[island-boy]

I used trend-micro's scan. It found 4 malware/viruses

the names of the viruses are:
1 - Java_bytever.A, its in c:\documents and settings\user\application data\sun\java..
3 - troj_qoologic.N, in c:\system volume information\_restore\...

however, when I clicked on the clean button, trend-micro states that these 4 can't be cleaned (Removal of an infection failed!)

should I just delete them (since there is a delete option)?
Also, there doesn't seem to be an option to save results

Edited by island-boy, 08 August 2005 - 02:56 AM.

[Advertisements]

No need to delete them, we can clear java cache to get those out then we will clear restore points to get rid of the ones hiding out in system restore when your system is clean.

Let's clear java cache, first:

1. Click Start > Control Panel.

2. Double-click the Java icon (coffee cup) in the control panel. It will say "Java Plug-in" under the icon - please find the update button or tab in that Java control panel. Update your Java, and reboot.

After reboot, go back into the Control Panel and double-click the Java icon.

3. Under Temporary Internet Files, click the Delete Files button.

There are three options on this window to clear the cache - leave ALL 3 checked.
1. Downloaded Applets
2. Downloaded Applications
3. Other Files

4. Click OK on Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

5. Click OK to leave the Java Control Panel.

[Michelle]

No need to delete them, we can clear java cache to get those out then we will clear restore points to get rid of the ones hiding out in system restore when your system is clean.

Let's clear java cache, first:

1. Click Start > Control Panel.

2. Double-click the Java icon (coffee cup) in the control panel. It will say "Java Plug-in" under the icon - please find the update button or tab in that Java control panel. Update your Java, and reboot.

After reboot, go back into the Control Panel and double-click the Java icon.

3. Under Temporary Internet Files, click the Delete Files button.

There are three options on this window to clear the cache - leave ALL 3 checked.
1. Downloaded Applets
2. Downloaded Applications
3. Other Files

4. Click OK on Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

5. Click OK to leave the Java Control Panel.

[island-boy]

done.

what's next?

[Michelle]

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):

• Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
• Install it.
• Once the program is installed, it will open.
• It will prompt you to update to the latest definitions, click Yes.
• Once the definitions are installed, click Sweep Now on the left side.
• Click the Start button.
• When it's done scanning, click the Next button.
• Make sure everything has a check next to it, then click the Next button.
• It will remove all of the items found.
• Click Session Log in the upper right corner, copy everything in that window.
• Click the Summary tab and click Finish.
• Paste the contents of the session log you copied into your next reply.

[island-boy]

spysweeper log

********
3:28 PM: |··· Start of Session, Wednesday, August 10, 2005 ···|
3:28 PM: Spy Sweeper started
3:28 PM: Sweep initiated using definitions version 512
3:28 PM: Starting Memory Sweep
3:31 PM: Memory Sweep Complete, Elapsed Time: 00:02:53
3:31 PM: Starting Registry Sweep
3:31 PM: Found Adware: icannnews
3:31 PM: HKCR\activexctrl\ (3 subtraces) (ID = 169450)
3:31 PM: HKCR\clsid\{3bfadce2-1141-4b81-8878-49af625f0fdc}\ (3 subtraces) (ID = 169451)
3:31 PM: HKCR\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (8 subtraces) (ID = 169454)
3:31 PM: HKCR\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (8 subtraces) (ID = 169455)
3:31 PM: HKCR\typelib\{ee5ac3d6-6f43-4047-af0a-d66fc2cf8f42}\ (9 subtraces) (ID = 169456)
3:31 PM: HKLM\software\classes\activexctrl\ (3 subtraces) (ID = 169457)
3:31 PM: HKLM\software\classes\clsid\{3bfadce2-1141-4b81-8878-49af625f0fdc}\ (3 subtraces) (ID = 169458)
3:31 PM: HKLM\software\classes\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (8 subtraces) (ID = 169461)
3:31 PM: HKLM\software\classes\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (8 subtraces) (ID = 169462)
3:31 PM: HKLM\software\classes\typelib\{ee5ac3d6-6f43-4047-af0a-d66fc2cf8f42}\ (9 subtraces) (ID = 169463)
3:31 PM: Registry Sweep Complete, Elapsed Time:00:00:29
3:31 PM: Starting Cookie Sweep
3:31 PM: Found Spy Cookie: belnk cookie
3:31 PM: user@belnk[1].txt (ID = 2292)
3:31 PM: [email protected][2].txt (ID = 2293)
3:31 PM: Found Spy Cookie: questionmarket cookie
3:31 PM: user@questionmarket[1].txt (ID = 3217)
3:31 PM: Found Spy Cookie: 2o7.net cookie
3:31 PM: user@2o7[1].txt (ID = 1957)
3:31 PM: Found Spy Cookie: centrport net cookie
3:31 PM: user@centrport[2].txt (ID = 2374)
3:31 PM: Found Spy Cookie: go.com cookie
3:31 PM: [email protected][2].txt (ID = 2729)
3:31 PM: user@go[1].txt (ID = 2728)
3:31 PM: [email protected][1].txt (ID = 2729)
3:31 PM: [email protected][2].txt (ID = 2729)
3:31 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
3:31 PM: Starting File Sweep
3:31 PM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
3:31 PM: Warning: Failed to open file "c:\hiberfil.sys". Access is denied
3:32 PM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
3:32 PM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
3:32 PM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
3:32 PM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
3:32 PM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
3:32 PM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
3:32 PM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
3:32 PM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
3:32 PM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
3:32 PM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
3:34 PM: Warning: Failed to open file "c:\windows\softwaredistribution\eventcache\{49fa30b4-c0c1-4de0-9e4c-72d20a6b5256}.bin". The process cannot access the file because it is being used by another process
3:35 PM: Found Adware: bargain buddy
3:35 PM: setup.inf (ID = 50870)
3:35 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
3:35 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
3:35 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
3:35 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
3:35 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
3:35 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
3:35 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
3:35 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
3:35 PM: Warning: Failed to open file "c:\documents and settings\user\ntuser.dat". The process cannot access the file because it is being used by another process
3:35 PM: Warning: Failed to open file "c:\documents and settings\user\ntuser.dat.log". The process cannot access the file because it is being used by another process
3:35 PM: Warning: Failed to open file "c:\documents and settings\user\local settings\temp\perflib_perfdata_640.dat". The process cannot access the file because it is being used by another process
3:35 PM: Warning: Failed to open file "c:\documents and settings\user\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
3:35 PM: Warning: Failed to open file "c:\documents and settings\user\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
3:36 PM: Warning: Failed to open file "c:\program files\common files\symantec shared\ccpd-lc\symlcrst.dll". The process cannot access the file because it is being used by another process
3:43 PM: Found Adware: powerscan
3:43 PM: power scan.lnk (ID = 72676)
3:43 PM: Found Adware: ipinsight
3:43 PM: conscorr.inf (ID = 64277)
3:43 PM: Found Adware: abetterinternet
3:43 PM: localnrd.inf (ID = 83368)
3:47 PM: File Sweep Complete, Elapsed Time: 00:15:40
3:47 PM: Full Sweep has completed. Elapsed time 00:19:09
3:47 PM: Traces Found: 85
3:57 PM: Removal process initiated
3:58 PM: Quarantining All Traces: icannnews
3:58 PM: Quarantining All Traces: belnk cookie
3:58 PM: Quarantining All Traces: questionmarket cookie
3:58 PM: Quarantining All Traces: 2o7.net cookie
3:58 PM: Quarantining All Traces: centrport net cookie
3:58 PM: Quarantining All Traces: go.com cookie
3:58 PM: Quarantining All Traces: bargain buddy
3:58 PM: Quarantining All Traces: powerscan
3:58 PM: Quarantining All Traces: ipinsight
3:58 PM: Quarantining All Traces: abetterinternet
3:58 PM: Removal process completed. Elapsed time 00:00:10
********
3:26 PM: |··· Start of Session, Wednesday, August 10, 2005 ···|
3:26 PM: Spy Sweeper started
3:28 PM: |··· End of Session, Wednesday, August 10, 2005 ···|

[Michelle]

Are you having any other problems?

[island-boy]

hey

as of the last few days, I'm no longer being bombarded by popups and the cpu isn't rebooting by itself.

So I guess it looks like everything's a-ok

thanks for the help again bananafanafo

I'm wondering though, of all the software I downloaded, which ones should I keep, and which ones can I uninstall so as to not clutter up my cpu's resources.

again, much appreciation for your help *applauds*

[Michelle]

You're very welcome!

Delete the l2mfix.exe and the l2mfix folder (then empty your recycle bin)

I really like Ewido. After the 2 week trial is up, it goes to the freeware version that can be updated and run as much as you want. I would recommend keeping this one.

You can uninstall Cleanup (through Add or Remove Programs) if you want or you can keep it, it's up to you

You can uninstall SpySweeper if you don't want to keep it for the 2 week trial.

However, you need some protection programs otherwise your system will become infected again.

Congratulations your log is clean! Great job on the clean up

I recommend checking the http://www.microsoft.com website periodically for critical updates to install.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:

• How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
• How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
• Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.

Other necessary Programs:

• Firewall<= A firewall is definitely a must have. Three good free versions are Sygate, Kerio, and ZoneAlarm.

Edited by bananafanafo, 10 August 2005 - 09:18 AM.

[Michelle]

After you're absolutely sure, you're not having any other problems, you need to clear restore points to get rid of the malware hiding out in System Restore and give your system a fresh start on System Restore incase you ever need it:

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

[island-boy]

thanks

I uninstalled spy sweeper and deleted l2mfix.

I'm keeping ewido and installed spyware blaster.
I already have adaware and spybot destroyer installed.
and I have norton as my firewall.

I guess you can file this thread under *resolved*

many thanks again bananafanafo (michelle )
I don't know what I would have done without you

Edited by island-boy, 11 August 2005 - 11:55 AM.

[Michelle]

You're very welcome!

[Michelle]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.