Thread for sickofthis

Hi could you post the logs here please

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
[*]Under the Custom Scan box paste this in


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs

How do I post the logs since they are too long to fit the 10000 character limit?

down left corner: Additional Options > Attach

When you reply if you click the additional options on the bottom left - you will be able to browse for the logs and then attach

Thanks!

What problems do you have at the moment?

Right now, the computer is running fine with no unusual behavior. The last thing that happened was when we got this blue Avast screen that said we had this Win32 malware-gen and where it was. I had to restart the computer to get out of that because pressing any of the keys indicated did not work. Since then, there have been no other incidents or warnings.

I can see nothing on that scan, which is good. Have you run an MBAM scan?

Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

I had already downloaded malwarebytes after reading posts to other people with this problem. It found a lot of stuff. I am running the scan again and will also run an Avast scan and then let you know what happens.

Cheers ;D

Since we are curious, can you post the MBAM scan logs so we can see what was found… :o

I started the Malwarebytes scan. In the middle of it, I checked to see how it was doing and there was an avast warning window that said a virus - Win32malware-gen - had been found and suggested that I move it to the chest, which I did. The malwarebytes program is still scanning.

What was the file name and location of the detection made by avast! ?

Malwarebytes is still running and the same avast window came up again. I moved the same virus to the chest again.

You should still be able to see what those file names and locations were, File System Shield, Show report file.
Or open the avast chest and get the information there.

It may be that as MBAM opens files so that they may be scanned, this forces avast to scan the file also, so it may be that avast jumps on something before MBAM scans it. So in effect you have a degree of duplicate scanning going on.

I tended to pause/stop avast File System Shield whilst running other security scans. This avoids this duplication of scanning, reducing overall scan duration and avoiding any possible conflict.

I looked in the Avast log and couldn’t find a record of the avast thing that just happened or that I had moved it to the chest. What I did find in the log and chest was a record (mostly from 4/26/10) of that win32 virus in many different files including system volume information/restore . . . and temporary internet files. Was that a real avast alert that came up earlier today or a fake caused by a virus - is that even possible?

This is the mbam log:
Malwarebytes’ Anti-Malware 1.45
www.malwarebytes.org

Database version: 4041

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/1/2010 12:52:08 PM
mbam-log-2010-05-01 (12-52-08).txt

Scan type: Full scan (C:\|)
Objects scanned: 184969
Time elapsed: 47 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

If you sent the file to the chest, the name and location would show there - could you note it down, as I can see nothing and it may be a false positive?

Like I said there is no trace of the activity done today. But here are a couple of the files found back on the 26th:
zpscon_1272316048.exe found in C:\DOCUME~1\Lager\LOCALS~1\Temp
zpscon_1272295690.exe found in C:\Documents and Settings\Lager\local settings\Temp

Maybe it was a false positive because the Avast scan just finished and found nothing.

Am I okay then?

Do I leave those things I moved to the chest in the chest or should I delete them out of there?

If you moved them to the chest (a protected area) as you said, then avast won’t subsequently find them, so you shouldn’t have a problem.

Given the file names and the location, I suspect that the detection is good.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

However, in this case, since they are also from a Temp location, these files are of a less critical nature and could be deleted sooner, but it isn’t a good habit to get into; follow the general rule above.