Very unusual problem [Solved]


  • This topic is locked This topic is locked

#31 jhn-e-bee (Member, Topic Starter, 89 posts)
OK, just did an MBAM scan and it found and quarantined 6 items:

worm.downadup
worm.kolab
worm.archive
malware.trace
disabled.securitycenter
disabled.securitycenter

Things seem a lot better; I can get to AV sites again and have even validated Windows. Here is the MBAM log:

Malwarebytes' Anti-Malware 1.44
Database version: 3902
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/23/2010 3:37:39 AM
mbam-log-2010-03-23 (03-37-39).txt

Scan type: Quick Scan
Objects scanned: 107135
Time elapsed: 4 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_Windows_HOSTS_CONTROLLER (Worm.Kolab) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windows hosts controller (Worm.Archive) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\waittokillservicet (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\heqxdc.dll (Worm.Downadup) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\45UFGT2F\jkmcjhj[1].png (Worm.Downadup) -> Quarantined and deleted successfully.


It's getting late, I imagine you have probably gone to bed. I will keep an eye out for when you get back.

Thanks.
  • 0

#32 jhn-e-bee (Member, Topic Starter, 89 posts)
OK, things are looking good since the MBAM scan. Have been online now for half an hour, validated Windows, no browser probs, and Kaspersky is still running. Fingers crossed heh.
  • 0

#33 jhn-e-bee (Member, Topic Starter, 89 posts)
It's started again!

Cannot access AV sites or microsoft.com. Kaspersky said it finished and that it had downloaded onto my PC, but I cannot find it. I am going to turn off and get some sleep; will be back on tomorrow lunchtime or early afternoon.

Thanks.
  • 0

#34 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
OK, do this.

Please download Dr.Web CureIt. Save it to your desktop:
  • Double-click the drweb-cureit.exe file and click Scan to run the express scan. Click OK in the pop-up window to allow the scan.
  • This will scan the files currently running in memory and, if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Note: this report may need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Please post the Dr.Web.txt report in your next reply.
  • Close Dr.Web CureIt.
  • Important! Reboot your computer, because it could be possible that files in use will be moved/deleted during reboot.
NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.


* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Check the next options: Remove found threats and Scan unwanted applications.
  • Click Scan.
  • Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic.

  • 0

#35 jhn-e-bee (Member, Topic Starter, 89 posts)
Cannot get to the Dr.Web site or the ESET site. Have to go out for an hour, so will pick up when I get back.

That is actually quite spooky. I have literally just got up and come out of the shower and checked here and there was no answer; I went over to check email quickly and there was an email saying there was a reply from you. We must have logged on here pretty much exactly the same time. Weird heh!
  • 0

#36 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Can you use another PC to download the file, then transfer it to the infected one?
  • 0

#37 jhn-e-bee (Member, Topic Starter, 89 posts)
OK, just started downloading Dr.Web CureIt from here:


Is this the same? I don't want any more viruses.

Edited by Rorschach112, 23 March 2010 - 05:08 AM.

  • 0

#38 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
No.

Can you use another PC to download it?
  • 0

#39 jhn-e-bee (Member, Topic Starter, 89 posts)
I would have to go into town with my flash drive, going to take an hour or two.

Is there anything else I should download while I am at it?
  • 0

#40 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Yes, download this too.

Save these instructions so you can have access to them while in Safe Mode.

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into Safe Mode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight Safe Mode, then hit Enter.

  • Double-click the setup file to run it.
  • Click Next to continue.
  • Accept the licence agreement and click on Next.
  • It will by default install it to your desktop folder. Click Next.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:

  • Hidden Startup Objects
  • System Memory
  • Disk Boot Sectors
  • My Computer
  • Also any other drives (removable) that you may have

Leave the rest of the settings as they appear by default.

  • Then click on Scan at the top right-hand corner.
  • It will automatically neutralize any objects found.
  • If some objects are left un-neutralized, then click the button that says Neutralize all.
  • If it says it cannot be neutralized, then choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to file; name it Kas.
  • Save it somewhere convenient like your desktop, and post only the detected virus/malware in the report; it will be at the very top under Detected. Post those results in your next reply.

    Note: This tool will self-uninstall when you close it, so please save the log before closing it.


  • 0

#41 jhn-e-bee (Member, Topic Starter, 89 posts)
OK, I have put them into a quick HTML page for quickness. I will set off in a minute; will be an hour or two.

Just so I'm sure, can I just download the installers onto my flash drive and then install them when I get back without going online? Or do I need to download the full programs?

And will they fit onto my flash drive (2GB), or should I take a blank DVD-R with me? Bear in mind I do not know if there is a facility to burn DVDs at the internet cafe.

Edited by jhn-e-bee, 23 March 2010 - 07:02 AM.

  • 0

#42 jhn-e-bee (Member, Topic Starter, 89 posts)
Right, I'm back.

Do you want me to run all three scans or just the first two for now?
  • 0

#43 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Run all 3.
  • 0

#44 jhn-e-bee (Member, Topic Starter, 89 posts)
Wow, that took some doing!

Here's the three log reports.

1. Dr.Web CureIt:

heqxdc.dll;C:\WINDOWS\system32;Win32.HLLW.Shadow.based;Deleted.;
autorun.inf;e:\;Win32.HLLW.Shadow;Deleted.;
ComboFix.exe\32788R22FWJFW\FIND3M.bat;C:\Documents and Settings\jhn barrett\Desktop\ComboFix.exe;Probably BATCH.Virus;;
ComboFix.exe;C:\Documents and Settings\jhn barrett\Desktop;Archive contains infected objects;Moved.;
paxbmj[1].bmp;C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\45UFGT2F;Win32.HLLW.Shadow.based;Deleted.;
A0001029.dll;C:\System Volume Information\_restore{B1345870-9C57-4F74-84F2-0A7BFF5F33FC}\RP1;Win32.HLLW.Shadow.based;Deleted.;
A0001030.exe\32788R22FWJFW\FIND3M.bat;C:\System Volume Information\_restore{B1345870-9C57-4F74-84F2-0A7BFF5F33FC}\RP1\A0001030.exe;Probably BATCH.Virus;;
A0001030.exe;C:\System Volume Information\_restore{B1345870-9C57-4F74-84F2-0A7BFF5F33FC}\RP1;Archive contains infected objects;Moved.;
jwgkvsq.vmx;E:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665;Win32.HLLW.Shadow.based;Deleted.;

2. ESET:

ESETSmartInstaller@High as downloader log:
Can not open internet
ESETSmartInstaller@High as downloader log:
Can not open internet
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=e7a03f511d3820479ad80eee250e6772
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-03-23 06:24:40
# local_time=2010-03-23 06:24:40 (+0000, GMT Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 4582 4582 0 0
# scanned=21117
# found=6
# cleaned=6
# scan_time=2352
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\45UFGT2F\ijkbxvla[1].gif Win32/Conficker.AA worm (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\_heqxdc_.dll.zip Win32/Conficker.AA worm (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{B1345870-9C57-4F74-84F2-0A7BFF5F33FC}\RP1\A0001029.dll a variant of Win32/Conficker.AA worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\Fonts\uninstall_.exe probably a variant of Win32/Hatob.E worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\Fonts\unwise_.exe probably a variant of Win32/Hatob.E worm (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\asr_aberzf.exe a variant of Win32/Hatob.E worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

3. Kaspersky:

3/23/2010 6:41:40 PM Task started
3/23/2010 6:49:47 PM Detected: Hoax.JS.BadJoke.RJump C:\Documents and Settings\jhn barrett\Desktop\installers\fp2006-final-3.00-setup.exe/data1625
3/23/2010 6:58:06 PM Deleted: Hoax.JS.BadJoke.RJump C:\Documents and Settings\jhn barrett\Desktop\installers\fp2006-final-3.00-setup.exe
3/23/2010 7:07:37 PM Detected: Hoax.JS.BadJoke.RJump C:\Program Files\Evrsoft First Page 2006\Iscripts\Page Details\crazy-window.izs
3/23/2010 7:08:49 PM Deleted: Hoax.JS.BadJoke.RJump C:\Program Files\Evrsoft First Page 2006\Iscripts\Page Details\crazy-window.izs
3/23/2010 7:18:44 PM Detected: Hoax.JS.BadJoke.RJump C:\System Volume Information\_restore{B1345870-9C57-4F74-84F2-0A7BFF5F33FC}\RP1\A0000003.exe/data1625
3/23/2010 7:19:19 PM Detected: Net-Worm.Win32.Kido.ih C:\WINDOWS\system32\heqxdc.dll
3/23/2010 7:20:03 PM Untreated: Net-Worm.Win32.Kido.ih C:\WINDOWS\system32\heqxdc.dll Cannot be disinfected
3/23/2010 7:20:56 PM Deleted: Net-Worm.Win32.Kido.ih C:\WINDOWS\system32\heqxdc.dll
3/23/2010 7:23:19 PM Deleted: Hoax.JS.BadJoke.RJump C:\System Volume Information\_restore{B1345870-9C57-4F74-84F2-0A7BFF5F33FC}\RP1\A0000003.exe
3/23/2010 7:27:05 PM Detected: Net-Worm.Win32.Kido.ih E:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx
3/23/2010 7:27:06 PM Detected: Net-Worm.Win32.Kido.ir E:\autorun.inf
3/23/2010 7:31:39 PM Untreated: Net-Worm.Win32.Kido.ih E:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx Cannot be disinfected
3/23/2010 7:31:39 PM Untreated: Net-Worm.Win32.Kido.ir E:\autorun.inf Cannot be disinfected
3/23/2010 7:36:04 PM Deleted: Net-Worm.Win32.Kido.ir E:\autorun.inf
3/23/2010 7:36:17 PM Task stopped


Disinfect active threats: completed 6 minutes ago (events: 5, objects: 1023, time: 00:02:59)
3/23/2010 7:39:13 PM Task completed
3/23/2010 7:36:26 PM Deleted: Net-Worm.Win32.Kido.ih E:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx
3/23/2010 7:36:17 PM Untreated: Net-Worm.Win32.Kido.ih E:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx Cannot be disinfected
3/23/2010 7:36:15 PM Detected: Net-Worm.Win32.Kido.ih E:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx
3/23/2010 7:36:14 PM Task started
Autoscan: stopped 8 minutes ago (events: 16, objects: 54164, time: 00:54:37)
3/23/2010 7:36:17 PM Task stopped
3/23/2010 7:36:04 PM Deleted: Net-Worm.Win32.Kido.ir E:\autorun.inf
3/23/2010 7:31:39 PM Untreated: Net-Worm.Win32.Kido.ir E:\autorun.inf Cannot be disinfected
3/23/2010 7:31:39 PM Untreated: Net-Worm.Win32.Kido.ih E:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx Cannot be disinfected
3/23/2010 7:27:06 PM Detected: Net-Worm.Win32.Kido.ir E:\autorun.inf
3/23/2010 7:27:05 PM Detected: Net-Worm.Win32.Kido.ih E:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx
3/23/2010 7:23:19 PM Deleted: Hoax.JS.BadJoke.RJump C:\System Volume Information\_restore{B1345870-9C57-4F74-84F2-0A7BFF5F33FC}\RP1\A0000003.exe
3/23/2010 7:20:56 PM Deleted: Net-Worm.Win32.Kido.ih C:\WINDOWS\system32\heqxdc.dll
3/23/2010 7:20:03 PM Untreated: Net-Worm.Win32.Kido.ih C:\WINDOWS\system32\heqxdc.dll Cannot be disinfected
3/23/2010 7:19:19 PM Detected: Net-Worm.Win32.Kido.ih C:\WINDOWS\system32\heqxdc.dll
3/23/2010 7:18:44 PM Detected: Hoax.JS.BadJoke.RJump C:\System Volume Information\_restore{B1345870-9C57-4F74-84F2-0A7BFF5F33FC}\RP1\A0000003.exe/data1625
3/23/2010 7:08:49 PM Deleted: Hoax.JS.BadJoke.RJump C:\Program Files\Evrsoft First Page 2006\Iscripts\Page Details\crazy-window.izs
3/23/2010 7:07:37 PM Detected: Hoax.JS.BadJoke.RJump C:\Program Files\Evrsoft First Page 2006\Iscripts\Page Details\crazy-window.izs
3/23/2010 6:58:06 PM Deleted: Hoax.JS.BadJoke.RJump C:\Documents and Settings\jhn barrett\Desktop\installers\fp2006-final-3.00-setup.exe
3/23/2010 6:49:47 PM Detected: Hoax.JS.BadJoke.RJump C:\Documents and Settings\jhn barrett\Desktop\installers\fp2006-final-3.00-setup.exe/data1625
3/23/2010 6:41:40 PM Task started

Hope these are the right logs. Kaspersky had quite a few threats that it could not neutralize; it had an option to create another report to be sent to a security expert, and a box to paste in the code that they sent back so that Kaspersky could deal with these, like with some of the other programs we have used. I had the report done and have copied this. Let me know if we can use this. It came as an HTML file, but I copied it into Word also.
  • 0
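The four logs posted in this thread (the MBAM log in #31 and the Dr.Web, ESET and Kaspersky logs in the post above) name the same handful of artifacts, each in a different format, which makes it easy to lose track of what every scanner agreed on. As an added example, not code from the thread or from any of these vendors, here is a small Python triage script that parses excerpts of each log (the line formats are inferred from the posted lines, not from vendor documentation, so treat the regexes as assumptions) and lists the paths that more than one scanner flagged. Those are the artifacts worth confirming gone after the reboot, and the script also shows why a single tool's "clean" result is not conclusive here: each tool missed something another one caught.

```python
"""Cross-scanner triage of the logs posted in this thread (added example).

One parser per log format; the formats are inferred from the lines shown in
the thread, not taken from vendor documentation. Detections are keyed on the
lower-cased path so an artifact flagged by several scanners is reported once.
"""
import re
from collections import defaultdict, namedtuple

Detection = namedtuple("Detection", "tool path threat action")

# Excerpts copied from the MBAM, Dr.Web CureIt, ESET and Kaspersky logs posted
# in this thread; raw strings keep the Windows backslashes intact.
MBAM_LOG = r"""
Files Infected:
C:\WINDOWS\system32\heqxdc.dll (Worm.Downadup) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\45UFGT2F\jkmcjhj[1].png (Worm.Downadup) -> Quarantined and deleted successfully.
"""
DRWEB_LOG = r"""
heqxdc.dll;C:\WINDOWS\system32;Win32.HLLW.Shadow.based;Deleted.;
autorun.inf;e:\;Win32.HLLW.Shadow;Deleted.;
ComboFix.exe\32788R22FWJFW\FIND3M.bat;C:\Documents and Settings\jhn barrett\Desktop\ComboFix.exe;Probably BATCH.Virus;;
A0001029.dll;C:\System Volume Information\_restore{B1345870-9C57-4F74-84F2-0A7BFF5F33FC}\RP1;Win32.HLLW.Shadow.based;Deleted.;
jwgkvsq.vmx;E:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665;Win32.HLLW.Shadow.based;Deleted.;
"""
ESET_LOG = r"""
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\45UFGT2F\ijkbxvla[1].gif Win32/Conficker.AA worm (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{B1345870-9C57-4F74-84F2-0A7BFF5F33FC}\RP1\A0001029.dll a variant of Win32/Conficker.AA worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\Fonts\uninstall_.exe probably a variant of Win32/Hatob.E worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""
KASPERSKY_LOG = r"""
3/23/2010 6:41:40 PM Task started
3/23/2010 6:49:47 PM Detected: Hoax.JS.BadJoke.RJump C:\Documents and Settings\jhn barrett\Desktop\installers\fp2006-final-3.00-setup.exe/data1625
3/23/2010 7:19:19 PM Detected: Net-Worm.Win32.Kido.ih C:\WINDOWS\system32\heqxdc.dll
3/23/2010 7:20:03 PM Untreated: Net-Worm.Win32.Kido.ih C:\WINDOWS\system32\heqxdc.dll Cannot be disinfected
3/23/2010 7:20:56 PM Deleted: Net-Worm.Win32.Kido.ih C:\WINDOWS\system32\heqxdc.dll
3/23/2010 7:27:05 PM Detected: Net-Worm.Win32.Kido.ih E:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx
3/23/2010 7:27:06 PM Detected: Net-Worm.Win32.Kido.ir E:\autorun.inf
3/23/2010 7:31:39 PM Untreated: Net-Worm.Win32.Kido.ir E:\autorun.inf Cannot be disinfected
3/23/2010 7:36:04 PM Deleted: Net-Worm.Win32.Kido.ir E:\autorun.inf
3/23/2010 7:36:17 PM Task stopped
"""

# Assumed line shapes, derived from the posted logs only.
MBAM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
ESET_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<threat>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+(?: \w+)?) "
    r"\((?P<action>.+)\) [0-9a-f]{32} [A-Z]$"
)
KASPERSKY_RE = re.compile(
    r"^\S+ \S+ [AP]M (?P<action>Detected|Deleted|Untreated): (?P<threat>\S+) "
    r"(?P<path>.+?)(?: Cannot be disinfected)?$"
)


def parse_mbam(text):
    """MBAM: '<path> (<threat>) -> <action>'; registry entries use the same shape."""
    for m in filter(None, map(MBAM_RE.match, text.splitlines())):
        yield Detection("MBAM", m["path"], m["threat"], m["action"])


def parse_drweb(text):
    """Dr.Web CSV: 'name;folder;threat;action;'. A member of an archive is
    written 'archive\\member' with the folder column naming the archive."""
    for line in text.splitlines():
        parts = line.split(";")
        if len(parts) < 4 or not parts[1]:
            continue
        name, folder, threat, action = parts[:4]
        archive, sep, member = name.partition("\\")
        if sep and folder.lower().endswith("\\" + archive.lower()):
            path = folder + "\\" + member
        else:
            path = folder.rstrip("\\") + "\\" + name
        yield Detection("Dr.Web", path, threat, action or "not treated")


def parse_eset(text):
    """ESET: '<path> <threat> (<action>) <32-hex hash> <flag>'."""
    for m in filter(None, map(ESET_RE.match, text.splitlines())):
        yield Detection("ESET", m["path"], m["threat"], m["action"])


def parse_kaspersky(text):
    """Kaspersky: '<date> <time> <Action>: <threat> <path>'; an archive member
    is written '<path>/<member>' and is folded back onto the archive file."""
    for m in filter(None, map(KASPERSKY_RE.match, text.splitlines())):
        yield Detection("Kaspersky", m["path"].split("/")[0], m["threat"], m["action"])


def correlate(detections):
    """Lower-cased path -> {tool: set of threat names that tool reported}."""
    by_path = defaultdict(lambda: defaultdict(set))
    for d in detections:
        by_path[d.path.lower()][d.tool].add(d.threat)
    return by_path


def multi_tool_hits(by_path, minimum=2):
    """Paths that at least `minimum` different scanners agreed on."""
    return sorted(p for p, tools in by_path.items() if len(tools) >= minimum)


def all_detections():
    return [*parse_mbam(MBAM_LOG), *parse_drweb(DRWEB_LOG),
            *parse_eset(ESET_LOG), *parse_kaspersky(KASPERSKY_LOG)]


if __name__ == "__main__":
    table = correlate(all_detections())
    for path in multi_tool_hits(table):
        names = "; ".join(f"{tool}: {', '.join(sorted(t))}"
                          for tool, t in sorted(table[path].items()))
        print(f"{path}\n    {names}")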

#45 jhn-e-bee (Member, Topic Starter, 89 posts)
I meant to mention that Dr.Web CureIt removed ComboFix; I will have to re-download it if needed again.
  • 0
