[djkeyper]

No good on either front. Firstly the Trend logs on the local machine show succesfully removed both malware but will not give the location for either. Secondly the Khasparsky scan won't load correctly. It won't install the AV update and thus won't continue. Quote : Update process FAILED. No further antivirus actions can be performed!
Attention, you must be online to activate Kaspersky Online Scanner, since the latest Anti-virus bases version must be downloaded prior to scan. Otherwise we cannot guarantee dection of latest viruses. [21]

Also the System Restore was again enabled, I turned it off.

I tried disabling the windows firewall (as it was also enabled?!?), and disabled the Spybot and SuperantiSpyware from the systray, and held down the left ctrl key to allow pop-ups. No go. I don't want to disable the Trend just yet. What other things do you suggest my learned friend? ~K

[Advertisements]

You can leave System Restore enabled by the way. Lets do this instead

Click here to use the F-Secure Online Scanner

• Then click the Start Scanning button below.
• You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
• Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
• In case you are having problems with installing the ActiveX/starting the scan, please read here.
• Click the Full System Scan button.
• It will start to download scanner components and databases. This can take a while.
• The main scan will start.
• Once the scan finished scanning, click the Automatic cleaning (recommended) button
• It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
• The cleaning can take a while, so please be patient.
• Then click the Show report button and copy and paste what's present under results in your next reply.

Trend Micro is probably detecting the files that are in quarantine or in system restore, so don't worry about them. This scan will remove anything that may be left.

[Rorschach112]

You can leave System Restore enabled by the way. Lets do this instead

Click here to use the F-Secure Online Scanner

• Then click the Start Scanning button below.
• You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
• Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
• In case you are having problems with installing the ActiveX/starting the scan, please read here.
• Click the Full System Scan button.
• It will start to download scanner components and databases. This can take a while.
• The main scan will start.
• Once the scan finished scanning, click the Automatic cleaning (recommended) button
• It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
• The cleaning can take a while, so please be patient.
• Then click the Show report button and copy and paste what's present under results in your next reply.

Trend Micro is probably detecting the files that are in quarantine or in system restore, so don't worry about them. This scan will remove anything that may be left.

[djkeyper]

Hello my friend!
I manged to get the scan done before the user left for the day. Here is the result.

Scanning Report
Monday, December 17, 2007 15:21:15 - 16:33:20
Computer name: RONSIBM
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 3 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 52295
System: 6440
Not scanned: 4
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 2
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\TEMP\ANTISPYWARE\SMITFRAUDFIX.ZIP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR.SYMBIO\LOCAL SETTINGS\TEMP\HSPERFDATA_ADMINISTRATOR\4156

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-12-17
F-Secure AVP: 7.0.171, 2007-12-17
F-Secure Orion: 1.2.37, 2007-12-17
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0597-150-72
F-Secure Pegasus: 1.19.0, 2007-11-10
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2006 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

[Rorschach112]

Your logs look good ! We need to do a few things

You can delete the tools that we used


Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

Make Internet Explorer more secure

• Click Start > Run
• Type Inetcpl.cpl & click OK
• Click on the Security tab
• Click Reset all zones to default level
• Make sure the Internet Zone is selected & Click Custom level
• In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
• Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* I notice that you have no firewall on your PC, this is extremely dangerous and leaves your PC open to vulnerabilities, so please download and install one of the following programs : ZoneAlarm, Comodo, or
Outpost
Make sure you only use one firewall though. A tutorial on understanding and using firewalls may be found here.

* I notice that you have no anti-virus program on your PC, this is extremely dangerous and leaves your PC open to vulnerabilities, so please download and install one of the following programs :
AVG makes an excellent free antivirus client, as do AntiVir or avast!.

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.

[djkeyper]

Most excellent! Rorshach112, I want to thank you for your quick and knowledgeable responses. I followed your final bits of advice and thank you for your suggestions to shore up our defenses. One note, we have Trend Micro running as our AV and Firewall solution. This is a server-sided management with local install of client so may account for the (hopefully) false readout.

Anyways I want to say that your quick response has been quite noteworthy and I certainly appreciate your help. A very good day to you Rorshach112! =D ~K

[Rorschach112]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.