
Thread: Popups continue as I try to post right now!

  1. #11
    steamwiz (Security Expert-Emeritus) | Join Date: Dec 2005 | Location: Yorkshire, U.K. | Posts: 1,313

    Hi

    This is the flashdrive infection I mentioned :-

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b6e7aba-4783-11dc-891b-0014a5723710}]
    Auto\command- sxs.exe
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

    sxs.exe -> Trojan.QQPass.ln

    It normally results in the appearance of a Chinese infection ...

    I would have expected to see a lot more malware files in the logs you posted, if you indeed had this infection ... the sxs.exe file will be on the flashdrive, not your harddrive ...

    I want you to run AVG Anti-Spyware ... if you have any of the infected files, this program will delete them ... if anything is found, I'll get you to run another program as well to immunise against this infection ...

    make sure your flashdrive is plugged in when you run the scan

    Download and install the 30 day trial of AVG Anti-Spyware from HERE :-

    http://www.ewido.net/en/download/

    1. Download it to your desktop
    2. Doubleclick the AVG Anti-Spyware icon to start the AVG Anti-Spyware setup process...
    3. update the definition files....
    Click the Update icon then select the Update now link...
    Select the Start Update button, the update will start and a progress bar will show the updates being installed.
    4. select the Scanner icon at the top of the screen, then select the Settings tab
    click on Recommended actions and then select Quarantine
    5. Under Reports...
    Select Automatically generate report after every scan
    Un-Select Only if threats were found
    6. Close AVG Anti-Spyware > Do not run the scan yet.

    Boot your computer into Safemode

    1. Go to Start> Shut Off your Computer> Restart
    2. As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly, this will bring up a menu.
    3. Use the Up and Down Arrow Keys to scroll up to SAFEMODE
    4. Then press the Enter on your Keyboard

    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process

    1. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    2. Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
    3. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    4. Once the scan is complete do the following:
    5. If you have any infections you will prompted, then select Apply all actions
    6. Next select the Reports icon at the top.
    7. Select the Save report as button in the lower left hand of the screen and save it to a text file on your system
    8. make sure to remember where you saved that file, this is important
    9. Close AVG Anti-Spyware
    10. Copy & paste the AVG Anti-Spyware report in your next post

    -
    YES ... enable Tea Timer

    You can keep Adaware and update & run a scan with it every so often...

    You can also keep SUPERAntiSpyware, update and run occasionally...

    You can delete Smitfraudfix, Sophos Anti-Rootkit, & combofix when we are finished ... but leave Combofix for now, we will probably use it to remove the flashdrive malware registry key.

    Have a look here :-

    So how did I get infected in the first place? for ways to protect yourself by TonyKlein :-

    http://forums.spybot.info/showthread.php?t=279

    steam
    MICROSOFT MVP - Security 2004/9. Member of ASAP since 2004. Member of U.N.I.T.E.

  2. #12
    Junior Member | Join Date: Aug 2007 | Posts: 26

    I did the scan...

    but I was unable to save the report as anything. When I clicked on the Reports icon, the program indicated that there were "no reports available." I went out of the program and back in, hoping it would appear under "Reports," but it still said "no reports available."

    I don't know why it did this. I did as you instructed and changed the setting to generate a report after every scan; but, it didn't apparently.

    I will have to run the whole thing again tomorrow.

  3. #13
    Junior Member | Join Date: Aug 2007 | Posts: 26

    Did the scan again today...

    This time nothing here. Last night it found 4 items. They were medium risk. One said "safer-networking" in the title. I followed your instructions and the program deleted them. Then, as I said in my last post, there was no report! I'm baffled as to why, but here is the log from the last scan of today:

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 11:30:15 AM 9/14/2007

    + Scan result:

    Nothing found.

    ::Report end

    I am in the process of reading and following your recommended tips for future prevention.

    What about that problem on the flash drive? Do you think AVG Anti-Spyware deleted it when I ran it the first time last night?

  4. #14
    steamwiz (Security Expert-Emeritus) | Join Date: Dec 2005 | Location: Yorkshire, U.K. | Posts: 1,313

    Quote Originally Posted by dancingqueen:
    "What about that problem on the flash drive? Do you think AVG Anti-Spyware deleted it when I ran it the first time last night?"
    I've no idea ... the log from the first scan may have told us, but as you couldn't get one ...

    please run these scans ... they wont hurt anything ....

    Please run this Flash_Disinfector tool by sUBs ...

    http://www.techsupportforum.com/sect...isinfector.exe

    Just download the exe file and double click on it to run it...then follow instructions

    A box will pop up telling you to plug in your flash drive and click OK to start the disinfection ... by the way, if you try to cross the box off with the X in the corner ... it will run anyway ... after a few seconds a box will pop up saying "done"

    -
    When you have done that ... please download "Mountpoints Diagnostic.zip" by Mosaic1

    http://www.help2go.com/index2.php?op...wnload&id=1450

    Unzip it & Double click to run it. It will create a report named Diagnostic.txt. When finished, upload Diagnostic.txt in your next post ...

    steam

  5. #15
    Junior Member | Join Date: Aug 2007 | Posts: 26

    Hey Steam! I know we're on the right track!

    I haven't had any more popups.

    I have, however, had a message that comes up now every time I boot up: Instruction at Ox734305be referenced memory at "Ox734305be." The memory could not be "written."

    It then asks me to click OK to terminate or Cancel to debug. I tried debugging, but it couldn't, so I now click OK every time it does it.

    As for the Mountpoint log, here it is:

    Diagnostic Report
    Sat 09/15/2007 11:55:36.67

    Mountpoints > Drives subkeys:
    ------------------------------------

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{37a56324-a579-11da-865f-0014a5723710}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,01,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,00,00,10,00,00,08,00,00,00

    ~~~~~~~~~~~~~~~~~~~~~~~~~

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{37a56325-a579-11da-865f-0014a5723710}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,01,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,00,00,10,00,00,08,00,00,00

    ~~~~~~~~~~~~~~~~~~~~~~~~~

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3b6e7aba-4783-11dc-891b-0014a5723710}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
    ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,00,00,10,00,00,09,06,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3b6e7aba-4783-11dc-891b-0014a5723710}\Shell]
    @="AutoRun"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3b6e7aba-4783-11dc-891b-0014a5723710}\Shell\Auto]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3b6e7aba-4783-11dc-891b-0014a5723710}\Shell\Auto\command]
    @="sxs.exe"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3b6e7aba-4783-11dc-891b-0014a5723710}\Shell\Autoplay]
    "MUIVerb"="@shell32.dll,-8504"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3b6e7aba-4783-11dc-891b-0014a5723710}\Shell\Autoplay\DropTarget]
    "CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3b6e7aba-4783-11dc-891b-0014a5723710}\Shell\AutoRun]
    "Extended"=""
    @="Auto&Play"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3b6e7aba-4783-11dc-891b-0014a5723710}\Shell\AutoRun\command]
    @="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe"

    ~~~~~~~~~~~~~~~~~~~~~~~~~

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{59abff24-6ed6-11db-881b-0014a5723710}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,\
    cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,00,01,00,00,00,08,02,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{59abff24-6ed6-11db-881b-0014a5723710}\shell]
    @="None"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{59abff24-6ed6-11db-881b-0014a5723710}\shell\Autoplay]
    "MUIVerb"="@shell32.dll,-8504"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{59abff24-6ed6-11db-881b-0014a5723710}\shell\Autoplay\DropTarget]
    "CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

    ~~~~~~~~~~~~~~~~~~~~~~~~~

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a8224d6-cbf6-11da-86d8-0014a5723710}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,\
    cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,00,00,10,00,00,08,02,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a8224d6-cbf6-11da-86d8-0014a5723710}\shell]
    @="None"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a8224d6-cbf6-11da-86d8-0014a5723710}\shell\Autoplay]
    "MUIVerb"="@shell32.dll,-8504"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a8224d6-cbf6-11da-86d8-0014a5723710}\shell\Autoplay\DropTarget]
    "CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

    ~~~~~~~~~~~~~~~~~~~~~~~~~

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{90108b12-b3dc-11da-8690-0014a5723710}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,00,00,10,00,00,08,00,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{90108b12-b3dc-11da-8690-0014a5723710}\shell]
    @="None"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{90108b12-b3dc-11da-8690-0014a5723710}\shell\Autoplay]
    "MUIVerb"="@shell32.dll,-8504"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{90108b12-b3dc-11da-8690-0014a5723710}\shell\Autoplay\DropTarget]
    "CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

    ~~~~~~~~~~~~~~~~~~~~~~~~~

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a3e42512-0ebf-11da-8e46-806d6172696f}]
    "BaseClass"="Drive"

    ~~~~~~~~~~~~~~~~~~~~~~~~~

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a3e42513-0ebf-11da-8e46-806d6172696f}]
    "BaseClass"="Drive"

    ~~~~~~~~~~~~~~~~~~~~~~~~~

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b08ad9b7-e455-11da-8730-0014a5723710}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,\
    cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,00,00,10,00,00,08,02,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b08ad9b7-e455-11da-8730-0014a5723710}\shell]
    @="None"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b08ad9b7-e455-11da-8730-0014a5723710}\shell\Autoplay]
    "MUIVerb"="@shell32.dll,-8504"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b08ad9b7-e455-11da-8730-0014a5723710}\shell\Autoplay\DropTarget]
    "CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

    ~~~~~~~~~~~~~~~~~~~~~~~~~

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cb23cb14-a591-11da-865a-806d6172696f}]
    "BaseClass"="Drive"

    ~~~~~~~~~~~~~~~~~~~~~~~~~

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cb23cb15-a591-11da-865a-806d6172696f}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,01,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,00,60,00,00,00,0c,00,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cb23cb15-a591-11da-865a-806d6172696f}\_Autorun]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cb23cb15-a591-11da-865a-806d6172696f}\_Autorun\DefaultIcon]
    @="D:\\setup.exe"

    ~~~~~~~~~~~~~~~~~~~~~~~~~

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d338965e-d624-11da-86fc-0014a5723710}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
    ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,00,00,10,00,00,08,03,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d338965e-d624-11da-86fc-0014a5723710}\shell]
    @="None"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d338965e-d624-11da-86fc-0014a5723710}\shell\Autoplay]
    "MUIVerb"="@shell32.dll,-8504"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d338965e-d624-11da-86fc-0014a5723710}\shell\Autoplay\DropTarget]
    "CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

    ~~~~~~~~~~~~~~~~~~~~~~~~~

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e2343b98-b524-11da-8694-0014a5723710}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
    cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,00,00,10,00,00,08,00,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e2343b98-b524-11da-8694-0014a5723710}\shell]
    @="None"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e2343b98-b524-11da-8694-0014a5723710}\shell\Autoplay]
    "MUIVerb"="@shell32.dll,-8504"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e2343b98-b524-11da-8694-0014a5723710}\shell\Autoplay\DropTarget]
    "CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

    ~~~~~~~~~~~~~~~~~~~~~~~~~

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ec2edcf7-cbfe-11db-886c-0014a5723710}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,\
    ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,00,20,00,00,00,09,00,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ec2edcf7-cbfe-11db-886c-0014a5723710}\_Autorun]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ec2edcf7-cbfe-11db-886c-0014a5723710}\_Autorun\DefaultIcon]

    ~~~~~~~~~~~~~~~~~~~~~~~~~

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7ac1c7a-00d2-11dc-88ab-0014a5723710}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
    cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,00,00,10,00,00,08,00,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7ac1c7a-00d2-11dc-88ab-0014a5723710}\shell]
    @="None"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7ac1c7a-00d2-11dc-88ab-0014a5723710}\shell\Autoplay]
    "MUIVerb"="@shell32.dll,-8504"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7ac1c7a-00d2-11dc-88ab-0014a5723710}\shell\Autoplay\DropTarget]
    "CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

    ~~~~~~~~~~~~~~~~~~~~~~~~~

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fad4e78e-6096-11da-bdce-806d6172696f}]
    "BaseClass"="Drive"

    ~~~~~~~~~~~~~~~~~~~~~~~~~

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fad4e78f-6096-11da-bdce-806d6172696f}]
    "BaseClass"="Drive"

    ~~~~~~~~~~~~~~~~~~~~~~~~~

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fad4e790-6096-11da-bdce-806d6172696f}]
    "BaseClass"="Drive"

    ~~~~~~~~~~~~~~~~~~~~~~~~~
    No Autorun files found in C:\WINDOWS

    No Autorun files found in C:\WINDOWS\system32

    C:\autorun.inf **folder** found
    Files in C:\autorun.inf
    Who created this folder.txt

    E:\autorun.inf **folder** found
    Files in E:\autorun.inf
    Who created this folder.txt

    No Autorun files found in root of G:

    And, last but not least, I downloaded all of the programs to create layers of protection recommended in Tony Klein's document. I have a question on that: I downloaded Zone Alarm, so should I turn off Windows' firewall?

  6. #16
    steamwiz (Security Expert-Emeritus) | Join Date: Dec 2005 | Location: Yorkshire, U.K. | Posts: 1,313

    Hi

    What was the last thing you ran/did before you started getting the error on startup?

    What is the full error message ... app name/ mod name ?

    Yes ... if you're now running ZoneAlarm ... turn off the Windows firewall.

    steam

  7. #17
    Junior Member | Join Date: Aug 2007 | Posts: 26

    The full message is...

    ON the top of the box, it reads:
    Explorer.EXE Application Error

    Then, inside the box, it says:
    The instruction at "Ox734305be" referenced memory at "Ox734305be." The memory could not be "written."

    Click on OK to terminate the program
    Click on Cancel to debug the program.

    But then, if I try to debug the program, it says that Dr. Watson's debugger has encountered a problem and must shut down.


    Boy, if it's not one thing it's another, huh!???

    Did you also see that flashdrive bug again?

    Thanks again for EVERYTHING! I don't know what I would have done without someone like you. We have a lot of medical expenses and it's a hard time.

  8. #18
    Junior Member | Join Date: Aug 2007 | Posts: 26

    I am almost certain that the last thing I did was to download and install Zone Alarm.

    However, I have had messages like this come up before...just not for a long time. It didn't seem to ever stop anything..but I do wonder what they are. Doesn't seem right.

  9. #19
    steamwiz (Security Expert-Emeritus) | Join Date: Dec 2005 | Location: Yorkshire, U.K. | Posts: 1,313

    Hi

    Sorry for the late reply, I've been away for the weekend...

    First ... your flashdrive ... the Flash_Disinfector tool by sUBs has now immunised you against future problems from this infection ...

    I want you to remove some entries from your registry. To save you actually going into the registry and deleting them, I am going to tell you how to make a reg file to do the job for you (much safer).

    1. Open a new notepad

    2. copy & paste the text from the code box below into it

    Code:
    REGEDIT4

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3b6e7aba-4783-11dc-891b-0014a5723710}]

    3. Save as filename: fixreg.reg

    4. save as Type: all files

    5. save to your desktop

    6. doubleclick the fixreg.reg file on your desktop & say yes to merge the contents with the registry

    7. you can then delete the fixreg.reg file

    -
    The error in startup ... is this every startup ?

    If it is, then I'll get you to remove a lot of third party programs which are loading at startup & see if you still get the error ... then we'll find out which one is causing it ... it looks like some other program is trying to write to an area of memory which is reserved for explorer ... the upside of this is that it is not a malware problem, just an annoyance...

    steam
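The registry pattern steamwiz points at in post #11 (a MountPoints2 drive key whose Shell default verb is AutoRun and whose Shell\Auto\command / Shell\AutoRun\command values launch sxs.exe) and the fixreg.reg deletion file in post #19 can both be automated from a Mountpoints Diagnostic style report. The script below is an added example, not code from the thread, from the Mountpoints Diagnostic tool or from Flash_Disinfector: it parses REGEDIT4-style key/value text, flags any drive GUID under MountPoints2 that carries a `\command` subkey, and writes the same `[-KEY]` REGEDIT4 file the fix uses. The sample report is constructed from keys quoted in this thread (one hijacked drive, one clean drive), and the function names are my own.

```python
import re

# Registry key that holds one subkey per drive volume GUID (named on the page).
MP2_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"

# Constructed sample input, trimmed to the shape of the Mountpoints Diagnostic
# report quoted in the thread: one hijacked drive key and one clean drive key.
SAMPLE_REPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3b6e7aba-4783-11dc-891b-0014a5723710}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
ff,ff,00,00,10,00,00,09,06,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3b6e7aba-4783-11dc-891b-0014a5723710}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3b6e7aba-4783-11dc-891b-0014a5723710}\Shell\Auto\command]
@="sxs.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3b6e7aba-4783-11dc-891b-0014a5723710}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{59abff24-6ed6-11db-881b-0014a5723710}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{59abff24-6ed6-11db-881b-0014a5723710}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{59abff24-6ed6-11db-881b-0014a5723710}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"
"""

KEY_RE = re.compile(r'^\[(?P<path>[^\]]+)\]$')
VALUE_RE = re.compile(r'^(?P<name>@|"[^"]*")=(?P<data>.*)$')
GUID_RE = re.compile(r'\\MountPoints2\\(?P<guid>\{[0-9a-fA-F-]{36}\})(?:\\(?P<sub>.+))?$')


def parse_reg_export(text):
    """Parse REGEDIT4 / .reg style text into {key_path: {value_name: data}}.

    Hex continuation rows (the ff,ff,... lines after a value ending in a
    backslash) match neither pattern and are skipped; the detection below
    only needs the key names and the default (@) values.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group('path')
            keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            name = value.group('name').strip('"')  # '@' is the key's default value
            data = value.group('data').strip('"').replace('\\\\', '\\')
            keys[current][name] = data
    return keys


def find_autorun_hijacks(keys):
    """Flag MountPoints2 drive GUIDs that carry a Shell\\...\\command value.

    A clean removable drive in the thread's report has shell default "None"
    and only an Autoplay\\DropTarget subkey; the infected one has its default
    verb set to AutoRun and command subkeys that launch sxs.exe.
    """
    drives = {}
    for path, values in keys.items():
        m = GUID_RE.search(path)
        if m:
            sub = (m.group('sub') or '').lower()
            drives.setdefault(m.group('guid'), {})[sub] = values
    findings = []
    for guid, subs in drives.items():
        commands = {sub: vals['@'] for sub, vals in subs.items()
                    if sub.endswith('\\command') and '@' in vals}
        if commands:
            findings.append({'guid': guid,
                             'default_verb': subs.get('shell', {}).get('@', ''),
                             'commands': commands})
    return findings


def build_removal_reg(findings):
    """Write a REGEDIT4 file deleting each flagged drive key.

    '[-KEY]' is the .reg syntax for deleting a key and everything under it,
    the same form as the fixreg.reg given in the thread.
    """
    lines = ['REGEDIT4', '']
    for f in findings:
        lines.append('[-%s\\%s]' % (MP2_KEY, f['guid']))
        lines.append('')
    return '\r\n'.join(lines)


if __name__ == '__main__':
    hits = find_autorun_hijacks(parse_reg_export(SAMPLE_REPORT))
    for hit in hits:
        print('%s  default verb=%r' % (hit['guid'], hit['default_verb']))
        for sub, cmd in sorted(hit['commands'].items()):
            print('    %s -> %s' % (sub, cmd))
    print(build_removal_reg(hits))
```

Run it against a saved Diagnostic.txt by replacing SAMPLE_REPORT with the file's contents; the printed REGEDIT4 text is what would go into fixreg.reg, and merging it removes only the flagged drive key, not the executable on the flash drive itself (which is what the scanner and Flash_Disinfector are for).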

  10. #20
    Junior Member | Join Date: Aug 2007 | Posts: 26

    oh boy!

    Okay, first, I hope you had a great weekend!

    Second, I am baffled! I was just posting to you from the (I thought, formerly infected) computer.

    I haven't had any more popups or home page hijackings.

    I thought perhaps I was taking too much of your time since I last posted, so I ran a little search on my error message. Other than my own posts, I found one other in another forum which indicated that the removal of Spywareguard could fix the problem. I removed it and it seems it did. I haven't had the error message since.

    HOWEVER, I tried to send this post from the (possibly? formerly) infected computer and I couldn't!! Every time I try to send the post, it asks me to sign in, even though I'm already signed in!

    I hope it works on this other computer (the one I am on now).....

    here goes....
