BleepingComputer.com: Infected with "Windows XP Recovery"


Infected with "Windows XP Recovery" ran uninstall tutorial with no luck on removing it

#16 patndoris (Malware Response Team)

Posted 22 June 2011 - 03:53 PM

Were you able to get the scan to run?
~Doris~

Proud Graduate of the WTT Classroom
Member of ASAP and UNITE

#17 sawo (Member)

Posted 22 June 2011 - 07:43 PM

I have been running the new scan you mentioned since Monday evening and it is still scanning at 42% completion. So it is taking longer than expected.

#18 patndoris (Malware Response Team)

Posted 22 June 2011 - 08:15 PM

Did you remember to completely disable your Symantec when you started the scan? Even a long scan should finish overnight.
~Doris~

#19 sawo (Member)

Posted 22 June 2011 - 09:14 PM

I actually uninstalled Symantec from my computer entirely, since it was downloaded from my university. It was locked by the administrator and I couldn't make any manual changes to the settings, so it was useless to me. I am going to rerun the scan and hopefully it will run fine.

#20 patndoris (Malware Response Team)

Posted 23 June 2011 - 05:13 AM

Thanks for letting me know. I'll cross my fingers that it goes quickly :)
~Doris~

#21 sawo (Member)

Posted 23 June 2011 - 11:40 AM

I ran the scan at around 9pm last night and just checked on it now, and it is at 38% completion. However, it was able to detect 21 infected files, 2 suspicious files, and 4 vulnerabilities so far. I highly doubt it will finish today at the rate the scan is going... but I'll keep you posted!

#22 patndoris (Malware Response Team)

Posted 23 June 2011 - 12:29 PM

That's fine. I'll leave this open until I hear back from you.
~Doris~

#23 sawo (Member)

Posted 25 June 2011 - 12:45 PM

I've been checking the scan periodically but the percentage of completion has not changed for the past 2 days (at 42%). The number for files scanned increases but it doesn't seem to be going anywhere. Is there another alternative scanning program and do you recommend me waiting it out?

#24 patndoris (Malware Response Team)

Posted 25 June 2011 - 02:22 PM

I would have preferred an online scan, but since that doesn't appear to be working, let's just use a different tool.

Please download and install SUPERAntiSpyware Home Edition (free edition)

  • Load SUPERAntiSpyware and click the Check for Updates button.
  • Once the update has finished, exit SUPERAntiSpyware. Please do NOT run a scan yet!

IMPORTANT: Do NOT open any other windows or programs while SUPERAntiSpyware is scanning, it may interfere with the scanning process.
  • Open SUPERAntiSpyware and click the Scan your Computer button.
  • Check Perform Complete Scan and then click Next.
  • SUPERAntiSpyware will now scan your computer and when it’s finished it will list all the infections it has found.
  • Make sure that they all have a check next to them, and then click Next.
  • Click Finish and you will be taken back to the main interface.
  • It could be possible that it will ask you to reboot your computer in order to delete some files after reboot.
  • I'll need a log afterwards of what has been found.
  • To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
  • Please post the results of the SUPERAntiSpyware log in your next reply.

~Doris~

#25 sawo (Member)

Posted 25 June 2011 - 09:41 PM

Hallelujah! It finally finished! Below are the results:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2011-06-25 22:33:34
PROTECTIONS: 0
MALWARE: 17
SUSPECTS: 2
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00035328 Application/KillApp.A HackTools No 0 Yes No c:\hp\bin\terminator.exe
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@trafficmp[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@atdmt[1].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@247realmedia[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@fastclick[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@tribalfusion[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@ad.yieldmanager[4].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@ad.yieldmanager[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@serving-sys[3].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No c:\documents and settings\guest\cookies\guest@www.burstbeacon[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@advertising[4].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@advertising[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@advertising[3].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@zedo[2].txt
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@adultfriendfinder[1].txt
00549245 Joke/HauntPc.A Jokes No 0 No No c:\documents and settings\owner\desktop\vincent's files\ebooks\pre step 1\pre step 1\physical diagnosis\diagnosis pro5\windows\data1.cab[harlink.exe]
05639701 Trj/Agent.MZR Virus/Trojan No 1 Yes No c:\documents and settings\default user\start menu\programs\startup\autoplay.exe
05639701 Trj/Agent.MZR Virus/Trojan No 1 Yes No c:\hp\bin\autoplay.exe
05642551 Generic Trojan Virus/Trojan No 0 Yes No c:\program files\detto\intellimover\imcompuserve.im
05643591 Generic Trojan Virus/Trojan No 0 Yes No c:\program files\detto\intellimover\imaol.im
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No c:\my downloads\adobe_acrobat_professional_v7[1].0_incl_keygens_retail_french_read_nfobs.zip[adobe_acrobat_professional_v7.0_incl._keygens_retail_french_read_nfo-bs/keygen_activation.exe]
No c:\program files\internet\blubster\blubster.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
1000574 HIGH MS11-010
1000562 HIGH MS11-002
179553 HIGH MS07-061
114666 HIGH MS06-015
;===================================================================================================================================================================================

#26 patndoris (Malware Response Team)

Posted 25 June 2011 - 10:01 PM

Most of what was found are tracking cookies. They are not malware in and of themselves. I checked the other items out and I don't think you have anything to worry about from them. Sometimes files have characteristics of malware even when they aren't. The last steps we have are to clean up our tools and for me to give you some additional tips to stay malware free in the future.

Quote

c:\my downloads\adobe_acrobat_professional_v7[1].0_incl_keygens_retail_french_read_nfobs.zip[adobe_acrobat_professional_v7.0_incl._keygens_retail_french_read_nfo-bs/keygen_activation.exe]
appears that it may be a crack for an illegal copy of Adobe.

We do not support the use of illegal Pirated/Warez/Cracked software.
Helping a person who insists on using such software, could be construed in the eyes of the law to be aiding and abetting a crime.

You must remove any such software if you wish to receive additional help.
~Doris~

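The report in post #25 is easier to reason about once it is parsed rather than read by eye, and the reading Doris gives it in post #26 (tracking cookies are low priority; the non-cookie rows are what matter) can be applied mechanically. What follows is an added example and not part of the original thread: a small parser for the report layout shown in post #25, with the column order taken from the log's own header row, plus a triage step. SAMPLE_REPORT is a constructed excerpt in that layout, not the full log, and the regular expressions are assumptions about the format inferred from the posted text.

```python
"""Parse and triage an ActiveScan-style report like the one posted above.

Added example, not part of the original thread. The column order
(Id Description Type Active Severity Disinfectable Disinfected Location)
comes from the header row of the posted log; the regexes are assumptions
inferred from it, and SAMPLE_REPORT is a constructed excerpt, not the log.
"""
import re
from dataclasses import dataclass

SAMPLE_REPORT = r"""
PROTECTIONS: 0
MALWARE: 4
SUSPECTS: 1
;==========
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;==========
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@trafficmp[2].txt
00035328 Application/KillApp.A HackTools No 0 Yes No c:\hp\bin\terminator.exe
05639701 Trj/Agent.MZR Virus/Trojan No 1 Yes No c:\hp\bin\autoplay.exe
05642551 Generic Trojan Virus/Trojan No 0 Yes No c:\program files\detto\intellimover\imcompuserve.im
;==========
SUSPECTS
Sent Location
;==========
No c:\program files\internet\blubster\blubster.exe
;==========
VULNERABILITIES
Id Severity Description
;==========
1000574 HIGH MS11-010
179553 HIGH MS07-061
;==========
"""

# Description may contain spaces ("Cookie/Traffic Marketplace"), so it is
# matched lazily and Type is the single token that precedes Active.
MALWARE_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<desc>.+?)\s+(?P<kind>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>.+)$")
SUSPECT_RE = re.compile(r"^(?P<sent>Yes|No)\s+(?P<location>.+)$")
VULN_RE = re.compile(r"^(?P<id>\d+)\s+(?P<severity>\S+)\s+(?P<desc>.+)$")
SUMMARY_RE = re.compile(r"^(?P<section>PROTECTIONS|MALWARE|SUSPECTS):\s+(?P<count>\d+)$")
SECTIONS = ("PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES")
HEADER_PREFIXES = ("Id ", "Sent ", "Description ")   # column-header rows


@dataclass
class Detection:
    id: str
    description: str
    kind: str
    active: bool
    severity: int
    disinfectable: bool
    disinfected: bool
    location: str


def parse_report(text):
    """Split the report into sections; rows no regex accepts go to 'unparsed'."""
    out = {"malware": [], "suspects": [], "vulnerabilities": [],
           "declared": {}, "unparsed": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):            # blank or separator row
            continue
        if line in SECTIONS:
            section = line.lower()
            continue
        if m := SUMMARY_RE.match(line):                  # e.g. "MALWARE: 17" in the header
            out["declared"][m["section"].lower()] = int(m["count"])
        elif section == "malware" and (m := MALWARE_RE.match(line)):
            out["malware"].append(Detection(
                m["id"], m["desc"], m["kind"], m["active"] == "Yes", int(m["severity"]),
                m["disinfectable"] == "Yes", m["disinfected"] == "Yes", m["location"]))
        elif section == "suspects" and (m := SUSPECT_RE.match(line)):
            out["suspects"].append({"sent": m["sent"] == "Yes", "location": m["location"]})
        elif section == "vulnerabilities" and (m := VULN_RE.match(line)):
            out["vulnerabilities"].append(
                {"id": m["id"], "severity": m["severity"], "description": m["desc"]})
        elif section and not line.startswith(HEADER_PREFIXES):
            out["unparsed"].append(line)
    return out


def triage(report):
    """Order the findings the way a responder reads them."""
    mal = report["malware"]
    others = [d for d in mal if d.kind != "TrackingCookie"]
    # Active == Yes means the scanner saw it running: that outranks everything.
    running = [d for d in others if d.active]
    # Found on disk and not disinfected: still present after the scan.
    on_disk = sorted((d for d in others if not d.active and not d.disinfected),
                     key=lambda d: -d.severity)
    # Header totals that disagree with the rows parsed point at 'unparsed'.
    mismatch = {s: (n, len(report[s])) for s, n in report["declared"].items()
                if s in report and n != len(report[s])}
    return {
        "tracking_cookies": len(mal) - len(others),
        "running": [d.location for d in running],
        "on_disk": [(d.description, d.severity, d.location) for d in on_disk],
        "suspects": [s["location"] for s in report["suspects"]],
        "missing_patches": [v["description"] for v in report["vulnerabilities"]
                            if v["severity"] == "HIGH"],
        "count_mismatch": mismatch,
    }
```

Run it on a saved report with `triage(parse_report(open(path).read()))`. Two things the triage makes explicit that are easy to miss when skimming the raw log: every row in the posted report has Disinfected = No, so the report is an inventory of what was found, not a record of what was removed; and the VULNERABILITIES rows are Microsoft security bulletin IDs, that is, patches missing from this Windows XP machine, which is why the closing advice in this thread starts with Windows Update. The count check compares the MALWARE:/SUSPECTS: totals in the header with the rows actually parsed, so a row the regex did not understand shows up as a mismatch instead of silently disappearing.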

#27 sawo (Member)

Posted 27 June 2011 - 11:07 AM

The Adobe has been removed, although I specifically remember downloading it from Adobe's website and am not sure why it would be listed as a crack... But anyway, it's no problem. Are there additional steps that need to be completed?

#28 patndoris (Malware Response Team)

Posted 27 June 2011 - 04:03 PM

The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.


If there are any remaining tools or logs on your desktop you can right-click and delete them. I would advise keeping Malwarebytes as it is a program you'll want to run regularly.


You should reinstall your Symantec now if your university requires it. If you are able or wish to switch to a free alternative that isn't so restrictive, feel free to let me know and I can give you some alternatives.


Great job! Your logs appear to be malware free and you do not appear to be experiencing any malware related problems.
Please follow these simple steps in order to keep your computer malware free and secure:

Visit Microsoft's Windows Update Site Frequently
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Use and Update your AntiVirus Software
It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.

Use a Firewall
I cannot stress enough how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this. Simply using a firewall in its default configuration can lower your risk greatly.

Use only one antivirus and one firewall on your machine
Having more than one anti-virus program and one firewall on your machine, even if only one is running, can cause conflicts and slowdowns in the performance of the machine.

If you need more information on free anti-virus or firewall options please let me know and I will give you some recommendations.

Make your Internet Explorer more secure
This can be done by following these simple instructions:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
5. Change the Download signed ActiveX controls to Prompt
6. Change the Download unsigned ActiveX controls to Disable
7. Change the Initialize and script ActiveX controls not marked as safe to Disable
8. Change the Installation of desktop items to Prompt
9. Change the Launching programs and files in an IFRAME to Prompt
10. Change the Navigate sub-frames across different domains to Prompt
11. When all these settings have been made, click on the OK button.
12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
13. Next press the Apply button and then the OK to exit the Internet Properties page.

Keep your Java, Adobe Reader and Adobe Flash Up to Date
Older versions of these programs can contain security vulnerabilities. It is very important to keep them updated.

Update and Run Malwarebytes Anti-Malware
Scan your computer with this program on a regular basis just as you would an antivirus software making sure you update definitions each time you scan.

To simplify making sure you have the latest version of many of your security programs and applications, you may want to consider:
Secunia's Personal Software Inspector (PSI). It is a free utility that scans your computer for installed applications and checks to see if they have the latest security patches and updates. If it finds any applications with possible security issues, links and/or instructions are provided for the necessary updates.

Filehippo's Update Checker. It is a free utility that scans your computer for installed software, checks the versions and then sends this information to see if there are any newer releases. Available software updates are displayed and you can decide which ones to download and install. Among many other types of programs, it includes a number of the Anti-Spyware, Firewall/Security and Anti-Virus programs that have been recommended (though not all of them). Note: Definition files should be updated from within the programs themselves. The Update Checker looks for newer versions of the software program, not definition files.

I would suggest you read:
Tony Klein's excellent article: How I got Infected in the First Place
PC Safety and Security--What Do I Need?
How to Prevent Malware

Good luck & Happy surfing!
~Doris~

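The Internet Explorer steps in post #28 can also be checked and applied from a script, which is useful when several user accounts or machines need the same hardening and you want to confirm nothing has drifted back. The following is an added example, not from the original post. The registry value names and the 0/1/3 codes are those given in Microsoft's security-zone registry reference (Knowledge Base article 182569) for the Internet zone (Zones\3); WEAK_SNAPSHOT is a constructed starting state for the offline demonstration, and audit(), read_current() and apply_desired() are names chosen here.

```python
r"""Audit and apply the Internet-zone settings from the post above.

Added example, not from the original thread. Value names and codes follow
Microsoft's security-zone registry reference (KB 182569): each setting is a
REG_DWORD under
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
(zone 3 is the Internet zone), named by a four-character id, with data
0 = Enable, 1 = Prompt, 3 = Disable.
"""
import sys

ZONE_INTERNET = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# The six settings the post changes, in the order the post lists them.
DESIRED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit(current):
    """Compare a {value_name: dword} snapshot with DESIRED.

    Returns (name, description, current_label, desired_label) for each setting
    that differs. A value absent from the snapshot is reported as 'unset'
    rather than assumed safe: IE then falls back to the zone template (or an
    HKLM policy), which this snapshot cannot see.
    """
    drift = []
    for name, (desc, want) in DESIRED.items():
        have = current.get(name)
        if have != want:
            have_label = "unset" if have is None else LABEL.get(have, str(have))
            drift.append((name, desc, have_label, LABEL[want]))
    return drift


def read_current():
    """Read the live HKCU values on Windows; return {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    found = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_INTERNET) as key:
        for name in DESIRED:
            try:
                found[name], _type = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass                      # value not written for this user yet
    return found


def apply_desired():
    """Write DESIRED to HKCU for the current user (no admin rights needed)."""
    if sys.platform != "win32":
        raise RuntimeError("registry write is only meaningful on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_INTERNET, 0,
                        winreg.KEY_SET_VALUE) as key:
        for name, (_desc, want) in DESIRED.items():
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, want)


# Constructed starting state for the offline demo: ActiveX downloads enabled,
# unsafe controls merely prompted for, and 1607 never written at all.
WEAK_SNAPSHOT = {"1001": ENABLE, "1004": ENABLE, "1201": PROMPT,
                 "1800": PROMPT, "1804": ENABLE}

if __name__ == "__main__":
    snapshot = read_current() or WEAK_SNAPSHOT
    for name, desc, have, want in audit(snapshot):
        print(f"{name} {desc}: {have} -> {want}")
```

On the machine itself, run the script once to see the drift, call apply_desired(), then run it again and expect an empty list. The audit reads and writes only HKCU, which is what the Internet Options dialog in the post edits; a domain policy that pins these values under HKLM will override what you set here, so an audit that still shows drift after apply_desired() is a sign to look there.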

#29 patndoris (Malware Response Team)

Posted 30 June 2011 - 12:13 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
~Doris~
