TechSpot

System Check removal

By Andrew1234
Jan 27, 2012
  1. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

  2. Broni

    Broni Malware Annihilator Posts: 52,478   +337

    It's so huge I can't even open damn thing on my computer.
    Is there any part of that log which shows some actual infection?
     
  3. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    What should I look for? A lot of them are temporary internet files. Should I try to split the file into parts?
     
  4. Broni

    Broni Malware Annihilator Posts: 52,478   +337

    Show me 10-15 lines of temporary files findings.
    Then list anything that is NOT in temporary files.
     
  5. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI4WIAG.js - archive JS-HTML
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI4WIAG.js/JSFile_1[0][70e] - probably infected with SCRIPT.Virus
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI4WIAG.js/JSWrite_2[190] - OK
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI4WIAG.js/IFrame_3[a9] - OK
    C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI4WIAG.js - archive contains infected objects - moved
    C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI56RFI.js - probably infected with SCRIPT.Virus
    C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI56RFI.js - archive JS-HTML
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI56RFI.js/JSFile_1[0][dcf] - probably infected with SCRIPT.Virus
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI56RFI.js/JSWrite_2[2be] - OK
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI56RFI.js/IFrame_3[e4] - OK
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI56RFI.js/IFrame_4[1d8] - OK
    C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI56RFI.js - archive contains infected objects - moved
    C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI5XHBP.js - probably infected with SCRIPT.Virus
    C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI5XHBP.js - archive JS-HTML
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI5XHBP.js/JSFile_1[0][712] - probably infected with SCRIPT.Virus
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI5XHBP.js/JSWrite_2[19c] - OK
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI5XHBP.js/IFrame_3[b4] - OK
    C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI5XHBP.js - archive contains infected objects - moved
    C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI6KWZW.js - probably infected with SCRIPT.Virus
    C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI6KWZW.js - archive JS-HTML
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI6KWZW.js/JSFile_1[0][7d3] - probably infected with SCRIPT.Virus
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI6KWZW.js/JSWrite_2[54] - OK
     
  6. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    C:\Documents and Settings\Mary\DoctorWeb\Quarantine\GetAdCA7WKK3O.js - archive JS-HTML
    >C:\Documents and Settings\Mary\DoctorWeb\Quarantine\GetAdCA7WKK3O.js/JSFile_1[0][7d6] - probably infected with SCRIPT.Virus
    >C:\Documents and Settings\Mary\DoctorWeb\Quarantine\GetAdCA7WKK3O.js/JSWrite_2[1a9] - OK
    >C:\Documents and Settings\Mary\DoctorWeb\Quarantine\GetAdCA7WKK3O.js/IFrame_3[c3] - OK
    C:\Documents and Settings\Mary\DoctorWeb\Quarantine\GetAdCA7WKK3O.js - archive contains infected objects - moved
    C:\Documents and Settings\Mary\DoctorWeb\Quarantine\GetAdCA7WKP0R.js - probably infected with SCRIPT.Virus
    C:\Documents and Settings\Mary\DoctorWeb\Quarantine\GetAdCA7WKP0R.js - archive JS-HTML
    >C:\Documents and Settings\Mary\DoctorWeb\Quarantine\GetAdCA7WKP0R.js/JSFile_1[0][72c] - probably infected with SCRIPT.Virus
    >C:\Documents and Settings\Mary\DoctorWeb\Quarantine\GetAdCA7WKP0R.js/JSWrite_2[1a4] - OK
    >C:\Documents and Settings\Mary\DoctorWeb\Quarantine\GetAdCA7WKP0R.js/IFrame_3[bc] - OK
     
  7. Broni

    Broni Malware Annihilator Posts: 52,478   +337

    Is that about it?
     
  8. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    Yeah, the only other things that don't say "OK" are things like archive ZLIB, archive JS-HTML, archive BASE64, packed by FLY-CODE, packed by BINARYRES and a couple of others, but they all say "archive" something or "packed by" something.
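    The triage Broni asks for above (temporary-file findings versus everything else, and "archive"/"packed by" wrapper lines versus real verdicts) can be done mechanically. The following is an added example, not Dr.Web's code and not the poster's log: a small parser for lines in the shape of the Dr.Web CureIt! output quoted in this thread. It treats a leading `>` as nesting inside an archive, reads the verdict after the first ` - `, peels off a trailing action such as `moved`, and reports only detections that sit outside Temporary Internet Files, the Dr.Web quarantine folder, or a Temp directory. The sample log, the `ACTIONS` set beyond "moved", and all paths are constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the Dr.Web CureIt! log lines quoted in the
# thread. Names, paths and verdicts are made up for the demo, not the poster's log.
SAMPLE_LOG = r"""
C:\Users\USER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ABCD1234\GetAdEXAMPLE1.js - archive JS-HTML
>C:\Users\USER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ABCD1234\GetAdEXAMPLE1.js/JSFile_1[0][70e] - probably infected with SCRIPT.Virus
>C:\Users\USER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ABCD1234\GetAdEXAMPLE1.js/JSWrite_2[190] - OK
>C:\Users\USER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ABCD1234\GetAdEXAMPLE1.js/IFrame_3[a9] - OK
C:\Users\USER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ABCD1234\GetAdEXAMPLE1.js - archive contains infected objects - moved
C:\Users\USER\DoctorWeb\Quarantine\GetAdEXAMPLE2.js - probably infected with SCRIPT.Virus
C:\Program Files\ExampleApp\helper.dll - packed by FLY-CODE
>C:\Program Files\ExampleApp\helper.dll/data001 - OK
C:\Users\USER\Downloads\invoice_EXAMPLE.exe - infected with EXAMPLE.Trojan
"""

# Action words Dr.Web appends after a second " - ". Assumption: only "moved"
# appears in the thread; "deleted" and "cured" are added as common variants.
ACTIONS = {"moved", "deleted", "cured"}


@dataclass
class Entry:
    depth: int              # number of leading '>' = nesting inside an archive
    path: str
    verdict: str
    kind: str               # "clean" | "container" | "detection" | "other"
    action: Optional[str]   # e.g. "moved", or None if the line carries no action
    location: str           # "temp_internet" | "quarantine" | "temp" | "other"


def classify_location(path: str) -> str:
    """Bucket a path by where it lives, so browser-cache hits can be set aside."""
    p = path.lower()
    if "\\temporary internet files\\" in p:
        return "temp_internet"
    if "\\doctorweb\\quarantine\\" in p:
        return "quarantine"
    if "\\temp\\" in p:
        return "temp"
    return "other"


def parse_line(line: str) -> Optional[Entry]:
    stripped = line.strip()
    if not stripped:
        return None
    depth = len(stripped) - len(stripped.lstrip(">"))
    body = stripped[depth:]
    # The path is everything before the first " - "; the verdict follows it.
    path, sep, rest = body.partition(" - ")
    if not sep:
        return None
    action = None
    head, sep2, tail = rest.rpartition(" - ")
    if sep2 and tail in ACTIONS:
        rest, action = head, tail
    if rest == "OK":
        kind = "clean"
    elif rest.startswith(("archive ", "packed by ")):
        kind = "container"  # a wrapper line, not a finding by itself
    elif "infected" in rest:
        kind = "detection"
    else:
        kind = "other"
    return Entry(depth, path, rest, kind, action, classify_location(path))


def triage(log_text: str) -> dict:
    """Summarise a log and list detections that are NOT in temp/cache/quarantine."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    detections = [e for e in entries if e.kind == "detection"]
    outside = [e for e in detections if e.location == "other"]
    return {
        "total": len(entries),
        "clean": sum(e.kind == "clean" for e in entries),
        "containers": sum(e.kind == "container" for e in entries),
        "detections": len(detections),
        "detections_outside_temp": [e.path for e in outside],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved Dr.Web log by replacing `SAMPLE_LOG` with the file's contents; the `detections_outside_temp` list is the short answer to "is there anything that is not in temporary files". Container lines are counted separately because, as the thread notes, "archive ..." and "packed by ..." only describe how the scanner unpacked an object and are not verdicts on their own.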
     
  9. Broni

    Broni Malware Annihilator Posts: 52,478   +337

    I assume all those issues had been fixed?

    Any change regarding those marked icons?
     
  10. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    What issues?

    Icons are still there.
     
  11. Broni

    Broni Malware Annihilator Posts: 52,478   +337

    Did you allow Dr. Web to fix all findings?

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Click on SCAN.
    • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop.)
    • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
     
  12. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    When it found the first object and asked if I wanted to cure it I clicked "yes to all". But I haven't done anything since then, didn't delete or move anything.
     
  13. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    RogueKiller V7.1.0 [02/15/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version
    Started in : Normal mode
    User: Mary [Admin rights]
    Mode: Scan -- Date: 02/22/2012 15:44:08

    ¤¤¤ Bad processes: 3 ¤¤¤
    [SUSP PATH] CNYHKey.exe -- C:\Windows\CNYHKey.exe -> KILLED [TermProc]
    [SUSP PATH] ChiFuncExt.exe -- C:\Windows\ChiFuncExt.exe -> KILLED [TermProc]
    [SUSP PATH] ModLEDKey.exe -- C:\Windows\ModLedKey.exe -> KILLED [TermProc]

    ¤¤¤ Registry Entries: 10 ¤¤¤
    [SUSP PATH] winupd.job : C:\Users\Mary\AppData\Local\Temp:winupd.exe -> FOUND
    [HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
    [HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
    [HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
    [HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver: [NOT LOADED] ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD6400AAKS-22A7B2 +++++
    --- User ---
    [MBR] 8e95ba475d310b3c4162741c9557d42b
    [BSP] 7421173970e4901fbac72c90fd066b1f : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 13312 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 27265024 | Size: 597166 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt
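    The RogueKiller report above has a regular shape: `¤¤¤ Section ¤¤¤` headers, then tagged lines of the form `[TAG] name -- path -> STATUS` (processes) or `[TAG] key : value -> STATUS` (registry and task entries). The following is an added example, not RogueKiller's code and not the poster's report: a parser that groups entries by section and highlights targets that run from a Temp directory or address an NTFS alternate data stream. In a Windows path only the drive-letter colon is legitimate; a later colon, as in `...\Local\Temp:winupd.exe` on the `[SUSP PATH] winupd.job` line above, names a stream attached to the `Temp` directory rather than a file inside it, which is why a scheduled task pointing there deserves a look. The sample report, the `TEMP_DIRS` list and all names are constructed; `[HJ]` Start-menu entries are deliberately not flagged by this heuristic.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the RogueKiller report quoted in the thread.
# Names and paths are placeholders, not the poster's real report.
SAMPLE_REPORT = r"""
¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] HelperSvc.exe -- C:\Users\USER\AppData\Local\Temp\HelperSvc.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 2 ¤¤¤
[SUSP PATH] updater.job : C:\Users\USER\AppData\Local\Temp:updater.exe -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
"""

SECTION_RE = re.compile(r"^¤¤¤\s*(?P<name>[^:¤]+?)\s*(?::.*?)?\s*¤¤¤$")
ENTRY_RE = re.compile(r"^\[(?P<tag>[^\]]+)\]\s*(?P<body>.+?)\s*->\s*(?P<status>.+)$")
# Assumption: these are the temp locations worth flagging for this demo.
TEMP_DIRS = ("\\appdata\\local\\temp", "\\windows\\temp")


def parse_report(text: str) -> Dict[str, List[dict]]:
    """Group tagged entries by ¤¤¤ section; untagged lines (e.g. HOSTS) are skipped."""
    sections: Dict[str, List[dict]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if not m or current is None:
            continue
        body = m.group("body")
        # Processes use "name -- path"; registry/task entries use "key : value".
        for sep in (" -- ", " : "):
            if sep in body:
                name, target = body.split(sep, 1)
                break
        else:
            name, target = body, ""
        sections[current].append(
            {"tag": m.group("tag"), "name": name, "target": target, "status": m.group("status")}
        )
    return sections


def alternate_stream(path: str) -> Optional[str]:
    """Return the stream name if the path addresses an NTFS alternate data stream.
    Only the drive-letter colon is legitimate; any later colon names a stream."""
    rest = re.sub(r"^[A-Za-z]:", "", path)
    return rest.rsplit(":", 1)[1] if ":" in rest else None


def is_temp_location(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in TEMP_DIRS)


def suspicious_targets(text: str) -> List[dict]:
    """Entries whose target runs from a Temp directory or from an alternate data stream."""
    hits = []
    for section, entries in parse_report(text).items():
        for e in entries:
            ads = alternate_stream(e["target"])
            if ads or is_temp_location(e["target"]):
                hits.append({**e, "section": section, "stream": ads})
    return hits


if __name__ == "__main__":
    for h in suspicious_targets(SAMPLE_REPORT):
        where = f"stream '{h['stream']}'" if h["stream"] else "temp directory"
        print(f"{h['section']}: [{h['tag']}] {h['name']} -> {h['target']} ({where})")
```

The `[HJ]` lines are Start-menu display settings and carry no path, so they fall through both checks; that is intentional, since the heuristic is about where something executes from, not about UI tweaks. Swap `SAMPLE_REPORT` for the contents of an RKreport file to run it on a real report.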
     
  14. Broni

    Broni Malware Annihilator Posts: 52,478   +337

    I really don't see anything.
    I'm not sure what to tell you.
     
  15. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    Ok. An RK_Quarantine folder popped up on the desktop along with the .txt file. Are the objects it found taken care of, or do I need to do anything manually? And also, what do I do about the objects that DrWeb found?
     
  16. Broni

    Broni Malware Annihilator Posts: 52,478   +337

    Delete the tool and its log.

    What are the options?
     
  17. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    I opened up DrWeb and all I can do is re-scan. There doesn't seem to be an archive to select when I run the program. It did say that DrWeb will clean any infected file and whatever couldn't be cleaned will be put in quarantine, and there is a quarantine folder with the objects.
     
  18. Broni

    Broni Malware Annihilator Posts: 52,478   +337

    That's Dr. Web default.
    I can see from your logs that findings were removed.
     
  19. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    Ok so I can delete DrWeb and RogueKiller now?
     
  20. Broni

    Broni Malware Annihilator Posts: 52,478   +337

    Yes.............
     
  21. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    I'm still worried about that first Kaspersky scan, because it found 9 infections and I was never able to neutralize anything. I re-scanned but my computer messed up and it only had enough time to find one of the infections which was a trojan and I neutralized that one. Should I try to run Kaspersky one more time?
     
  22. Broni

    Broni Malware Annihilator Posts: 52,478   +337

    I'd go for it.
     
  23. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    How do I turn off windows automatic updates? That messed up one of the scans.
     
  24. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    Never mind, I got it.
     
  25. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    Ok Kaspersky finished. It didn't find anything. I looked at the log and basically looked for the same stuff I did with the RogueKiller report and couldn't find anything, I figured I'd scan it over because it's bigger than the RK log, lol. One question I have about Kaspersky, does the "Disinfect" and "Delete if disinfection fails" actions automatically neutralize/disinfect any objects found?
     
