TechSpot

System Check removal

Solved
By Andrew1234
Jan 27, 2012
  1. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

  2. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    It's so huge I can't even open the damn thing on my computer.
    Is there any part of that log which shows some actual infection?
     
  3. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    What should I look for? A lot of them are temporary internet files. Should I try to split the file into parts?
     
  4. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    Show me 10-15 lines of temporary file findings.
    Then list anything that is NOT in temporary files.
     
  5. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI4WIAG.js - archive JS-HTML
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI4WIAG.js/JSFile_1[0][70e] - probably infected with SCRIPT.Virus
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI4WIAG.js/JSWrite_2[190] - OK
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI4WIAG.js/IFrame_3[a9] - OK
    C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI4WIAG.js - archive contains infected objects - moved
    C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI56RFI.js - probably infected with SCRIPT.Virus
    C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI56RFI.js - archive JS-HTML
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI56RFI.js/JSFile_1[0][dcf] - probably infected with SCRIPT.Virus
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI56RFI.js/JSWrite_2[2be] - OK
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI56RFI.js/IFrame_3[e4] - OK
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI56RFI.js/IFrame_4[1d8] - OK
    C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI56RFI.js - archive contains infected objects - moved
    C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI5XHBP.js - probably infected with SCRIPT.Virus
    C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI5XHBP.js - archive JS-HTML
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI5XHBP.js/JSFile_1[0][712] - probably infected with SCRIPT.Virus
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI5XHBP.js/JSWrite_2[19c] - OK
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI5XHBP.js/IFrame_3[b4] - OK
    C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI5XHBP.js - archive contains infected objects - moved
    C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI6KWZW.js - probably infected with SCRIPT.Virus
    C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI6KWZW.js - archive JS-HTML
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI6KWZW.js/JSFile_1[0][7d3] - probably infected with SCRIPT.Virus
    >C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI6KWZW.js/JSWrite_2[54] - OK
     
  6. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    C:\Documents and Settings\Mary\DoctorWeb\Quarantine\GetAdCA7WKK3O.js - archive JS-HTML
    >C:\Documents and Settings\Mary\DoctorWeb\Quarantine\GetAdCA7WKK3O.js/JSFile_1[0][7d6] - probably infected with SCRIPT.Virus
    >C:\Documents and Settings\Mary\DoctorWeb\Quarantine\GetAdCA7WKK3O.js/JSWrite_2[1a9] - OK
    >C:\Documents and Settings\Mary\DoctorWeb\Quarantine\GetAdCA7WKK3O.js/IFrame_3[c3] - OK
    C:\Documents and Settings\Mary\DoctorWeb\Quarantine\GetAdCA7WKK3O.js - archive contains infected objects - moved
    C:\Documents and Settings\Mary\DoctorWeb\Quarantine\GetAdCA7WKP0R.js - probably infected with SCRIPT.Virus
    C:\Documents and Settings\Mary\DoctorWeb\Quarantine\GetAdCA7WKP0R.js - archive JS-HTML
    >C:\Documents and Settings\Mary\DoctorWeb\Quarantine\GetAdCA7WKP0R.js/JSFile_1[0][72c] - probably infected with SCRIPT.Virus
    >C:\Documents and Settings\Mary\DoctorWeb\Quarantine\GetAdCA7WKP0R.js/JSWrite_2[1a4] - OK
    >C:\Documents and Settings\Mary\DoctorWeb\Quarantine\GetAdCA7WKP0R.js/IFrame_3[bc] - OK
     
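The triage Broni asks for above (separate Temporary Internet Files hits from everything else, and ignore the "- OK" and "archive ..."/"packed by ..." lines) can be scripted over a Dr.Web-style log. This is an added example, not code from the thread or from Dr.Web; the sample log is constructed from the line format posted above, and the last two paths are made up to populate the "other" bucket.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the Dr.Web lines posted in the thread.
# The final two entries are made-up paths, not findings from the thread.
SAMPLE_LOG = r"""
C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI4WIAG.js - archive JS-HTML
>C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI4WIAG.js/JSFile_1[0][70e] - probably infected with SCRIPT.Virus
>C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI4WIAG.js/JSWrite_2[190] - OK
C:\Documents and Settings\Mary\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7LO5FSUO\GetAdCAI4WIAG.js - archive contains infected objects - moved
C:\Documents and Settings\Mary\DoctorWeb\Quarantine\GetAdCA7WKK3O.js - archive JS-HTML
>C:\Documents and Settings\Mary\DoctorWeb\Quarantine\GetAdCA7WKK3O.js/JSFile_1[0][7d6] - probably infected with SCRIPT.Virus
C:\Users\Mary\Downloads\installer.exe - packed by FLY-CODE
C:\Users\Mary\Downloads\sample.exe - probably infected with SCRIPT.Virus
"""

# Leading '>' marks an object nested inside an archive; the path ends at the
# first " - ", after which the scanner's verdict follows.
LINE_RE = re.compile(r"^(?P<depth>>*)(?P<path>.+?) - (?P<verdict>.+)$")

def classify_verdict(verdict):
    v = verdict.strip().lower()
    if v == "ok":
        return "clean"
    if "infected" in v:  # "probably infected with ..." or "contains infected objects - moved"
        return "detection"
    if v.startswith(("archive ", "packed by ")):
        return "container"  # file-format information only, not a detection
    return "unknown"

def classify_location(path):
    p = path.lower()
    if "\\temporary internet files\\" in p:
        return "temp_internet_files"
    if "\\doctorweb\\quarantine\\" in p:
        return "quarantine"  # already moved aside by Dr.Web, so no longer live
    return "other"

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, verdict = m.group("path"), m.group("verdict")
    return {"nested": bool(m.group("depth")), "path": path, "verdict": verdict,
            "kind": classify_verdict(verdict), "location": classify_location(path)}

def triage(log_text):
    """Group real detections by location; drop clean and container-only lines."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["kind"] == "detection":
            groups[rec["location"]].append(rec)
    return dict(groups)

if __name__ == "__main__":
    for location, hits in triage(SAMPLE_LOG).items():
        print(f"{location}: {len(hits)} detection(s)")
        for rec in hits:
            print("   ", rec["path"], "->", rec["verdict"])
```

Anything that lands in the "other" bucket is what the helper wanted listed separately; the temp-file and quarantine hits are the routine findings.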
  7. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    Is that about it?
     
  8. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    Yeah, the only other things that don't say "ok" are things like archive ZLIB, archive JS-HTML, archive BASE64, packed by FLY-CODE, packed by BINARYRES and a couple of others, but they all say "archive" something or "packed by" something.
     
  9. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    I assume all those issues had been fixed?

    Any change regarding those marked icons?
     
  10. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    What issues?

    Icons are still there.
     
  11. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    Did you allow Dr. Web to fix all findings?

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Click on SCAN.
    • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop.)
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
     
     
  12. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    When it found the first object and asked if I wanted to cure it I clicked "yes to all". But I haven't done anything since then, didn't delete or move anything.
     
  13. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    RogueKiller V7.1.0 [02/15/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version
    Started in : Normal mode
    User: Mary [Admin rights]
    Mode: Scan -- Date: 02/22/2012 15:44:08

    ¤¤¤ Bad processes: 3 ¤¤¤
    [SUSP PATH] CNYHKey.exe -- C:\Windows\CNYHKey.exe -> KILLED [TermProc]
    [SUSP PATH] ChiFuncExt.exe -- C:\Windows\ChiFuncExt.exe -> KILLED [TermProc]
    [SUSP PATH] ModLEDKey.exe -- C:\Windows\ModLedKey.exe -> KILLED [TermProc]

    ¤¤¤ Registry Entries: 10 ¤¤¤
    [SUSP PATH] winupd.job : C:\Users\Mary\AppData\Local\Temp:winupd.exe -> FOUND
    [HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
    [HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
    [HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
    [HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver: [NOT LOADED] ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD6400AAKS-22A7B2 +++++
    --- User ---
    [MBR] 8e95ba475d310b3c4162741c9557d42b
    [BSP] 7421173970e4901fbac72c90fd066b1f : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 13312 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 27265024 | Size: 597166 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt
     
  14. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    I really don't see anything.
    I'm not sure what to tell you.
     
  15. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    Ok. An RK_Quarantine folder popped up on the desktop along with the .txt file. Are the objects it found taken care of or do I manually need to do anything? And also what do I do about the objects that DrWeb found?
     
  16. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    Delete the tool and its log.

    What are the options?
     
  17. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    I opened up DrWeb and all I can do is re-scan. There doesn't seem to be an archive to select when I run the program. It did say that DrWeb will clean any infected file and whatever couldn't be cleaned will be put in quarantine, and there is a quarantine folder with the objects.
     
  18. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    That's Dr. Web default.
    I can see from your logs that findings were removed.
     
  19. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    Ok so I can delete DrWeb and RogueKiller now?
     
  20. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    Yes.............
     
  21. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    I'm still worried about that first Kaspersky scan, because it found 9 infections and I was never able to neutralize anything. I re-scanned but my computer messed up and it only had enough time to find one of the infections which was a trojan and I neutralized that one. Should I try to run Kaspersky one more time?
     
  22. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    I'd go for it.
     
  23. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    How do I turn off Windows automatic updates? That messed up one of the scans.
     
  24. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    Never mind, I got it.
     
  25. Andrew1234

    Andrew1234 TS Enthusiast Topic Starter Posts: 113

    Ok, Kaspersky finished. It didn't find anything. I looked at the log and basically looked for the same stuff I did with the RogueKiller report and couldn't find anything; I figured I'd scan it over because it's bigger than the RK log, lol. One question I have about Kaspersky: do the "Disinfect" and "Delete if disinfection fails" actions automatically neutralize/disinfect any objects found?
     