Trojan.Vundo, Ultimate Defender(?), and probably much more. [Solved]


This topic is locked

#1 Seiaa (New Member)
I hope a little back story will help. I don't want to waste time, but there was definitely a series of events that led up to this and I don't know if it's relevant or not.


The other day some nasty little thing installed on my computer that opened Firefox windows to random sites like an airfare site and a pseudo white pages site. It would do this even without me opening Firefox. It would start the program itself, or if Firefox was running it'd open a new tab.

I was a little distressed.

So I did a little googling and ended up on this forum because someone had a similar problem before. I started to read through the steps and realized that it wasn't going to be as simple as just looking at their solution, since everyone's computer is different and so are their running tasks, etc.

It was late, I was ill, and I wanted the problem fixed right away! (I am unfortunately impulsive) I had noticed what I thought to be a recommendation or something like it for STOPZilla and in a slip of memory and judgment I went and downloaded it. My slip in memory was that I already have Malwarebytes' Anti-Malware and I even purchased STOPZilla.

After running a scan and finding over 100 (?!) infections, including Trojan.Vundo, I got really panicky and purchased the product, since it wouldn't get rid of anything before that. I wasn't displeased with the results until it started to find the same things it had just gotten rid of, such as Ultimate Defender and Trojan.Vundo. (Is this program worth keeping?)

I mean, I guess it did something right, because whatever sent Firefox off in its own direction seems to be gone, but now my Trend Micro PC-Cillin Internet Security is catching things it didn't seem to before and I don't know if anything is conflicting with anything else.

Finally getting my butt into gear I came back to these forums and I've gone through all the steps detailed in the "Read this before you post" post. (I never realized how many processes I un-enabled in msconfig until I re-enabled them all. My tray hasn't been this cluttered since I first turned the computer on)

I've run Mbam twice and each time it still finds (and says it's fixed) Trojan.Vundo, but obviously not, because it was still there the second time I scanned.



I'm running Windows XP Media Center Edition on a Dell Inspiron E1505, I have Trend Micro PC-Cillin Internet Security 12 and STOPZilla ( :) ), and Mbam.



Here's the HijackThis Log, thanks in advance.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:37 AM, on 12/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\lxdicoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Creative\MEDIAS~1\MtdAcqu.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\DOCUME~1\Rebekah\LOCALS~1\Temp\clclean.0001
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {180F4BCE-92E5-4586-AA3D-3E7FC1677A17} - C:\WINDOWS\system32\jkKCuSIx.dll (file missing)
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe" -l
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [MtdAcqu] "C:\PROGRA~1\Creative\MEDIAS~1\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-20\..\Run: [direfozemi] Rundll32.exe "C:\WINDOWS\system32\duguyubi.dll",s (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Button Manager v1.874.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL c:\windows\system32\vugukibo.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 17058 bytes

Edited by Seiaa, 24 December 2008 - 09:50 AM.

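As an added example (not from the original post, from the helper's reply, or from HijackThis itself), the script below applies to the log above the checks a malware-removal helper makes by eye: BHO/toolbar/button registrations whose file is missing, Run keys under service-account hives such as the HKUS\S-1-5-20 entry, every AppInit_DLLs entry (those DLLs are injected into every process that links user32.dll, so each one deserves a look), and DLL file names that look machine-generated. The sample lines are copied from the log above; the random-name heuristic and the small allowlist are the editor's assumptions tuned to this log, not a documented Vundo signature.

```python
"""Triage a HijackThis v2.0.x log for load-point entries worth a second look.

Added example for this thread; the heuristics are the editor's, not HijackThis's.
"""
import re

# Constructed sample: six lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {180F4BCE-92E5-4586-AA3D-3E7FC1677A17} - C:\WINDOWS\system32\jkKCuSIx.dll (file missing)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-20\..\Run: [direfozemi] Rundll32.exe "C:\WINDOWS\system32\duguyubi.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL c:\windows\system32\vugukibo.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

VOWELS = set("aeiou")
# Assumed allowlist: vendor DLLs this log legitimately loads via rundll32.
KNOWN_GOOD = {"nvcpl", "nvhotkey", "ctmbha"}

# Captures the file stem of every "\<name>.dll" reference on a line.
STEM_RE = re.compile(r'\\([^\\\s",]+)\.dll\b', re.IGNORECASE)
SERVICE_HIVE_RE = re.compile(r"HKUS\\S-1-5-(18|19|20)\\")


def looks_random(stem):
    """Heuristic for machine-generated 8-letter DLL names.

    Matches the two shapes seen in this log: pronounceable consonant/vowel
    alternation (duguyubi, vugukibo) and mixed-case letter salad (jkKCuSIx).
    Editor's heuristic, not a Vundo signature; expect some false positives.
    """
    if len(stem) != 8 or not stem.isalpha() or stem.lower() in KNOWN_GOOD:
        return False
    cv = ["v" if ch in VOWELS else "c" for ch in stem.lower()]
    alternating = all(cv[i] != cv[i + 1] for i in range(len(cv) - 1))
    case_flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return alternating or case_flips >= 3


def triage(log_text):
    """Return {log line: [reasons]} for every O-section entry that merits review."""
    findings = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not re.match(r"O\d+ - ", line):
            continue  # skip blank lines and the R0/R1 start-page entries
        section = line.split(" - ", 1)[0]
        stems = STEM_RE.findall(line)
        reasons = []

        # CLSID still registered but the DLL is gone: leftover of a removed component.
        if section in {"O2", "O3", "O9"} and ("(file missing)" in line or "(no file)" in line):
            reasons.append("registration points at a missing file")

        # Run keys in the SYSTEM / LOCAL SERVICE / NETWORK SERVICE hives are rarely legitimate.
        if section == "O4" and SERVICE_HIVE_RE.search(line):
            reasons.append("Run key under a service-account hive")

        # AppInit_DLLs are loaded into every process that links user32.dll.
        if section == "O20":
            reasons.extend("AppInit_DLLs entry: " + s for s in stems)

        # Machine-generated DLL names at any load point.
        if section in {"O2", "O4", "O20"}:
            reasons.extend("random-looking DLL name: " + s for s in stems if looks_random(s))

        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    ->", reason)
```

Run against the full log, the same checks also surface the O4 entries that are plain vendor noise (so the allowlist is where a helper's knowledge of the machine goes), while the O23 service list is best read against the running-process list at the top of the log to spot services registered but no longer running.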


#2 Transience (Retired Staff)
Hi Seiaa and welcome to Geeks to Go! My name is Dave and I'll be helping you out with your malware problem. First, to answer your question:

(Is this program worth keeping?)

STOPzilla is a well-respected program that has been around for a while. It was initially just a popup blocker but has since grown into a full-blown antispyware program. I can't say I've tested it much myself; however, since you've already purchased a subscription, it makes sense to stick with it. It should suffice to keep you protected. For the future, though, I would never recommend paying for any security software. The free antivirus, firewall, and antispyware programs available are in most cases actually more effective than paid software.

Let's do this for starters:

1. Norton Removal Tool

It looks like Norton/Symantec is/was installed on your computer, but you're not actively using it anymore. Remains are left over when Norton is uninstalled, and it's best to remove them. We'll use the Norton Removal Tool to get rid of it once and for all. Click the link and select the version of the tool appropriate to your version of the software. Save the tool to your desktop, then double click it and follow the prompts to finish removing Norton.

2. Remove Vundo

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

3. Lop Search & Destroy

Download Lop S&D and save it to your desktop.

Note: Before running this program, please disable all your active protection programs (antivirus, firewall) so they don't interfere. Use this page for reference if you don't know how.
  • Double-click Lop S&D.exe to run it.
  • Choose the language, then choose Option 1 (Search).
  • Allow the scan to complete.
  • Post the log which is created, located at C:\lopR.txt.
In your next reply I just need the logs from VundoFix and Lop S&D, also let me know of anything noteworthy (error messages) that occurred while performing my instructions.

Cheers,
Dave

#3 Seiaa (Topic Starter)
Ran the Norton removal program without a hitch, didn't get any error messages with anything else either. So far so good. :)

Here's the VundoFix log


VundoFix V7.0.6

Scan started at 11:37:08 AM 12/24/2008

Listing files found while scanning....

C:\Windows\system32\divxdec_0407.dll
C:\Windows\system32\divxdec_0411.dll
C:\Windows\system32\RGSS100J.dll

Beginning removal...

Attempting to delete C:\Windows\system32\divxdec_0407.dll
C:\Windows\system32\divxdec_0407.dll Has been deleted!

Attempting to delete C:\Windows\system32\divxdec_0411.dll
C:\Windows\system32\divxdec_0411.dll Has been deleted!

Attempting to delete C:\Windows\system32\RGSS100J.dll
C:\Windows\system32\RGSS100J.dll Has been deleted!

Performing Repairs to the registry.
Done!


Aaaand the lopR log. (I am amused that under "Cracks and Keygens" it picked up every file that had the word "crack" in it. I didn't realize just how many files, mostly art I've saved, used the word "crack" in their names. Hahaha :) )


--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Intel® Core™2 CPU T7400 @ 2.16GHz )
BIOS : Phoenix ROM BIOS PLUS Version 1.10 A08
USER : Rebekah ( Administrator )
BOOT : Normal boot
Antivirus : Trend Micro PC-cillin Internet Security 12.7.1019 (Not Activated)
Firewall : Trend Micro PC-cillin Internet Security (Firewall) 12 (Not Activated)
C:\ (Local Disk) - NTFS - Total:79 Go (Free:4 Go)
D:\ (Local Disk) - NTFS - Total:26 Go (Free:2 Go)
E:\ (CD or DVD)
F:\ (CD or DVD)
G:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( Wed 12/24/2008|12:18 )

--------------------\\ Listing folders in APPLIC~1

[08/16/2005|04:50] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities
[08/16/2005|04:30] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft
[09/12/2006|07:22] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Symantec

[10/30/2006|01:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[10/30/2006|01:17] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe Systems
[09/18/2006|05:24] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL
[10/02/2008|11:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple
[11/18/2008|06:15] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
[07/16/2008|08:10] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Autodesk
[09/12/2006|07:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Creative Labs
[08/16/2005|08:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> DIGStream
[07/23/2007|10:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Google
[09/12/2006|07:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> GTek
[09/12/2006|07:21] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> InstallShield
[08/01/2008|10:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> LightScribe
[11/01/2006|11:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Macromedia
[11/02/2008|12:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes
[12/14/2007|04:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[06/11/2008|09:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> NCH Software
[08/19/2008|09:13] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Nero
[10/04/2006|10:24] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> NVIDIA
[03/30/2007|12:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Otto
[10/05/2006|09:30] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> QuickTime
[09/05/2007|08:21] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Roxio
[12/24/2008|01:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SITEguard
[09/05/2007|08:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Sonic
[05/23/2007|06:09] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy
[12/24/2008|12:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> STOPzilla!
[01/11/2007|11:08] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Viewpoint
[03/31/2007|11:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Visual Networks
[09/20/2006|02:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[12/14/2007|04:44] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> WLInstaller

[08/16/2005|04:50] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Identities
[08/16/2005|04:30] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft
[09/12/2006|07:22] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Symantec

[01/31/2008|05:28] C:\DOCUME~1\Guest\APPLIC~1\<DIR> Adobe
[01/07/2008|08:55] C:\DOCUME~1\Guest\APPLIC~1\<DIR> AOL
[07/22/2008|01:00] C:\DOCUME~1\Guest\APPLIC~1\<DIR> ArcSoft
[06/13/2007|02:12] C:\DOCUME~1\Guest\APPLIC~1\<DIR> Earthlink
[06/13/2007|02:11] C:\DOCUME~1\Guest\APPLIC~1\<DIR> Google
[12/24/2008|07:08] C:\DOCUME~1\Guest\APPLIC~1\<DIR> Gtek
[08/16/2005|04:50] C:\DOCUME~1\Guest\APPLIC~1\<DIR> Identities
[01/07/2008|08:55] C:\DOCUME~1\Guest\APPLIC~1\<DIR> InstallShield
[01/31/2008|05:28] C:\DOCUME~1\Guest\APPLIC~1\<DIR> Macromedia
[07/22/2008|02:14] C:\DOCUME~1\Guest\APPLIC~1\<DIR> Microsoft
[01/31/2008|05:16] C:\DOCUME~1\Guest\APPLIC~1\<DIR> Mozilla
[09/12/2006|07:22] C:\DOCUME~1\Guest\APPLIC~1\<DIR> Symantec
[01/31/2008|05:16] C:\DOCUME~1\Guest\APPLIC~1\<DIR> Talkback
[07/22/2008|01:27] C:\DOCUME~1\Guest\APPLIC~1\<DIR> U3

[08/16/2005|04:30] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft
[09/05/2007|09:13] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Roxio

[08/16/2005|04:30] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

[10/31/2008|05:13] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Adobe
[12/24/2008|01:13] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> AdobeUM
[09/18/2006|06:00] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Aim
[03/13/2007|05:42] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> AOL
[11/18/2008|06:16] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Apple Computer
[10/31/2008|05:13] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> ArcSoft
[10/31/2008|05:13] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Azureus
[10/14/2007|08:31] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> BSplayer
[10/14/2007|08:25] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> BSplayer Pro
[10/14/2007|08:17] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> CoreCodec
[09/18/2006|08:09] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Corel Photo Album
[09/20/2006|03:32] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Creative
[09/15/2007|08:34] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> CyberLink
[07/22/2008|08:10] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Download Manager
[05/21/2008|11:48] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> dvdcss
[05/23/2007|05:07] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> e frontier
[11/17/2006|05:07] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> GeoVid
[12/22/2008|10:04] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Google
[12/24/2008|07:17] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Gtek
[03/24/2008|12:48] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Hamachi
[03/23/2008|11:06] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Hamachi-Backup
[12/01/2006|10:52] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Help
[08/16/2005|04:50] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Identities
[09/05/2007|08:32] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> InstallShield
[11/07/2006|04:50] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Leadertech
[12/10/2008|01:53] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Lexmark Productivity Studio
[10/26/2006|07:53] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Lost Marble
[11/01/2006|11:14] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Macromedia
[11/02/2008|12:58] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Malwarebytes
[12/14/2007|04:51] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Microsoft
[08/29/2008|08:03] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Moyea
[12/17/2008|07:00] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Mozilla
[08/01/2008|08:57] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Nero
[02/06/2007|05:52] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Opera
[03/30/2007|12:48] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Otto
[02/17/2008|08:28] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Roxio
[12/20/2007|05:11] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> SmartFTP
[11/07/2006|04:51] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Sonic
[09/19/2006|12:54] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Sun
[09/18/2006|11:17] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Talkback
[12/03/2006|04:39] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Template
[08/18/2008|11:13] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> U3
[12/22/2008|12:21] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> uTorrent
[01/11/2007|11:08] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Viewpoint
[10/14/2007|08:09] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> vlc
[10/10/2008|08:31] C:\DOCUME~1\Rebekah\APPLIC~1\<DIR> Winamp

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[12/24/2008 12:05 PM][--a------] C:\WINDOWS\tasks\xnsqvyjd.job
[12/18/2008 06:57 PM][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[05/15/2008 12:02 AM][--a------] C:\WINDOWS\tasks\12 - Knockin' Down Hesitation.job
[04/04/2008 04:10 AM][--a------] C:\WINDOWS\tasks\[AnY]_Sukisyo_01_[7BC40CE0].job
[02/28/2008 12:44 AM][--a------] C:\WINDOWS\tasks\Shaman King - 52 [Soldats].job
[01/04/2008 10:18 AM][--a------] C:\WINDOWS\tasks\[3g-wpp]_Digimon_Adventure_-_00_[B0FFDFE6].job
[05/23/2007 11:12 PM][--a------] C:\WINDOWS\tasks\scholarshipessay.job
[12/24/2008 12:07 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[08/10/2004 05:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[06/28/2008|12:30] C:\Program Files\<DIR> 3D Home Design Suite
[12/11/2006|08:28] C:\Program Files\<DIR> 4Musics OGG to MP3 Converter
[02/06/2007|05:04] C:\Program Files\<DIR> Adobe
[06/13/2008|04:37] C:\Program Files\<DIR> AIM
[05/23/2007|04:41] C:\Program Files\<DIR> Alcohol Soft
[06/13/2008|04:37] C:\Program Files\<DIR> America Online 9.0
[07/07/2008|09:08] C:\Program Files\<DIR> Angels Online
[09/18/2006|06:00] C:\Program Files\<DIR> AOD
[09/12/2006|07:20] C:\Program Files\<DIR> AOL Companion
[10/02/2008|11:02] C:\Program Files\<DIR> Apple Software Update
[06/15/2008|03:16] C:\Program Files\<DIR> ArcSoft
[03/01/2008|02:21] C:\Program Files\<DIR> Audacity
[07/16/2008|08:09] C:\Program Files\<DIR> Autodesk
[12/11/2008|11:26] C:\Program Files\<DIR> AVI Codec Pack
[09/04/2008|09:26] C:\Program Files\<DIR> AVS4YOU
[06/11/2008|11:41] C:\Program Files\<DIR> Azureus
[09/12/2006|07:28] C:\Program Files\<DIR> BAE
[11/18/2008|06:15] C:\Program Files\<DIR> Bonjour
[09/12/2006|07:13] C:\Program Files\<DIR> Broadcom
[05/16/2008|11:49] C:\Program Files\<DIR> BurnAware Free Edition
[12/22/2008|07:11] C:\Program Files\<DIR> Common Files
[08/16/2005|04:38] C:\Program Files\<DIR> ComPlus Applications
[04/01/2007|08:22] C:\Program Files\<DIR> CompuServe 7.0
[09/12/2006|07:10] C:\Program Files\<DIR> CONEXANT
[09/21/2006|07:19] C:\Program Files\<DIR> CoreCodec
[09/12/2006|07:26] C:\Program Files\<DIR> Corel Corporation
[09/12/2006|07:15] C:\Program Files\<DIR> Creative
[09/05/2007|08:55] C:\Program Files\<DIR> Creative Installation Information
[09/12/2006|07:17] C:\Program Files\<DIR> CyberLink
[09/25/2008|06:30] C:\Program Files\<DIR> Daniusoft
[09/12/2006|07:36] C:\Program Files\<DIR> Dell
[12/24/2008|07:07] C:\Program Files\<DIR> DellSupport
[09/12/2006|07:14] C:\Program Files\<DIR> Digital Line Detect
[08/16/2005|08:54] C:\Program Files\<DIR> DIGStream
[12/11/2008|11:49] C:\Program Files\<DIR> DivX
[11/09/2008|08:45] C:\Program Files\<DIR> DOSBox-0.72
[05/22/2007|10:13] C:\Program Files\<DIR> e frontier
[06/11/2008|11:43] C:\Program Files\<DIR> EarthLink TotalAccess
[06/13/2008|04:37] C:\Program Files\<DIR> EnglishOtto
[03/27/2007|11:22] C:\Program Files\<DIR> Enterbrain
[12/24/2008|06:23] C:\Program Files\<DIR> ERUNT
[06/13/2008|04:37] C:\Program Files\<DIR> ESPNMotion
[06/16/2008|10:34] C:\Program Files\<DIR> FLV Player
[12/20/2007|02:04] C:\Program Files\<DIR> Free FLV Converter
[06/13/2008|04:37] C:\Program Files\<DIR> GemMaster
[07/24/2007|05:37] C:\Program Files\<DIR> Google
[10/14/2007|08:17] C:\Program Files\<DIR> Haali
[03/23/2008|10:54] C:\Program Files\<DIR> Hamachi
[12/22/2008|03:03] C:\Program Files\<DIR> Hijackthis
[06/15/2008|03:25] C:\Program Files\<DIR> INITIO
[06/15/2008|03:25] C:\Program Files\<DIR> InstallShield Installation Information
[09/05/2007|08:32] C:\Program Files\<DIR> InterActual
[12/13/2008|02:23] C:\Program Files\<DIR> Internet Explorer
[09/21/2006|07:19] C:\Program Files\<DIR> Jasc Software Inc
[09/12/2006|07:05] C:\Program Files\<DIR> Java
[12/12/2008|12:00] C:\Program Files\<DIR> K-Lite Codec Pack
[09/12/2006|07:20] C:\Program Files\<DIR> Learn2.com
[12/08/2008|08:26] C:\Program Files\<DIR> Lexmark 3500-4500 Series
[11/01/2006|11:11] C:\Program Files\<DIR> Macromedia
[07/16/2008|08:02] C:\Program Files\<DIR> MagicDisc
[11/10/2008|07:47] C:\Program Files\<DIR> MagicISO
[11/02/2008|12:58] C:\Program Files\<DIR> Malwarebytes' Anti-Malware
[06/23/2007|05:13] C:\Program Files\<DIR> Maxis
[08/15/2008|04:34] C:\Program Files\<DIR> Messenger
[09/12/2006|07:32] C:\Program Files\<DIR> Microsoft ActiveSync
[12/16/2007|04:27] C:\Program Files\<DIR> Microsoft CAPICOM 2.1.0.2
[08/16/2005|04:43] C:\Program Files\<DIR> microsoft frontpage
[11/17/2008|10:24] C:\Program Files\<DIR> Microsoft Kids
[09/15/2008|07:16] C:\Program Files\<DIR> Microsoft Office
[09/12/2006|07:18] C:\Program Files\<DIR> Microsoft Plus! Digital Media Edition
[09/12/2006|07:18] C:\Program Files\<DIR> Microsoft Plus! Photo Story 2 LE
[09/12/2006|07:35] C:\Program Files\<DIR> Microsoft SQL Server
[12/14/2007|04:52] C:\Program Files\<DIR> Microsoft SQL Server Compact Edition
[09/12/2006|07:32] C:\Program Files\<DIR> Microsoft Visual Studio
[09/09/2008|11:40] C:\Program Files\<DIR> Microsoft Works
[09/12/2006|07:32] C:\Program Files\<DIR> Microsoft.NET
[06/13/2008|04:37] C:\Program Files\<DIR> Modem Helper
[06/20/2008|10:01] C:\Program Files\<DIR> Movie Maker
[12/24/2008|12:18] C:\Program Files\<DIR> Mozilla Firefox
[09/15/2008|07:16] C:\Program Files\<DIR> MSECache
[08/16/2005|04:37] C:\Program Files\<DIR> MSN
[08/16/2005|04:37] C:\Program Files\<DIR> MSN Gaming Zone
[11/15/2006|06:37] C:\Program Files\<DIR> MSXML 4.0
[07/23/2007|10:17] C:\Program Files\<DIR> MUSICMATCH
[11/17/2008|10:19] C:\Program Files\<DIR> Myst
[06/20/2008|09:55] C:\Program Files\<DIR> NetMeeting
[06/13/2008|04:37] C:\Program Files\<DIR> NetWaiting
[09/12/2006|07:18] C:\Program Files\<DIR> NetZeroInstallers
[03/22/2007|12:58] C:\Program Files\<DIR> NEXON
[03/27/2007|11:24] C:\Program Files\<DIR> NJStar Japanese WP
[08/16/2005|04:38] C:\Program Files\<DIR> Online Services
[06/20/2008|09:55] C:\Program Files\<DIR> Outlook Express
[11/10/2008|07:47] C:\Program Files\<DIR> QuickTime
[09/12/2006|07:20] C:\Program Files\<DIR> Real
[09/04/2008|09:27] C:\Program Files\<DIR> Red Kawa
[06/13/2008|04:37] C:\Program Files\<DIR> RGB
[09/05/2007|08:24] C:\Program Files\<DIR> Roxio
[12/24/2007|09:52] C:\Program Files\<DIR> Samsung
[12/29/2006|02:01] C:\Program Files\<DIR> Sierra
[09/12/2006|07:10] C:\Program Files\<DIR> Sigmatel
[07/18/2007|08:42] C:\Program Files\<DIR> SlySoft
[12/20/2007|05:11] C:\Program Files\<DIR> SmartFTP Client
[12/20/2007|05:10] C:\Program Files\<DIR> SmartFTP Client 2.5 Setup Files
[09/05/2007|08:14] C:\Program Files\<DIR> Sonic
[05/23/2007|06:09] C:\Program Files\<DIR> Spybot - Search & Destroy
[12/22/2008|07:11] C:\Program Files\<DIR> STOPzilla!
[09/12/2006|07:13] C:\Program Files\<DIR> Synaptics
[07/19/2007|10:07] C:\Program Files\<DIR> Tales of Pirates Online
[07/07/2008|04:15] C:\Program Files\<DIR> The Learning Company
[11/11/2008|08:17] C:\Program Files\<DIR> The Silver Lining Demo RC1
[02/14/2008|04:24] C:\Program Files\<DIR> The Weather Channel FW
[06/13/2008|04:37] C:\Program Files\<DIR> The Weather Channel Toolbar
[12/22/2008|03:03] C:\Program Files\<DIR> Trend Micro
[03/15/2007|01:07] C:\Program Files\<DIR> UnH Solutions
[08/16/2005|04:50] C:\Program Files\<DIR> Uninstall Information
[01/30/2008|12:27] C:\Program Files\<DIR> uTorrent
[10/14/2007|08:07] C:\Program Files\<DIR> VideoLAN
[09/12/2006|07:20] C:\Program Files\<DIR> Viewpoint
[09/26/2006|10:17] C:\Program Files\<DIR> Wacom
[09/12/2006|07:21] C:\Program Files\<DIR> WebCyberCoach
[10/14/2007|08:25] C:\Program Files\<DIR> Webteh
[09/12/2006|07:08] C:\Program Files\<DIR> WIDCOMM
[01/10/2007|07:53] C:\Program Files\<DIR> WildTangent
[10/10/2008|08:31] C:\Program Files\<DIR> Winamp
[02/27/2008|07:02] C:\Program Files\<DIR> Windows Live
[06/13/2008|04:37] C:\Program Files\<DIR> Windows Media Connect 2
[06/20/2008|09:55] C:\Program Files\<DIR> Windows Media Player
[06/20/2008|09:55] C:\Program Files\<DIR> Windows NT
[08/16/2005|04:37] C:\Program Files\<DIR> Windows Plus
[08/16/2005|04:40] C:\Program Files\<DIR> WindowsUpdate
[01/28/2007|07:10] C:\Program Files\<DIR> WinRAR
[08/16/2005|04:43] C:\Program Files\<DIR> xerox
[11/17/2006|05:33] C:\Program Files\<DIR> zeraha.org

--------------------\\ Listing Folders in C:\Program Files\Common Files

[02/06/2007|05:05] C:\Program Files\Common Files\<DIR> Adobe
[10/30/2006|01:17] C:\Program Files\Common Files\<DIR> Adobe Systems Shared
[09/21/2006|02:22] C:\Program Files\Common Files\<DIR> AOL
[09/12/2006|07:20] C:\Program Files\Common Files\<DIR> aolshare
[11/18/2008|06:14] C:\Program Files\Common Files\<DIR> Apple
[06/15/2008|03:16] C:\Program Files\Common Files\<DIR> ArcSoft
[07/16/2008|08:29] C:\Program Files\Common Files\<DIR> Autodesk Shared
[09/04/2008|09:26] C:\Program Files\Common Files\<DIR> AVSMedia
[09/12/2006|07:15] C:\Program Files\Common Files\<DIR> Creative
[09/12/2006|07:14] C:\Program Files\Common Files\<DIR> Creative Labs Shared
[04/01/2007|08:22] C:\Program Files\Common Files\<DIR> CSSHARE
[09/12/2006|07:32] C:\Program Files\Common Files\<DIR> DESIGNER
[11/02/2008|12:51] C:\Program Files\Common Files\<DIR> Download Manager
[03/27/2007|11:22] C:\Program Files\Common Files\<DIR> Enterbrain
[09/12/2006|07:21] C:\Program Files\Common Files\<DIR> InstallShield
[12/22/2008|07:11] C:\Program Files\Common Files\<DIR> iS3
[09/12/2006|07:04] C:\Program Files\Common Files\<DIR> Java
[09/12/2006|07:33] C:\Program Files\Common Files\<DIR> L&H
[09/05/2007|08:24] C:\Program Files\Common Files\<DIR> LightScribe
[11/01/2006|11:12] C:\Program Files\Common Files\<DIR> Macromedia
[11/17/2008|10:24] C:\Program Files\Common Files\<DIR> Microsoft Shared
[08/16/2005|04:40] C:\Program Files\Common Files\<DIR> MSSoap
[08/19/2008|09:13] C:\Program Files\Common Files\<DIR> Nero
[09/12/2006|07:20] C:\Program Files\Common Files\<DIR> Nullsoft
[08/16/2005|04:33] C:\Program Files\Common Files\<DIR> ODBC
[09/12/2006|07:20] C:\Program Files\Common Files\<DIR> Real
[09/05/2007|08:18] C:\Program Files\Common Files\<DIR> Roxio Shared
[08/16/2005|04:40] C:\Program Files\Common Files\<DIR> Services
[09/05/2007|08:23] C:\Program Files\Common Files\<DIR> Sonic Shared
[08/16/2005|04:33] C:\Program Files\Common Files\<DIR> SpeechEngines
[09/05/2007|08:23] C:\Program Files\Common Files\<DIR> SureThing Shared
[12/24/2008|11:18] C:\Program Files\Common Files\<DIR> Symantec Shared
[06/20/2008|09:55] C:\Program Files\Common Files\<DIR> System
[09/12/2006|07:19] C:\Program Files\Common Files\<DIR> TiVo Shared
[12/14/2007|04:50] C:\Program Files\Common Files\<DIR> WindowsLiveInstaller

--------------------\\ Process

( 79 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\Rebekah\LOCALS~1\Temp\nstmp

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-24 12:19:12
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

C:\WINDOWS\system32\aycdd.bak1
==> VUNDO <==

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\Rebekah\Application Data\Adobe\Common\Media Cache\C\Documents and Settings\Rebekah\Desktop\ProskysLandOfChibiCrack.avi.mcdb
C:\DOCUME~1\Rebekah\Application Data\Adobe\Common\Media Cache\C\Documents and Settings\Rebekah\Desktop\ProskysLandOfChibiCrack2.avi.mcdb
C:\DOCUME~1\Rebekah\Application Data\Adobe\Common\Media Cache\C\Documents and Settings\Rebekah\Desktop\ProskysWildWorldOfCrack.avi.mcdb
C:\DOCUME~1\Rebekah\Application Data\Adobe\Common\Media Cache\D\My Music Videos\ConventionCrack.wmv.mcdb
C:\DOCUME~1\Rebekah\Application Data\uTorrent\Registry Easy.v4.7-working.crack.rar.torrent
C:\DOCUME~1\Rebekah\Desktop\Kiriban_pic_plus_Crack_fan_art_by_OniYon.jpg
C:\DOCUME~1\Rebekah\My Documents\Brand_New_Background_by_TwitchWolfOnCrack.jpg
C:\DOCUME~1\Rebekah\My Documents\ProskysWildWorldOfCrack.avi
C:\DOCUME~1\Rebekah\My Documents\My Pictures\crackchibies.png
C:\DOCUME~1\Rebekah\My Documents\My Pictures\ladychimera & GardenGnomesWillStealYourSanity - Crack Comic I choose YOU!.jpg
C:\DOCUME~1\Rebekah\My Documents\My Pictures\Naruto_crack___shoulder_demons_by_askerian.jpg
C:\DOCUME~1\Rebekah\My Documents\My Pictures\Naruto_Valentine_Crack_by_gabzillaz.jpg
C:\DOCUME~1\Rebekah\My Documents\My Pictures\Naruto\Fan Art\hehehaha - NaruCrack - Petting Zoo.png
C:\DOCUME~1\Rebekah\My Documents\My Pictures\Video Games\Kingdom Hearts\A4R - omg it's their CRACK!baby.png.jpg
C:\DOCUME~1\Rebekah\My Documents\Role Plays\Naruto_Valentine_Crack_by_gabzillaz.jpg
C:\DOCUME~1\Rebekah\Recent\Kiriban_pic_plus_Crack_fan_art_by_OniYon.jpg.lnk
C:\DOCUME~1\Rebekah\Recent\omfgcrack.lnk


[F:6550][D:151]-> C:\DOCUME~1\Rebekah\LOCALS~1\Temp
[F:31][D:0]-> C:\DOCUME~1\Rebekah\Cookies
[F:1015][D:9]-> C:\DOCUME~1\Rebekah\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Wed 12/24/2008|12:28 - Option : [1]

--------------------\\ Scan completed at 12:28:49

#4
Transience

Transience

    Unofficial Music Guru

  • Retired Staff
  • 2,448 posts
Hi Seiaa -

A quick warning for your continued security before we continue cleaning: I see you're using p2p software, and it appears that you're using or have used cracks/keygens to illegally access paid software. I'm not here to lecture you about ethics and that isn't my place, but from a purely security standpoint using p2p software and cracks is a very bad idea. This is the one thing you can do to guarantee that you will end up infected. Many security experts refuse to help people who use p2p and cracks; they see it as a waste of time because of the almost certain prospect of reinfection. You could end up out of luck and have to reformat next time. I'm not asking you to stop, but you need to be aware of the risks so you can make an informed decision. Be careful.

Moving on:

1. Uninstall Programs

In the Add/Remove Programs menu of your Control Panel, please remove anything that says Viewpoint (Viewpoint Media Player, Viewpoint Manager, etc.)

2. ATF Cleaner

Please download ATF Cleaner by Atribune to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • Note: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • Note: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

3. OTMoveIt3

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Files
    C:\WINDOWS\tasks\xnsqvyjd.job
    C:\WINDOWS\system32\aycdd.bak1
    
    :Commands
    [Purity]
    [EmptyTemp]
    [Start Explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, navigate to the open C:\_OTMoveIt\MovedFiles folder. Open the newest .log file present in notepad and post its contents in your next reply.

4. Update Java

Your java is out of date, old versions of Java have vulnerabilities that can be exploited by malware. To update it, please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website, then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Just need the OTMI3 log in your next reply, don't bother with the JavaRa log. If that looks alright we'll just do a couple final scans and should have you on your way :)

- Dave

Edited by Transience, 24 December 2008 - 01:16 PM.

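As an added example, not part of this thread and not code from Lop SD or OTMoveIt3, here is a small Python triage of the log's Scheduled Tasks section that checks the two signs that distinguish xnsqvyjd.job from the other tasks in the listing above: a .job whose name looks machine-generated, and one that appeared within a day or two of the scan. The sample lines are constructed to mirror that listing; the vowel-ratio threshold for "random-looking" is an assumption, and the :Files section it emits only reproduces the one-path-per-line layout of the OTMoveIt3 script in the instructions above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the "Scheduled Tasks" section of a Lop SD log, in the
# same "[date time][attributes] path" layout as the one posted in this thread.
SAMPLE_TASKS_LOG = r"""
[12/24/2008 12:05 PM][--a------] C:\WINDOWS\tasks\xnsqvyjd.job
[12/18/2008 06:57 PM][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[05/15/2008 12:02 AM][--a------] C:\WINDOWS\tasks\12 - Knockin' Down Hesitation.job
[04/04/2008 04:10 AM][--a------] C:\WINDOWS\tasks\[AnY]_Sukisyo_01_[7BC40CE0].job
[05/23/2007 11:12 PM][--a------] C:\WINDOWS\tasks\scholarshipessay.job
[12/24/2008 12:07 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[08/10/2004 05:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini
"""

LINE_RE = re.compile(r"^\[(?P<stamp>[^\]]+)\]\[(?P<attrs>[^\]]+)\]\s+(?P<path>.+?)\s*$")
VOWELS = set("aeiou")


def parse_tasks(log_text):
    """Turn each task line into a dict; lines in any other format are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp = datetime.strptime(m.group("stamp"), "%m/%d/%Y %I:%M %p")
        path = m.group("path")
        entries.append({"stamp": stamp, "attrs": m.group("attrs"),
                        "path": path, "name": path.rsplit("\\", 1)[-1]})
    return entries


def looks_random(stem, min_len=6, max_vowel_ratio=0.2):
    """Heuristic (the threshold is an assumption): a lowercase, letters-only name
    with almost no vowels is unlike anything a person or a normal installer picks."""
    if len(stem) < min_len or not stem.isalpha() or not stem.islower():
        return False
    vowels = sum(1 for c in stem if c in VOWELS)
    return vowels / len(stem) <= max_vowel_ratio


def triage_tasks(log_text, scan_stamp, recent_days=2):
    """Return [(name, reasons)] for every .job that has a random-looking name or
    appeared within `recent_days` of the scan. scan_stamp uses the format of the
    "Rootkit scan" line in the Lop SD log, e.g. "2008-12-24 12:19:12". Recency on
    its own is a weak signal (an installer may have just added a task); a hit
    carrying both reasons is the one worth acting on."""
    scan_time = datetime.strptime(scan_stamp, "%Y-%m-%d %H:%M:%S")
    findings = []
    for e in parse_tasks(log_text):
        name = e["name"]
        if not name.lower().endswith(".job"):
            continue  # SA.DAT and desktop.ini are normal Task Scheduler housekeeping
        reasons = []
        if looks_random(name[:-4]):
            reasons.append("random-looking name")
        if abs(scan_time - e["stamp"]) <= timedelta(days=recent_days):
            reasons.append("created within %d day(s) of the scan" % recent_days)
        if reasons:
            findings.append((name, reasons))
    return findings


def otmoveit_files_section(findings, tasks_dir=r"C:\WINDOWS\tasks"):
    """Render the ':Files' section of an OTMoveIt3 script, one path per line as in
    the script posted above, listing only the high-confidence (two-reason) hits."""
    lines = [":Files"]
    for name, reasons in findings:
        if len(reasons) >= 2:
            lines.append(tasks_dir + "\\" + name)
    return "\n".join(lines)


if __name__ == "__main__":
    hits = triage_tasks(SAMPLE_TASKS_LOG, "2008-12-24 12:19:12")
    for name, reasons in hits:
        print("%s -> %s" % (name, "; ".join(reasons)))
    print(otmoveit_files_section(hits))
```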

#5
Seiaa

Seiaa

    New Member

  • Topic Starter
  • Member
  • 7 posts
Hi Dave, thanks for all the help so far and the advice about P2P/uTorrent. :) At first I thought all the files with "Crack" were just the file names of pictures and videos I'd dubbed "crack" for their sheer ridiculousness and such, but I looked at it closer and the Registry Easy crack torrent I definitely don't remember ever trying to download. I went through and deleted the torrent since I haven't found any sign of it on the computer, but I think I'll be having a talk with one of my friends who I let borrow my computer from time to time. >>

Here's the OTMI3 log :)

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\WINDOWS\tasks\xnsqvyjd.job moved successfully.
C:\WINDOWS\system32\aycdd.bak1 moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Rebekah\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Rebekah\LOCALS~1\Temp\clclean.0001.dir.0000\~efe2.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Rebekah\LOCALS~1\Temp\clclean.0001 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Rebekah\LOCALS~1\Temp\etilqs_w61VHVsIAmiepast6mid scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_768.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Rebekah\Local Settings\Application Data\Mozilla\Firefox\Profiles\amlsr3qh.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rebekah\Local Settings\Application Data\Mozilla\Firefox\Profiles\amlsr3qh.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rebekah\Local Settings\Application Data\Mozilla\Firefox\Profiles\amlsr3qh.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rebekah\Local Settings\Application Data\Mozilla\Firefox\Profiles\amlsr3qh.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rebekah\Local Settings\Application Data\Mozilla\Firefox\Profiles\amlsr3qh.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rebekah\Local Settings\Application Data\Mozilla\Firefox\Profiles\amlsr3qh.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12242008_142417

Files moved on Reboot...
File C:\DOCUME~1\Rebekah\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp not found!
File C:\DOCUME~1\Rebekah\LOCALS~1\Temp\clclean.0001.dir.0000\~efe2.tmp not found!
C:\DOCUME~1\Rebekah\LOCALS~1\Temp\clclean.0001 moved successfully.
File C:\DOCUME~1\Rebekah\LOCALS~1\Temp\etilqs_w61VHVsIAmiepast6mid not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_768.dat not found!
C:\Documents and Settings\Rebekah\Local Settings\Application Data\Mozilla\Firefox\Profiles\amlsr3qh.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Rebekah\Local Settings\Application Data\Mozilla\Firefox\Profiles\amlsr3qh.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Rebekah\Local Settings\Application Data\Mozilla\Firefox\Profiles\amlsr3qh.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Rebekah\Local Settings\Application Data\Mozilla\Firefox\Profiles\amlsr3qh.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Rebekah\Local Settings\Application Data\Mozilla\Firefox\Profiles\amlsr3qh.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Rebekah\Local Settings\Application Data\Mozilla\Firefox\Profiles\amlsr3qh.default\XUL.mfl moved successfully.

Edited by Seiaa, 24 December 2008 - 02:55 PM.


#6
Transience

Transience

    Unofficial Music Guru

  • Retired Staff
  • 2,448 posts
Hi seiaa -

Sounds good to me :). Let's do a final check, after that you should be all set:

1. Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from here or here.

Double-click mbam-setup.exe to install the program.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware at the end of setup, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full Scan, then click Scan.
  • The scan will take a fairly long time to finish (you can leave it to run and go do something else), please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab.
  • Copy & Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so and allow MBAM to finish.

2. Kaspersky Online Scan

Kaspersky online scanner uses Java technology to perform the scan. Because your Java is out of date, we need to update it first so that the scan will run without issues.

Scan
  • Follow this link to the Kaspersky WebScanner
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
So post back with the logs from MBAM and Kaspersky and give me an update on how the PC is running, and we should have you on your way :).

- Dave

#7
Seiaa

Seiaa

    New Member

  • Topic Starter
  • Member
  • 7 posts
Hey Dave :) sorry it took so long to get back to you, the scans took a while and then I was dragged out somewhere while the Kaspersky scan went.

Here's the MBam log

Malwarebytes' Anti-Malware 1.30
Database version: 1399
Windows 5.1.2600 Service Pack 3

12/24/2008 6:46:25 PM
mbam-log-2008-12-24 (18-46-25).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 245837
Time elapsed: 2 hour(s), 42 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP556\A0173923.sys (Trojan.Downloader) -> Quarantined and deleted successfully.



aaand the Kaspersky log :)


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, December 24, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 24, 2008 19:42:43
Records in database: 1510545
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 197051
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:38:35

No malware has been detected. The scan area is clean.

The selected area was scanned.



Now, when MBam was scanning, PC-Cillin popped up with this alert:

Infected file: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP554\A0172617.dll
Virus name: DIAL_DIALER.RJ
User name: Rebekah
Scan action result: Denied Access.


It's different than the file MBam found but only slightly, the file type and the folder name is ever so slightly off, but then Kaspersky didn't find it, so perhaps MBam got rid of it along with the other file? I dunno. I did make sure that the anti-virus part of PC-Cillin wasn't going when Kaspersky was running so it wouldn't interfere.

I don't know, I'm not really worried about it, buuuuut it seemed important to mention. :)


Thanks again :)

#8
Transience

Transience

    Unofficial Music Guru

  • Retired Staff
  • 2,448 posts
Hi Seiaa -

C:\System Volume Information is the location of the System Restore cache. Scans often detect bad files that have been backed up in system restore, but there's no reason to worry - those files are completely separated from the rest of your PC and can't do anything. Still, in a second we'll clean out all your old system restore points that may be infected and create a new, clean one.

The good news: you're clean :).

We have a couple last things to take care of and then you're good to go.

Over the course of the fix you've used a variety of special tools to help with the cleaning process - none of these are of any use to you now that you're clean, and it's best not to have them hanging around on your computer. OTCleanIt is a small program that removes all the leftover tools and logs from cleanup of malware.

Please download OTCleanIt! to your desktop.
  • Double-click OTCleanIt.exe to run it. (Vista users, please right click on OTCleanIt.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your firewall or other protection attempts to block OTCleanIt's attempts to reach the internet, please allow it to run.
  • Click Yes to begin the Cleanup process and remove the tools we used, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
  • After the reboot all the tools we used should be gone.
Note: RSIT is not currently removed by OTCleanIt. If we used RSIT, feel free to delete RSIT.exe and the logfiles it created manually as they have no further use to you.

Now to get you off to a good start we will clean your system restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done
Finally, here are some tips I like to give people to reduce the potential for malware infection in the future; I strongly recommend that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.

Proper use of antivirus and firewall
Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, and if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features; make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, don't shut them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure nothing has slipped through your protection. Once a week works well for many people. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Finally, for a great tutorial on how to get the best protection out of your firewall, visit this link.

Safer web browser
Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a couple of good other options: Firefox and Opera. Both are excellent, faster, safer, more powerful and more functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here, which will detail some steps that can help you to make IE much safer.

Be careful
Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to exercise common sense. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully and look at the file extensions to make sure that you know what you're getting. Using peer-to-peer file sharing programs or downloading cracks and keygens is something else to avoid - the files you will be downloading are infected in a vast majority of cases, and the benefits simply aren't worth the risk to your computer.

Here are some other excellent tools for increasing your PC security:
SpywareBlaster: An excellent protection tool that targets a great many specific malware infections to stop them from installing.
MVPS Hosts File: Changes the windows hosts file to redirect your computer away from a huge number of dangerous websites if it ever tries to access any of them.
IE-SPYAD: Adds thousands of malware domains to the IE restricted zone to stop your computer from accessing them.
ATF Cleaner: Cleans unnecessary temporary files from your computer, run regularly to save disk space and keep your computer performing smoothly.
McAfee SiteAdvisor: A great firefox add-on that puts McAfee's database of tested sites at your fingertips so you can know whether or not that link you're about to click is safe.

Updates
Along with keeping all of the programs above that you choose to use updated, it is also important to keep up on system updates from Microsoft, as these patch critical security vulnerabilities and keep you safe. You can update them at this site if they don't automatically install for you: http://www.windowsupdate.com. If you have automatic updates, you should always install them as soon as possible, that extra time is worth it over getting infected from an exploit and having to clean your PC again.

And finally, see TonyKlein's good advice (recently rewritten by our own admin Kat) which reinforces and extends on some of the above concepts:
So how did I get infected in the first place?

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!

Cheers,
Dave

Edited by Transience, 25 December 2008 - 09:49 AM.


#9
Seiaa

Seiaa

    New Member

  • Topic Starter
  • Member
  • 7 posts
:) thank you so much and have a Merry Christmas!

#10
Transience

Transience

    Unofficial Music Guru

  • Retired Staff
  • 2,448 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.