w32.Trats!inf infection, Vundo seems gone


53 replies to this topic

#46 patnhank (Authentic Member, 31 posts)

Posted 19 January 2008 - 11:28 PM

Simon, OK, late into the night and I was out of ideas. The system would NOT boot up to Windows. I installed a fresh version of XP onto a partitioned drive that was empty. I used that to get back to Kaspersky and run it on the "C" drive where the original version of XP was installed. I will post results. Most importantly, is it possible to restore the OS on the "C" drive and continue to clean up the virus? I would like to clean up C and then remove the OS I added tonight.


#47 patnhank (Authentic Member, 31 posts)

Posted 20 January 2008 - 12:31 AM

Simon,
From HiJack This

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:36 AM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
K:\WINDOWS\System32\smss.exe
K:\WINDOWS\system32\winlogon.exe
K:\WINDOWS\system32\services.exe
K:\WINDOWS\system32\lsass.exe
K:\WINDOWS\system32\svchost.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\system32\spoolsv.exe
K:\WINDOWS\Explorer.EXE
K:\WINDOWS\system32\wscntfy.exe
K:\Program Files\Messenger\msmsgs.exe
K:\Program Files\Internet Explorer\iexplore.exe
H:\Downloads\Computer Maintenance\HJTInstall.exe
c:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKCU\..\Run: [MSMSGS] "K:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - K:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - K:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1200804071656

--
End of file - 1376 bytes

---------------------------

Kaspersky results; I scanned the drives individually to avoid crashes.

C Drive
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, January 19, 2008 11:39:36 PM
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/01/2008
Kaspersky Anti-Virus database records: 524340
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\

Scan Statistics:
Total number of scanned objects: 46017
Number of viruses found: 6
Number of infected objects: 23
Number of suspicious objects: 0
Duration of the scan process: 00:26:32

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\511a0f3f9e960fa97de3d0b74adfc574_73110072-fe08-441d-b3da-689ae3f80fab Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\df0d961ccfb186fee077d99c127f979c_73110072-fe08-441d-b3da-689ae3f80fab Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\mama\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\mama\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\pops\Local Settings\Temp\hsperfdata_pops\3952 Object is locked skipped
C:\Documents and Settings\pops\My Documents\Pops\Downloaded Shareware\RevelationV2.zip/SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\pops\My Documents\Pops\Downloaded Shareware\RevelationV2.zip/SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\pops\My Documents\Pops\Downloaded Shareware\RevelationV2.zip/SetupRevelationV2.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\pops\My Documents\Pops\Downloaded Shareware\RevelationV2.zip ZIP: infected - 3 skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1848OinUninstaller.exe.vir/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1848OinUninstaller.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ctfmon.exe.tmp.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ddccd.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\catchme2008-01-18_202332.82.zip/ddccd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dgy skipped
C:\QooBox\Quarantine\catchme2008-01-18_202332.82.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{34C07D2B-8B48-4EF4-9EFC-506A4B76E79C}\RP0\A0000008.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{34C07D2B-8B48-4EF4-9EFC-506A4B76E79C}\RP11\A0005364.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{34C07D2B-8B48-4EF4-9EFC-506A4B76E79C}\RP2\A0000051.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{34C07D2B-8B48-4EF4-9EFC-506A4B76E79C}\RP2\A0000054.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{34C07D2B-8B48-4EF4-9EFC-506A4B76E79C}\RP2\A0001083.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{34C07D2B-8B48-4EF4-9EFC-506A4B76E79C}\RP2\A0002094.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{34C07D2B-8B48-4EF4-9EFC-506A4B76E79C}\RP2\A0002102.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{34C07D2B-8B48-4EF4-9EFC-506A4B76E79C}\RP2\A0002105.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{34C07D2B-8B48-4EF4-9EFC-506A4B76E79C}\RP3\A0002137.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{34C07D2B-8B48-4EF4-9EFC-506A4B76E79C}\RP3\A0002141.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{34C07D2B-8B48-4EF4-9EFC-506A4B76E79C}\RP3\A0002141.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{34C07D2B-8B48-4EF4-9EFC-506A4B76E79C}\RP3\A0002154.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dgy skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\browser.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped

Scan process completed.
-----------------------------------------
H Drive results

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, January 20, 2008 12:22:12 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/01/2008
Kaspersky Anti-Virus database records: 524340
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
H:\

Scan Statistics:
Total number of scanned objects: 48839
Number of viruses found: 20
Number of infected objects: 77
Number of suspicious objects: 8
Duration of the scan process: 00:13:21

Infected Object Name / Virus Name / Last Action
H:\Downloads\Computer Maintenance\revealpw.zip/SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
H:\Downloads\Computer Maintenance\revealpw.zip/SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
H:\Downloads\Computer Maintenance\revealpw.zip/SetupRevelationV2.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
H:\Downloads\Computer Maintenance\revealpw.zip ZIP: infected - 3 skipped
H:\Downloads\Computer Maintenance\XBMC\mirc621.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
H:\Downloads\Computer Maintenance\XBMC\mirc621.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
H:\Downloads\Computer Maintenance\XBMC\mirc621.exe NSIS: infected - 2 skipped
H:\Downloads\Computer Maintenance\jellybean.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
H:\Downloads\Computer Maintenance\jellybean.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
H:\Downloads\Computer Maintenance\jellybean.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
H:\Downloads\Computer Maintenance\jellybean.zip ZIP: infected - 3 skipped
H:\System Volume Information\_restore{14010B59-50B0-4A8C-8411-F068898862CB}\RP6\change.log Object is locked skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08700000.VBN Infected: Backdoor.Win32.Codbot.ax skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\099C0000.VBN/Setup.exe Infected: Backdoor.Win32.IRCBot.dd skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\099C0000.VBN ZIP: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\099C0000.VBN CryptZ: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\099C0001.VBN/Setup.exe Infected: Backdoor.Win32.IRCBot.dd skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\099C0001.VBN ZIP: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\099C0001.VBN CryptZ: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09F80000.VBN Infected: Trojan-Downloader.HTML.Agent.aq skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A600000.VBN/Setup.exe Infected: Worm.Win32.VB.an skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A600000.VBN ZIP: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A600000.VBN CryptZ: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A600001.VBN/Setup.exe Infected: Worm.Win32.VB.an skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A600001.VBN ZIP: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A600001.VBN CryptZ: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A840000.VBN/Setup.exe Infected: Worm.Win32.VB.an skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A840000.VBN ZIP: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A840000.VBN CryptZ: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BC80000.VBN/Setup.exe Infected: Worm.Win32.VB.an skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BC80000.VBN ZIP: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BC80000.VBN CryptZ: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BC80001.VBN/Setup.exe Infected: Worm.Win32.VB.an skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BC80001.VBN ZIP: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BC80001.VBN CryptZ: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0ED00000.VBN/Setup.exe Infected: Worm.Win32.VB.an skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0ED00000.VBN ZIP: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0ED00000.VBN CryptZ: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F940000.VBN/Setup.exe Infected: Backdoor.Win32.IRCBot.tk skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F940000.VBN ZIP: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F940000.VBN CryptZ: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F940001.VBN/Setup.exe Infected: Backdoor.Win32.IRCBot.tk skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F940001.VBN ZIP: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F940001.VBN CryptZ: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\Mama\Local Settings\Temp\couponsandoffers.exe/data0120 Infected: not-a-virus:AdWare.Win32.TopMoxie.f skipped
H:\18_Feb_WinXP Reload\Documents and Settings\Mama\Local Settings\Temp\couponsandoffers.exe NSIS: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\Alek\Local Settings\Temporary Internet Files\Content.IE5\NUO3Z58L\dl[1].htm Infected: Trojan-Downloader.JS.Holistyc.a skipped
H:\18_Feb_WinXP Reload\Documents and Settings\Alek\Local Settings\Temporary Internet Files\Content.IE5\IK1BRIXN\dl[2].htm Infected: Trojan-Downloader.JS.Holistyc.a skipped
H:\18_Feb_WinXP Reload\Documents and Settings\Alek\Local Settings\Temporary Internet Files\Content.IE5\HN3719OA\cam2[1].htm Infected: Trojan-Clicker.JS.Linker.j skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Documents\Outlook\archive.pst/Archive Folders/Saudi Stuff/04 Sep 1999 19:10 to Hank & Patricia Castelain; Macut Steven Maj/ACONTI~1.DOC Infected: Virus.MSWord.Class.d skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Documents\Outlook\archive.pst/Archive Folders/Saudi Stuff/10 Jun 1999 14:30 to 'Hank Castelain':Welcome to the Big Sand Co/CHECKL~1.DOC Infected: Virus.MSWord.Class.d skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Documents\Outlook\archive.pst Mail MS Mail: infected - 2 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00A80000.VBN Infected: Exploit.Win32.MS04-028.gen skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00A80001.VBN Infected: Exploit.Win32.MS04-028.gen skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00A80002.VBN Infected: Exploit.Win32.MS04-028.gen skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00A80003.VBN Infected: Exploit.Win32.MS04-028.gen skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01400000.VBN Infected: Trojan-Clicker.Win32.VB.dn skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01A40000.VBN Infected: Email-Worm.Win32.Sober.p skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02240000.VBN Infected: Net-Worm.Win32.Welchia.a skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06280000.VBN Infected: Exploit.Win32.MS04-028.gen skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07980000.VBN Infected: Exploit.JS.ActiveXComponent skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07BC0000.VBN Infected: Exploit.JS.ActiveXComponent skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09500000.VBN Infected: Net-Worm.Win32.Welchia.a skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09540000.VBN Infected: Net-Worm.Win32.Welchia.a skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B740000.VBN Suspicious: Exploit.HTML.Mht skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B740001.VBN Suspicious: Exploit.HTML.Mht skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B740002.VBN Suspicious: Exploit.HTML.Mht skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B740003.VBN Suspicious: Exploit.HTML.Mht skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B740004.VBN Suspicious: Exploit.HTML.Mht skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B740005.VBN Suspicious: Exploit.HTML.Mht skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B740006.VBN Suspicious: Exploit.HTML.Mht skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B740007.VBN Suspicious: Exploit.HTML.Mht skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BEC0000.VBN/setup.exe Infected: P2P-Worm.Win32.Alcan.a skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BEC0000.VBN ZIP: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BEC0000.VBN CryptZ: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BEC0001.VBN/setup.exe Infected: P2P-Worm.Win32.Alcan.a skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BEC0001.VBN ZIP: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BEC0001.VBN CryptZ: infected - 1 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D640000.VBN Infected: Trojan-Downloader.JS.Inor.a skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D640001.VBN Infected: Trojan-Downloader.JS.Inor.a skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EB00000.VBN Infected: Exploit.HTML.Mht skipped
H:\18_Feb_WinXP Reload\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EB00001.VBN Infected: Exploit.HTML.Mht skipped
H:\18_Feb_WinXP Reload\Documents and Settings\Pops\My Documents\Pops\Downloaded Shareware\RevelationV2.zip/SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\Pops\My Documents\Pops\Downloaded Shareware\RevelationV2.zip/SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\Pops\My Documents\Pops\Downloaded Shareware\RevelationV2.zip/SetupRevelationV2.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
H:\18_Feb_WinXP Reload\Documents and Settings\Pops\My Documents\Pops\Downloaded Shareware\RevelationV2.zip ZIP: infected - 3 skipped

Scan process completed.

Don't know if this is able to be fixed????
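Added here as an illustration, not part of the thread: a small Python triage script for the Kaspersky Online Scanner report format posted above. It separates "Object is locked" noise and archive summary lines from real detections, buckets each hit by where it lives (another tool's quarantine, a System Restore point, the browser cache, or a live location) and lists Kaspersky's not-a-virus: riskware separately, which is why most hits in these two reports are not active infections. The sample report is constructed in the same format; the restore-point GUID is a placeholder.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the Kaspersky Online Scanner 5 report format
# (not the thread's real log; the restore-point GUID is a placeholder).
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ddccd.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{placeholder-guid}\RP2\A0000051.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
H:\Old\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\099C0000.VBN/Setup.exe Infected: Backdoor.Win32.IRCBot.dd skipped
H:\Old\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\099C0000.VBN ZIP: infected - 1 skipped
H:\Downloads\Computer Maintenance\jellybean.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
H:\Downloads\Computer Maintenance\jellybean.zip ZIP: infected - 3 skipped
H:\Old\Documents and Settings\Alek\Local Settings\Temporary Internet Files\Content.IE5\NUO3Z58L\dl[1].htm Infected: Trojan-Downloader.JS.Holistyc.a skipped

Scan process completed.
"""

# One regex per line shape. The verdict suffix is fixed, so a non-greedy
# path group can safely swallow the spaces inside Windows paths.
DETECTION_RE = re.compile(r"^(?P<path>.+?) (?P<kind>Infected|Suspicious): (?P<name>\S+) skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<container>[A-Za-z0-9 ]+): infected - (?P<n>\d+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")


@dataclass
class Finding:
    path: str
    verdict: str    # "infected", "suspicious", "container" or "locked"
    name: str       # detection name, or archive type for container summaries
    location: str   # "quarantine", "restore-point", "browser-cache" or "live"

    @property
    def riskware(self) -> bool:
        # Kaspersky prefixes legitimate-but-risky tools (password revealers,
        # IRC clients, adware installers) to distinguish them from malware.
        return self.name.startswith("not-a-virus:")


def classify_location(path: str) -> str:
    p = path.lower()
    if "\\system volume information\\" in p:
        return "restore-point"     # stale copy kept by System Restore
    if "\\quarantine\\" in p or "\\qoobox\\" in p:
        return "quarantine"        # already neutralised by another tool
    if "\\temporary internet files\\" in p:
        return "browser-cache"     # cached page, not an installed component
    return "live"


def parse_line(line: str):
    m = DETECTION_RE.match(line)
    if m:
        return Finding(m["path"], m["kind"].lower(), m["name"], classify_location(m["path"]))
    m = CONTAINER_RE.match(line)
    if m:
        return Finding(m["path"], "container", m["container"], classify_location(m["path"]))
    m = LOCKED_RE.match(line)
    if m:
        return Finding(m["path"], "locked", "", classify_location(m["path"]))
    return None  # header, blank and trailer lines


def parse_report(text: str):
    return [f for f in (parse_line(ln.rstrip()) for ln in text.splitlines()) if f]


def triage(text: str) -> dict:
    findings = parse_report(text)
    hits = [f for f in findings if f.verdict in ("infected", "suspicious")]
    return {
        "locked": sum(f.verdict == "locked" for f in findings),
        # Archive summary lines repeat the hits already reported for their members.
        "container": sum(f.verdict == "container" for f in findings),
        "by_location": Counter(f.location for f in hits),
        "live_malware": [(f.path, f.name) for f in hits if f.location == "live" and not f.riskware],
        "live_riskware": [(f.path, f.name) for f in hits if f.location == "live" and f.riskware],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run it against a saved report instead of the sample to get the same split for a real scan; anything in live_malware is what still needs removal, while quarantine and restore-point hits only need the quarantine folder or old restore points cleared.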

#48 Simon V. (MRU Emeritus, 897 posts)

Posted 20 January 2008 - 05:27 AM

Hi :)

I doubt very much that all problems will be resolved. Let's try this:

Please copy and paste the text in the code box into Notepad (Go to Start > Run, type Notepad and hit Enter)

@echo off
rem Start with a clean log so only this run's leftovers are reported.
if exist "%temp%\log.txt" del "%temp%\log.txt"
rem Each quoted path is one of the objects flagged in the Kaspersky reports above.
for %%g in (
"C:\Documents and Settings\pops\My Documents\Pops\Downloaded Shareware\RevelationV2.zip"
"H:\Downloads\Computer Maintenance\revealpw.zip"
"H:\Downloads\Computer Maintenance\jellybean.zip"
"H:\18_Feb_WinXP Reload\Documents and Settings\Mama\Local Settings\Temp\couponsandoffers.exe"
"H:\18_Feb_WinXP Reload\Documents and Settings\Alek\Local Settings\Temporary Internet Files\Content.IE5\NUO3Z58L\dl[1].htm"
"H:\18_Feb_WinXP Reload\Documents and Settings\Alek\Local Settings\Temporary Internet Files\Content.IE5\IK1BRIXN\dl[2].htm"
"H:\18_Feb_WinXP Reload\Documents and Settings\Alek\Local Settings\Temporary Internet Files\Content.IE5\HN3719OA\cam2[1].htm"
"H:\18_Feb_WinXP Reload\Documents and Settings\Pops\My Documents\Pops\Downloaded Shareware\RevelationV2.zip"
) do (
rem Force-delete regardless of attributes, then record any path that survives.
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
rem Show the leftovers in Notepad, or confirm that everything was removed.
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
rem Pause 7 seconds so the message can be read; needs nircmd.exe from NirSoft on the PATH.
nircmd wait 7000
rem Remove this batch file itself.
del %0

Go to File > Save As. Save the file as "Fix.bat" (including the quotes).

Double-click on Fix.bat to run the file.

If a Notepad window pops up, please post its contents in your next reply. Also tell me what problems you are currently experiencing.

Edited by Simon V., 20 January 2008 - 07:37 AM.


#49 patnhank (Authentic Member, 31 posts)

Posted 20 January 2008 - 09:12 AM

Good Morning Simon V, I ran the Fix.bat file and it flashed by and no Notepad window appeared. Currently I have WinXP on the C drive; it is the version that is infected and was running the system. After our efforts yesterday it became more and more difficult to boot the computer and access Windows and the system, until eventually the system would attempt to boot and then "fall off" and resume the POST and BIOS repeatedly. My system, as you may be aware, has many 20GB partitioned drives within one hard drive. I eventually reloaded WinXP on the "K" drive and am working with you from there. I ran Kaspersky and HijackThis by "back-dooring" the C drive, if you will. My goal, if that is possible, is to clean up the C drive, repair and resolve issues, then uninstall the WinXP (K drive) and resume operations from the C drive. My system is partitioned so photos, music and SOME programs are on separate drives, so the chances of losing everything are reduced (unless the HD fails). Please let me know what is possible and a course of action if there is one at this point :( Thanks

#50 Simon V. (MRU Emeritus, 897 posts)

Posted 20 January 2008 - 09:51 AM

Hi :) I'm afraid that at this point I can't help you any further. It seems that the problems are not only malware related (we've cleaned all that I can see), and it would be time consuming for both you and me to try and solve them. Can you still access the C partition? If so, you could transfer all your important data to another partition, format C, then reinstall Windows. I think this will be the best course of action, as starting anew should solve all the problems you are having.

#51 patnhank (Authentic Member, 31 posts)

Posted 20 January 2008 - 10:20 AM

Simon V, Thanks for all your help yesterday; progress was made, but I think the OS was headed towards disaster weeks ago. Bad timing. I was told that Firefox has fewer vulnerabilities than IE; would you recommend Firefox? Does "What the Tech" have articles or information on an XP reload, or can you recommend a site that has good info on doing what I am trying to do? Kaspersky found 6-8 viruses and 20-30 warnings on two drives; did it quarantine or remove those, or does it just ID them? Again, thank you, and if you could take an additional 3-5 minutes to answer the above questions I would be most grateful. Thanks, Hank

#52 Simon V. (MRU Emeritus, 897 posts)

Posted 20 January 2008 - 10:57 AM

Hi :)

I recommend Firefox. Especially the lack of ActiveX objects makes it a more secure browser; you can also personalize it with a lot of add-ons.

Here are a few links that will probably help when reinstalling Windows:

Reformatting Windows XP by wng_z3r0
When should I re-format? How should I reinstall?
Windows XP Clean install

Kaspersky found 6-8 viruses and 20-30 warnings on two drives; did it quarantine or remove those or does it just ID them?

We've deleted them by running Fix.bat.

After you've reformatted your drive, here are some tips to keep your computer clean in the future:

Make your Internet Explorer More Secure

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.

  • Change the Download signed ActiveX controls to Prompt.
  • Change the Download unsigned ActiveX controls to Disable.
  • Change the Initialise and script ActiveX controls not marked as safe to Disable.
  • Change the Installation of desktop items to Prompt.
  • Change the Launching programs and files in an IFRAME to Prompt.
  • Change the Navigate sub-frames across different domains to Prompt.
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.

  • Next press the Apply button and then the OK to exit the Internet Properties page.

Use a Firewall - Without a firewall your computer is susceptible to being hacked and taken over. The Windows firewall isn't sufficient as it only monitors incoming connections.

Here are a few free firewalls; please download and install one of them:


Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option (if you have an older version than 1.5, please update it). This will provide real time spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here: http://www.bleepingc...tutorial43.html

Install Ad-Aware - Download and install Ad-Aware (if you have Ad-Aware SE, note that it is outdated and you should update to Ad-Aware 2007). You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here: http://www.bleepingc...tutorial48.html

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial can be found here: http://www.bleepingc...tutorial49.html

Install IE-Spyad - IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here: http://www.spywarewa...rce.htm#IESPYAD

Update All Your Security Programs Regularly - Make sure you update all your security programs (Anti-Virus, Firewall, Anti-Spyware) regularly (once a week, at least). Without regular updates you WILL NOT be protected when new malicious programs are released.

You can also read this excellent article by TonyKlein: So how did I get infected in the first place?

Follow this list and your potential for being infected again will reduce dramatically.

#53 patnhank (Authentic Member, 31 posts)

Posted 20 January 2008 - 11:38 AM

Simon, Thanks, I will apply these. Also using Firefox. Again, appreciate all the help. Hank

#54 Simon V. (MRU Emeritus, 897 posts)

Posted 20 January 2008 - 12:06 PM

Simon,
Thanks, I will apply these. Also using Firefox.

Again, appreciate all the help.
Hank

You're very welcome. Happy surfing and stay safe! :thumbup:
