
Solved Virus problem

Discussion in 'Malware and Virus Removal Archive' started by RickyD2, 2010/05/14.

  1. 2010/05/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Now you did fine :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ==============================================================

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure, you update Malwarebytes before running the scans.***


    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2.
    Post fresh HijackThis log.
    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  2. 2010/05/16
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4106

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    5/16/2010 1:39:30 PM
    mbam-log-2010-05-16 (13-39-30).txt

    Scan type: Quick scan
    Objects scanned: 159601
    Time elapsed: 12 minute(s), 1 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 2
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AXPSHOOK11 (Rogue.SpywareNukerXT) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\All Users.WINDOWS\Application Data\25827327 (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users.WINDOWS\Application Data\35568229 (Rogue.Multiple) -> Quarantined and deleted successfully.

    Files Infected:
    (No malicious items detected)
     


  4. 2010/05/16
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:22:32 PM, on 5/16/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\imapi.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgam.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
    C:\Documents and Settings\Richard Doenges.HOME-KVJPCI4PIU\Desktop\HiJackThis.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC07.EXE
    C:\WINDOWS\system32\rundll32.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
    O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) -
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
    O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: PCPitstop Scheduling - PC Pitstop LLC - C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZONELABS\vsmon.exe

    --
    End of file - 6412 bytes
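An added example, not part of this thread and not code from HijackThis or its author: a small Python parser for the HijackThis log layout shown above. It splits a log into header fields, running processes and the R/O entries, counts entries per section, and flags the lines an analyst would look at first (an O10 "Unknown file in Winsock LSP", an O23 service listed with "Unknown owner", and an O4 autorun launched from an Application Data or Temp folder). The sample log, every path, service and vendor name in it, and the "suspicious directory" heuristic are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in the HijackThis v2 log layout. Assumption: this is NOT the
# log posted in the thread; every path, service and vendor name here is made up.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:22:32 PM, on 5/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Example AV\avwatch.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Example AV] "C:\Program Files\Example AV\avtray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sysupdate] C:\Documents and Settings\All Users\Application Data\12345678\sysupdate.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Example Toolbar Service - Unknown owner - C:\Program Files\Example\ToolbarBroker.exe
O23 - Service: Example Watchdog (exwd) - Example Corp - C:\Program Files\Example AV\avwatch.exe

--
End of file - 1234 bytes
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")                # e.g. "O4 - HKLM\..\Run: ..."
HEADER_RE = re.compile(r"^([A-Za-z ]+): (.+)$")              # e.g. "Platform: Windows XP SP3"
SERVICE_RE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")  # name - vendor - path
EXE_PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]+?\.exe)', re.IGNORECASE)

# Directories from which a legitimate autorun is rarely launched on an XP-era
# system. Heuristic chosen for this example (assumption), not a rule from the thread.
SUSPICIOUS_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")


def parse_hjt_log(text):
    """Split a HijackThis log into header fields, running processes and entries."""
    header, processes, entries = {}, [], []
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                       # process list ends at the first blank line
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": m.group(1), "body": m.group(2)})
            continue
        if not entries:                    # header lines precede the first entry
            if line.startswith("Logfile of "):
                header["Tool"] = line[len("Logfile of "):]
            else:
                h = HEADER_RE.match(line)
                if h:
                    header[h.group(1)] = h.group(2)
    return {"header": header, "processes": processes, "entries": entries}


def section_counts(parsed):
    """How many entries each section (R0, O4, O23, ...) contributed."""
    return Counter(e["section"] for e in parsed["entries"])


def triage(parsed):
    """Return (section, reason, body) tuples for entries worth a second look."""
    findings = []
    for e in parsed["entries"]:
        sec, body = e["section"], e["body"]
        if sec == "O10" and body.startswith("Unknown file in Winsock LSP"):
            findings.append((sec, "unrecognised Winsock LSP", body))
        elif sec == "O23":
            m = SERVICE_RE.match(body)
            if m and m.group(2) == "Unknown owner":
                findings.append((sec, "service with no identifiable vendor", body))
        elif sec == "O4":
            m = EXE_PATH_RE.search(body)
            if m and any(d in m.group(1).lower() for d in SUSPICIOUS_DIRS):
                findings.append((sec, "autorun launched from a data or temp directory", body))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_LOG)
    print(parsed["header"])
    print(dict(section_counts(parsed)))
    for sec, reason, body in triage(parsed):
        print(f"[{sec}] {reason}: {body}")
```

Hits from `triage()` are prompts for a closer look, not verdicts: in this thread it was the moderator's reading of the whole log, together with the Malwarebytes, Kaspersky and ESET results, that led to the machine being declared clean.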
     
  5. 2010/05/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very well :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  6. 2010/05/17
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    Last edited: 2010/05/17
  7. 2010/05/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Push Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
     
  8. 2010/05/17
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    I downloaded Kaspersky Internet Security 2010 and here is their log -

    Date: Today (events: 90)
    Absent (events: 2)
    5/17/2010 9:16:42 AM Network Attack Blocker Detected: Intrusion.Win.MSSQL.worm.Helkern UDP from 59.44.87.30 to local port 1434
    5/17/2010 8:57:39 AM Network Attack Blocker Detected: Intrusion.Win.MSSQL.worm.Helkern UDP from 218.30.22.82 to local port 1434
    Kaspersky Internet Security (events: 40)
    5/17/2010 11:12:31 AM My Update Center Task completed My Update Center
    5/17/2010 11:02:13 AM My Update Center Task started My Update Center
    5/17/2010 10:35:38 AM Objects Scan Task started Objects Scan
    5/17/2010 10:10:48 AM My Protection Detected: http://www.viruslist.com/en/advisories/37255 C:\WINDOWS\system32\java.exe
    5/17/2010 10:10:47 AM My Protection Detected: http://www.viruslist.com/en/advisories/38547 C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
    5/17/2010 10:10:38 AM My Protection Detected: http://www.viruslist.com/en/advisories/39133 C:\Program Files\QuickTime\QuickTimePlayer.exe
    5/17/2010 10:10:17 AM My Protection Detected: http://www.viruslist.com/en/advisories/37255 C:\Program Files\Java\jre6\bin\java.exe
    5/17/2010 10:01:12 AM Objects Scan Task started Full Scan
    5/17/2010 10:00:55 AM Objects Scan Task stopped Objects Scan
    5/17/2010 10:00:29 AM Objects Scan Task started Objects Scan
    5/17/2010 10:00:03 AM Objects Scan Task started Vulnerability Scan
    5/17/2010 9:59:23 AM Objects Scan Task completed Quick Scan
    5/17/2010 9:57:25 AM Objects Scan Task started Quick Scan
    5/17/2010 9:41:27 AM Objects Scan Task completed Rootkit Scan
    5/17/2010 9:36:56 AM Objects Scan Task started Rootkit Scan
    5/17/2010 9:06:58 AM My Protection Your computer is protected
    5/17/2010 9:06:47 AM Web Anti-Virus Task started Web Anti-Virus
    5/17/2010 9:06:47 AM Proactive Defense Task started Proactive Defense
    5/17/2010 9:06:47 AM Anti-Spam Task started Anti-Spam
    5/17/2010 9:06:47 AM Mail Anti-Virus Task started Mail Anti-Virus
    5/17/2010 9:06:47 AM File Anti-Virus Task started File Anti-Virus
    5/17/2010 9:06:47 AM Firewall Task started Firewall
    5/17/2010 9:06:47 AM Application Control Task started Application Control
    5/17/2010 9:06:47 AM Network Attack Blocker Task started Network Attack Blocker
    5/17/2010 9:06:47 AM IM Anti-Virus Task started IM Anti-Virus
    5/17/2010 9:02:04 AM My Update Center Task completed My Update Center
    5/17/2010 9:02:00 AM My Update Center It is necessary to restart the computer after update
    5/17/2010 8:54:00 AM My Protection Your computer is protected
    5/17/2010 8:53:51 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    5/17/2010 8:53:50 AM My Update Center Task started My Update Center
    5/17/2010 8:53:37 AM Web Anti-Virus Task started Web Anti-Virus
    5/17/2010 8:53:30 AM Proactive Defense Task started Proactive Defense
    5/17/2010 8:53:30 AM Mail Anti-Virus Task started Mail Anti-Virus
    5/17/2010 8:53:30 AM IM Anti-Virus Task started IM Anti-Virus
    5/17/2010 8:53:30 AM Network Attack Blocker Task started Network Attack Blocker
    5/17/2010 8:53:30 AM Application Control Task started Application Control
    5/17/2010 8:53:30 AM Firewall Task started Firewall
    5/17/2010 8:53:30 AM File Anti-Virus Task started File Anti-Virus
    5/17/2010 8:53:30 AM Anti-Spam Task started Anti-Spam
    5/17/2010 8:53:28 AM My Protection Databases are obsolete
    Windows NT Session Manager (events: 1)
    5/17/2010 8:53:41 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    Client Server Runtime Process (events: 1)
    5/17/2010 8:53:41 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    Windows NT Logon Application (events: 1)
    5/17/2010 8:53:42 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    Services and Controller app (events: 1)
    5/17/2010 8:53:42 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    LSA Shell (Export Version) (events: 1)
    5/17/2010 8:53:42 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    Generic Host Process for Win32 Services (events: 1)
    5/17/2010 8:53:42 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    Spooler SubSystem App (events: 1)
    5/17/2010 8:53:43 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    Windows Explorer (events: 1)
    5/17/2010 8:53:44 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    Application Layer Gateway Service (events: 1)
    5/17/2010 8:53:44 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    AVG Watchdog Service (events: 1)
    5/17/2010 8:53:45 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    CTF Loader (events: 1)
    5/17/2010 8:53:45 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    DKSERVICE.EXE (events: 2)
    5/17/2010 10:31:02 AM Application Control Allowed: Low level disk access Low level disk access Device\HarddiskVolume1 Low level disk access
    5/17/2010 8:53:45 AM Application Control Placed in group Low Restricted High value of threat rating calculated heuristically
    Image Mastering API (events: 1)
    5/17/2010 8:53:46 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    Java(TM) Quick Starter Service (events: 1)
    5/17/2010 8:53:46 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    PC Pitstop Scheduler Service (events: 1)
    5/17/2010 8:53:46 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    PCTSPK.EXE (events: 1)
    5/17/2010 8:53:46 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    SoundMAX service agent component (events: 2)
    5/17/2010 9:24:41 AM Application Control Placed in group Trusted Known on the database of the known software
    5/17/2010 8:53:49 AM Application Control Placed in group Low Restricted High value of threat rating calculated heuristically
    AVG E-Mail Scanner (events: 1)
    5/17/2010 8:53:53 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    Internet Explorer (events: 1)
    5/17/2010 8:53:53 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    AVG Alert Manager (events: 1)
    5/17/2010 8:53:55 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    Windows Media Player Network Sharing Service (events: 1)
    5/17/2010 8:53:56 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    AVG Network scanner Service (events: 1)
    5/17/2010 8:53:57 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    AVG Scanning Core Module - Server Part (events: 1)
    5/17/2010 8:53:57 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    AVG Cache Server (events: 1)
    5/17/2010 8:53:58 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    AVG Resident Shield Service (events: 1)
    5/17/2010 8:53:58 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    Canon Camera Access Library 8 (events: 1)
    5/17/2010 8:53:58 AM Application Control Placed in group Trusted Known on the database of the known software
    Windows Security Center Notification App (events: 1)
    5/17/2010 8:53:58 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    Windows® installer (events: 1)
    5/17/2010 8:53:59 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    Kaspersky Anti-Virus GUI Windows part (events: 1)
    5/17/2010 8:53:59 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    Microsoft(C) Register Server (events: 1)
    5/17/2010 8:53:42 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    Windows Logon UI (events: 1)
    5/17/2010 9:02:26 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    Service Executable (events: 1)
    5/17/2010 9:08:07 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    Windows Genuine Advantage Notifications (events: 1)
    5/17/2010 9:08:59 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    MailWasher Pro 6.4.0 (events: 1)
    5/17/2010 9:09:36 AM Application Control Placed in group Untrusted High value of threat rating calculated heuristically
    WMI (events: 1)
    5/17/2010 9:08:39 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    Windows Update (events: 1)
    5/17/2010 9:07:35 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    CHECKSCHEDULE.WSF (events: 1)
    5/17/2010 9:09:02 AM Application Control Placed in group Low Restricted Known on the database of the known software
    WebToolBar component (events: 1)
    5/17/2010 9:12:06 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    Prevalence reporter (events: 1)
    5/17/2010 9:37:12 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    Verify Class ID (events: 1)
    5/17/2010 9:58:19 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    Volume Control (events: 1)
    5/17/2010 10:15:45 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
    DFRGFAT.EXE (events: 5)
    5/17/2010 11:35:10 AM Application Control Allowed: Low level file system access Low level file system access Device\HarddiskVolume1\Documents and Settings\Richard Doenges.HOME-KVJPCI4PIU\My Documents\Laura's Mexico Trip\100B0422_141_128 (Small).jpg Low level file system access
    5/17/2010 11:35:07 AM Application Control Allowed: Low level file system access Low level file system access Device\HarddiskVolume1\Documents and Settings\Richard Doenges\My Documents\Richards Homepage_files\luwana_pic.jpg Low level file system access
    5/17/2010 10:31:53 AM Application Control Allowed: Low level file system access Low level file system access Device\HarddiskVolume1 Low level file system access
    5/17/2010 10:31:40 AM Application Control Allowed: Low level disk access Low level disk access Device\HarddiskVolume1 Low level disk access
    5/17/2010 10:31:22 AM Application Control Placed in group Low Restricted High value of threat rating calculated heuristically


    Do you wish me to go ahead with ESET Online Scanner?
     
  9. 2010/05/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Yes, please.
     
  10. 2010/05/17
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    ESET Online Scanner - No threats found.
     
  11. 2010/05/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Verify your Java version here: http://www.java.com/en/download/installed.jsp
    Update, if necessary.
    Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista).

    ===============================================================

    Other than that...


    Your computer is clean :)

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure, Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please, let me know, how is your computer doing.
     
  12. 2010/05/17
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    System Restore is cleared with May 17 being the first available restorable day.

    I'll take care of the Java thing in a little while.

    Computer is working better than it has in months and months.

    You took me for quite a little ride with the virus cleaning but well worth it. I have a defrag program that works whenever the program senses the need to defrag. Insofar as Trojans are concerned I have no clue as to whether or not any were in my computer but I have very few web sites with passwords considered sensitive.

    Thanks so much for all your help.
     
  13. 2010/05/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'm glad to hear good news :)
    Hahaha....

    Yes, you had some trojans, so it's up to your judgment, if those passworded sites are sensitive enough to go through changes.
    Surely, having a trojan, there is no 100% guarantee anything got "stolen". It's just a possibility.

    Good luck and stay safe :)
     
