[tlcfromtn]

Panda Activescan


Incident Status Location

Adware:adware/sbsoft No disinfected Windows Registry
Dialer:Dialer.BEW No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\I9UPGH61\connect[1].htm
Dialer:Dialer.BEW No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\S78XI909\m7[1].htm
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000011.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000012.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000019.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000003.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000004.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000020.CPY
Adware:Adware/SecurityError No disinfected C:\Recycled\Dc1.exe
Adware:Adware/WindowEnhancer No disinfected C:\Recycled\Dc4\SBWebCtl.dll

[Advertisements]

Disable System Restore again. Restart... Enable System Restore.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Right click and copy the below lines. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\WINDOWS\Temporary Internet Files\Content.IE5\I9UPGH61\connect[1].htm
C:\WINDOWS\Temporary Internet Files\Content.IE5\S78XI909\m7[1].htm
C:\Recycled\Dc1.exe
C:\Recycled\Dc4\SBWebCtl.dll

If you get a PendingOperations message, just close it and restart your computer manually.

Restart...

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Run a new Panda scan. Anything found?

[greyknight17]

Disable System Restore again. Restart... Enable System Restore.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Right click and copy the below lines. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\WINDOWS\Temporary Internet Files\Content.IE5\I9UPGH61\connect[1].htm
C:\WINDOWS\Temporary Internet Files\Content.IE5\S78XI909\m7[1].htm
C:\Recycled\Dc1.exe
C:\Recycled\Dc4\SBWebCtl.dll

If you get a PendingOperations message, just close it and restart your computer manually.

Restart...

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Run a new Panda scan. Anything found?

[tlcfromtn]

Incident Status Location

Adware:adware/sbsoft No disinfected Windows Registry
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000020.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000021.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000003.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000004.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000075.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000076.CPY

[greyknight17]

It should be good now. Ignore any registry entries found. If you want, disable system restore once more and then run the online Panda scan to see if anything is found. If not, restart and enable system restore again.

Any problems now?

[tlcfromtn]

How does this look? I had more stuff on there this morning. I need to keep my computer locked I guess!

Incident Status Location

Adware:adware/sbsoft No disinfected Windows Registry
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000020.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000021.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000003.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000004.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000075.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000120.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000121.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000138.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000139.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0001138.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0001139.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0003137.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0003138.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0004137.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0004138.CPY

[greyknight17]

Doesn't look right? You disabled System Restore and restarted ... then enabled System Restore right?

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Right click and copy the below lines. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\_RESTORE\TEMP\A0000021.CPY
C:\_RESTORE\TEMP\A0000004.CPY
C:\_RESTORE\TEMP\A0000075.CPY
C:\_RESTORE\TEMP\A0000121.CPY
C:\_RESTORE\TEMP\A0000139.CPY
C:\_RESTORE\TEMP\A0001139.CPY
C:\_RESTORE\TEMP\A0003138.CPY
C:\_RESTORE\TEMP\A0004138.CPY

If you get a PendingOperations message, just close it and restart your computer manually.

Disable System Restore again and restart your computer. Don't enable system restore yet. Run a Panda scan. Anything found? Turn it back on and run another Panda scan. Clear?

[tlcfromtn]

No,I forgot to disable system restore before that last scan. Sorry. So should I do that, run another scan and post it again or just do as you said in the post above? Thanks for all your help!

[greyknight17]

You should disable system restore...enable it back after a restart. That should have cleared it out immediately.

[tlcfromtn]

This is the scan with system restore disabled:

Incident Status Location

Adware:adware/sbsoft No disinfected Windows Registry
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe

This is the scan with system restore on:

Incident Status Location

Adware:adware/sbsoft No disinfected Windows Registry
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000003.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000004.CPY

[greyknight17]

OK, try disabling System Restore during the Panda scan and see if it finds anything. Once done, enable system restore again and do this:

Run a virus scan using Kapersky Online Scanner and see what it finds.

[tlcfromtn]

I want to make sure I have this straight, you want me disable system restore while the scan is running?

[greyknight17]

Yes, that's correct. For some reason it seems like the restore point is keeping the bad files. So I want you to run it with system restore turned off. Turn it back on when the Panda scan is done. Then (while system restore is turned back on), run Kapersky scan.

[tlcfromtn]

Incident Status Location

Adware:adware/sbsoft No disinfected Windows Registry
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe

--------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, October 25, 2005 21:06:55
Operating System: Microsoft Windows Millennium Edition
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 26/10/2005
Kaspersky Anti-Virus database records: 146837
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\

Scan Statistics:
Total number of scanned objects: 38562
Number of viruses found: 3
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 3263 sec

Infected Object Name - Virus Name
c:\WINDOWS\Application Data\Identities\{5BD0A2D8-D211-41B5-8DC7-7DD04D2C860B}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From Wed, 14 Nov 2001 00:47:13 -0800][Date Sun, 21 Oct 2001 06:18:43 -0700 (PDT)]/UNNAMED/CONEONCO.EXE Infected: Email-Worm.Win32.Hybris.b
c:\WINDOWS\Application Data\Identities\{5BD0A2D8-D211-41B5-8DC7-7DD04D2C860B}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From Wed, 14 Nov 2001 00:47:13 -0800][Date Sun, 21 Oct 2001 06:18:43 -0700 (PDT)]/UNNAMED Infected: Email-Worm.Win32.Hybris.b
c:\WINDOWS\Application Data\Identities\{5BD0A2D8-D211-41B5-8DC7-7DD04D2C860B}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From Wed, 14 Nov 2001 00:47:13 -0800][Date Mon, 12 Nov 2001 13:36:11 -0800 (PST)]/UNNAMED/CONEONCO.EXE Infected: Email-Worm.Win32.Hybris.b
c:\WINDOWS\Application Data\Identities\{5BD0A2D8-D211-41B5-8DC7-7DD04D2C860B}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From Wed, 14 Nov 2001 00:47:13 -0800][Date Mon, 12 Nov 2001 13:36:11 -0800 (PST)]/UNNAMED Infected: Email-Worm.Win32.Hybris.b
c:\WINDOWS\Application Data\Identities\{5BD0A2D8-D211-41B5-8DC7-7DD04D2C860B}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx Infected: Email-Worm.Win32.Hybris.b
c:\_RESTORE\TEMP\A0000003.CPY Infected: Trojan.Win32.Small.fb
c:\_RESTORE\TEMP\A0000004.CPY Infected: Trojan-Downloader.Win32.Agent.uj

Scan process completed.

[greyknight17]

You see those bad files found by Kapersky? It seems to be stored in your Outlook Express emails. Look for those specific ones (they have the date and time for the email listed) and delete them. Empty your email trash bin when done.

This might not work, but let's give it a try:

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Right click and copy the below lines. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

c:\_RESTORE\TEMP\A0000003.CPY
c:\_RESTORE\TEMP\A0000004.CPY

If you get a PendingOperations message, just close it and restart your computer manually.

Restart...

Run a new Panda and Kapersky scan. Post their logs here.

[tlcfromtn]

We only used Outlook Express for mail for a short time when we first got our computer. Sometime within the last year I removed it. I found it again and added it back after I read your last reply. Bad thing is 3 of us had email accounts and nobody remembers their password now. Is there any way to get into it or to delete the files without getting into it?