Trojan-Clicker.Win32.Small.qo


davidpat
Member with 81 posts.
Join Date: Aug 2005
Experience: Intermediate
26-Feb-2008, 10:42 AM #1
Trojan-Clicker.Win32.Small.qo
My virus scanner has popped up a "Scan Alert":

Trojan program:
Trojan-Clicker.Win32.Small.qo

File:
i:\system volume information\_restore{23cf0729-bce9-401b-acba-3116ae5757d4}\rp516\a0152830.exe


(i: is a USB drive)
It says that it ...cannot be disinfected: write is not supported.

At the same time ZoneAlarm keeps popping up an alert:

nsB.tmp is trying to launch C:\WINDOWS\system32\Macromed\Flash\FLASHUTIL9E.EXE, or use another program to gain access to privileged resources

Application: nsB.tmp

The name of the file changes but it is always xxx.tmp

First off I don't know if they are related, but they are both a pain in the a$$.
If I DENY the xxx.tmp file it disappears and then is recreated at a later date with a new name.

Antivirus: Kaspersky
Spyware: SpySweeper
Firewall: ZoneAlarm

Help!
David
cybertech
Moderator with 58,451 posts.
Join Date: Apr 2002
Location: Washington State
27-Feb-2008, 03:04 PM #2
Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
__________________
Microsoft MVP/Windows - Consumer Security


If we have helped you, please consider making a donation to TSG!
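The placeholder folder described in the note above protects a drive because a directory named autorun.inf occupies that name, so a file called autorun.inf cannot be created beside it. As an added example (not part of the original thread and not Flash_Disinfector's own code), the following Python audits a drive root and reports whether autorun.inf is absent, a placeholder folder, or a real file with launch commands; the names `audit_autorun` and `LAUNCH_KEYS` and the sample file contents are constructed for illustration.

```python
import os
import tempfile

# autorun.inf keys that cause a program to be launched from the drive.
LAUNCH_KEYS = {"open", "shellexecute",
               "shell\\open\\command", "shell\\explore\\command"}

def audit_autorun(root):
    """Classify the autorun.inf entry at a drive root.

    Returns (status, commands): status is 'placeholder-folder', 'absent'
    or 'autorun-file'; commands lists launch lines found in a real file.
    """
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        # A directory holds the name, so no autorun.inf file can be written.
        return "placeholder-folder", []
    if not os.path.isfile(path):
        return "absent", []
    commands = []
    with open(path, "r", encoding="latin-1") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith(";") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            if key.strip().lower() in LAUNCH_KEYS:
                commands.append((key.strip().lower(), value.strip()))
    return "autorun-file", commands

def demo():
    """Build three constructed drive roots and audit each one."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for name in ("clean", "protected", "suspicious"):
            os.mkdir(os.path.join(base, name))
        os.mkdir(os.path.join(base, "protected", "autorun.inf"))
        with open(os.path.join(base, "suspicious", "autorun.inf"), "w") as fh:
            # Constructed sample content, not taken from the thread.
            fh.write("[autorun]\nOPEN=sample.exe\nicon=drive.ico\n"
                     "shell\\open\\command=sample.exe\n")
        for name in ("clean", "protected", "suspicious"):
            results[name] = audit_autorun(os.path.join(base, name))
    return results

if __name__ == "__main__":
    for drive, (status, cmds) in demo().items():
        print(drive, status, cmds)
```

To check a real drive, call `audit_autorun` with its root path (for example the `i:\` drive from the first post); an `autorun-file` result with launch commands is the case worth investigating.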
davidpat
Member with 81 posts.
Join Date: Aug 2005
Experience: Intermediate
28-Feb-2008, 08:01 PM #3
OK...as I said, I didn't know if these 2 issues were related. The fix you gave me might have fixed one, but I just got a ZoneAlarm SUSPICIOUS BEHAVIOR popup:
ns4C.tmp is trying to launch C:\WINDOWS\system32\Macromed\Flash\FLASHUTIL9E.EXE, or use another program to gain access to privileged resources

Application: ns4C.tmp
it is located at C:\Documents and Settings\David\Local Settings\Temp\nsq4B.tmp\ns4C.tmp
How do I figure out what is creating this file and, more importantly, how do I get rid of it?
cybertech
Moderator with 58,451 posts.
Join Date: Apr 2002
Location: Washington State
29-Feb-2008, 11:20 AM #4
Remove Adobe Flash Player in add/remove programs.
davidpat
Member with 81 posts.
Join Date: Aug 2005
Experience: Intermediate
29-Feb-2008, 03:46 PM #5
Can you expand on that? It seems that something is trying to access the Flash player from my PC...I want to get rid of whatever that is. I have Adobe Flash Player ActiveX on my other 2 PCs and I don't see this issue. It sounds like "The termites are eating my house...get rid of the house." I want to get rid of the termites! Is there a way I can clean up whatever is creating the XXX.tmp file?
cybertech
Moderator with 58,451 posts.
Join Date: Apr 2002
Location: Washington State
29-Feb-2008, 03:58 PM #6
Go to this web site: http://virusscan.jotti.org/
In the File to upload & scan box copy and paste

C:\WINDOWS\system32\Macromed\Flash\FLASHUTIL9E.EXE

Then click the Submit button.

Copy the results and paste them back here in your next reply
davidpat
Member with 81 posts.
Join Date: Aug 2005
Experience: Intermediate
13-Mar-2008, 11:30 AM #7
Service load: 0% 100%

File: FlashUtil9e.exe
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 55dae09cbe5fe5e8eb2698107c18fd0d
Packers detected: -
Bit9 reports: No threat detected (more info)

A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
cybertech
Moderator with 58,451 posts.
Join Date: Apr 2002
Location: Washington State
13-Mar-2008, 02:32 PM #8
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

Click Exit on the Main menu to close the program.



Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
  • Click Close to exit the program.