I deleted that revsci file in the cookies folder and seconds later it came right back!
I right clicked that file and tested with malware and nothing wrong?
Malwarebytes' Anti-Malware 1.22
Database version: 984
Windows 5.1.2600 Service Pack 2
3:03:38 PM 7/23/2008
mbam-log-7-23-2008 (15-03-38).txt
Scan type: Quick Scan
Objects scanned: 1
Time elapsed: 4 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
You have got something that is making that key to make the folder and stuff that address cookie in there. So unless you are real good with the regs, I suggest saving what you would hate to lose and do a clean install.
That probably would be the fastest and easiest way to handle it.
There are about five other "newuser@" cookies in that folder. I think they change like the revsci ones--adding the brackets with a number [2]...
Broni seems to be familiar with that item. Let's get his take on it. I'd be inclined to do some more digging before we reinstall the OS esp since all we've seen is adware and cookies so far.
I'll go along with that idea.
Quote:
Originally Posted by fink
We're not done, yet.
Quote:
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
*** You need to update Java:
http://java.sun.com/javase/downloads/index.jsp
Java Runtime Environment (JRE) 6 Update 7
Uninstall all previous versions of Java through Add\Remove.
*** Download, and run CTFMON-Remover: http://www.gerhard-schlager.at/en/pr...ctfmonremover/
The CTFMON-Remover helps you remove the annoying CTFMON.EXE from your Windows operating system. The program is easy to use and displays whether the CTFMON.EXE is installed and running or not. If it was found then you can remove it within seconds. Just in case you need the CTFMON sometime in the future, there is also an option to restore the original one.
Note: The CTFMON.EXE is among other things responsible for changing the language schema of your keyboard (e.g. for switching between the German and English keyboard layout). So in case you are using this feature you shouldn't remove or disable the CTFMON.EXE!
*** Is Juno your ISP?
Also, open newuser@revsci[1].txt in Notepad, copy, and paste, back here.
I'll take care of the other stuff, here's the revsci txt.
Open Windows Explorer.
Navigate to:
C:\WINDOWS\system32\drivers\etc\ folder
You'll see the hosts file (no extension).
Right click on it, click Open with, select Notepad.
At the end of all text add the following line:
127.0.0.1 www.revsci.net (<---- watch for a "space" after 127.0.0.1)
Click File>Save.
Restart computer.
In Windows Explorer, navigate to:
C:\Documents and Settings\NewUser\Cookies
and delete newuser@revsci[2].txt, if it's there.
BTW....did YOU create "NewUser" account?
Awaiting your answers to my other questions.
Broni, I have juno as a backup in case the DSL has problems, so I hardly ever use it.
Your last post was done while I made the above. I'll do the w/e thing. No, I bought this used so maybe the newuser was done before me.
I have that number and "localhost" after it. Do you want me to delete "localhost" and insert "www.revsci.net"?
Well, I left "localhost" and typed "www.revsci.net" after it allowing a few spaces in between. After I tried to close and save it I got the message something like windows can't ... and then another window allowing me to save it as host file. Closed it and restarted but revsci file reappeared after I removed it. Checked back to that hosts file and "www.revsci.net" wasn't typed in there. ?
Wow! One thing at a time, please...
OK.
Quote:
I have juno as a backup in case the DSL has problems
That's fine.
Quote:
I have that number and "localhost" after it
You may need to take ownership of "hosts" file:
Quote:
After I tried to close and save it I got the message something like windows can't
http://www.winxptutor.com/ownership.htm
Then try again to add:
127.0.0.1 www.revsci.net
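An added example, not part of the original thread: a small Python check for the hosts edit discussed above, run against constructed sample text rather than a real system file. It shows which ways of writing the entry actually map www.revsci.net to loopback, and that an edit that never got saved leaves the name unblocked; the function names and sample strings are assumptions made for illustration.

```python
import ipaddress

def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text.
    Keeps the first mapping seen for a name (an assumption of this example)."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()                    # any run of spaces/tabs separates fields
        if len(fields) < 2:
            continue                             # an address with no name maps nothing
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an IP address
        for name in fields[1:]:                  # one line may carry several names
            mapping.setdefault(name.lower().rstrip("."), ip)
    return mapping

def is_sinkholed(hosts_text, host):
    """True when `host` is mapped to a loopback or unspecified address."""
    ip = parse_hosts(hosts_text).get(host.lower().rstrip("."))
    return ip is not None and (ip.is_loopback or ip.is_unspecified)

# Constructed sample file contents (not taken from the thread's machine).
SEPARATE_LINE = "127.0.0.1       localhost\n127.0.0.1 www.revsci.net\n"
SAME_LINE     = "127.0.0.1       localhost    www.revsci.net\n"
NO_SPACE      = "127.0.0.1       localhost\n127.0.0.1www.revsci.net\n"
NOT_SAVED     = "127.0.0.1       localhost\n"   # edit was rejected, file unchanged

if __name__ == "__main__":
    samples = {"separate line": SEPARATE_LINE, "same line": SAME_LINE,
               "no space": NO_SPACE, "not saved": NOT_SAVED}
    for label, text in samples.items():
        print(f"{label:14} www.revsci.net blocked: {is_sinkholed(text, 'www.revsci.net')}")
    # The hosts file matches exact names only: the bare domain is a separate entry.
    print("bare revsci.net blocked:", is_sinkholed(SEPARATE_LINE, "revsci.net"))
```

Re-running the check after a restart confirms whether the saved file really contains the entry.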
I discovered this http://www.winpatrol.com/ and it works. Interestingly the revsci problem showed up not under Mozilla but IE (C:\...Cookies\newuser..) according to winpatrol. Maybe THAT'S why they couldn't be blocked using tools/options in Mozilla.
Really appreciate all your help.
Very good, then :)
I'd like to see a fresh HJT log...