[emeraldnzl]

You might try a repair installation.

Go to Perform a Repair Installation for instructions on how to use your installation CD to repair your system.

[Advertisements]

Okey i tried it, but the only repairing option that could work was the Windows Memory Diagnostic Tool. There's no thing like "Repair Vista" or anything like that. This is how the screen for repairing windows looks:
Windows Repair Screen

I just did a "chkdsk /f /r". Took 2 hours and i don't think it found anything, but now the computer seems to start up a bit faster :S

Edited by Orre, 14 December 2008 - 11:30 AM.

[Orre]

Okey i tried it, but the only repairing option that could work was the Windows Memory Diagnostic Tool. There's no thing like "Repair Vista" or anything like that. This is how the screen for repairing windows looks:
Windows Repair Screen

I just did a "chkdsk /f /r". Took 2 hours and i don't think it found anything, but now the computer seems to start up a bit faster :S

Edited by Orre, 14 December 2008 - 11:30 AM.

[emeraldnzl]

Well this is getting outside my ability to help you.

The Vista forum here has technical helpers that are better equiped to give you the advice needed.

Their diagnostics may also help in identifing any hardware problems that may exist.

Before you go there though we need to do the best we can to send you with a clean of malware machine.

The tools I would like to use won't work on your machine it seems so lets run Malwarebytes and Kaspersky again to see if they find anything.

Post the results of the two scans back here.

After that, all going well, we will remove the tools we have been using and you can go to the techs.

Your computer was very badly infected though and there can be damage that even with the best will in the world can't be fixed without a re-format.

[Orre]

had too do it twice, but now the malwarebytes scan is at least finished. The kaspersky scan is still going though.

Malwarebytes' Anti-Malware 1.31
Database version: 1478
Windows 6.0.6001 Service Pack 1

2008-12-15 22:47:50
mbam-log-2008-12-15 (22-47-50).txt

Scan type: Full Scan (C:\|)
Objects scanned: 511413
Time elapsed: 5 hour(s), 33 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Azureus Downloads\Freeworld3D.v2.4.0.Incl.Keymaker-CORE\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully.

[emeraldnzl]

Well done that man.

Look forward to the Kaspersky result. Yep it may take a long time.

[Orre]

okey, only took a good 26 hours but here's the kaspersky scan

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, December 16, 2008
Operating System: Microsoft Windows Vista Ultimate Edition, 64-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 15, 2008 13:58:24
Records in database: 1462800
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan statistics:
Files scanned: 479081
Threat name: 4
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 25:58:57


File name / Threat name / Threats count
C:\Program1\FlashMute\uninstall.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.ih 1
C:\Users\Oscar\AppData\Roaming\Thunderbird\Profiles\nooz476p.default\Mail\Local Folders\Trash Infected: Trojan-Downloader.JS.Agent.cxx 1
C:\_OTMoveIt\MovedFiles\12122008_220755\Program1\VOIPlay\BsSndRpt.exe Infected: Trojan-Downloader.Win32.Banload.szf 1
C:\_OTMoveIt\MovedFiles\12122008_220755\Windows.old.000\Users\Orre\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\4ea529eb-2620a8af Infected: Trojan.Win32.VB.hcw 1
C:\_OTMoveIt\MovedFiles\12122008_220755\Windows.old.000\Users\Orre\java_plugin.exe Infected: Trojan.Win32.VB.hcw 1

The selected area was scanned.

[emeraldnzl]

Hello Orre,

Kaspersky has shown up that infected e-mail default trash again. Also there is that adware in the Flashmute uninstall which we might as well get rid of.

I have included them for removal in OTMoveIt below. You should be aware that you may have to re-install Thunderbird afterwards.

Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :processes
  explorer.exe
  :files
  C:\Users\Oscar\AppData\Roaming\Thunderbird\Profiles\nooz476p.default\Mail\Local Folders\Trash
  C:\Program1\FlashMute\uninstall.exe
  :commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

[Orre]

Okey, OTMoveIt3 doesn't do anything after the reboot, but here's what's in the log:

========== PROCESSES ==========
Unable to kill process: explorer.exe
========== FILES ==========
File/Folder C:\Users\Oscar\AppData\Roaming\Thunderbird\Profiles\nooz476p.default\Mail\Local Folders\Trash not found.
File/Folder C:\Program1\FlashMute\uninstall.exe not found.
========== COMMANDS ==========
File delete failed. C:\Users\Oscar\AppData\Local\Temp\etilqs_S1QcVv2mUjYtmMhcTSrG scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Temp\~DF8971.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Users\Oscar\AppData\Local\Mozilla\Firefox\Profiles\exeifs24.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Mozilla\Firefox\Profiles\exeifs24.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Mozilla\Firefox\Profiles\exeifs24.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Mozilla\Firefox\Profiles\exeifs24.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Mozilla\Firefox\Profiles\exeifs24.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Mozilla\Firefox\Profiles\exeifs24.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12172008_001716

[emeraldnzl]

Okay Orre, I half thought that might happen.

I am not certain about this but lets see if it works.

Just like physical files, e-mails are not completely deleted when you delete them from Thunderbird. They are somehow hidden.

The e-mails are completely removed when you compact the files. "Compacting" the files actually means "removing all un-necessary data from the database, such as deleted e-mails".

In Thunderbird, you should find an option like: Compact folders, Compress folders, etc.... I'm not using Thunderbird, so I cannot say for sure what the function is called and where it is placed, but in Outlook Express it is placed in File > Folder > Compact.

Check if you have "compacting files" activated. If not, activate it and hopefully it will remove the hidden infection.

After that we will need another Kaspersky scan unfortunately because that seems to be the best way to check it. Post the results back here.

[Orre]

okey, here's the log after compacting the files:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, December 18, 2008
Operating System: Microsoft Windows Vista Ultimate Edition, 64-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 17, 2008 15:35:03
Records in database: 1469502
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 451963
Threat name: 5
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 12:12:38


File name / Threat name / Threats count
C:\Program Files (x86)\Client\Main.exe Infected: Backdoor.Win32.VB.gwb 1
C:\_OTMoveIt\MovedFiles\12122008_220755\Program1\VOIPlay\BsSndRpt.exe Infected: Trojan-Downloader.Win32.Banload.szf 1
C:\_OTMoveIt\MovedFiles\12122008_220755\Windows.old.000\Users\Orre\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\4ea529eb-2620a8af Infected: Trojan.Win32.VB.hcw 1
C:\_OTMoveIt\MovedFiles\12122008_220755\Windows.old.000\Users\Orre\java_plugin.exe Infected: Trojan.Win32.VB.hcw 1
C:\_OTMoveIt\MovedFiles\12162008_230739\Program1\FlashMute\uninstall.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.ih 1
C:\_OTMoveIt\MovedFiles\12162008_230739\Users\Oscar\AppData\Roaming\Thunderbird\Profiles\nooz476p.default\Mail\Local Folders\Trash Infected: Trojan-Downloader.JS.Agent.cxx 1

The selected area was scanned.


also, nobody is answering my topic on thevistaforums *sigh*

[emeraldnzl]

Hello Orre,

Well it looks like that e-mail one has gone.

But we have another.

Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :processes
  explorer.exe
  :files
  C:\Program Files (x86)\Client\Main.exe
  :commands
  [emptytemp]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

[Orre]

Hiya.

Here's the log for OTMoveIt3:

========== PROCESSES ==========
Unable to kill process: explorer.exe
========== FILES ==========
C:\Program Files (x86)\Client\Main.exe moved successfully.
========== COMMANDS ==========
File delete failed. C:\Users\Oscar\AppData\Local\Temp\hsperfdata_Oscar\4764 scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Temp\e4j730D.tmp_dir23088\exe4jlib.jar scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Temp\swt-gdip-win32-3448.dll scheduled to be deleted on reboot.
File delete failed. C:\Users\Oscar\AppData\Local\Temp\swt-win32-3448.dll scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12192008_011356

[emeraldnzl]

Normally at this point I would say your machine is clean but I am slightly uncomfortable about the way that last one appeared. Just wonder whether something is respawning in there. May well not be but still...

If you have the time we could do this:

It is a pretty big download at 28mb's but is very useful at detecting\cleaning rootkits or whatever it finds.

You will need to disable any security progams to allow the download.

Please click here to download AVP Tool by Kaspersky.

• Save it to your desktop.
• Reboot your computer into SafeMode.
  

  You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
  Use your up arrow key to highlight SafeMode then hit enter.

• Double click the setup file to run it.
• Click Next to continue.
• It will by default install it to your desktop folder.Click Next.
• Hit ok at the prompt for scanning in Safe Mode.
• It will then open a box There will be a tab that says Automatic scan.
• Under Automatic scan make sure these are checked.

• System Memory
• Startup Objects
• Disk Boot Sectors.
• My Computer.
• Also any other drives (Removable that you may have)

After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
Then choose OK again then you are back to the main screen.

• Then click on Scan at the to right hand Corner.
• It will automatically Neutralize any objects found.
• If some objects are left un-neutralized then click the button that says Neutralize all
• If it says it cannot be Neutralized then chooose The delete option when prompted.
• After that is done click on the reports button at the bottom and save it to file, name it Kas.
• Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report it will be at the very top under Detected post those results in your next reply.
  
  

  Note: This tool will self uninstall when you close it so please save the log before closing it.

[Orre]

Oki, here's the log (a part of it that is):

Scan
----
Scanned: 1377855
Detected: 4
Untreated: 0
Start time: 2008-12-19 16:09:34
Duration: 04:03:27
Finish time: 2008-12-19 20:13:01


Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan-Downloader.Win32.Banload.szf File: C:\_OTMoveIt\MovedFiles\12122008_220755\Program1\VOIPlay\BsSndRpt.exe
deleted: Trojan program Trojan.Win32.VB.hcw File: C:\_OTMoveIt\MovedFiles\12122008_220755\Windows.old.000\Users\Orre\java_plugin.exe
deleted: Trojan program Trojan.Win32.VB.hcw File: C:\_OTMoveIt\MovedFiles\12122008_220755\Windows.old.000\Users\Orre\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\4ea529eb-2620a8af
deleted: adware not-a-virus:AdWare.Win32.BetterInternet.ih File: C:\_OTMoveIt\MovedFiles\12162008_230739\Program1\FlashMute\uninstall.exe

[emeraldnzl]

Hello Orre,

Been an interesting ride but I think we are there. To my eyes your machine is clean of malware.

As I have mentioned before the tech forum is the place for your other problems.

If you don't get an answer there after 3 days, post again in the waiting room with a link to your topic.

We have a couple of last steps to perform and then you're all set.

Please go here to download OTCleanIt.

Run this program to remove the tools we have been using.

You will be asked to reboot the machine to finish the Cleanup process choose Yes.

MBAM can be uninstalled via control panel add/remove but it may be a useful tool to keep

Next, we need to clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.

-------------------------------------------------------------------------------------------------------------------

Now that you are clean here are some things I think are worth having a look at:

---------------------------------------------------------------------------------------------------------------------

Be sure and give the Temp folders a cleaning out now and then. This helps with security and your computer will run more efficiently. I clean mine once a week. For ease of use, you might consider the following free program which works well with XP:

• ATF Cleaner

--------------------------------------------------------------------------------------------------------------------

A great way to check that your Microsoft and Java have the latest updates is to go to Software Inspector at Secunia.

I do this weekly. Not only do they tell you which programs need updating but they give you the link to follow.

To bolster your security go to Secunia.com to ensure essential programs are up to date.

---------------------------------------------------------------------------------------------------------------------

Make Internet Explorer more secure

• Click Start > Run
• Type Inetcpl.cpl & click OK
• Click on the Security tab
• Click Reset all zones to default level
• Make sure the Internet Zone is selected & Click Custom level
• In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
• Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Consider using an alternate browser. Mozilla's Firefox browser is excellant; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (Note: this as an added benefit!) that I have seen. Firefox is my default browser but I retain Internet Explorer as well so that I can access the very few sites that require it.

Firefox may be downloaded from Here

-----------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future here are some free programs you can look at:

• SUPERAntiSpyware Free for Home Users to detect and remove spyware.
  
  If your Microsoft Update is not working automatically. Keep your operating system up to date by visiting [list]
• Microsoft Windows Update

monthly. And to keep your system clean run these free malware scanners

• AdAware SE Personal
  
• Spybot Search & Destroy

weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!