get trained for it? I wouldn’t mind helping but I have the idea that it would take much education before I would be helpful. I understood DOS but things are much more complicated now.
Never mind, I see that the time is GMT, so this was the event. Sorry.
According to the log created by the WhoCrashed program, your BSOD is not caused by any driver.
Reports like the ones it listed are usually caused by some hardware issue, of course only if the BSOD occurs frequently.
But since the error occurred during the OTL fix, there is no reason to worry. Something just blocked OTL's work (Malwarebytes, perhaps).
But let's not lose time finding the cause of it, because the error is harmless.
Is this volunteer duty for you? Yes. :)
How do you get trained for it? I have been enrolled at the mycity.rs training school since Aug 2008, when I started training/work for malware removal. But it is a non-English forum area.
I wouldn't mind helping but I have the idea that it would take much education before I would be helpful. If you are interested in malware removal, try the following forums. Search for "boot camp". geekstogo.com <--- colleague essexboy, who helps on this forum, is from there:
also…
bleepingcomputer.com
spywareinfoforum.com
techsupportforum.com
whatthetech.com
...etc.
OK, thanks again,
Archie