TechSpot

Windows command processor and possibly more

Solved
By Nereth
Nov 2, 2012
Topic Status:
Not open for further replies.
  1. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    I doubt that. If the virus is going to spread, it'll spread via files. The only way that it won't spread to your flash drive when it's connected to the PC, is if it is write protected. But you'd still have to turn write protection off just to save files, so you'll throw yourself in a loop, if that makes sense. :(
  2. Nereth

    Nereth Newcomer, in training Topic Starter Posts: 24

    Hi there,

    Kapersky Labs first scan crashed, so I started it again - it slowed down really hard at 50% and has been there for about 3 hours. It's now about 5 hours into the scan. It's still incrementing through files though, but I'll have to leave it while I get some sleep. It has currently found 8 threats. 6 are 'vulnerabilities', 2 are 'win32.Nimnul.e'

    Oh, and there was no "OS" tick box available under scan scope in Kapersky. I ticked everything except optical drives though

    So I'll post the log of the Norman Malware Cleaner Scan first incase it is useful to you on its own. The rest of the logs will come when their scan is complete.

    By the way the NMC log was not named precisely as you described it would be, not sure if this is just a newer version or something.

    Normal Malware Cleaner log:

    Norman Malware Cleaner v2.06.01
    Copyright © 1990 - 2012, Norman ASA.

    Norman Scanner Engine Version: 7.00.12
    nvcbin.def: Version: 7.00.1803, Date: 2012/11/08 14:20:42, Variants: 15294968
    nvcmacro.def: Version: 0.00.00, Date: 1970/01/01 08:00:00, Variants: 0

    Operating System: Windows 7 x64

    Switches: /iagree

    Scan started: 2012/11/08 17:59:35

    Running pre-scan cleanup routine...

    Number of malicious objects found: 0
    Number of malicious objects cleaned: 0
    Scanning time: 0s

    Scanning running processes and process memory...

    Number of objects found: 2016
    Number of objects scanned: 2016
    Number of objects not scanned: 0
    Number of malicious memory objects found: 0
    Number of malicious objects cleaned: 0
    Number of malicious files found: 0
    Number of malicious files cleaned: 0
    Scanning time: 17s

    Scanning system for FakeAV...

    Number of malicious objects found: 0
    Number of malicious objects cleaned: 0
    Number of malicious files found: 0
    Number of malicious files cleaned: 0
    Scanning time: 0s

    Running full scan...
    C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\master.mdf: Error opening file for read: 0x00000020
    C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\mastlog.ldf: Error opening file for read: 0x00000020
    C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\model.mdf: Error opening file for read: 0x00000020
    C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\modellog.ldf: Error opening file for read: 0x00000020
    C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\MSDBData.mdf: Error opening file for read: 0x00000020
    C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\MSDBLog.ldf: Error opening file for read: 0x00000020
    C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\tempdb.mdf: Error opening file for read: 0x00000020
    C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\templog.ldf: Error opening file for read: 0x00000020
    C:\Program Files (x86)\Altium\AD 10\HS-AD10.exe: File infected with winpe/Suspicious_Gen2.JJFPG
    Delete file: C:\Program Files (x86)\Altium\AD 10\HS-AD10.exe
    Cleaning successful
    C:\System Volume Information\Syscache.hve: Error opening file for read: 0x00000020
    C:\System Volume Information\Syscache.hve.LOG1: Error opening file for read: 0x00000020
    C:\System Volume Information\Syscache.hve.LOG2: Error opening file for read: 0x00000020
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat: Error opening file for read: 0x00000020
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat: Error opening file for read: 0x00000020
    C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\48f599bc7394900b6b5b3925722d724750599fab.HomeGroupClassifier\027edd5e419cdf88462bec34151cbabd\grouping\db.mdb: Error opening file for read: 0x00000020
    C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\48f599bc7394900b6b5b3925722d724750599fab.HomeGroupClassifier\027edd5e419cdf88462bec34151cbabd\grouping\edb.log: Error opening file for read: 0x00000020
    C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\48f599bc7394900b6b5b3925722d724750599fab.HomeGroupClassifier\027edd5e419cdf88462bec34151cbabd\grouping\tmp.edb: Error opening file for read: 0x00000020
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT: Error opening file for read: 0x00000020
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG1: Error opening file for read: 0x00000020
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG2: Error opening file for read: 0x00000020
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT: Error opening file for read: 0x00000020
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG1: Error opening file for read: 0x00000020
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG2: Error opening file for read: 0x00000020
    C:\Windows\System32\catroot2\edb.log: Error opening file for read: 0x00000020
    C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb: Error opening file for read: 0x00000020
    C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb: Error opening file for read: 0x00000020
    C:\Windows\System32\config\DEFAULT: Error opening file for read: 0x00000020
    C:\Windows\System32\config\DEFAULT.LOG1: Error opening file for read: 0x00000020
    C:\Windows\System32\config\DEFAULT.LOG2: Error opening file for read: 0x00000020
    C:\Windows\System32\config\RegBack\DEFAULT: Error opening file for read: 0x00000020
    C:\Windows\System32\config\RegBack\SAM: Error opening file for read: 0x00000020
    C:\Windows\System32\config\RegBack\SECURITY: Error opening file for read: 0x00000020
    C:\Windows\System32\config\RegBack\SOFTWARE: Error opening file for read: 0x00000020
    C:\Windows\System32\config\RegBack\SYSTEM: Error opening file for read: 0x00000020
    C:\Windows\System32\config\SAM: Error opening file for read: 0x00000020
    C:\Windows\System32\config\SAM.LOG1: Error opening file for read: 0x00000020
    C:\Windows\System32\config\SECURITY: Error opening file for read: 0x00000020
    C:\Windows\System32\config\SAM.LOG2: Error opening file for read: 0x00000020
    C:\Windows\System32\config\SECURITY.LOG1: Error opening file for read: 0x00000020
    C:\Windows\System32\config\SECURITY.LOG2: Error opening file for read: 0x00000020
    C:\Windows\System32\config\SOFTWARE: Error opening file for read: 0x00000020
    C:\Windows\System32\config\SOFTWARE.LOG2: Error opening file for read: 0x00000020
    C:\Windows\System32\config\SOFTWARE.LOG1: Error opening file for read: 0x00000020
    C:\Windows\System32\config\SYSTEM.LOG2: Error opening file for read: 0x00000020
    C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTSteam Event Tracing.etl: Error opening file for read: 0x00000020
    C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl: Error opening file for read: 0x00000020
    C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl: Error opening file for read: 0x00000020
    D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\History\CacheManager\MpScanCache-1.bin: Error opening file for read: 0x00000020
    D:\ProgramData\Microsoft\Microsoft Antimalware\IMpServiceEDB4FA23-53B8-4AFA-8C5D-99752CCA7094.lock: Error opening file for read: 0x00000020
    D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.67: Error opening file for read: 0x00000020
    D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.7E: Error opening file for read: 0x00000020
    D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.80: Error opening file for read: 0x00000020
    D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.87: Error opening file for read: 0x00000020
    D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.A0: Error opening file for read: 0x00000020
    D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.VE0: Error opening file for read: 0x00000020
    D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.VE1: Error opening file for read: 0x00000020
    D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.VE2: Error opening file for read: 0x00000020
    D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.VF: Error opening file for read: 0x00000020
    D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\MpDiag.bin: Error opening file for read: 0x00000020
    D:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log: Error opening file for read: 0x00000020
    D:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log: Error opening file for read: 0x00000020
    D:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb: Error opening file for read: 0x00000020
    D:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb: Error opening file for read: 0x00000020
    D:\Users\Ahmad\AppData\Local\Microsoft\Windows\UsrClass.dat: Error opening file for read: 0x00000020
    D:\Users\Ahmad\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1: Error opening file for read: 0x00000020
    D:\Users\Ahmad\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2: Error opening file for read: 0x00000020
    D:\Users\Ahmad\AppData\Local\Temp\acro_rd_dir\fla5028.tmp: Error opening file for read: 0x00000020
    D:\Users\Ahmad\AppData\Local\Temp\acro_rd_dir\flaC861.tmp: Error opening file for read: 0x00000020
    D:\Users\Ahmad\AppData\Roaming\Mozilla\Firefox\Profiles\uot65xz2.default\parent.lock: Error opening file for read: 0x00000020
    D:\Users\Ahmad\AppData\Roaming\Skype\nereth1\bistats.lock: Error opening file for read: 0x00000020
    D:\Users\Ahmad\AppData\Roaming\Skype\nereth1\keyval.lock: Error opening file for read: 0x00000020
    D:\Users\Ahmad\AppData\Roaming\Skype\nereth1\main.lock: Error opening file for read: 0x00000020
    D:\Users\Ahmad\AppData\Roaming\Skype\nereth1\msn.lock: Error opening file for read: 0x00000020
    D:\Users\Ahmad\AppData\Roaming\Skype\shared_dynco\dc.lock: Error opening file for read: 0x00000020
    D:\Users\Ahmad\AppData\Roaming\Skype\shared_httpfe\queue.lock: Error opening file for read: 0x00000020
    D:\Users\Ahmad\Desktop\cleaning\dds.com: File infected with winpe/Rootkit.ENBI
    Delete file: D:\Users\Ahmad\Desktop\cleaning\dds.com
    Cleaning successful
    D:\Users\Ahmad\Desktop\Downloaded youtube songs\ComboFix.exe: File infected with winpe/Suspicious_Gen4.BKROE
    Delete file: D:\Users\Ahmad\Desktop\Downloaded youtube songs\ComboFix.exe
    Cleaning successful
    D:\Users\Ahmad\Desktop\ISOs\ADOBE.CREATIVE.SUITE.5.5.MASTER.COLLECTION.ESD-ISO\CORE_CS_5.5.rar: Archive infected
    D:\Users\Ahmad\Desktop\ISOs\ADOBE.CREATIVE.SUITE.5.5.MASTER.COLLECTION.ESD-ISO\CORE_CS_5.5.rar/CORE\cr-adpp0\Keygen.exe: File infected with doslegacy/Sality.AW
    Delete archive object: D:\Users\Ahmad\Desktop\ISOs\ADOBE.CREATIVE.SUITE.5.5.MASTER.COLLECTION.ESD-ISO\CORE_CS_5.5.rar\CORE\cr-adpp0\Keygen.exe
    Cleaning successful
    D:\Users\Ahmad\Desktop\ISOs\Altium.Designer.v10.0.iSO-HS\Altium\Private License Server Setup\Setup\instmsiw.exe/noname.cab/instmsi.msi/file30: Not scanned: 0x00000001
    D:\Users\Ahmad\Desktop\ISOs\Keil_4\keil4.rar: Archive infected
    D:\Users\Ahmad\Desktop\ISOs\Keil_4\keil4.rar/keil_arm_4\Keygen\keygen.exe: File infected with generic/Packed_spybot_gen6.A
    Delete archive object: D:\Users\Ahmad\Desktop\ISOs\Keil_4\keil4.rar\keil_arm_4\Keygen\keygen.exe
    Cleaning successful
    D:\Users\Ahmad\Downloads\Sony Vegas Pro 12 Build 367 (64 bit patch-KHG) [ChingLiu]\patch - KHG\vegas.pro.12.-patch.exe: File infected with winpe/App_Generic.AIPIY
    Delete file: D:\Users\Ahmad\Downloads\Sony Vegas Pro 12 Build 367 (64 bit patch-KHG) [ChingLiu]\patch - KHG\vegas.pro.12.-patch.exe
    Cleaning successful
    D:\Users\Ahmad\NTUSER.DAT: Error opening file for read: 0x00000020
    D:\Users\Ahmad\ntuser.dat.LOG1: Error opening file for read: 0x00000020
    D:\Users\Ahmad\ntuser.dat.LOG2: Error opening file for read: 0x00000020
    D:\Users\UpdatusUser\AppData\Local\Microsoft\Windows\UsrClass.dat: Error opening file for read: 0x00000020
    D:\Users\UpdatusUser\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1: Error opening file for read: 0x00000020
    D:\Users\UpdatusUser\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2: Error opening file for read: 0x00000020
    D:\Users\UpdatusUser\NTUSER.DAT: Error opening file for read: 0x00000020
    D:\Users\UpdatusUser\ntuser.dat.LOG1: Error opening file for read: 0x00000020
    D:\Users\UpdatusUser\ntuser.dat.LOG2: Error opening file for read: 0x00000020

    Number of files found: 284029
    Number of archives unpacked: 9009
    Number of objects found: 1355895
    Number of objects scanned: 1355806
    Number of objects not scanned: 89
    Number of malicious objects found: 6
    Number of malicious objects cleaned: 6
    Number of malicious files found: 6
    Number of malicious files cleaned: 6
    Scanning time: 48m 6s

    Running post-scan cleanup routine...

    Number of malicious objects found: 0
    Number of malicious objects cleaned: 0
    Scanning time: 0s

    Results:
    Total number of files found: 284029
    Total number of archives unpacked: 9009
    Total number of objects found: 1357911
    Total number of objects scanned: 1357822
    Total number of objects not scanned: 89
    Total number of malicious objects found: 6
    Total number of malicious objects cleaned: 6
    Total number of malicious files found: 6
    Total number of malicious files cleaned: 6
    Total number of objects quarantined: 4
    Total scanning time: 48m 23s
  3. Nereth

    Nereth Newcomer, in training Topic Starter Posts: 24

    Hey,

    The other scans are done.

    However, the kapersky automatic scan file took something like 5-10 minutes to save and ended up being 600 megs. I assume something went wrong with it because that seems a bit big :p. I can't even open it up with notepad, notepad opens then stops responding before displaying anything. I wander if something went wrong with the kapersky scan in general. I do have the detected threats report though.

    Kapersky detected threats:

    Status: Vulnerability (events: 9)
    8/11/2012 9:36:52 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/44681 C:\Program Files (x86)\Altium\AD 10\Subversion Client\svn.exe Low
    8/11/2012 9:37:23 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/50949 C:\Program Files (x86)\Java\jre7\bin\java.exe Low
    8/11/2012 9:38:21 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51183 C:\Program Files (x86)\Opera\opera.exe Low
    8/11/2012 9:41:34 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51213 C:\Windows\System32\Macromed\Flash\NPSWF64_11_4_402_287.dll Low
    8/11/2012 9:41:39 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/0 C:\Windows\SysWOW64\msxml4.dll Low
    8/11/2012 9:41:43 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51213 C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll Low
    9/11/2012 3:06:17 AM Vulnerability vulnerability http://www.securelist.com/en/advisories/51183 c:\Program Files (x86)\Opera\opera.exe Low
    9/11/2012 3:06:33 AM Vulnerability vulnerability http://www.securelist.com/en/advisories/50949 c:\Program Files (x86)\Java\jre7\bin\java.exe Low
    9/11/2012 3:06:50 AM Vulnerability vulnerability http://www.securelist.com/en/advisories/51213 c:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll Low
    Status: Disinfected (events: 2)
    8/11/2012 10:37:30 PM Disinfected virus Virus.Win32.Nimnul.e D:\Program Files (x86)\Alcohol Soft\Alcohol 120\pidalc.dll High
    8/11/2012 10:37:32 PM Disinfected virus Virus.Win32.Nimnul.e D:\Program Files (x86)\FreeTime\FormatFactory\FFModules\Encoder\codecs\xanlib.dll High


    Kapersky automatic scan report:

    600 meg, too large to post or upload unless you reaaaaally want it (aussie internet, will likely take on the order of a day to upload :( ).

    Panda ActiveScan

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2012-11-09 14:19:05
    PROTECTIONS: 2
    MALWARE: 6
    SUSPECTS: 0
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    ESET NOD32 Antivirus 5.2 Yes No
    Microsoft Security Essentials No Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No d:\users\ahmad\appdata\local\cdgijwjg.log[ie cookies/smd1quay.txt]
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\low\3l6lwuie.txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\qoobox\quarantine\d\users\ahmad\appdata\local\cdgijwjg.log.vir[ie cookies/low/vnzccgm0.txt]
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No d:\users\ahmad\appdata\local\cdgijwjg.log[ie cookies/low/vnzccgm0.txt]
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\smd1quay.txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\qoobox\quarantine\d\users\ahmad\appdata\local\cdgijwjg.log.vir[ie cookies/smd1quay.txt]
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\low\2fg8v783.txt
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\low\50w143bv.txt
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\qoobox\quarantine\d\users\ahmad\appdata\local\cdgijwjg.log.vir[ie cookies/low/qn2fqagz.txt]
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No d:\users\ahmad\appdata\local\cdgijwjg.log[ie cookies/low/5u0ljkus.txt]
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\nw3u5tbc.txt
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\qoobox\quarantine\d\users\ahmad\appdata\local\cdgijwjg.log.vir[ie cookies/nw3u5tbc.txt]
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No d:\users\ahmad\appdata\local\cdgijwjg.log[ie cookies/nw3u5tbc.txt]
    00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\qoobox\quarantine\d\users\ahmad\appdata\local\cdgijwjg.log.vir[ie cookies/xwt3tmx7.txt]
    00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\xwt3tmx7.txt
    00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No d:\users\ahmad\appdata\local\cdgijwjg.log[ie cookies/xwt3tmx7.txt]
    00170554 Cookie/Overture TrackingCookie No 0 Yes No d:\users\ahmad\appdata\local\cdgijwjg.log[ie cookies/low/3ryl2eo9.txt]
    00170554 Cookie/Overture TrackingCookie No 0 Yes No c:\qoobox\quarantine\d\users\ahmad\appdata\local\cdgijwjg.log.vir[ie cookies/low/02ih20hg.txt]
    00170554 Cookie/Overture TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\low\p0r5n58b.txt
    00170554 Cookie/Overture TrackingCookie No 0 Yes No c:\qoobox\quarantine\d\users\ahmad\appdata\local\cdgijwjg.log.vir[ie cookies/q80b4rgi.txt]
    00170554 Cookie/Overture TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\q80b4rgi.txt
    00170554 Cookie/Overture TrackingCookie No 0 Yes No d:\users\ahmad\appdata\local\cdgijwjg.log[ie cookies/q80b4rgi.txt]
    03009106 W32/Xor-encoded.A Virus No 0 Yes No d:\programdata\microsoft\windows defender\localcopy\{63c29f66-2041-5298-3e2f-969df3a6eeba}-maintenanceservice_tmp.exe
    03009106 W32/Xor-encoded.A Virus No 0 Yes No d:\programdata\microsoft\windows defender\localcopy\{80e32ccc-04bd-e09f-09b6-e7eca3f59afe}-plugin-container.exe
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

  5. Nereth

    Nereth Newcomer, in training Topic Starter Posts: 24

    Is it ok with you if I use the USB flash disk version of that? I don't even have an optical disk around I think.
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

  7. Nereth

    Nereth Newcomer, in training Topic Starter Posts: 24

    Hrmmm I tried it twice, went to the "boot from" menu in my MOBO and chose, there were two options: 1) my flash disk and 2) something like "UEFA flash disk" (I don't remember the acronym) Tried the first one first and it said no boot partition found, I tried the second one second and it tried to boot into windows but failed IIRC and I just powered down (it was super late and I guess I wasn't paying enough attention, sorry!). Anyway the next day when I tried to start up normally windows complained that it couldn't boot properly and had to repair stuff (which it failed to do according to it, but it started up properly anyway after a restart).

    Anyway I'm kind of scared that I came close to an unbootable PC just now D: I'll have a look over the instructions a bit more and if I can't find what I did wrong perhaps I will try the normal kapersky scan again instead of the rescue disk, maybe it will work this time XD
    DragonMaster Jay likes this.
  8. Nereth

    Nereth Newcomer, in training Topic Starter Posts: 24

    Hi again,

    So I didn't want to risk the flash drive again and I had to wait till tomorrow to get a CD ROM, so instead I've just finished trying the normal scan again. This time it completed in a much more reasonable 4 hours and 17 minutes.

    Now, I once again have the detected threats scan (will post after thiis note), but the automatic scan report is now 607 megs. I managed to open it in word pad by being patient - actually it's still opening now, page by page, it's not corrupt or anything it's literally just a couple of lines for every single file on my computer, so it's no real surprise that it's so big.

    Is this not normal? Have I saved the log incorrectly?

    I haven't run the panda activescan yet, pending your instructions regarding Kapersky.

    Kapersky Detected threats report:

    Status: Vulnerability (events: 8)
    12/11/2012 9:15:57 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/44681 C:\Program Files (x86)\Altium\AD 10\Subversion Client\svn.exe Low
    12/11/2012 9:16:45 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/50949 C:\Program Files (x86)\Java\jre7\bin\java.exe Low
    12/11/2012 9:18:19 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51183 C:\Program Files (x86)\Opera\opera.exe Low
    12/11/2012 9:23:55 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51213 C:\Windows\System32\Macromed\Flash\NPSWF64_11_4_402_287.dll Low
    12/11/2012 9:24:04 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/0 C:\Windows\SysWOW64\msxml4.dll Low
    12/11/2012 9:24:16 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51213 C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll Low
    12/11/2012 11:15:42 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51183 c:\Program Files (x86)\Opera\opera.exe Low
    12/11/2012 11:15:53 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51213 c:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll Low

    Thanks for your time,
    Nereth
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Looks fine. How does the operating system operate, in general?
  10. Nereth

    Nereth Newcomer, in training Topic Starter Posts: 24

    It has run perfectly fine ever since that second cleaning script you made for me, although given how despite this, every second scan has been uncovering stuff, I don't know if that means it is OK or not.
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi there. It all appears to be good, so we will finish up to make sure your computer is protected from malware in the future.

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advance System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name I.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive I.e. C
    • For a few moments the system will make some calculations:
      [​IMG]
    • Select the More Options tab
      [​IMG]
    • In the System Restore and Shadow Backups select Clean up
      [​IMG]
    • Select Delete on the pop up
    • Select OK
    • Select Delete
    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note:If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    NOTE: If you already have this installed, you don't have to reinstall it.

    Please download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    • Double-click the CCleaner shortcut on the desktop to start the program.
    • A prompt will ask you if you want CCleaner to do a check to see what cookies it needs to keep. Allow that operation.
    • On the Cleaner tab, click on Run Cleaner on the bottom-right to run the program.
    • Important: Make sure that ALL browser windows are closed before selecting Run Cleaner, or it will ask if you want the program to close them for you (when you do this, all unsaved data may be lost in the browser).

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
     
  12. Nereth

    Nereth Newcomer, in training Topic Starter Posts: 24

    I think the guide for the restore point cleanup might be outdated:

    I managed to get to Performance Information and Tools Using the win7 start->search functionality (couldn't find it under system and security, which is what I assumed was meant when you said system and maintenance), once there I clicked open disk cleanup, there was no setting, menu, or drop down box pertaining to selecting 'files from all users', although I did immediately get a drop down box in which I selected the C drive. After that, there was no "more options" tab in the dialog box that opened, which pretty much stopped me short on continuing your guide :(.
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    It's not outdated. Just some people's computers, for some reason, do not show that option. :p I'm thinking about changing my guide so people can just delete the old restore points with OTL or CCleaner...

    Just go in to CCleaner, press the Tools tab...System Restore. Delete all listed.

    Once that's done, continue on cleanup. :p
  14. Nereth

    Nereth Newcomer, in training Topic Starter Posts: 24

    Hey there,

    All done, here is the contents of checkup.txt:

    Results of screen317's Security Check version 0.99.54
    Windows 7 x64 (UAC is enabled)
    Out of date service pack!!
    Internet Explorer 8 Out of date!
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    ESET NOD32 Antivirus 5.2
    Microsoft Security Essentials
    Antivirus out of date! (On Access scanning disabled!)
    `````````Anti-malware/Other Utilities Check:`````````
    Spyder3Pro
    Malwarebytes Anti-Malware version 1.65.1.1000
    JavaFX 2.1.1
    Java(TM) 7 Update 5
    Java version out of Date!
    Adobe Flash Player 11.4.402.287
    Adobe Reader X (10.1.4)
    Mozilla Firefox (16.0.2)
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    ESET NOD32 Antivirus egui.exe
    ESET NOD32 Antivirus ekrn.exe
    Malwarebytes' Anti-Malware mbamscheduler.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 1%
    ````````````````````End of Log``````````````````````


    It doesn't look very pretty does it XD
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Update service pack, if you can: http://windows.microsoft.com/en-US/windows7/install-windows-7-service-pack-1

    If you have trouble with the service pack, we can provide help in the Windows OS section of this site. :)

    Java Update!

    Please download the newest version of Java from Java.com.

    Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

    Once old versions are gone, please install the newest version.

    Read more about Java exploit problems


    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.


    Any other questions before I mark this topic solved?
  16. Nereth

    Nereth Newcomer, in training Topic Starter Posts: 24

    I installed win 7 sp1.

    Regarding java, I installed the new java update and it seemed to remove the old one automatically. There was nothing in add/remove programs called 'j2se runtime environment' The only things related to jave were "JavaFX 2.1.1" and "Java 7 update 5", but now that I installed update 9, update 5 is gone and replaced with "Java update 9". Is there a problem here?

    In terms of any other questions, I have two: First, is there any other scan I can run to double check that it's clean? Since kapersky was a little sketchy. Perhaps another Nod32 scan?

    Second, in your opinion, have we negated the need for a reformat? Earlier the plan was to clean the computer and then reformat to deal with all the brokenness but still transfer across important documents and working programs. Some programs are broken but outside of that it seems OK, if I just reinstall these programs would it be OK? Or would you still suggest the reformat?
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Good on the Java update. :)

    Altogether, if you can reformat and reinstall the operating system soon, it'll be a good idea.

    You can test the files at this time, and see if they will function. But, as for reinstalling programs, and doing other stuff, it's at your own risk. I cannot say the computer is 100% clean. This is because technically the damage makes the files unclean in the first place. However, is it infected anymore? Probably not.

    Here are a small list of scanners to run at your convenience:

    ESET Online Scan www.eset.com/onlinescan
    SUPERAntiSpyware www.superantispyware.com
    Dr. Web CureIt! www.freedrweb.com/cureit/?lng=en

    Other than that, there are no other big suggestions.

    Topic marked solved. :)
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.