
suspected virus [RESOLVED]


#16 gr8joel (Topic Starter, Member, 200 posts)
It was actually very weird. My brother got Norton Antivirus and it couldn't detect anything. Very weird. Anyway, the first time I tried Norton, it actually made my computer keyboard work again (some of the buttons wouldn't work and I thought this was due to hardware failure). But now I knew it was a virus, because the second I rebooted like Norton asked me, some of the buttons wouldn't work again. Kind of reminds me of a hacking program called NetBus that I read about the other day. Remember my brother bought this laptop and it was previously used, so we didn't know what it had on it prior to our "buy-age" lol. Thanks again heir, I appreciate your time.

#17 heir (Trusted Helper, Malware Removal, 5,427 posts)

sorry for the mistake heir, even though I didn't overlap, I can assure you that everything has been posted with nothing left out. Thanks again for your time. Once this is done, then I too will join GeekU. I am so looking forward to learning about how to stop viruses and protect against them. I've always been into computers and stuff like that. Once again thanks very much heir.

That's OK.
Looking forward to see you in GeekU later on then.
I'll review the log and get back to you as soon as possible.

#18 heir (Trusted Helper, Malware Removal, 5,427 posts)
Looking much better
Let's do some cleaning and a couple more scans.


Connect your removable memory drives to your computer and keep them connected until you are clean.

Step 1.
Flashdrive disinfector:

Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


Step 2.
Uninstall unneeded software:

Please go to Start > Control Panel > Add/Remove Programs and remove the following:

Java™ 6 Update 2
Java™ 6 Update 3



Step 3.
OTMoveIt2:

  • Please double-click OTMoveIt2.exe on your desktop to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\SITEguard
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B}
    HKEY_CLASSES_ROOT\CLSID\{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}
    HKEY_CLASSES_ROOT\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{52b68651-6768-11dd-9bf7-00e0b854cb13}
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b7016880-adec-11dc-9a09-00e0b854cb13}
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\sysvx.exe
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\LimeWire\LimeWire.exe
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step 4.
Clean temp-locations:

Please download ATF Cleaner by Atribune.
Caution: This program is for Windows 2000, XP and Vista only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Step 5.
Scan with MBAM:

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Step 6.
Scan with Kaspersky WebScanner:

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Step 7.
Things I want to see in your reply:

  • The content of the Result window in OTMoveIt2 from step 3.
  • The content of the report from MBAM from step 5.
  • The content of the report from Kaspersky Webscanner from step 6.
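
An added defender's check, written for this page and not one of the tools heir uses in the thread: it audits the two registry areas the OTMoveIt2 list in step 3 cleaned, the XP firewall per-application exceptions list (where sysvx.exe and LimeWire had been whitelisted) and the per-user MountPoints2 entries that removable drives leave behind, and reports what a helper would want to review. It assumes PowerShell 3 or later and read access to HKLM and HKCU; the key paths are the ones from step 3.

```powershell
# Added audit script, not part of the thread and not one of the tools used in it.
# It reads the two registry areas the OTMoveIt2 list above cleaned: the XP firewall
# per-application exceptions (where sysvx.exe had been whitelisted) and the per-user
# MountPoints2 volume entries. Assumes PowerShell 3 or later and read access to HKLM/HKCU.

$FwListKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$MountPointsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Get-FirewallExceptionAudit {
    # Each value is named after the executable and holds
    # "<path>:<scope>:<Enabled|Disabled>:<display name>".
    param([string]$Key = $FwListKey)
    if (-not (Test-Path -LiteralPath $Key)) { return }
    $props = (Get-ItemProperty -LiteralPath $Key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }   # drop PSPath, PSParentPath, ...
    foreach ($p in $props) {
        # Greedy path group: the path itself contains "C:", so a plain -split ':'
        # would cut it in two.
        $m = [regex]::Match([string]$p.Value,
            '^(?<path>.+):(?<scope>[^:]*):(?<state>Enabled|Disabled):(?<name>.*)$')
        $path  = if ($m.Success) { $m.Groups['path'].Value }  else { $p.Name }
        $state = if ($m.Success) { $m.Groups['state'].Value } else { 'Unparsed' }
        $name  = if ($m.Success) { $m.Groups['name'].Value }  else { '' }
        $exists = Test-Path -LiteralPath $path
        $sig = 'FileMissing'
        if ($exists) { $sig = (Get-AuthenticodeSignature -FilePath $path).Status }
        $inSystem32 = $path -like (Join-Path $env:SystemRoot 'system32\*')
        [pscustomobject]@{
            Path        = $path
            DisplayName = $name
            State       = $state
            Signature   = $sig
            # Flag an exception whose file is gone (an orphan left behind after removal)
            # or one that points at an unsigned binary inside system32.
            Review      = (-not $exists) -or ($inSystem32 -and "$sig" -ne 'Valid')
        }
    }
}

function Get-MountPointsAutorun {
    # MountPoints2 keeps a subkey per volume the user has opened. A Shell\AutoRun\command
    # value under a volume is Explorer's record of an autorun.inf it found on that drive.
    param([string]$Key = $MountPointsKey)
    if (-not (Test-Path -LiteralPath $Key)) { return }
    foreach ($vol in Get-ChildItem -LiteralPath $Key) {
        $cmdKey = Join-Path $vol.PSPath 'Shell\AutoRun\command'
        if (Test-Path -LiteralPath $cmdKey) {
            [pscustomobject]@{
                Volume  = $vol.PSChildName
                Command = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
            }
        }
    }
}

'== Firewall exceptions worth reviewing =='
Get-FirewallExceptionAudit | Where-Object { $_.Review } |
    Format-Table Path, State, Signature, DisplayName -AutoSize
'== Volumes in MountPoints2 with a recorded AutoRun command =='
Get-MountPointsAutorun | Format-Table -AutoSize
```

Run it from an elevated prompt before and after a cleanup like the one above: an exception whose file no longer exists is the kind of leftover the OTMoveIt2 list removed by hand, and a recorded AutoRun command names the drive the Flash_Disinfector step is meant to protect.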


#19 gr8joel (Topic Starter, Member, 200 posts)
Explorer killed successfully
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\SITEguard >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\SITEguard deleted successfully.
< HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{98279C38-DE4B-4BCF-93C9-8EC26069D6F4} >
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{98279C38-DE4B-4BCF-93C9-8EC26069D6F4} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}\ not found.
< HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} >
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
< HKEY_CLASSES_ROOT\CLSID\{98279C38-DE4B-4BCF-93C9-8EC26069D6F4} >
Registry key HKEY_CLASSES_ROOT\CLSID\{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}\\ not found.
< HKEY_CLASSES_ROOT\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B} >
Registry key HKEY_CLASSES_ROOT\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\\ not found.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{52b68651-6768-11dd-9bf7-00e0b854cb13} >
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{52b68651-6768-11dd-9bf7-00e0b854cb13}\\ deleted successfully.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b7016880-adec-11dc-9a09-00e0b854cb13} >
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b7016880-adec-11dc-9a09-00e0b854cb13}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\sysvx.exe >
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\sysvx.exe deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\LimeWire\LimeWire.exe >
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\LimeWire\LimeWire.exe deleted successfully.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 10232008_175644

#20 gr8joel (Topic Starter, Member, 200 posts)
Malwarebytes' Anti-Malware 1.28
Database version: 1270
Windows 5.1.2600 Service Pack 2

10/23/2008 10:13:12 PM
mbam-log-2008-10-23 (22-13-12).txt

Scan type: Quick Scan
Objects scanned: 45752
Time elapsed: 11 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#21 gr8joel (Topic Starter, Member, 200 posts)
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, October 25, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, October 25, 2008 21:37:05
Records in database: 1346539
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 43113
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:26:10


File name / Threat name / Threats count
C:\WINDOWS\system32\mcwtaaaa.exe Infected: Trojan-Downloader.Win32.Tiny.fb 1

The selected area was scanned.

#22 heir (Trusted Helper, Malware Removal, 5,427 posts)
Let's remove that one also.

Step 1.
Remove file:

  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\mcwtaaaa.exe
    purity
    emptytemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Step 2.
Things I want to see in your reply:

  • The content of the Results Window in OTMoveIt2 from step 1.
  • Information on how your computer is running now.


#23 gr8joel (Topic Starter, Member, 200 posts)
Explorer killed successfully
C:\WINDOWS\system32\mcwtaaaa.exe moved successfully.
< purity >
< emptytemp >
File delete failed. C:\DOCUME~1\Richard\LOCALS~1\Temp\~DFD219.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\JETDB42.tmp scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 10272008_123624

Files moved on Reboot...
C:\DOCUME~1\Richard\LOCALS~1\Temp\~DFD219.tmp moved successfully.
File C:\WINDOWS\temp\JETDB42.tmp not found!

#24 gr8joel (Topic Starter, Member, 200 posts)
Hi Heir!,

I would like to say that I really appreciate your help, as well as the others who have been very patient with me (and not just me but other people as well) with helping with my issue. I can't wait for this subject to close as "resolved". Then I can apply for GeekU! :)

Anyways, I would like to point out that it's kinda weird that this old laptop that was purchased from a previous owner had very little problems (I think) compared to the other computer that was fixed a while ago with a person on this forum named "Egwene" (PS thanks for all the great help Egwene).

Now I would like to tell you how the computer is running. For some reason when I first purchased Norton Anti-Virus, it cleared all of the virus (or so I thought). Even the "y" button was working again. It was disabled previously I believe, and when Norton claimed to fix it, it worked fine UNTIL SYSTEM REBOOT. So I also had a problem with the background turning into a white page that said "active restore". Even with the help you provided, I still had the white background, and every time I clicked on to fix it, it would return a script error. This is of no concern now because with the last set of instructions, I changed the background, rebooted and the system loaded the desktop background! Sweet! But now the "y" button as well as some of the other buttons will not work. At first I believed it to be a virus controlling and disabling my computer buttons, but now I believe it just may be hardware failure.

Is there any way to tell if my buttons were tampered with, heir? If so I would appreciate your help in solving this issue as well.

Thanks again Heir.

#25 heir (Trusted Helper, Malware Removal, 5,427 posts)
Hey there, gr8joel!

Is there any way to tell if my buttons were tampered with, heir? If so I would appreciate your help in solving this issue as well.

Not that I know of.
Start a new topic in the hardware section of the forum, and mention that you were directed there from here, also post a link to this topic.


OK! Well done, your log is clean again! :)

Time for some housekeeping.

Step 1.
Clean up:

First:
We need to remove all the tools that you have used. This is so that, should you ever be re-infected, you will download updated versions. It will also remove the quarantined malware from your computer.

Click Here to download OTCleanIt
Double-click OTCleanIt.exe to run it.
Click the Clean up button
Click Yes to the reboot.

Now delete any tools/logs that is left over after you ran OTCleanIt.


Second:
Now let's reset and re-enable your System Restore to remove any infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected, but that's good news.)

Turn OFF System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.
System Restore will now be active again.


Step 2.
Prevention:

OK, let's carry out a few preventative steps to make sure you reduce the risk of further infections.

First:

One of the essentials is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.

Second:
Now let's download some preventative programs that will help to keep the nasties away! We will start with anti-spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. A tutorial can be found here.
Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.


Third:
Nearly done! If you like to use chat, MSN and Yahoo have vulnerabilities that can leave you open to infections. There are however a couple of very good, malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers
Lastly:
It is a good idea to clear out all your temp files every now and again with ATF Cleaner. This will help keep your computer from bogging down and slowing. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.


To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.


I will keep this log open for the next couple of days, so if you have any further problems post another reply here.
Or when everything works as normal post here and it will be closed, and you'll be able to apply to Geek U.

OK, all the best, and stay safe!

#26 gr8joel (Topic Starter, Member, 200 posts)
Thanks i appreciate all the hard work heir. I also would like to say that I will be applying for GeekU in the next few days. See ya soon Heir. Later

#27 ScHwErV (Member 5k, Retired Staff, MVP, 21,285 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.