Trojan-downloader.win32.tsupdate.d Virus


9 replies to this topic

#1 miniB (Members, 9 posts)

Posted 09 November 2007 - 06:46 AM

Hello. Well, my computer has been running extremely slow. I know I have malware; I posted that log in a different forum on here. Also, I had a STARR Keylogger on my external hard drive, scary because I don't know how long that logger was on there.

Now Kaspersky has found Trojan-Downloader.Win32.TSUpdate.d
and the virus Packed.Win32.Morphine.a.
I think Panda also found a browser watcher in Mozilla.

Kaspersky won't let me delete it, well, disinfect it, and I don't know how to get rid of it. Any help would be helpful.


#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,726 posts, Virginia, USA)

Posted 09 November 2007 - 11:28 AM

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download Dr.Web CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with Dr.Web CureIt as follows:
  • Double-click on cureit.exe to start the program. (ignore any prompts to update or check for a new version)
  • When Dr.Web opens, an "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop. (You can use Notepad to open the DrWeb.csv report)
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 miniB (Topic Starter, Members, 9 posts)

Posted 09 November 2007 - 08:44 PM

Quietman, thanks for responding so quickly. Okay, I followed the steps, and Dr. Web is saying I don't have any viruses, so it didn't produce a log. What I did was copy my Kaspersky report at the bottom so you could see what it's saying, because I know I have trojans.



Protection : running
--------------------
Total scanned: 5818
Detected: 10
Untreated: 2
Attacks blocked: 0
Start time: 11/9/2007 1:32:07 PM
Duration: 00:09:37


Detected
--------
Status Object
------ ------
detected: riskware Invader Running process: C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
detected: riskware Hidden data sending Running process: C:\Program Files\iCall\iCall.exe
detected: riskware Hidden data sending Running process: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
quarantined: virus Packed.Win32.Morphine.a (modification) File: C:\system volume information\_restore{39c12724-d72b-4bde-8b27-4978fa4b8d03}\rp34\a0009995.dll
deleted: Trojan program Trojan-Downloader.Win32.TSUpdate.d File: C:\System Volume Information\_restore{39C12724-D72B-4BDE-8B27-4978FA4B8D03}\RP43\A0011311.exe//file4
detected: Trojan program Trojan-Downloader.Win32.TSUpdate.d File: C:\System Volume Information\_restore{39C12724-D72B-4BDE-8B27-4978FA4B8D03}\RP43\A0011315.exe
not found: Trojan program Trojan.Win32.Inject.jt File: C:\DOCUME~1\coco\LOCALS~1\Temp\lqraqqyyD591AD4.dll
not found: Trojan program Trojan.Win32.Inject.jt File: C:\DOCUME~1\coco\LOCALS~1\Temp\lqraqqyyD591AD4.dll
detected: riskware Hidden data sending Running process: C:\Program Files\Internet Explorer\IEXPLORE.EXE
detected: Trojan program Trojan-Downloader.Win32.TSUpdate.d File: c:\system volume information\_restore{39c12724-d72b-4bde-8b27-4978fa4b8d03}\rp43\a0011315.exe//file4


Events
------
Time Event
---- -----
11/6/2007 4:38:58 PM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
11/6/2007 4:39:10 PM Protection of your computer started.
11/6/2007 4:39:10 PM Some protection components are disabled. You are advised to enable them.
11/6/2007 4:39:30 PM Process (PID 956) tried to access Kaspersky Internet Security process (PID 208), but the action has been blocked by the Self-Defense component. No action on your part is required.
11/6/2007 4:39:30 PM Process (PID 956) tried to access Kaspersky Internet Security process (PID 472), but the action has been blocked by the Self-Defense component. No action on your part is required.
11/6/2007 4:39:39 PM Running process C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe: detected modification of riskware 'Invader'.
11/6/2007 4:39:39 PM Process C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (PID: 1916): attempt to embed itself into another process allowed.
11/6/2007 4:39:39 PM Running process C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe: detected modification of riskware 'Invader'.
11/6/2007 4:39:39 PM Process C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (PID: 1916): attempt to embed itself into another process allowed.
11/6/2007 4:39:47 PM Running process C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe: detected modification of riskware 'Invader'.
11/6/2007 4:39:47 PM Process C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (PID: 1916): attempt to embed itself into another process allowed.
11/6/2007 4:39:47 PM Running process C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe: detected modification of riskware 'Invader'.
11/6/2007 4:39:47 PM Process C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (PID: 1916): attempt to embed itself into another process allowed.
11/6/2007 4:45:02 PM Please restart your computer to complete the installation of new or updated protection components.
11/6/2007 4:45:20 PM Please restart your computer to complete the installation of new or updated protection components.
11/6/2007 4:45:20 PM Update completed successfully
11/6/2007 5:00:15 PM Running process C:\Program Files\iCall\iCall.exe: detected modification of riskware 'Hidden data sending'.
11/6/2007 5:02:31 PM Process C:\Program Files\iCall\iCall.exe (PID: 2072): attempt to perform suspicious actions is allowed.
11/6/2007 6:47:28 PM Update completed successfully
11/6/2007 8:48:37 PM Popup window from page http://mycozo.com/view/tr.html has been blocked.
11/6/2007 8:48:39 PM Popup window from page dhtmled0: has been blocked.
11/6/2007 8:48:40 PM Popup window from page http://mycozo.com/view/tr.html has been blocked.
11/6/2007 8:48:49 PM Popup window from page http://mycozo.com/favicon.ico has been blocked.
11/6/2007 8:53:03 PM Update completed successfully
11/6/2007 10:06:49 PM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
11/6/2007 10:06:57 PM Protection of your computer started.
11/6/2007 10:06:57 PM Some protection components are disabled. You are advised to enable them.
11/6/2007 10:07:21 PM Process (PID 956) tried to access Kaspersky Internet Security process (PID 304), but the action has been blocked by the Self-Defense component. No action on your part is required.
11/6/2007 10:07:21 PM Process (PID 956) tried to access Kaspersky Internet Security process (PID 2032), but the action has been blocked by the Self-Defense component. No action on your part is required.
11/6/2007 10:11:01 PM Running process C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe: detected modification of riskware 'Hidden data sending'.
11/6/2007 10:12:08 PM Process C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (PID: 3712): attempt to perform suspicious actions is allowed.
11/6/2007 11:07:09 PM Update error: The updates source cannot be found.
11/6/2007 11:27:01 PM Update error: The updates source cannot be found.
11/6/2007 11:48:26 PM Update completed successfully
11/6/2007 11:49:26 PM Running process C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe: detected modification of riskware 'Hidden data sending'.
11/6/2007 11:49:34 PM Process C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (PID: 3712): attempt to perform suspicious actions is allowed.
11/6/2007 11:49:52 PM Running process C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe: detected modification of riskware 'Hidden data sending'.
11/6/2007 11:50:00 PM Process C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (PID: 3712): attempt to perform suspicious actions is allowed.
11/7/2007 2:09:14 AM Update completed successfully
11/7/2007 3:40:18 AM Process (PID 2564) tried to access Kaspersky Internet Security process (PID 2032), but the action has been blocked by the Self-Defense component. No action on your part is required.
11/7/2007 4:38:50 AM Update completed successfully

11/7/2007 11:16:53 AM Update error: The updates source cannot be found.
11/7/2007 11:33:08 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentaaw.zip/ipv6mons.dll: is password protected.
11/7/2007 11:33:09 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentaaw.zip/sbRecovery.ini: is password protected.
11/7/2007 11:33:09 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentaaw1.zip/sbRecovery.reg: is password protected.
11/7/2007 11:33:09 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentaaw1.zip/sbRecovery.ini: is password protected.
11/7/2007 11:33:09 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentaaw2.zip/sbRecovery.reg: is password protected.
11/7/2007 11:33:09 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentaaw2.zip/sbRecovery.ini: is password protected.
11/7/2007 11:33:09 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentaaw3.zip/sbRecovery.reg: is password protected.
11/7/2007 11:33:09 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentaaw3.zip/sbRecovery.ini: is password protected.
11/7/2007 11:33:09 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentaaw4.zip/sbRecovery.reg: is password protected.
11/7/2007 11:33:09 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentaaw4.zip/sbRecovery.ini: is password protected.
11/7/2007 11:41:53 AM Update error: The updates source cannot be found.
11/7/2007 12:01:10 PM Update error: The updates source cannot be found.
11/7/2007 8:20:42 PM File D:\RECYCLER\S-1-5-21-507921405-1844237615-725345543-1003\Dd3\McAfee.com\Agent\uninst\screm.ui/agntcons.vbs: is password protected.
11/7/2007 8:20:42 PM File D:\RECYCLER\S-1-5-21-507921405-1844237615-725345543-1003\Dd3\McAfee.com\Agent\uninst\screm.ui/agntlang.vbs: is password protected.
11/7/2007 8:20:42 PM File D:\RECYCLER\S-1-5-21-507921405-1844237615-725345543-1003\Dd3\McAfee.com\Agent\uninst\screm.ui/comctl.lpk: is password protected.
11/7/2007 8:20:42 PM File D:\RECYCLER\S-1-5-21-507921405-1844237615-725345543-1003\Dd3\McAfee.com\Agent\uninst\screm.ui/config.ini: is password protected.
11/7/2007 8:20:42 PM File D:\RECYCLER\S-1-5-21-507921405-1844237615-725345543-1003\Dd3\McAfee.com\Agent\uninst\screm.ui/pbar.vbs: is password protected.
11/7/2007 8:20:42 PM File D:\RECYCLER\S-1-5-21-507921405-1844237615-725345543-1003\Dd3\McAfee.com\Agent\uninst\screm.ui/UnInsStr.vbs: is password protected.
11/7/2007 8:20:42 PM File D:\RECYCLER\S-1-5-21-507921405-1844237615-725345543-1003\Dd3\McAfee.com\Agent\uninst\screm.ui/uninst.vbs: is password protected.
11/7/2007 8:20:42 PM File D:\RECYCLER\S-1-5-21-507921405-1844237615-725345543-1003\Dd3\McAfee.com\Agent\uninst\screm.ui/uninstall.htm: is password protected.
11/7/2007 8:41:23 PM Update error: The updates source cannot be found.
11/7/2007 8:44:53 PM File D:\WINDOWS\Temp\mist90enus.tmp\Apps\MSC\msclgmis.cab/screm.ui/agntcons.vbs: is password protected.
11/7/2007 8:44:53 PM File D:\WINDOWS\Temp\mist90enus.tmp\Apps\MSC\msclgmis.cab/screm.ui/agntlang.vbs: is password protected.
11/7/2007 8:44:53 PM File D:\WINDOWS\Temp\mist90enus.tmp\Apps\MSC\msclgmis.cab/screm.ui/comctl.lpk: is password protected.
11/7/2007 8:44:53 PM File D:\WINDOWS\Temp\mist90enus.tmp\Apps\MSC\msclgmis.cab/screm.ui/config.ini: is password protected.
11/7/2007 8:44:53 PM File D:\WINDOWS\Temp\mist90enus.tmp\Apps\MSC\msclgmis.cab/screm.ui/pbar.vbs: is password protected.
11/7/2007 8:44:53 PM File D:\WINDOWS\Temp\mist90enus.tmp\Apps\MSC\msclgmis.cab/screm.ui/UnInsStr.vbs: is password protected.
11/7/2007 8:44:53 PM File D:\WINDOWS\Temp\mist90enus.tmp\Apps\MSC\msclgmis.cab/screm.ui/uninst.vbs: is password protected.
11/7/2007 8:44:53 PM File D:\WINDOWS\Temp\mist90enus.tmp\Apps\MSC\msclgmis.cab/screm.ui/uninstall.htm: is password protected.
11/7/2007 8:57:27 PM Update error: The updates source cannot be found.
11/7/2007 9:23:03 PM Update error: The updates source cannot be found.
11/7/2007 9:42:41 PM Update error: The updates source cannot be found.
11/7/2007 9:57:33 PM Update error: The updates source cannot be found.
11/7/2007 10:04:23 PM File C:\system volume information\_restore{39c12724-d72b-4bde-8b27-4978fa4b8d03}\rp34\a0009995.dll: detected modification of virus 'Packed.Win32.Morphine.a'. User: WORKGROUP\V-7D61A1D591AD4$, computer: localhost.
11/7/2007 10:04:23 PM Security threats have been detected. You are advised to neutralize them immediately.
11/7/2007 10:17:20 PM Update error: The updates source cannot be found.
11/7/2007 10:37:45 PM Update error: The updates source cannot be found.
11/7/2007 10:57:34 PM Update error: The updates source cannot be found.
11/7/2007 11:17:48 PM Update error: The updates source cannot be found.
11/7/2007 11:37:52 PM Update error: The updates source cannot be found.
11/7/2007 11:59:24 PM Not all components were updated
11/8/2007 1:29:18 AM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
11/8/2007 1:29:31 AM Protection of your computer started.
11/8/2007 1:29:31 AM Some protection components are disabled. You are advised to enable them.
11/8/2007 1:30:47 AM Security threats have been detected. You are advised to neutralize them immediately.
11/8/2007 1:35:10 AM Running process C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe: detected modification of riskware 'Hidden data sending'.
11/8/2007 1:35:14 AM Process C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (PID: 780): attempt to perform suspicious actions is allowed.
11/8/2007 1:35:27 AM Running process C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe: detected modification of riskware 'Hidden data sending'.
11/8/2007 1:42:23 AM Process C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (PID 780) successfully completed.
11/8/2007 1:42:26 AM C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe quarantined.
11/8/2007 1:58:01 AM Process (PID 424) tried to access Kaspersky Internet Security process (PID 728), but the action has been blocked by the Self-Defense component. No action on your part is required.
11/8/2007 2:11:36 AM Update completed successfully
11/8/2007 3:40:39 AM Quarantine: File c:\system volume information\_restore{39c12724-d72b-4bde-8b27-4978fa4b8d03}\rp34\a0009995.dll: detected modification of virus 'Packed.Win32.Morphine.a'.
11/8/2007 3:43:54 AM Quarantine: File c:\system volume information\_restore{39c12724-d72b-4bde-8b27-4978fa4b8d03}\rp34\a0009995.dll: detected modification of virus 'Packed.Win32.Morphine.a'.
11/8/2007 4:09:22 AM The application EXPLORER.EXE has been changed
11/8/2007 4:34:04 AM Quarantine: File c:\system volume information\_restore{39c12724-d72b-4bde-8b27-4978fa4b8d03}\rp34\a0009995.dll: detected modification of virus 'Packed.Win32.Morphine.a'.
11/8/2007 4:34:05 AM Update completed successfully
11/8/2007 4:49:46 AM File C:\System Volume Information\_restore{39C12724-D72B-4BDE-8B27-4978FA4B8D03}\RP43\A0011311.exe//file4: detected Trojan program 'Trojan-Downloader.Win32.TSUpdate.d'.
11/8/2007 4:49:46 AM Security threats have been detected. You are advised to neutralize them immediately.
11/8/2007 4:49:46 AM File C:\System Volume Information\_restore{39C12724-D72B-4BDE-8B27-4978FA4B8D03}\RP43\A0011311.exe//file4: is still infected, postponed.
11/8/2007 4:50:26 AM File C:\System Volume Information\_restore{39C12724-D72B-4BDE-8B27-4978FA4B8D03}\RP43\A0011315.exe: detected Trojan program 'Trojan-Downloader.Win32.TSUpdate.d'.
11/8/2007 5:15:27 AM Running process C:\ComboFix\handle.cfexe: added to exclusion list.
11/8/2007 5:16:06 AM File C:\DOCUME~1\coco\LOCALS~1\Temp\lqraqqyyD591AD4.dll: detected Trojan program 'Trojan.Win32.Inject.jt'. User: V-7D61A1D591AD4\coco, computer: localhost.
11/8/2007 5:16:31 AM File C:\DOCUME~1\coco\LOCALS~1\Temp\lqraqqyyD591AD4.dll: is still infected, skipped by user.
11/8/2007 5:36:48 AM File C:\DOCUME~1\coco\LOCALS~1\Temp\lqraqqyyD591AD4.dll: detected Trojan program 'Trojan.Win32.Inject.jt'. User: V-7D61A1D591AD4\coco, computer: localhost.
11/8/2007 5:37:08 AM File C:\DOCUME~1\coco\LOCALS~1\Temp\lqraqqyyD591AD4.dll: is still infected, skipped by user.
11/8/2007 5:44:02 AM File C:\DOCUME~1\coco\LOCALS~1\Temp\lqraqqyyD591AD4.dll: detected Trojan program 'Trojan.Win32.Inject.jt'. User: V-7D61A1D591AD4\coco, computer: localhost.
11/8/2007 5:44:34 AM File C:\DOCUME~1\coco\LOCALS~1\Temp\lqraqqyyD591AD4.dll: is still infected, skipped by user.
11/8/2007 5:57:11 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentaaw.zip/ipv6mons.dll: is password protected.
11/8/2007 5:57:11 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentaaw.zip/sbRecovery.ini: is password protected.
11/8/2007 5:57:11 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentaaw1.zip/sbRecovery.reg: is password protected.
11/8/2007 5:57:11 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentaaw1.zip/sbRecovery.ini: is password protected.
11/8/2007 5:57:11 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentaaw2.zip/sbRecovery.reg: is password protected.
11/8/2007 5:57:11 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentaaw2.zip/sbRecovery.ini: is password protected.
11/8/2007 5:57:11 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentaaw3.zip/sbRecovery.reg: is password protected.
11/8/2007 5:57:11 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentaaw3.zip/sbRecovery.ini: is password protected.
11/8/2007 5:57:11 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentaaw4.zip/sbRecovery.reg: is password protected.
11/8/2007 5:57:11 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentaaw4.zip/sbRecovery.ini: is password protected.
11/8/2007 6:40:29 AM Quarantine: File c:\system volume information\_restore{39c12724-d72b-4bde-8b27-4978fa4b8d03}\rp34\a0009995.dll: detected modification of virus 'Packed.Win32.Morphine.a'.
11/8/2007 6:40:33 AM Update completed successfully
11/8/2007 7:06:28 AM Process (PID 29104) tried to access Kaspersky Internet Security process (PID 728), but the action has been blocked by the Self-Defense component. No action on your part is required.
11/8/2007 7:06:29 AM Process (PID 29104) tried to access Kaspersky Internet Security process (PID 9288), but the action has been blocked by the Self-Defense component. No action on your part is required.
11/8/2007 7:06:29 AM Process (PID 29104) tried to access Kaspersky Internet Security process (PID 1788), but the action has been blocked by the Self-Defense component. No action on your part is required.
11/8/2007 8:57:56 AM Update error: The updates source cannot be found.
11/8/2007 9:17:36 AM Update error: The updates source cannot be found.
11/8/2007 9:39:28 AM Update error: The updates source cannot be found.
11/8/2007 9:57:30 AM Update error: The updates source cannot be found.
11/8/2007 10:17:48 AM Update error: The updates source cannot be found.
11/8/2007 10:37:41 AM Update error: The updates source cannot be found.
11/8/2007 10:58:41 AM Update error: The updates source cannot be found.
11/8/2007 11:19:21 AM Update error: The updates source cannot be found.
11/8/2007 11:45:40 AM Update completed successfully
11/8/2007 11:45:42 AM Quarantine: File c:\system volume information\_restore{39c12724-d72b-4bde-8b27-4978fa4b8d03}\rp34\a0009995.dll: detected modification of virus 'Packed.Win32.Morphine.a'.
11/8/2007 2:18:51 PM Update completed successfully
11/8/2007 2:18:51 PM Quarantine: File c:\system volume information\_restore{39c12724-d72b-4bde-8b27-4978fa4b8d03}\rp34\a0009995.dll: detected modification of virus 'Packed.Win32.Morphine.a'.
11/8/2007 2:19:11 PM Process (PID 26604) tried to access Kaspersky Internet Security process (PID 728), but the action has been blocked by the Self-Defense component. No action on your part is required.
11/8/2007 4:02:37 PM The application EXPLORER.EXE has been changed
11/8/2007 5:02:16 PM Quarantine: File c:\system volume information\_restore{39c12724-d72b-4bde-8b27-4978fa4b8d03}\rp34\a0009995.dll: detected modification of virus 'Packed.Win32.Morphine.a'.
11/8/2007 5:02:23 PM Update completed successfully
11/8/2007 7:24:22 PM Update completed successfully
11/8/2007 7:24:24 PM Quarantine: File c:\system volume information\_restore{39c12724-d72b-4bde-8b27-4978fa4b8d03}\rp34\a0009995.dll: detected modification of virus 'Packed.Win32.Morphine.a'.
11/8/2007 9:43:53 PM Update completed successfully
11/8/2007 9:43:55 PM Quarantine: File c:\system volume information\_restore{39c12724-d72b-4bde-8b27-4978fa4b8d03}\rp34\a0009995.dll: detected modification of virus 'Packed.Win32.Morphine.a'.
11/8/2007 9:48:57 PM File D:\RECYCLER\S-1-5-21-507921405-1844237615-725345543-1003\Dd3\McAfee.com\Agent\uninst\screm.ui/agntcons.vbs: is password protected.
11/8/2007 9:48:58 PM File D:\RECYCLER\S-1-5-21-507921405-1844237615-725345543-1003\Dd3\McAfee.com\Agent\uninst\screm.ui/agntlang.vbs: is password protected.
11/8/2007 9:48:58 PM File D:\RECYCLER\S-1-5-21-507921405-1844237615-725345543-1003\Dd3\McAfee.com\Agent\uninst\screm.ui/comctl.lpk: is password protected.
11/8/2007 9:48:58 PM File D:\RECYCLER\S-1-5-21-507921405-1844237615-725345543-1003\Dd3\McAfee.com\Agent\uninst\screm.ui/config.ini: is password protected.
11/8/2007 9:48:58 PM File D:\RECYCLER\S-1-5-21-507921405-1844237615-725345543-1003\Dd3\McAfee.com\Agent\uninst\screm.ui/pbar.vbs: is password protected.
11/8/2007 9:48:58 PM File D:\RECYCLER\S-1-5-21-507921405-1844237615-725345543-1003\Dd3\McAfee.com\Agent\uninst\screm.ui/UnInsStr.vbs: is password protected.
11/8/2007 9:48:58 PM File D:\RECYCLER\S-1-5-21-507921405-1844237615-725345543-1003\Dd3\McAfee.com\Agent\uninst\screm.ui/uninst.vbs: is password protected.
11/8/2007 9:48:58 PM File D:\RECYCLER\S-1-5-21-507921405-1844237615-725345543-1003\Dd3\McAfee.com\Agent\uninst\screm.ui/uninstall.htm: is password protected.
11/8/2007 11:13:31 PM File D:\WINDOWS\Temp\mist90enus.tmp\Apps\MSC\msclgmis.cab/screm.ui/agntcons.vbs: is password protected.
11/8/2007 11:13:32 PM File D:\WINDOWS\Temp\mist90enus.tmp\Apps\MSC\msclgmis.cab/screm.ui/agntlang.vbs: is password protected.
11/8/2007 11:13:32 PM File D:\WINDOWS\Temp\mist90enus.tmp\Apps\MSC\msclgmis.cab/screm.ui/comctl.lpk: is password protected.
11/8/2007 11:13:32 PM File D:\WINDOWS\Temp\mist90enus.tmp\Apps\MSC\msclgmis.cab/screm.ui/config.ini: is password protected.
11/8/2007 11:13:32 PM File D:\WINDOWS\Temp\mist90enus.tmp\Apps\MSC\msclgmis.cab/screm.ui/pbar.vbs: is password protected.
11/8/2007 11:13:32 PM File D:\WINDOWS\Temp\mist90enus.tmp\Apps\MSC\msclgmis.cab/screm.ui/UnInsStr.vbs: is password protected.
11/8/2007 11:13:32 PM File D:\WINDOWS\Temp\mist90enus.tmp\Apps\MSC\msclgmis.cab/screm.ui/uninst.vbs: is password protected.
11/8/2007 11:13:32 PM File D:\WINDOWS\Temp\mist90enus.tmp\Apps\MSC\msclgmis.cab/screm.ui/uninstall.htm: is password protected.
11/9/2007 12:04:48 AM Update completed successfully
11/9/2007 12:04:51 AM Quarantine: File c:\system volume information\_restore{39c12724-d72b-4bde-8b27-4978fa4b8d03}\rp34\a0009995.dll: detected modification of virus 'Packed.Win32.Morphine.a'.
11/9/2007 1:47:40 AM Quarantine: File c:\system volume information\_restore{39c12724-d72b-4bde-8b27-4978fa4b8d03}\rp34\a0009995.dll: detected modification of virus 'Packed.Win32.Morphine.a'.
11/9/2007 1:48:24 AM Quarantine: File c:\system volume information\_restore{39c12724-d72b-4bde-8b27-4978fa4b8d03}\rp34\a0009995.dll: detected modification of virus 'Packed.Win32.Morphine.a'.
11/9/2007 2:22:04 AM Update error: The updates source cannot be found.
11/9/2007 2:38:05 AM Update error: The updates source cannot be found.
11/9/2007 3:00:25 AM Update completed successfully
11/9/2007 3:00:25 AM Quarantine: File c:\system volume information\_restore{39c12724-d72b-4bde-8b27-4978fa4b8d03}\rp34\a0009995.dll: detected modification of virus 'Packed.Win32.Morphine.a'.
11/9/2007 5:39:34 AM Update error: The updates source cannot be found.
11/9/2007 6:09:07 AM Update completed successfully
11/9/2007 6:09:07 AM Quarantine: File c:\system volume information\_restore{39c12724-d72b-4bde-8b27-4978fa4b8d03}\rp34\a0009995.dll: detected modification of virus 'Packed.Win32.Morphine.a'.
11/9/2007 6:16:07 AM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
11/9/2007 6:16:08 AM Protection of your computer started.
11/9/2007 6:16:08 AM Some protection components are disabled. You are advised to enable them.
11/9/2007 6:17:22 AM Security threats have been detected. You are advised to neutralize them immediately.
11/9/2007 6:33:42 AM Running process C:\Program Files\Internet Explorer\IEXPLORE.EXE: detected modification of riskware 'Hidden data sending'.
11/9/2007 6:33:58 AM Process C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID: 3852): attempt to perform suspicious actions is allowed.
11/9/2007 6:51:53 AM Running process C:\Program Files\Internet Explorer\IEXPLORE.EXE: detected modification of riskware 'Hidden data sending'.
11/9/2007 6:52:01 AM Process C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID: 3852): attempt to perform suspicious actions is allowed.
11/9/2007 7:41:09 AM Process (PID 4512) tried to access Kaspersky Internet Security process (PID 2408), but the action has been blocked by the Self-Defense component. No action on your part is required.
11/9/2007 7:41:15 AM Process (PID 4512) tried to access Kaspersky Internet Security process (PID 1776), but the action has been blocked by the Self-Defense component. No action on your part is required.
11/9/2007 8:30:31 AM Quarantine: File c:\system volume information\_restore{39c12724-d72b-4bde-8b27-4978fa4b8d03}\rp34\a0009995.dll: detected modification of virus 'Packed.Win32.Morphine.a'.
11/9/2007 8:30:32 AM Update completed successfully
11/9/2007 11:40:22 AM Not all components were updated
11/9/2007 11:42:52 AM Process (PID 17032) tried to access Kaspersky Internet Security process (PID 2408), but the action has been blocked by the Self-Defense component. No action on your part is required.
11/9/2007 11:42:53 AM Process (PID 17032) tried to access Kaspersky Internet Security process (PID 1776), but the action has been blocked by the Self-Defense component. No action on your part is required.
11/9/2007 1:32:06 PM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
11/9/2007 1:32:07 PM Protection of your computer started.
11/9/2007 1:32:07 PM Some protection components are disabled. You are advised to enable them.
11/9/2007 1:32:38 PM Security threats have been detected. You are advised to neutralize them immediately.
11/9/2007 1:40:25 PM Process (PID 888) tried to access Kaspersky Internet Security process (PID 1776), but the action has been blocked by the Self-Defense component. No action on your part is required.


Reports
-------
Component Status Start Finish Size
--------- ------ ----- ------ ----
Firewall completed 11/6/2007 4:39:10 PM 11/6/2007 10:04:33 PM 0 bytes
Anti-Spam completed 11/6/2007 4:39:10 PM 11/6/2007 10:04:29 PM 0 bytes
Update completed 11/6/2007 4:39:12 PM 11/6/2007 4:45:20 PM 0 bytes
Proactive Defense completed 11/6/2007 4:39:11 PM 11/6/2007 10:04:42 PM 0 bytes
Privacy Control completed 11/6/2007 4:39:11 PM 11/6/2007 10:04:31 PM 0 bytes
File Anti-Virus completed 11/6/2007 4:39:11 PM 11/6/2007 10:04:36 PM 0 bytes
Mail Anti-Virus completed 11/6/2007 4:39:11 PM 11/6/2007 10:04:30 PM 0 bytes
Web Anti-Virus completed 11/6/2007 4:39:11 PM 11/6/2007 10:04:36 PM 0 bytes
Scan startup objects completed 11/6/2007 4:41:24 PM 11/6/2007 4:44:50 PM 0 bytes
Update completed 11/6/2007 6:45:25 PM 11/6/2007 6:47:28 PM 0 bytes
Update completed 11/6/2007 8:51:39 PM 11/6/2007 8:53:02 PM 0 bytes
Firewall failed (the task was stopped) 11/6/2007 10:06:57 PM 0 bytes
Anti-Spam failed (the task was stopped) 11/6/2007 10:06:57 PM 0 bytes
Privacy Control failed (the task was stopped) 11/6/2007 10:06:57 PM 0 bytes
Proactive Defense failed (the task was stopped) 11/6/2007 10:06:57 PM 0 bytes
File Anti-Virus failed (the task was stopped) 11/6/2007 10:06:57 PM 0 bytes
Mail Anti-Virus failed (the task was stopped) 11/6/2007 10:06:57 PM 0 bytes
Web Anti-Virus failed (the task was stopped) 11/6/2007 10:06:58 PM 0 bytes
Scan startup objects completed 11/6/2007 10:09:00 PM 11/6/2007 10:18:38 PM 0 bytes
Update completed 11/6/2007 11:46:59 PM 11/6/2007 11:48:25 PM 0 bytes
Update completed 11/7/2007 2:07:30 AM 11/7/2007 2:09:14 AM 0 bytes
Update completed 11/7/2007 4:27:32 AM 11/7/2007 4:38:50 AM 0 bytes
Update Not all components were updated 11/7/2007 11:57:32 PM 11/7/2007 11:59:24 PM 0 bytes
Scan My Computer stopped 11/8/2007 3:42:44 AM 11/9/2007 3:25:17 AM 99.3 MB
Scan failed (the task was stopped) 11/7/2007 7:01:05 AM 0 bytes
Firewall failed (the task was stopped) 11/8/2007 1:29:31 AM 0 bytes
Anti-Spam failed (the task was stopped) 11/8/2007 1:29:31 AM 0 bytes
Privacy Control failed (the task was stopped) 11/8/2007 1:29:33 AM 0 bytes
Proactive Defense failed (the task was stopped) 11/8/2007 1:29:33 AM 0 bytes
File Anti-Virus failed (the task was stopped) 11/8/2007 1:29:33 AM 0 bytes
Mail Anti-Virus failed (the task was stopped) 11/8/2007 1:29:33 AM 0 bytes
Web Anti-Virus failed (the task was stopped) 11/8/2007 1:29:33 AM 0 bytes
Scan startup objects completed 11/8/2007 1:31:45 AM 11/8/2007 1:32:23 AM 0 bytes
Scan critical areas completed 11/8/2007 1:54:46 AM 11/8/2007 2:03:47 AM 865.5 KB
Update completed 11/8/2007 2:09:48 AM 11/8/2007 2:11:35 AM 0 bytes
Quarantine completed 11/8/2007 2:11:35 AM 11/8/2007 2:11:37 AM 0 bytes
Quarantine completed 11/8/2007 3:38:25 AM 11/8/2007 3:38:28 AM 0 bytes
Quarantine completed 11/8/2007 3:40:38 AM 11/8/2007 3:40:39 AM 0 bytes
Quarantine completed 11/8/2007 3:41:29 AM 11/8/2007 3:41:30 AM 4.2 KB
Quarantine completed 11/8/2007 3:43:53 AM 11/8/2007 3:43:54 AM 8.6 KB
Update completed 11/8/2007 4:30:32 AM 11/8/2007 4:34:04 AM 0 bytes
Quarantine completed 11/8/2007 4:34:04 AM 11/8/2007 4:34:08 AM 0 bytes
Scan completed 11/8/2007 5:06:38 AM 11/8/2007 5:07:38 AM 23.2 KB
Update completed 11/8/2007 6:36:34 AM 11/8/2007 6:40:26 AM 0 bytes
Quarantine completed 11/8/2007 6:40:26 AM 11/8/2007 6:40:35 AM 0 bytes
Update completed 11/8/2007 11:37:06 AM 11/8/2007 11:45:40 AM 0 bytes
Quarantine completed 11/8/2007 11:45:40 AM 11/8/2007 11:45:45 AM 0 bytes
Update completed 11/8/2007 1:57:31 PM 11/8/2007 2:18:49 PM 0 bytes
Quarantine completed 11/8/2007 2:18:47 PM 11/8/2007 2:18:59 PM 0 bytes
Update completed 11/8/2007 4:37:24 PM 11/8/2007 5:02:19 PM 0 bytes
Quarantine completed 11/8/2007 5:02:14 PM 11/8/2007 5:02:25 PM 0 bytes
Update completed 11/8/2007 7:17:35 PM 11/8/2007 7:24:19 PM 0 bytes
Quarantine completed 11/8/2007 7:24:19 PM 11/8/2007 7:24:26 PM 0 bytes
Update completed 11/8/2007 9:37:52 PM 11/8/2007 9:43:51 PM 0 bytes
Quarantine completed 11/8/2007 9:43:53 PM 11/8/2007 9:44:01 PM 0 bytes
Update completed 11/8/2007 11:58:22 PM 11/9/2007 12:04:46 AM 0 bytes
Quarantine completed 11/9/2007 12:04:48 AM 11/9/2007 12:05:01 AM 0 bytes
Scan completed 11/9/2007 1:41:48 AM 11/9/2007 1:41:49 AM 4.2 KB
Quarantine completed 11/9/2007 1:47:39 AM 11/9/2007 1:47:42 AM 0 bytes
Quarantine completed 11/9/2007 1:48:23 AM 11/9/2007 1:48:25 AM 0 bytes
Scan completed 11/9/2007 1:49:21 AM 11/9/2007 1:49:24 AM 4.2 KB
Scan completed 11/9/2007 1:49:40 AM 11/9/2007 1:49:44 AM 4.6 KB
Update completed 11/9/2007 2:58:05 AM 11/9/2007 3:00:24 AM 0 bytes
Quarantine completed 11/9/2007 3:00:24 AM 11/9/2007 3:00:28 AM 0 bytes
Scan failed (the task was stopped) 11/9/2007 3:25:31 AM 7.5 MB
Update completed 11/9/2007 5:58:57 AM 11/9/2007 6:09:07 AM 0 bytes
Quarantine completed 11/9/2007 6:09:07 AM 11/9/2007 6:12:15 AM 0 bytes
Firewall completed 11/9/2007 6:16:08 AM 11/9/2007 11:48:38 AM 0 bytes
Anti-Spam completed 11/9/2007 6:16:08 AM 11/9/2007 11:48:31 AM 0 bytes
Privacy Control completed 11/9/2007 6:16:08 AM 11/9/2007 11:48:33 AM 0 bytes
Proactive Defense completed 11/9/2007 6:16:08 AM 11/9/2007 11:48:57 AM 0 bytes
File Anti-Virus completed 11/9/2007 6:16:08 AM 11/9/2007 11:48:46 AM 0 bytes
Mail Anti-Virus completed 11/9/2007 6:16:09 AM 11/9/2007 11:48:31 AM 0 bytes
Web Anti-Virus completed 11/9/2007 6:16:10 AM 11/9/2007 11:48:47 AM 0 bytes
Scan startup objects completed 11/9/2007 6:18:21 AM 11/9/2007 6:22:50 AM 0 bytes
Update completed 11/9/2007 8:19:39 AM 11/9/2007 8:30:31 AM 0 bytes
Quarantine completed 11/9/2007 8:30:30 AM 11/9/2007 8:30:38 AM 8.7 KB
Update Not all components were updated 11/9/2007 10:40:03 AM 11/9/2007 11:40:10 AM 18 KB
Firewall running 11/9/2007 1:32:07 PM 8.6 KB
Anti-Spam running 11/9/2007 1:32:07 PM 0 bytes
Privacy Control running 11/9/2007 1:32:07 PM 0 bytes
Proactive Defense running 11/9/2007 1:32:07 PM 0 bytes
File Anti-Virus running 11/9/2007 1:32:07 PM 533.2 KB
Mail Anti-Virus running 11/9/2007 1:32:07 PM 0 bytes
Web Anti-Virus running 11/9/2007 1:32:08 PM 10.1 KB
Scan startup objects completed 11/9/2007 1:34:09 PM 11/9/2007 1:38:35 PM 505.6 KB


Quarantine
----------
Status Object Size Added
------ ------ ---- -----
Possibly infected: virus Packed.Win32.Morphine.a (modification) c:\system volume information\_restore{39c12724-d72b-4bde-8b27-4978fa4b8d03}\rp34\a0009995.dll 44 KB 11/8/2007 3:39:16 AM
Possibly infected: riskware Hidden data sending C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe 4.5 MB 11/8/2007 1:42:23 AM


Backup
------
Status Object Size
------ ------ ----
Infected: Trojan program Trojan-Downloader.Win32.TSUpdate.d c:\system volume information\_restore{39c12724-d72b-4bde-8b27-4978fa4b8d03}\rp43\a0011311.exe 419.7 KB


#4 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 09 November 2007 - 09:17 PM

LVPrcSrv.exe is related to Logitech QuickCam.
iCall.exe is related to iCall Internet Phone
YahooMessenger.exe is the executable for Yahoo! Messenger.

Kaspersky is flagging the latter two files as riskware because they send data. I'm not sure what they mean by "invader running process" for LVPrcSrv.exe, as it too is a legit file.

Kaspersky did flag some bad files in the System Volume Information Folder (SVI), which is a part of System Restore - the feature that allows you to set points in time to roll back your computer to a clean working state. This folder is protected by permissions that only allow the system to have access and is hidden by default unless you have reconfigured Windows to show it.

Keep in mind that System Restore will back up the good as well as the bad files so when malware is present on the system it gets included in any restore points. When you scan your system with anti-virus or anti-malware tools, you may receive an alert or notification that a virus was found in the System Volume Information folder (System Restore points).

To resolve this, you need to Set a New Restore Point to enable your computer to "roll-back" to a clean working state and then purge the old restore points.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recent Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.

#5 miniB (Topic Starter)

Posted 10 November 2007 - 12:16 AM

Hey

Okay, I did that. I'll probably do another scan; I'm actually doing that now. Thanks a lot.

#6 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 10 November 2007 - 07:32 AM

Post back and let us know how the scan goes.

#7 miniB (Topic Starter)

Posted 10 November 2007 - 11:18 PM

Hey Quietman, in Kaspersky I'm still receiving this alert. When I did my Panda scan it didn't detect any trojans; I enclosed that report at the bottom. Also, Panda found 3 hacker tools and rootkits; I'm not sure if it's in that report.

11/10/2007 6:06:56 PM File: c:\system volume information\_restore{39c12724-d72b-4bde-8b27-4978fa4b8d03}\rp43\a0011315.exe//file4 detected Trojan program 'Trojan-Downloader.Win32.TSUpdate.d'

Incident Status Location

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\coco\Application Data\Mozilla\Firefox\Profiles\qad8ulzy.default\cookies.txt[.com.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\coco\Application Data\Mozilla\Firefox\Profiles\qad8ulzy.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\coco\Application Data\Mozilla\Firefox\Profiles\qad8ulzy.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\coco\Application Data\Mozilla\Firefox\Profiles\qad8ulzy.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\coco\Application Data\Mozilla\Firefox\Profiles\qad8ulzy.default\cookies.txt[.overture.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\coco\Application Data\Mozilla\Firefox\Profiles\qad8ulzy.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\coco\Application Data\Mozilla\Firefox\Profiles\qad8ulzy.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\coco\Application Data\Mozilla\Firefox\Profiles\qad8ulzy.default\cookies.txt[.xiti.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\coco\Application Data\Mozilla\Firefox\Profiles\qad8ulzy.default\cookies.txt[ad.yieldmanager.com/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\coco\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\coco\Desktop\ComboFix.exe[nircmd.cfexe]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[c5.zedo.com/jsc/c5/]
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.ads.addynamix.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[citi.bridgetrack.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.overture.com/]
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.linksynergy.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.tucows.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.com.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.go.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[stats.drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[www.drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\reese\Application Data\Mozilla\Firefox\Profiles\pxugmykt.default\cookies.txt[.atwola.com/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\R\NirCmd.exe
Adware:Adware/Sqwire Not disinfected C:\System Volume Information\_restore{39C12724-D72B-4BDE-8B27-4978FA4B8D03}\RP43\A0011315.exe
Spyware:Cookie/Doubleclick Not disinfected D:\Documents and Settings\Nephews\Application Data\Mozilla\Firefox\Profiles\rz8r4ie0.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/YieldManager Not disinfected D:\Documents and Settings\Nephews\Application Data\Mozilla\Firefox\Profiles\rz8r4ie0.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/2o7 Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.2o7.net/]
Spyware:Cookie/YieldManager Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/PointRoll Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/YieldManager Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/QuestionMarket Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Atlas DMT Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Adrevolver Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Advertising Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.advertising.com/]
Spyware:Cookie/RealMedia Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/FastClick Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/RealMedia Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/FastClick Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/FastClick Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[media.fastclick.net/]
Spyware:Cookie/RealMedia Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/FastClick Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Mediaplex Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Overture Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.overture.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Statcounter Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/BurstNet Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Clickbank Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/Atwola Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Com.com Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.com.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[server.iad.liveperson.net/hc/53320982]
Spyware:Cookie/Server.iad.Liveperson Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Maxserving Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Tickle Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.tickle.com/]
Spyware:Cookie/Falkag Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Casalemedia Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tradedoubler Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Bluestreak Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Zedo Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Serving-sys Not disinfected D:\Documents and Settings\RERE\Application Data\Mozilla\Firefox\Profiles\zdhywc9p.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Ccbill Not disinfected D:\Documents and Settings\RERE\Cookies\rere@ccbill[1].txt
Spyware:Cookie/Go Not disinfected D:\Documents and Settings\RERE\Cookies\rere@go[2].txt
Spyware:Cookie/BurstBeacon Not disinfected D:\Documents and Settings\RERE\Cookies\rere@www.burstbeacon[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected D:\Documents and Settings\RERE\Cookies\rere@www.myaffiliateprogram[1].txt


#8 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 11 November 2007 - 07:30 AM

Most of these are tracking cookies. Run ATF Cleaner again.

Cookies are text string messages given to a Web browser by a Web server. Whenever you visit a web page or navigate different pages with your browser, the web site generates a unique ID number which your browser stores in a text (cookie) file that is sent back to the server each time the browser requests a page from that server. Cookies allow third-party providers such as ad serving networks, spyware or adware providers to track personal information. The main purpose of cookies is to identify users and prepare customized Web pages for them.

Cookies can be categorized as:
• Trusted cookies are from sites you trust, use often, and want to be able to identify and personalize content for you.
• Nuisance cookies are from those sites you do not recognize or often use, but which have somehow put a cookie on your machine.
• Bad cookies are those that can be linked to an ad company or something that tracks your movements across the web. They are called "profiling cookies," "persistent cookies," "long term tracking cookies," "third party tracking cookies" or "tracking cookies".

The type of cookie that is a cause for concern is the last category because they can be considered a privacy risk. These types of cookies are used to track your Web browsing habits (your movement from site to site). Ad companies use them to record your activity on all sites where they have placed ads. They can keep count of how many times you visited a web page, store your username and password so you don't have to log in and retain your custom settings. When you visit one of these sites, a cookie is placed on your computer. Each time you visit another site that hosts one of their ads, that same cookie is read, and soon they have assembled a list of which of their sites you have visited and which of their ads that you have clicked on. They are used all over the Internet and advertisement companies often plant them whenever your browser loads one of their banners. Cookies are NOT a "threat". As text files they cannot be executed to cause any damage. Cookies do not cause any pop ups nor do they install malware.

As long as you surf the Internet, you are going to get cookies and some of your security programs will flag them for removal. However, you can minimize this by reading "Blocking & Managing Unwanted Cookies"

Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, and reboot.exe, may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", not-a-virus, or even "Spyware-Adware". I see that you downloaded ComboFix.exe which uses NirCmd, a command-line utility that allows writing to and deletion of values and keys in the registry.

Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. Potentially unwanted does not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.
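The cookies quietman7 describes above are the records Firefox keeps in the cookies.txt file that the Panda report lists for each profile. As an added example (not code from this thread, from BleepingComputer, or from any scanner it mentions), the Python below parses that Netscape-format file, flags the records that belong to the ad/tracking networks named in the report, separates the persistent ones (an expiry in the future) from session-only ones, and produces a copy with the tracker records dropped. The `TRACKER_DOMAINS` set is a small illustrative list built from the domains in the report, not a complete block list, and the sample file contents are constructed.

```python
"""Flag persistent third-party tracking cookies in a Firefox cookies.txt.

Added example for this thread, not code from BleepingComputer or from any
of the scanners mentioned. The tracker domains come from the Panda report
posted above; the cookies.txt content is constructed sample data.
"""
import time

# Registrable domains of ad/tracking networks named in the Panda report
# (assumption: a small illustrative set, not a complete block list).
TRACKER_DOMAINS = {
    "doubleclick.net", "2o7.net", "atdmt.com", "yieldmanager.com",
    "realmedia.com", "fastclick.net", "zedo.com", "serving-sys.com",
    "overture.com", "statcounter.com", "advertising.com",
}

# Constructed sample in Netscape cookies.txt format: seven tab-separated
# fields per record (domain, include-subdomains, path, secure, expiry, name, value).
SAMPLE_COOKIES_TXT = (
    "# HTTP Cookie File\n"
    "# This is a generated file!  Do not edit.\n"
    "\n"
    ".doubleclick.net\tTRUE\t/\tFALSE\t1893456000\tid\tabc123\n"
    "ad.yieldmanager.com\tFALSE\t/\tFALSE\t1893456000\tuid\txyz789\n"
    ".example.com\tTRUE\t/\tFALSE\t1893456000\tprefs\tdark\n"
    ".example.com\tTRUE\t/\tTRUE\t0\tsession\tdeadbeef\n"
    ".atdmt.com\tTRUE\t/\tFALSE\t0\tAA002\tsessiononly\n"
)


def parse_cookies_txt(text):
    """Return a list of cookie dicts; comments, blank and malformed lines are skipped."""
    cookies = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split("\t")
        if len(fields) != 7:
            continue  # not a well-formed record; ignore rather than guess
        domain, _subdomains, path, secure, expires, name, value = fields
        cookies.append({
            "domain": domain.lstrip("."),
            "path": path,
            "secure": secure == "TRUE",
            "expires": int(expires) if expires.isdigit() else 0,  # 0 = session cookie
            "name": name,
            "value": value,
            "raw": raw,
        })
    return cookies


def registrable_domain(host):
    """Naive eTLD+1 (last two labels); adequate for the .com/.net trackers above."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_tracker(cookie):
    return registrable_domain(cookie["domain"]) in TRACKER_DOMAINS


def is_persistent(cookie, now=None):
    """A cookie with a future expiry survives a browser restart; 0 means session-only."""
    now = time.time() if now is None else now
    return cookie["expires"] > now


def summarize(text, now=None):
    """Count records and name the tracker cookies, persistent ones separately."""
    cookies = parse_cookies_txt(text)
    trackers = [c for c in cookies if is_tracker(c)]
    return {
        "total": len(cookies),
        "tracker": sorted(c["name"] for c in trackers),
        "persistent_tracker": sorted(c["name"] for c in trackers if is_persistent(c, now)),
    }


def scrub(text):
    """Return cookies.txt with tracker records dropped; everything else kept verbatim."""
    kept = []
    for raw in text.splitlines():
        fields = raw.split("\t")
        if len(fields) == 7 and not raw.startswith("#"):
            if is_tracker({"domain": fields[0].lstrip(".")}):
                continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print(summarize(SAMPLE_COOKIES_TXT, now=1_200_000_000))
    print(scrub(SAMPLE_COOKIES_TXT))
```

Run it against a copy of a profile's cookies.txt with the browser closed, since Firefox rewrites the file on exit. The persistent/session split is the distinction the post draws: the third-party records with an expiry years out are the ones that let an ad network recognise the same browser across sites and sessions, while the session-only entries disappear on their own.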

#9 miniB (Topic Starter)

Posted 11 November 2007 - 01:24 PM

Thanks for all of your help; I greatly appreciate it.

#10 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 11 November 2007 - 03:02 PM

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "The Ten Most Dangerous Things Users Do Online".
• "The 10 Biggest Security Risks".
• "Hardening Windows Security - Part 1" and "Hardening Windows Security - Part 2".



