[KennyJG44]

Kaspersky's scan

--------Start of File

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 15, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 15, 2008 20:18:26
Records in database: 957114
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 66210
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:56:57

No malware has been detected. The scan area is clean.

The selected area was scanned.




Please note that AntiVir still detects those files previously mentioned

KG

[Advertisements]

Hi Kenny,

Does avir give you locations of these, ie C:\windows or similar

[loophole]

Hi Kenny,

Does avir give you locations of these, ie C:\windows or similar

[KennyJG44]

Hi,

Yes AntiVir gives locations (sort of).....they are usually given at the same time as the alert, usually looking like this however (due to long path):

C:\....\aad987slkjsd87 (the ending always looks arbitrary like this)

I have noticed one location = C:\System Volume Information.... , but I don't have this folder when exploring.

I will look further when I get home to my sick computer.

Thanks,
Ken

[loophole]

C:\System Volume Information

This is yor system restore, they arent active unless you do a system restore. We will clear these in our last step

I wonder if its finding things in Nortons quarantine, or possibly in a dss backup The aad987slkjsd87 ending with no extention usually means an archive. I doubt any of it is active malware. Strange that Kaspersky saw nothing. Can you see if there is an export feature with Avira. Im sorry for my unfamiliarity with it, its one of the few I've never really messed around with.

[KennyJG44]

You were right....the first 3 detections I mentioned in previous post are in Symantec quarantine, as seen in AntiVir log below. For the life of me I cannot seem to figure out how to empty the quarantine on Norton's. The other 3, I'm not sure. Awaiting further instruction...computer still running slugishly.
t/y,
Ken

----------- Start of File



Avira AntiVir Personal
Report file date: Tuesday, July 15, 2008 17:44

Scanning for 1454594 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: LINDSAY

Version information:
BUILD.DAT : 8.1.0.308 16478 Bytes 5/28/2008 17:03:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 3/18/2008 15:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 2/7/2008 14:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 2/28/2008 14:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 2/21/2008 14:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 16:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 20:26:06
ANTIVIR2.VDF : 7.0.5.119 1264128 Bytes 7/15/2008 20:22:39
ANTIVIR3.VDF : 7.0.5.120 2048 Bytes 7/15/2008 20:22:40
Engineversion : 8.1.0.68
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 15:58:21
AESCRIPT.DLL : 8.1.0.53 303481 Bytes 7/15/2008 20:22:53
AESCN.DLL : 8.1.0.23 119156 Bytes 7/15/2008 20:22:49
AERDL.DLL : 8.1.0.20 418165 Bytes 7/13/2008 20:26:55
AEPACK.DLL : 8.1.2.1 364917 Bytes 7/15/2008 20:22:47
AEOFFICE.DLL : 8.1.0.20 192891 Bytes 7/13/2008 20:26:51
AEHEUR.DLL : 8.1.0.41 1339765 Bytes 7/15/2008 20:22:45
AEHELP.DLL : 8.1.0.15 115063 Bytes 7/13/2008 20:26:44
AEGEN.DLL : 8.1.0.29 307573 Bytes 7/13/2008 20:26:42
AEEMU.DLL : 8.1.0.6 430451 Bytes 7/13/2008 20:26:38
AECORE.DLL : 8.1.0.33 168311 Bytes 7/15/2008 20:22:41
AVWINLL.DLL : 1.0.0.7 14593 Bytes 1/23/2008 23:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 2/18/2008 16:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 1/23/2008 23:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 2/28/2008 14:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 1/23/2008 23:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 3/10/2008 20:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 3/6/2008 18:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Tuesday, July 15, 2008 17:44

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'symlcsvc.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'hposts08.exe' - '1' Module(s) have been scanned
Scan process 'hpoevm08.exe' - '1' Module(s) have been scanned
Scan process 'hpotdd01.exe' - '1' Module(s) have been scanned
Scan process 'hpohmr08.exe' - '1' Module(s) have been scanned
Scan process 'CTFMON.EXE' - '1' Module(s) have been scanned
Scan process 'sprtcmd.exe' - '1' Module(s) have been scanned
Scan process 'ccSvcHst.exe' - '1' Module(s) have been scanned
Scan process 'tfswctrl.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'ALG.EXE' - '1' Module(s) have been scanned
Scan process 'ViewMgr.exe' - '1' Module(s) have been scanned
Scan process 'ViewpointService.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'sprtsvc.exe' - '1' Module(s) have been scanned
Scan process 'AluSchedulerSvc.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'ccSvcHst.exe' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'LSASS.EXE' - '1' Module(s) have been scanned
Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned
Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned
Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned
Scan process 'SMSS.EXE' - '1' Module(s) have been scanned
37 processes with 37 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '25' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\{29DF888D-4F1A-40AB-A4F7-1371576ACECD}\{9236A32C-4140-4B6F-ADED-340E365FEC68}.qbd
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\{29DF888D-4F1A-40AB-A4F7-1371576ACECD}\{9236A32C-4140-4B6F-ADED-340E365FEC68}.qbd
[DETECTION] Is the Trojan horse TR/Dldr.PuritySca.A
[WARNING] The file could not be deleted!
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\{3391D760-AF13-485D-83C2-19A8D519396C}\{BD8871D5-14B9-49C2-9FE7-8EA6642F1103}.qbd
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\{3391D760-AF13-485D-83C2-19A8D519396C}\{BD8871D5-14B9-49C2-9FE7-8EA6642F1103}.qbd
[DETECTION] Is the Trojan horse TR/Drop.Agent.28160
[WARNING] The file could not be deleted!
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\{3F40D23A-A37F-48AD-BBEC-6EB1B43142DF}\{EC8C6737-620A-4DAB-9B37-CFF1BCADE5C2}.qbd
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\{3F40D23A-A37F-48AD-BBEC-6EB1B43142DF}\{EC8C6737-620A-4DAB-9B37-CFF1BCADE5C2}.qbd
[DETECTION] Is the Trojan horse TR/Crypt.PEPM.Gen
[WARNING] The file could not be deleted!
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
[WARNING] The file could not be opened!
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vfbyokqg.dll.vir
[DETECTION] Is the Trojan horse TR/Monderc.103424.3
[NOTE] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1052\A0085280.dll
[DETECTION] Is the Trojan horse TR/Monderc.103424.3
[NOTE] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1052\A0086279.dll
[DETECTION] Is the Trojan horse TR/Monderc.103424.3
[NOTE] The file was deleted!


End of the scan: Tuesday, July 15, 2008 18:50
Used time: 1:06:02 min

The scan has been done completely.

6870 Scanning directories
231022 Files were scanned
6 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
3 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
231016 Files not concerned
8993 Archives were scanned
6 Warnings
3 Notes

[loophole]

Great, They are all in Symantecs quarantine, your system restore except this one C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vfbyokqg.dll.vir, Its a quarantine folder that combofix makes so no harm there either


Follow these steps to uninstall Combofix and tools used in the removal of malware

• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  

Follow These directions for flushing system restore


Try this for deleting the quarantin, its for a previous version but should still apply

1. Start Norton AntiVirus.
If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet
Security, then start that program and click Norton AntiVirus.

2. In the left pane, click Reports.

3. Click View Norton Quarantined and Restore.

4. In the left pane, select the type of risk that you want to remove.

5. In the right pane, select the files that you want to remove.

6. Click Delete Item.

7. When you see the message "Warning! Are you sure that you want to remove this
item from Quarantine," click Yes.

8. Close the Quarantine window, and then exit Norton AntiVirus.

As far as the slowness, I think it is definately a RAM problem, Its the simplest way to fix the slowness problem I'm positive thats the problem. You have plenty of processing power but the processor has to wait on the ram to clear space before it can process the next function. Thats a crude explanation but the best way I can describe it without confusing both of us

Do you need help choosing an upgrade in ram, also let me know how te steps went

[KennyJG44]

Hey,

1) I had previously gotten rid of ComboFix so I was unable to carry out ComboFix /u; I deleted the directory w/the quarantined file.

2) System Restore successfully flushed.

3) Cannot find way to empty Norton's quarantine, your directions did not apply to this version of Norton's Internet Security.

Lastly, I pulled the RAM module out earlier, and its pretty old; might be hard to find something comparable:

Dell Part #D6467 DIMM (DRam; DDR II SDRam) 256, 400, 32x64, 8, 240, 1RX16

Only some of those numbers (256, 400) mean anything to me

Ken

[loophole]

Right click "my computer" then select properties, that will give you the make and model number of the pc, from there we can find out the best ram and deal for you.

Ill see if I can get directions on emptying the norton, just know its of no threat

[KennyJG44]

Hey,

I just wanted to say that I really appreciate you helping me out with this situation. Although it took time, its better than wiping out the drive and re-installing everything.

Its a Dell Dimension 4700 C
Pent 4 2.79 GHz
256 mb ram

Thanks again,
ken

[loophole]

Your welcome,

Im having some internet issues, will get back to you soon

[loophole]

http://www.memorysto...nsion4700C.html
http://www.4allmemor...;model_id=48797
http://www.newegg.co.......ries&DEPA=0

Have a look at the above, I recommend you get 1gig, that should work. Let me know what you are leaning towards

[KennyJG44]

I have several RAM modules around my house that I would like to try to use but for some reason they do not fit. The speed and type are the same, however the "keyed" part of the stick (where there is no plated contact) does not fit onto my board. Is there a way I can classify this - meaning what is the difference between these two pieces?

[loophole]

Unfortunately, Ram isnt uniform. Theres no way to alter it to fit what you need. They are made motherboard specific. So the only real difference is they are keyed differently. Probably so they can make more money