also @ TechSpot: OCZ Vertex 450 SSD Review

TechSpot

TechSpot News Products Downloads Forums

About
Sign in

Welcome to TechSpot

Why should I register?

Sign up for a new account or log in here:

Forgot your password?

Couldn't sign you in, please try again.

Windows command processor and possibly more

Discussion in 'Virus and Malware Removal' started by Nereth, Nov 2, 2012.

Page 2 of 3

Nereth Newcomer, in training Posts: 24

Ok then, well if I can choose between having a bunch of infected files and having a bunch of broken files on my computer, I will definitely choose broken files, since that way it is both obvious what needs replacing, and not likely to ruin the new install if I mess up.

So definitely my choice is to "kill it with fire" so to speak, and see what survives afterwards

Lead on, and let us crush this virus!

=D

By the way, can you tell me what file types are generally at risk? I read somewhere that even .TXTs and .DOCs are potential risks, I need to be careful of corrupting those if that is the case, it would be worth my time to print or copy and paste some of them out first or something since there is some important work that could be lost otherwise.

Thanks for your help,
-Nereth

Nereth, Nov 6, 2012

#21
Jay Pfoutz Malware Helper Posts: 4,286 +49
All file types.

Once the file is infected, it gets damaged, and may be impossible to access...

Here is the scan list:

Norman Malware Cleaner

Please download Norman Malware Cleaner and save to your desktop.
alternate download link

Double-click on Norman_Malware_Cleaner.exe to start the program.

Read the End User License Agreement and click the Accept button to open the scanning window.

Click Start Scan to begin.

In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot and run the tool again to ensure that all infections are removed.

After the scan has finished, a log file with the date (I.e. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.

Note: For usb flash drives and/or other removable drives to scan, use the Add button to browse to the drives location, click on the drive to highlight and choose Ok.

Kaspersky Virus Removal Tool

The Kaspersky Virus Removal Tool is a scan-and-remove solution from Kaspersky that searches out the most common malware and attempts to remove it from your computer.

Please download the Kaspersky Virus Removal Tool from Kaspersky's Official Link and save it to your Desktop.

Double-click the Setup file to install it on your computer.

Once it has installed, review and accept the agreement and press the Start button.

You will presented with the main interface, but don't scan yet, click the options tab (gear icon):

On the Scan Scope tab, make sure to checkmark all the options, except for the CD/DVD drive:

On the Security Level tab, make sure to move the slider up denoting "Current Security Level: High":

Now, go back to the Automatic Scan tab, and choose "Start Scanning". It may take several hours to complete. Please allow it to do so.

Once done scanning, choose the Report tab (page icon), select Detected Threats tab on left, and choose Disinfect All:

Then, choose Save. Also, in the Automatic Report tab, select Save:

Please post the reports in your next reply.

Once you exit, the tool should uninstall automatically.

Panda ActiveScan

Please run Panda ActiveScan online scan.

Choose Quick Scan then click the big green Scan now button

If it wants to install an ActiveX component allow it

It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)

Once the scan is completed, please hit the notepad icon next to the text Export to:

Save it to a convenient location such as your Desktop

Post the contents of the ActiveScan.txt in your next reply
Jay Pfoutz, Nov 6, 2012

#22
Nereth Newcomer, in training Posts: 24

I'm going to have to sleep (Australia!) before I can go through with that, but I will just ask one more question before I do so I can be clear on what will be happening when I get to this tomorrow:

If a file is going to be inaccessible due to the virus, is it going to be inaccessible even before the AV processes above? Or is it the scanning/curing process that can break them? Judging by what ESETs scan did (deleted infected .DLLs etc and therefore broke some programs), I can understand that a lot of programs will break, but what about documents? Could an otherwise accessible document become broken or deleted after we go through with these fixes? If so I should go through and try to salvage them first before doing this as I don't know if they will come out corrupted, if not, I can just wait and see.

Nereth, Nov 6, 2012

#23

DragonMaster Jay likes this.
Jay Pfoutz Malware Helper Posts: 4,286 +49

It will be inaccessible before and/or after the AV processes - Just depends.

Sometimes the virus breaks them, sometimes the removal tools break them - Just depends.

Programs will probably continue breaking. Programs are nontransferable anyway, unless they're portable versions (most aren't).

Jay Pfoutz, Nov 7, 2012

#24
Nereth Newcomer, in training Posts: 24

Hi there,

Sorry to keep asking these questions - if that's the case, I read somewhere a while ago while researching this stuff that there was a way to make a USB flash disk safe for use with this virus, despite the fact that they are usually an infection vector for it. Something like cleaning the flash disk, and then putting some kind of file into it that would prevent the virus from transferring itself on. I'm not sure if I misunderstood this or not, but if this is possible, would you be able to help me do this?

Best regards,
Nereth

Nereth, Nov 7, 2012

#25

Jay Pfoutz Malware Helper Posts: 4,286 +49

I doubt that. If the virus is going to spread, it'll spread via files. The only way that it won't spread to your flash drive when it's connected to the PC, is if it is write protected. But you'd still have to turn write protection off just to save files, so you'll throw yourself in a loop, if that makes sense.

Jay Pfoutz, Nov 8, 2012

#26

Nereth Newcomer, in training Posts: 24

Hi there,

Kapersky Labs first scan crashed, so I started it again - it slowed down really hard at 50% and has been there for about 3 hours. It's now about 5 hours into the scan. It's still incrementing through files though, but I'll have to leave it while I get some sleep. It has currently found 8 threats. 6 are 'vulnerabilities', 2 are 'win32.Nimnul.e'

Oh, and there was no "OS" tick box available under scan scope in Kapersky. I ticked everything except optical drives though

So I'll post the log of the Norman Malware Cleaner Scan first incase it is useful to you on its own. The rest of the logs will come when their scan is complete.

By the way the NMC log was not named precisely as you described it would be, not sure if this is just a newer version or something.

Normal Malware Cleaner log:

Norman Malware Cleaner v2.06.01
Copyright © 1990 - 2012, Norman ASA.

Norman Scanner Engine Version: 7.00.12
nvcbin.def: Version: 7.00.1803, Date: 2012/11/08 14:20:42, Variants: 15294968
nvcmacro.def: Version: 0.00.00, Date: 1970/01/01 08:00:00, Variants: 0

Operating System: Windows 7 x64

Switches: /iagree

Scan started: 2012/11/08 17:59:35

Running pre-scan cleanup routine...

Number of malicious objects found: 0
Number of malicious objects cleaned: 0
Scanning time: 0s

Scanning running processes and process memory...

Number of objects found: 2016
Number of objects scanned: 2016
Number of objects not scanned: 0
Number of malicious memory objects found: 0
Number of malicious objects cleaned: 0
Number of malicious files found: 0
Number of malicious files cleaned: 0
Scanning time: 17s

Scanning system for FakeAV...

Number of malicious objects found: 0
Number of malicious objects cleaned: 0
Number of malicious files found: 0
Number of malicious files cleaned: 0
Scanning time: 0s

Running full scan...
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\master.mdf: Error opening file for read: 0x00000020
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\mastlog.ldf: Error opening file for read: 0x00000020
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\model.mdf: Error opening file for read: 0x00000020
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\modellog.ldf: Error opening file for read: 0x00000020
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\MSDBData.mdf: Error opening file for read: 0x00000020
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\MSDBLog.ldf: Error opening file for read: 0x00000020
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\tempdb.mdf: Error opening file for read: 0x00000020
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\templog.ldf: Error opening file for read: 0x00000020
C:\Program Files (x86)\Altium\AD 10\HS-AD10.exe: File infected with winpe/Suspicious_Gen2.JJFPG
Delete file: C:\Program Files (x86)\Altium\AD 10\HS-AD10.exe
Cleaning successful
C:\System Volume Information\Syscache.hve: Error opening file for read: 0x00000020
C:\System Volume Information\Syscache.hve.LOG1: Error opening file for read: 0x00000020
C:\System Volume Information\Syscache.hve.LOG2: Error opening file for read: 0x00000020
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat: Error opening file for read: 0x00000020
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat: Error opening file for read: 0x00000020
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\48f599bc7394900b6b5b3925722d724750599fab.HomeGroupClassifier\027edd5e419cdf88462bec34151cbabd\grouping\db.mdb: Error opening file for read: 0x00000020
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\48f599bc7394900b6b5b3925722d724750599fab.HomeGroupClassifier\027edd5e419cdf88462bec34151cbabd\grouping\edb.log: Error opening file for read: 0x00000020
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\48f599bc7394900b6b5b3925722d724750599fab.HomeGroupClassifier\027edd5e419cdf88462bec34151cbabd\grouping\tmp.edb: Error opening file for read: 0x00000020
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT: Error opening file for read: 0x00000020
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG1: Error opening file for read: 0x00000020
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG2: Error opening file for read: 0x00000020
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT: Error opening file for read: 0x00000020
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG1: Error opening file for read: 0x00000020
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG2: Error opening file for read: 0x00000020
C:\Windows\System32\catroot2\edb.log: Error opening file for read: 0x00000020
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb: Error opening file for read: 0x00000020
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb: Error opening file for read: 0x00000020
C:\Windows\System32\config\DEFAULT: Error opening file for read: 0x00000020
C:\Windows\System32\config\DEFAULT.LOG1: Error opening file for read: 0x00000020
C:\Windows\System32\config\DEFAULT.LOG2: Error opening file for read: 0x00000020
C:\Windows\System32\config\RegBack\DEFAULT: Error opening file for read: 0x00000020
C:\Windows\System32\config\RegBack\SAM: Error opening file for read: 0x00000020
C:\Windows\System32\config\RegBack\SECURITY: Error opening file for read: 0x00000020
C:\Windows\System32\config\RegBack\SOFTWARE: Error opening file for read: 0x00000020
C:\Windows\System32\config\RegBack\SYSTEM: Error opening file for read: 0x00000020
C:\Windows\System32\config\SAM: Error opening file for read: 0x00000020
C:\Windows\System32\config\SAM.LOG1: Error opening file for read: 0x00000020
C:\Windows\System32\config\SECURITY: Error opening file for read: 0x00000020
C:\Windows\System32\config\SAM.LOG2: Error opening file for read: 0x00000020
C:\Windows\System32\config\SECURITY.LOG1: Error opening file for read: 0x00000020
C:\Windows\System32\config\SECURITY.LOG2: Error opening file for read: 0x00000020
C:\Windows\System32\config\SOFTWARE: Error opening file for read: 0x00000020
C:\Windows\System32\config\SOFTWARE.LOG2: Error opening file for read: 0x00000020
C:\Windows\System32\config\SOFTWARE.LOG1: Error opening file for read: 0x00000020
C:\Windows\System32\config\SYSTEM.LOG2: Error opening file for read: 0x00000020
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTSteam Event Tracing.etl: Error opening file for read: 0x00000020
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl: Error opening file for read: 0x00000020
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\History\CacheManager\MpScanCache-1.bin: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\IMpServiceEDB4FA23-53B8-4AFA-8C5D-99752CCA7094.lock: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.67: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.7E: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.80: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.87: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.A0: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.VE0: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.VE1: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.VE2: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.VF: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\MpDiag.bin: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Local\Microsoft\Windows\UsrClass.dat: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Local\Temp\acro_rd_dir\fla5028.tmp: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Local\Temp\acro_rd_dir\flaC861.tmp: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Roaming\Mozilla\Firefox\Profiles\uot65xz2.default\parent.lock: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Roaming\Skype\nereth1\bistats.lock: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Roaming\Skype\nereth1\keyval.lock: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Roaming\Skype\nereth1\main.lock: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Roaming\Skype\nereth1\msn.lock: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Roaming\Skype\shared_dynco\dc.lock: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Roaming\Skype\shared_httpfe\queue.lock: Error opening file for read: 0x00000020
D:\Users\Ahmad\Desktop\cleaning\dds.com: File infected with winpe/Rootkit.ENBI
Delete file: D:\Users\Ahmad\Desktop\cleaning\dds.com
Cleaning successful
D:\Users\Ahmad\Desktop\Downloaded youtube songs\ComboFix.exe: File infected with winpe/Suspicious_Gen4.BKROE
Delete file: D:\Users\Ahmad\Desktop\Downloaded youtube songs\ComboFix.exe
Cleaning successful
D:\Users\Ahmad\Desktop\ISOs\ADOBE.CREATIVE.SUITE.5.5.MASTER.COLLECTION.ESD-ISO\CORE_CS_5.5.rar: Archive infected
D:\Users\Ahmad\Desktop\ISOs\ADOBE.CREATIVE.SUITE.5.5.MASTER.COLLECTION.ESD-ISO\CORE_CS_5.5.rar/CORE\cr-adpp0\Keygen.exe: File infected with doslegacy/Sality.AW
Delete archive object: D:\Users\Ahmad\Desktop\ISOs\ADOBE.CREATIVE.SUITE.5.5.MASTER.COLLECTION.ESD-ISO\CORE_CS_5.5.rar\CORE\cr-adpp0\Keygen.exe
Cleaning successful
D:\Users\Ahmad\Desktop\ISOs\Altium.Designer.v10.0.iSO-HS\Altium\Private License Server Setup\Setup\instmsiw.exe/noname.cab/instmsi.msi/file30: Not scanned: 0x00000001
D:\Users\Ahmad\Desktop\ISOs\Keil_4\keil4.rar: Archive infected
D:\Users\Ahmad\Desktop\ISOs\Keil_4\keil4.rar/keil_arm_4\Keygen\keygen.exe: File infected with generic/Packed_spybot_gen6.A
Delete archive object: D:\Users\Ahmad\Desktop\ISOs\Keil_4\keil4.rar\keil_arm_4\Keygen\keygen.exe
Cleaning successful
D:\Users\Ahmad\Downloads\Sony Vegas Pro 12 Build 367 (64 bit patch-KHG) [ChingLiu]\patch - KHG\vegas.pro.12.-patch.exe: File infected with winpe/App_Generic.AIPIY
Delete file: D:\Users\Ahmad\Downloads\Sony Vegas Pro 12 Build 367 (64 bit patch-KHG) [ChingLiu]\patch - KHG\vegas.pro.12.-patch.exe
Cleaning successful
D:\Users\Ahmad\NTUSER.DAT: Error opening file for read: 0x00000020
D:\Users\Ahmad\ntuser.dat.LOG1: Error opening file for read: 0x00000020
D:\Users\Ahmad\ntuser.dat.LOG2: Error opening file for read: 0x00000020
D:\Users\UpdatusUser\AppData\Local\Microsoft\Windows\UsrClass.dat: Error opening file for read: 0x00000020
D:\Users\UpdatusUser\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1: Error opening file for read: 0x00000020
D:\Users\UpdatusUser\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2: Error opening file for read: 0x00000020
D:\Users\UpdatusUser\NTUSER.DAT: Error opening file for read: 0x00000020
D:\Users\UpdatusUser\ntuser.dat.LOG1: Error opening file for read: 0x00000020
D:\Users\UpdatusUser\ntuser.dat.LOG2: Error opening file for read: 0x00000020

Number of files found: 284029
Number of archives unpacked: 9009
Number of objects found: 1355895
Number of objects scanned: 1355806
Number of objects not scanned: 89
Number of malicious objects found: 6
Number of malicious objects cleaned: 6
Number of malicious files found: 6
Number of malicious files cleaned: 6
Scanning time: 48m 6s

Running post-scan cleanup routine...

Number of malicious objects found: 0
Number of malicious objects cleaned: 0
Scanning time: 0s

Results:
Total number of files found: 284029
Total number of archives unpacked: 9009
Total number of objects found: 1357911
Total number of objects scanned: 1357822
Total number of objects not scanned: 89
Total number of malicious objects found: 6
Total number of malicious objects cleaned: 6
Total number of malicious files found: 6
Total number of malicious files cleaned: 6
Total number of objects quarantined: 4
Total scanning time: 48m 23s

Nereth, Nov 8, 2012

#27
Nereth Newcomer, in training Posts: 24

Hey,

The other scans are done.

However, the kapersky automatic scan file took something like 5-10 minutes to save and ended up being 600 megs. I assume something went wrong with it because that seems a bit big . I can't even open it up with notepad, notepad opens then stops responding before displaying anything. I wander if something went wrong with the kapersky scan in general. I do have the detected threats report though.

Kapersky detected threats:

Status: Vulnerability (events: 9)
8/11/2012 9:36:52 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/44681 C:\Program Files (x86)\Altium\AD 10\Subversion Client\svn.exe Low
8/11/2012 9:37:23 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/50949 C:\Program Files (x86)\Java\jre7\bin\java.exe Low
8/11/2012 9:38:21 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51183 C:\Program Files (x86)\Opera\opera.exe Low
8/11/2012 9:41:34 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51213 C:\Windows\System32\Macromed\Flash\NPSWF64_11_4_402_287.dll Low
8/11/2012 9:41:39 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/0 C:\Windows\SysWOW64\msxml4.dll Low
8/11/2012 9:41:43 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51213 C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll Low
9/11/2012 3:06:17 AM Vulnerability vulnerability http://www.securelist.com/en/advisories/51183 c:\Program Files (x86)\Opera\opera.exe Low
9/11/2012 3:06:33 AM Vulnerability vulnerability http://www.securelist.com/en/advisories/50949 c:\Program Files (x86)\Java\jre7\bin\java.exe Low
9/11/2012 3:06:50 AM Vulnerability vulnerability http://www.securelist.com/en/advisories/51213 c:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll Low
Status: Disinfected (events: 2)
8/11/2012 10:37:30 PM Disinfected virus Virus.Win32.Nimnul.e D:\Program Files (x86)\Alcohol Soft\Alcohol 120\pidalc.dll High
8/11/2012 10:37:32 PM Disinfected virus Virus.Win32.Nimnul.e D:\Program Files (x86)\FreeTime\FormatFactory\FFModules\Encoder\codecs\xanlib.dll High

Kapersky automatic scan report:

600 meg, too large to post or upload unless you reaaaaally want it (aussie internet, will likely take on the order of a day to upload ).

Panda ActiveScan

;***********************************************************************************************************************************************************************************
ANALYSIS: 2012-11-09 14:19:05
PROTECTIONS: 2
MALWARE: 6
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
ESET NOD32 Antivirus 5.2 Yes No
Microsoft Security Essentials No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No d:\users\ahmad\appdata\local\cdgijwjg.log[ie cookies/smd1quay.txt]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\low\3l6lwuie.txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\qoobox\quarantine\d\users\ahmad\appdata\local\cdgijwjg.log.vir[ie cookies/low/vnzccgm0.txt]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No d:\users\ahmad\appdata\local\cdgijwjg.log[ie cookies/low/vnzccgm0.txt]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\smd1quay.txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\qoobox\quarantine\d\users\ahmad\appdata\local\cdgijwjg.log.vir[ie cookies/smd1quay.txt]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\low\2fg8v783.txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\low\50w143bv.txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\qoobox\quarantine\d\users\ahmad\appdata\local\cdgijwjg.log.vir[ie cookies/low/qn2fqagz.txt]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No d:\users\ahmad\appdata\local\cdgijwjg.log[ie cookies/low/5u0ljkus.txt]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\nw3u5tbc.txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\qoobox\quarantine\d\users\ahmad\appdata\local\cdgijwjg.log.vir[ie cookies/nw3u5tbc.txt]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No d:\users\ahmad\appdata\local\cdgijwjg.log[ie cookies/nw3u5tbc.txt]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\qoobox\quarantine\d\users\ahmad\appdata\local\cdgijwjg.log.vir[ie cookies/xwt3tmx7.txt]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\xwt3tmx7.txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No d:\users\ahmad\appdata\local\cdgijwjg.log[ie cookies/xwt3tmx7.txt]
00170554 Cookie/Overture TrackingCookie No 0 Yes No d:\users\ahmad\appdata\local\cdgijwjg.log[ie cookies/low/3ryl2eo9.txt]
00170554 Cookie/Overture TrackingCookie No 0 Yes No c:\qoobox\quarantine\d\users\ahmad\appdata\local\cdgijwjg.log.vir[ie cookies/low/02ih20hg.txt]
00170554 Cookie/Overture TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\low\p0r5n58b.txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No c:\qoobox\quarantine\d\users\ahmad\appdata\local\cdgijwjg.log.vir[ie cookies/q80b4rgi.txt]
00170554 Cookie/Overture TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\q80b4rgi.txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No d:\users\ahmad\appdata\local\cdgijwjg.log[ie cookies/q80b4rgi.txt]
03009106 W32/Xor-encoded.A Virus No 0 Yes No d:\programdata\microsoft\windows defender\localcopy\{63c29f66-2041-5298-3e2f-969df3a6eeba}-maintenanceservice_tmp.exe
03009106 W32/Xor-encoded.A Virus No 0 Yes No d:\programdata\microsoft\windows defender\localcopy\{80e32ccc-04bd-e09f-09b6-e7eca3f59afe}-plugin-container.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================

Nereth, Nov 9, 2012

#28
Jay Pfoutz Malware Helper Posts: 4,286 +49

Something tells me this didn't go well... let's do the following: http://www.howtogeek.com/howto/36403/how-to-use-the-kaspersky-rescue-disk-to-clean-your-infected-pc/

Jay Pfoutz, Nov 9, 2012

#29
Nereth Newcomer, in training Posts: 24

Is it ok with you if I use the USB flash disk version of that? I don't even have an optical disk around I think.

Nereth, Nov 9, 2012

#30
Jay Pfoutz Malware Helper Posts: 4,286 +49

Go for it.

Jay Pfoutz, Nov 10, 2012

#31
Nereth Newcomer, in training Posts: 24

Hrmmm I tried it twice, went to the "boot from" menu in my MOBO and chose, there were two options: 1) my flash disk and 2) something like "UEFA flash disk" (I don't remember the acronym) Tried the first one first and it said no boot partition found, I tried the second one second and it tried to boot into windows but failed IIRC and I just powered down (it was super late and I guess I wasn't paying enough attention, sorry!). Anyway the next day when I tried to start up normally windows complained that it couldn't boot properly and had to repair stuff (which it failed to do according to it, but it started up properly anyway after a restart).

Anyway I'm kind of scared that I came close to an unbootable PC just now D: I'll have a look over the instructions a bit more and if I can't find what I did wrong perhaps I will try the normal kapersky scan again instead of the rescue disk, maybe it will work this time XD

Nereth, Nov 11, 2012

#32

DragonMaster Jay likes this.
Nereth Newcomer, in training Posts: 24

Hi again,

So I didn't want to risk the flash drive again and I had to wait till tomorrow to get a CD ROM, so instead I've just finished trying the normal scan again. This time it completed in a much more reasonable 4 hours and 17 minutes.

Now, I once again have the detected threats scan (will post after thiis note), but the automatic scan report is now 607 megs. I managed to open it in word pad by being patient - actually it's still opening now, page by page, it's not corrupt or anything it's literally just a couple of lines for every single file on my computer, so it's no real surprise that it's so big.

Is this not normal? Have I saved the log incorrectly?

I haven't run the panda activescan yet, pending your instructions regarding Kapersky.

Kapersky Detected threats report:

Status: Vulnerability (events: 8)
12/11/2012 9:15:57 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/44681 C:\Program Files (x86)\Altium\AD 10\Subversion Client\svn.exe Low
12/11/2012 9:16:45 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/50949 C:\Program Files (x86)\Java\jre7\bin\java.exe Low
12/11/2012 9:18:19 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51183 C:\Program Files (x86)\Opera\opera.exe Low
12/11/2012 9:23:55 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51213 C:\Windows\System32\Macromed\Flash\NPSWF64_11_4_402_287.dll Low
12/11/2012 9:24:04 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/0 C:\Windows\SysWOW64\msxml4.dll Low
12/11/2012 9:24:16 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51213 C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll Low
12/11/2012 11:15:42 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51183 c:\Program Files (x86)\Opera\opera.exe Low
12/11/2012 11:15:53 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51213 c:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll Low

Thanks for your time,
Nereth

Nereth, Nov 12, 2012

#33
Jay Pfoutz Malware Helper Posts: 4,286 +49

Looks fine. How does the operating system operate, in general?

Jay Pfoutz, Nov 13, 2012

#34
Nereth Newcomer, in training Posts: 24

It has run perfectly fine ever since that second cleaning script you made for me, although given how despite this, every second scan has been uncovering stuff, I don't know if that means it is OK or not.

Nereth, Nov 13, 2012

#35
Jay Pfoutz Malware Helper Posts: 4,286 +49
Hi there. It all appears to be good, so we will finish up to make sure your computer is protected from malware in the future.

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point

Go to Control Panel and select System and Maintenance

Select System

On the left select Advance System Settings and accept the warning if you get one

Select System Protection Tab

Select Create at the bottom

Type in a name I.e. Clean

Select Create

Now we can purge the infected ones

Go back to the System and Maintenance page

Select Performance Information and Tools

On the left select Open Disk Cleanup

Select Files from all users and accept the warning if you get one

In the drop down box select your main drive I.e. C

For a few moments the system will make some calculations:

Select the More Options tab

In the System Restore and Shadow Backups select Clean up

Select Delete on the pop up

Select OK

Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

Save it to your Desktop.

Double click OTC.exe.

Click the CleanUp! button.

If you are prompted to Reboot during the cleanup, select Yes.

The tool will delete itself once it finishes.

Note:If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

NOTE: If you already have this installed, you don't have to reinstall it.

Please download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

Double-click the CCleaner shortcut on the desktop to start the program.

A prompt will ask you if you want CCleaner to do a check to see what cookies it needs to keep. Allow that operation.

On the Cleaner tab, click on Run Cleaner on the bottom-right to run the program.

Important: Make sure that ALL browser windows are closed before selecting Run Cleaner, or it will ask if you want the program to close them for you (when you do this, all unsaved data may be lost in the browser).

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

Save it to your Desktop.

Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Jay Pfoutz, Nov 13, 2012

#36
Nereth Newcomer, in training Posts: 24

I think the guide for the restore point cleanup might be outdated:

I managed to get to Performance Information and Tools Using the win7 start->search functionality (couldn't find it under system and security, which is what I assumed was meant when you said system and maintenance), once there I clicked open disk cleanup, there was no setting, menu, or drop down box pertaining to selecting 'files from all users', although I did immediately get a drop down box in which I selected the C drive. After that, there was no "more options" tab in the dialog box that opened, which pretty much stopped me short on continuing your guide .

Nereth, Nov 13, 2012

#37
Jay Pfoutz Malware Helper Posts: 4,286 +49

It's not outdated. Just some people's computers, for some reason, do not show that option. I'm thinking about changing my guide so people can just delete the old restore points with OTL or CCleaner...

Just go in to CCleaner, press the Tools tab...System Restore. Delete all listed.

Once that's done, continue on cleanup.

Jay Pfoutz, Nov 14, 2012

#38
Nereth Newcomer, in training Posts: 24

Hey there,

All done, here is the contents of checkup.txt:

Results of screen317's Security Check version 0.99.54
Windows 7 x64 (UAC is enabled)
Out of date service pack!!
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
ESET NOD32 Antivirus 5.2
Microsoft Security Essentials
Antivirus out of date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Spyder3Pro
Malwarebytes Anti-Malware version 1.65.1.1000
JavaFX 2.1.1
Java(TM) 7 Update 5
Java version out of Date!
Adobe Flash Player 11.4.402.287
Adobe Reader X (10.1.4)
Mozilla Firefox (16.0.2)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
ESET NOD32 Antivirus egui.exe
ESET NOD32 Antivirus ekrn.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````

It doesn't look very pretty does it XD

Nereth, Nov 15, 2012

#39
Jay Pfoutz Malware Helper Posts: 4,286 +49

Update service pack, if you can: http://windows.microsoft.com/en-US/windows7/install-windows-7-service-pack-1

If you have trouble with the service pack, we can provide help in the Windows OS section of this site.

Java Update!

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

Read more about Java exploit problems

Personal Tips on Preventing Malware

See this page for more info about malware and prevention.

Any other questions before I mark this topic solved?

Jay Pfoutz, Nov 15, 2012

#40

Page 2 of 3

Topic Status:: Not open for further replies.

Add New Comment

	Social Login & Guest Posting			TechSpot Members Login here or sign up for free, it takes about a minute.
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.