Psw .x-vir Trojan, Spyware.cyberlog-x And Trojan-spy.win32@mx


This topic is locked
22 replies to this topic

#1 happycow
  • Members
  • 33 posts
  • Gender: Female
  • Location: UK

Posted 11 April 2008 - 05:34 PM

Sorry if this is in the wrong place or if I haven't explained something which I should have.

In the toolbar there is a yellow triangle with an exclamation mark that keeps showing a bubble saying:

Security Alert: Spyware found
Your computer is infected with the last version of PSW .x-Vir trojan. PSW trojans steal your private information such as: passwords, IP-address, credit card information, registration details, documents, etc.
Click this balloon to remove PSW .x-Vir spyware.

There is also a shield shape in the toolbar that flashes red with a cross on and blue with a question mark. It keeps showing a bubble saying:

System Alert!
System has detected a number of active spyware applications that may impact the performance of the computer. Click the icon to get rid of unwanted spyware by downloading an up-to-date antispyware solution.

When I go on the internet it has changed my homepage and tries to divert me to a page to download an antispyware protection thing... winspy killer or virusheat.

ALSO I have been getting multiple popups saying how my computer is slow and the internet connection speed has slowed, about unwanted popups and a critical system warning saying:

Your system is probably infected with the latest version of Spyware.Cyberlog-X.
Type: Spyware
Infected length: 266, 129 bytes
Risk: High
Systems Affected: Windows 95, 98, 200, NT, 2003 Server, Windows XP, Windows Vista
Behavior: Spyware.Cyberlog-X is a spyware program that monitors user activity, log keystrokes, and tracks Web sites visited.
Symptoms: Low Internet connection speed
Low system performance
Security centre alerts
Strange popup windows
Protection: Click ok to download antispyware software

Argh I'm getting more popups as I write! This one says:

System Alert: Trojan-Spy.Win32@mx
Type: Spyware/Trojan
Vulnerable: Windows 95/98/ME/NT/2003/Windows XP/Windows Vista
Description: Spyware program that sends confidential information to a remote attacker
Protection: Click this balloon to download official security software.

I also got a popup before about TJ/BZ spyware or virus trying to attack the computer but I can't remember exactly what it said.

So can someone please help a computer illiterate person with this? Or tell me what you need to know to be able to help me? This is my dad's laptop and he's going to go nuts! Is it as bad as it sounds?! What exactly is wrong? Is there anything I can do? If I took the laptop to a computer person would they be able to sort it out?



#2 don77 (Forum Regular)
  • Members
  • 3,212 posts
  • Gender: Male
  • Location: Boston Mass

Posted 11 April 2008 - 06:19 PM

Hello and welcome happycow


Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#3 happycow (Topic Starter)
  • Members
  • 33 posts
  • Gender: Female
  • Location: UK

Posted 12 April 2008 - 06:07 AM

oh

Edited by happycow, 12 April 2008 - 08:11 AM.


#4 don77 (Forum Regular)
  • Members
  • 3,212 posts
  • Gender: Male
  • Location: Boston Mass

Posted 12 April 2008 - 08:15 AM

Was it able to run?

#5 don77 (Forum Regular)
  • Members
  • 3,212 posts
  • Gender: Male
  • Location: Boston Mass

Posted 12 April 2008 - 10:40 AM

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

#6 happycow (Topic Starter)
  • Members
  • 33 posts
  • Gender: Female
  • Location: UK

Posted 12 April 2008 - 12:25 PM

SmitFraudFix v2.311

Scan done at 18:07:25.85, 12/04/2008
Run from C:\Documents and Settings\Grace\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{65bbf06c-ea06-4818-92a3-f3550d0e1004}"="asparagine"

[HKEY_CLASSES_ROOT\CLSID\{65bbf06c-ea06-4818-92a3-f3550d0e1004}\InProcServer32]
@="C:\WINDOWS\system32\rkvdr.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{65bbf06c-ea06-4818-92a3-f3550d0e1004}\InProcServer32]
@="C:\WINDOWS\system32\rkvdr.dll"


Killing process


hosts


127.0.0.1 localhost

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\rkvdr.dll -> Hoax.Win32.Renos.gen.o
C:\WINDOWS\system32\rkvdr.dll -> Deleted


Deleting infected files

C:\WINDOWS\system32\215651\ Deleted
C:\Program Files\NetProject\ Deleted
C:\Program Files\Video Add-on\ Deleted

IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}: DhcpNameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3EACD287-FAB0-4305-8C1C-62AC9FE56DE1}: NameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CCS\Services\Tcpip\..\{571B6D9B-3DA7-40FC-AAC4-F4A96D59521A}: NameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CCS\Services\Tcpip\..\{571D917A-B92E-47F2-A94C-175B1312937B}: DhcpNameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CCS\Services\Tcpip\..\{571D917A-B92E-47F2-A94C-175B1312937B}: NameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EBA041E9-8F64-44B3-972D-382A5931838E}: DhcpNameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EBA041E9-8F64-44B3-972D-382A5931838E}: NameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}: DhcpNameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3EACD287-FAB0-4305-8C1C-62AC9FE56DE1}: NameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CS1\Services\Tcpip\..\{571B6D9B-3DA7-40FC-AAC4-F4A96D59521A}: NameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CS1\Services\Tcpip\..\{571D917A-B92E-47F2-A94C-175B1312937B}: DhcpNameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CS1\Services\Tcpip\..\{571D917A-B92E-47F2-A94C-175B1312937B}: NameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EBA041E9-8F64-44B3-972D-382A5931838E}: DhcpNameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EBA041E9-8F64-44B3-972D-382A5931838E}: NameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}: DhcpNameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3EACD287-FAB0-4305-8C1C-62AC9FE56DE1}: NameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CS2\Services\Tcpip\..\{571B6D9B-3DA7-40FC-AAC4-F4A96D59521A}: NameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CS2\Services\Tcpip\..\{571D917A-B92E-47F2-A94C-175B1312937B}: DhcpNameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CS2\Services\Tcpip\..\{571D917A-B92E-47F2-A94C-175B1312937B}: NameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EBA041E9-8F64-44B3-972D-382A5931838E}: DhcpNameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EBA041E9-8F64-44B3-972D-382A5931838E}: NameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}: DhcpNameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3EACD287-FAB0-4305-8C1C-62AC9FE56DE1}: NameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CS3\Services\Tcpip\..\{571B6D9B-3DA7-40FC-AAC4-F4A96D59521A}: NameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CS3\Services\Tcpip\..\{571D917A-B92E-47F2-A94C-175B1312937B}: DhcpNameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CS3\Services\Tcpip\..\{571D917A-B92E-47F2-A94C-175B1312937B}: NameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CS3\Services\Tcpip\..\{EBA041E9-8F64-44B3-972D-382A5931838E}: DhcpNameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CS3\Services\Tcpip\..\{EBA041E9-8F64-44B3-972D-382A5931838E}: NameServer=85.255.114.59,85.255.112.80
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.114.59 85.255.112.80
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.114.59 85.255.112.80
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.114.59 85.255.112.80
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=85.255.114.59 85.255.112.80


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End


Well I don't have the annoying popups now and my homepage is back to normal so does that mean everything is ok? Do I have to do anything else? Thank you for your help :thumbsup:

#7 don77 (Forum Regular)
  • Members
  • 3,212 posts
  • Gender: Male
  • Location: Boston Mass

Posted 12 April 2008 - 04:36 PM

:thumbsup:
Nice work

Could you double-click on SmitfraudFix again please, press any key to continue, type in the #5 and hit Enter.
Make sure all other programs are closed, as the computer may need to reboot. Please post the new rapport.txt back.

#8 happycow (Topic Starter)
  • Members
  • 33 posts
  • Gender: Female
  • Location: UK

Posted 12 April 2008 - 04:46 PM

When I did that I got a box that said:

Your computer may be victim of a DNS Hijack: 85.255.x.x Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
Do you want to set your network to dynamic - DHCP-Server?

Should I click yes or no?
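The DNS section of the SmitfraudFix report above and the "DNS Hijack: 85.255.x.x" prompt in this post show the same finding: every interface and every control set points at the two 85.255.x.x resolvers. The script below is an added example, not part of SmitfraudFix or of the thread; it parses those report lines and applies the tool's own 85.255.x.x test (taken from the thread as an assumption, not a full list of rogue resolvers), then reports whether the rogue servers are live in CurrentControlSet and whether they came in via DHCP.

```python
r"""Flag rogue name servers in the DNS section of a SmitfraudFix report.

Added example for this thread; it is not part of SmitfraudFix or of the forum's
advice. It reads the registry lines the tool prints, e.g.

  HKLM\SYSTEM\CCS\Services\Tcpip\..\{GUID}: NameServer=85.255.114.59,85.255.112.80
  HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.114.59 85.255.112.80

(note the two separators) and applies the same "85.255.x.x" test that SmitfraudFix
option 5 reports as a DNS hijack. That range is taken from the thread and is an
assumption, not a complete list of rogue resolvers.
"""
import ipaddress
import re
from collections import defaultdict

ROGUE_NETS = (ipaddress.ip_network("85.255.0.0/16"),)  # the thread's 85.255.x.x check

LINE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\(?P<where>[^:]+):\s*"
    r"(?P<key>DhcpNameServer|NameServer)=(?P<servers>\S.*)$"
)


def parse_dns_lines(lines):
    """Return (control_set, interface_or_Parameters, value_name, [servers]) per matching line."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, other report sections
        # The tool writes "a,b" for interface keys and "a b" for the Parameters key.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        records.append((m.group("cs"), m.group("where"), m.group("key"), servers))
    return records


def is_rogue(server):
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False  # not an IP literal (a hostname or garbage); nothing to say
    return any(addr in net for net in ROGUE_NETS)


def rogue_findings(records):
    """Map each rogue server to the (control set, location, value name) triples that carry it."""
    hits = defaultdict(set)
    for cs, where, key, servers in records:
        for s in servers:
            if is_rogue(s):
                hits[s].add((cs, where, key))
    return dict(hits)


def triage(lines):
    """Summarise a DNS section for a responder.

    live: a rogue server is in CurrentControlSet (CCS), i.e. in use right now, not
    only in a backup control set. dhcp_supplied: it sits in DhcpNameServer, so it
    arrived from the DHCP server (often the home router), which then needs checking too.
    """
    hits = rogue_findings(parse_dns_lines(lines))
    triples = [t for locs in hits.values() for t in locs]
    return {
        "rogue_servers": sorted(hits),
        "live": any(cs == "CCS" for cs, _, _ in triples),
        "dhcp_supplied": any(key == "DhcpNameServer" for _, _, key in triples),
    }


# Constructed sample built from the report lines quoted in this thread.
SAMPLE_REPORT = [
    "DNS",
    "",
    r"HKLM\SYSTEM\CCS\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}: DhcpNameServer=85.255.114.59,85.255.112.80",
    r"HKLM\SYSTEM\CCS\Services\Tcpip\..\{3EACD287-FAB0-4305-8C1C-62AC9FE56DE1}: NameServer=85.255.114.59,85.255.112.80",
    r"HKLM\SYSTEM\CS1\Services\Tcpip\..\{3EACD287-FAB0-4305-8C1C-62AC9FE56DE1}: NameServer=85.255.114.59,85.255.112.80",
    r"HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.114.59 85.255.112.80",
]
# Constructed: what a clean machine behind a home router typically shows.
CLEAN_REPORT = [
    r"HKLM\SYSTEM\CCS\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}: DhcpNameServer=192.168.1.1",
]

if __name__ == "__main__":
    for name, report in (("infected", SAMPLE_REPORT), ("clean", CLEAN_REPORT)):
        print(name, triage(report))
```

An empty "DNS After Fix" section, as in the later report in this thread, parses to no records and an empty rogue list, which is the result a responder wants to see.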

#9 don77 (Forum Regular)
  • Members
  • 3,212 posts
  • Gender: Male
  • Location: Boston Mass

Posted 12 April 2008 - 05:03 PM

Oops, please click Yes; I forgot to add that piece in there.

#10 happycow (Topic Starter)
  • Members
  • 33 posts
  • Gender: Female
  • Location: UK

Posted 13 April 2008 - 04:23 AM

SmitFraudFix v2.311

Scan done at 10:21:01.18, 13/04/2008
Run from C:\Documents and Settings\Grace\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

DNS Before Fix


DNS After Fix

#11 happycow (Topic Starter)
  • Members
  • 33 posts
  • Gender: Female
  • Location: UK

Posted 13 April 2008 - 04:25 AM

Um what was that last bit for?

#12 don77 (Forum Regular)
  • Members
  • 3,212 posts
  • Gender: Male
  • Location: Boston Mass

Posted 13 April 2008 - 03:13 PM

That's fine, I wanted to make sure it was clean.

Please do an online scan with Kaspersky WebScanner

Click on Accept Button

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#13 happycow (Topic Starter)
  • Members
  • 33 posts
  • Gender: Female
  • Location: UK

Posted 14 April 2008 - 07:12 AM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 14, 2008 12:58:32 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/04/2008
Kaspersky Anti-Virus database records: 703463
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 90783
Number of viruses found: 20
Number of infected objects: 61
Number of suspicious objects: 0
Duration of the scan process: 01:22:22

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Kontiki\error.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd000.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Grace\Application Data\install_en[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Grace\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Grace\Local Settings\Application Data\BVRP Software\NetWaiting\MoHlog.txt Object is locked skipped
C:\Documents and Settings\Grace\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Grace\Local Settings\Application Data\Microsoft\Messenger\me@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Grace\Local Settings\Application Data\Microsoft\Messenger\me@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Grace\Local Settings\Application Data\Microsoft\Messenger\me@hotmail.com\SharingMetadata\Working\database_CCF8_40F5_F840_DEF8\dfsr.db Object is locked skipped
C:\Documents and Settings\Grace\Local Settings\Application Data\Microsoft\Messenger\me@hotmail.com\SharingMetadata\Working\database_CCF8_40F5_F840_DEF8\fsr.log Object is locked skipped
C:\Documents and Settings\Grace\Local Settings\Application Data\Microsoft\Messenger\me@hotmail.com\SharingMetadata\Working\database_CCF8_40F5_F840_DEF8\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Grace\Local Settings\Application Data\Microsoft\Messenger\me@hotmail.com\SharingMetadata\Working\database_CCF8_40F5_F840_DEF8\tmp.edb Object is locked skipped
C:\Documents and Settings\Grace\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Grace\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Grace\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Grace\Local Settings\History\History.IE5\MSHist012008041420080415\index.dat Object is locked skipped
C:\Documents and Settings\Grace\Local Settings\Temp\fla26.tmp Object is locked skipped
C:\Documents and Settings\Grace\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Grace\Local Settings\Temp\NI.UGA6P_0001_N122M2802\setup.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Grace\Local Settings\Temp\Perflib_Perfdata_a64.dat Object is locked skipped
C:\Documents and Settings\Grace\Local Settings\Temporary Internet Files\Content.IE5\GPOR078J\asecureforum[1].htm Infected: not-virus:Hoax.HTML.Secureinvites.a skipped
C:\Documents and Settings\Grace\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Grace\Local Settings\Temporary Internet Files\Content.IE5\UQA1T1SQ\ct[2].htm Object is locked skipped
C:\Documents and Settings\Grace\My Documents\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Grace\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Grace\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Jo\Local Settings\Temp\zfe2.exe Infected: Trojan-Downloader.Win32.Zlob.kzv skipped
C:\Documents and Settings\Jo\Local Settings\Temp\zfe3.exe Infected: not-virus:Hoax.Win32.Renos.bmq skipped
C:\Documents and Settings\Jo\Local Settings\Temporary Internet Files\Content.IE5\3F53BX0W\ice[1].htm Infected: Trojan-Downloader.JS.Agent.amm skipped
C:\Documents and Settings\Jo\Local Settings\Temporary Internet Files\Content.IE5\4RZJA8D9\asecureforum[1].htm Infected: not-virus:Hoax.HTML.Secureinvites.a skipped
C:\Documents and Settings\Jo\Local Settings\Temporary Internet Files\Content.IE5\4RZJA8D9\asecureforum[2].htm Infected: not-virus:Hoax.HTML.Secureinvites.a skipped
C:\Documents and Settings\Jo\Local Settings\Temporary Internet Files\Content.IE5\WLETSP2R\setup[1].exe Infected: Trojan-Downloader.Win32.Zlob.kyx skipped
C:\Documents and Settings\Jo\My Documents\LimeWire\Saved\06 Track 6.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\Jo\My Documents\LimeWire\Saved\graf bus up.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\Documents and Settings\Jo\My Documents\LimeWire\Saved\Wicked Remix.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\Jo\My Documents\My Music\active x.exe Infected: Trojan-Downloader.Win32.Zlob.kyx skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\RECYCLER\S-1-5-21-1541471802-3365425679-2485643438-1008\Dc1\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP146\A0053581.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP160\A0064922.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP167\A0074443.exe Infected: Trojan-Downloader.Win32.Zlob.lco skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP167\A0074444.dll Infected: Trojan-Downloader.Win32.Zlob.laq skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP167\A0074445.exe Infected: Trojan-Downloader.Win32.Zlob.kzx skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP167\A0074471.exe Infected: Trojan-Downloader.Win32.Zlob.lco skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP167\A0074472.dll Infected: Trojan-Downloader.Win32.Zlob.laq skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP167\A0074473.exe Infected: Trojan-Downloader.Win32.Zlob.kzx skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP167\A0074487.exe Infected: Trojan-Downloader.Win32.Zlob.lco skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP167\A0074489.dll Infected: Trojan-Downloader.Win32.Zlob.laq skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP167\A0074490.exe Infected: Trojan-Downloader.Win32.Zlob.kzx skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP167\A0074500.exe Infected: not-a-virus:FraudTool.Win32.VirusProtectPro.ac skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP167\A0074503.exe Infected: not-a-virus:FraudTool.Win32.VirusProtectPro.ac skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074705.sys Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074747.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.n skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074773.exe Infected: not-a-virus:Downloader.Win32.WinFixer.cv skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074778.exe Infected: Trojan-Downloader.Win32.Zlob.lco skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074780.dll Infected: Trojan-Downloader.Win32.Zlob.laq skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074781.exe Infected: Trojan-Downloader.Win32.Zlob.kzx skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074802.exe Infected: Trojan-Downloader.Win32.Zlob.lco skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074803.dll Infected: Trojan-Downloader.Win32.Zlob.laq skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074804.exe Infected: Trojan-Downloader.Win32.Zlob.kzx skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074833.exe Infected: Trojan-Downloader.Win32.Zlob.lco skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074834.dll Infected: Trojan-Downloader.Win32.Zlob.laq skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074835.exe Infected: Trojan-Downloader.Win32.Zlob.kzx skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074863.exe Infected: Trojan-Downloader.Win32.Zlob.lco skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074864.dll Infected: Trojan-Downloader.Win32.Zlob.laq skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074865.exe Infected: Trojan-Downloader.Win32.Zlob.kzx skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074883.exe Infected: Trojan-Downloader.Win32.Zlob.lco skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074884.dll Infected: Trojan-Downloader.Win32.Zlob.laq skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074885.exe Infected: Trojan-Downloader.Win32.Zlob.kzx skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074904.exe Infected: Trojan-Downloader.Win32.Zlob.lco skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074905.dll Infected: Trojan-Downloader.Win32.Zlob.laq skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074906.exe Infected: Trojan-Downloader.Win32.Zlob.kzx skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074925.exe Infected: Trojan-Downloader.Win32.Zlob.lco skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074926.dll Infected: Trojan-Downloader.Win32.Zlob.laq skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074928.exe Infected: Trojan-Downloader.Win32.Zlob.kzx skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074943.exe Infected: Trojan-Downloader.Win32.Zlob.lco skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074944.dll Infected: Trojan-Downloader.Win32.Zlob.laq skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074945.exe Infected: Trojan-Downloader.Win32.Zlob.kzx skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074964.dll Infected: not-virus:Hoax.Win32.Agent.bv skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074966.dll Infected: not-a-virus:AdWare.Win32.E404.x skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074968.dll Infected: Trojan-Downloader.Win32.Zlob.laq skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074969.exe Infected: Trojan-Downloader.Win32.Zlob.lbf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074970.exe Infected: Trojan-Downloader.Win32.Zlob.kzx skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074971.exe Infected: Trojan-Downloader.Win32.Zlob.lbf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074973.exe Infected: Trojan-Downloader.Win32.Zlob.lco skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0074974.exe Infected: Trojan-Downloader.Win32.Zlob.lcr skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP171\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_288.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_ca0.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
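Most of the 61 "infected objects" in the report above are not live malware: the "Object is locked skipped" lines are files the scanner could not open, and the bulk of the real detections sit in System Restore snapshots, browser caches and temp folders. The script below is an added example, not part of the thread or of Kaspersky's or BleepingComputer's tooling; it parses report lines of this format and groups detections by where they live, which is the reasoning behind the reply that follows.

```python
r"""Triage a Kaspersky Online Scanner report like the one pasted in this thread.

Added example; it is not part of the thread, of BleepingComputer's advice or of
Kaspersky's tooling. It separates "Object is locked skipped" noise (files the
scanner could not open, not detections) from real detections, then groups the
detections by location: System Restore snapshots, the SmitfraudFix folder (its
Reboot.exe is flagged as a RiskTool, as the thread notes for process.exe), browser
cache, temp folders, the Recycle Bin, or an active location that still needs work.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:Object is locked|Infected:\s+(?P<name>\S+))\s+skipped$"
)
USER_RE = re.compile(r"^[A-Za-z]:\\Documents and Settings\\([^\\]+)\\", re.IGNORECASE)

# Checked in order; the first match wins.
LOCATIONS = [
    ("restore_point", r"\\System Volume Information\\_restore"),
    ("cleanup_tool", r"\\SmitfraudFix\\"),
    ("browser_cache", r"\\Temporary Internet Files\\"),
    ("temp", r"\\Temp\\"),
    ("recycle_bin", r"\\RECYCLER\\"),
]


def parse_report(lines):
    """Return one dict per result line: path, detection name (None if only locked), user."""
    rows = []
    for line in lines:
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # header, settings and statistics lines
        path = m.group("path")
        user = USER_RE.match(path)
        rows.append({"path": path, "detection": m.group("name"),
                     "user": user.group(1) if user else None})
    return rows


def classify(path):
    for label, pattern in LOCATIONS:
        if re.search(pattern, path, re.IGNORECASE):
            return label
    return "active"


def family(name):
    """Drop the variant suffix: Trojan-Downloader.Win32.Zlob.lco -> Trojan-Downloader.Win32.Zlob."""
    return name.rsplit(".", 1)[0]


def triage(lines):
    rows = parse_report(lines)
    detections = [r for r in rows if r["detection"]]
    return {
        "locked": sum(1 for r in rows if r["detection"] is None),
        "detections": len(detections),
        "by_location": Counter(classify(r["path"]) for r in detections),
        "families": Counter(family(r["detection"]) for r in detections),
        # What is left once snapshots, caches and the cleanup tool are set aside.
        "active": [(r["user"], r["path"], r["detection"])
                   for r in detections if classify(r["path"]) == "active"],
    }


# Constructed sample: a handful of lines taken from the report quoted in this thread.
SAMPLE_REPORT = [
    "Infected Object Name / Virus Name / Last Action",
    r"C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped",
    r"C:\Documents and Settings\Grace\Application Data\install_en[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped",
    r"C:\Documents and Settings\Grace\Local Settings\Temp\NI.UGA6P_0001_N122M2802\setup.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped",
    r"C:\Documents and Settings\Grace\My Documents\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped",
    r"C:\Documents and Settings\Jo\Local Settings\Temporary Internet Files\Content.IE5\WLETSP2R\setup[1].exe Infected: Trojan-Downloader.Win32.Zlob.kyx skipped",
    r"C:\Documents and Settings\Jo\My Documents\My Music\active x.exe Infected: Trojan-Downloader.Win32.Zlob.kyx skipped",
    r"C:\RECYCLER\S-1-5-21-1541471802-3365425679-2485643438-1008\Dc1\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped",
    r"C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP167\A0074443.exe Infected: Trojan-Downloader.Win32.Zlob.lco skipped",
    r"C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP167\A0074444.dll Infected: Trojan-Downloader.Win32.Zlob.laq skipped",
    "Scan process completed.",
]

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(result["by_location"], result["families"])
    for user, path, name in result["active"]:
        print(f"{user}: {path} ({name})")
```

Restore-point detections disappear once System Restore is flushed after cleaning, which is why the thread treats them as the last step rather than the first.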

#14 happycow (Topic Starter)
  • Members
  • 33 posts
  • Gender: Female
  • Location: UK

Posted 14 April 2008 - 07:13 AM

That looks bad to me and I don't understand any of it!

#15 don77 (Forum Regular)
  • Members
  • 3,212 posts
  • Gender: Male
  • Location: Boston Mass

Posted 16 April 2008 - 07:24 PM

Sorry for the delay.

Actually, it's not that bad at all.




Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Documents and Settings\Grace\Application Data\install_en[1].exe

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Next

Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Rescan with Kaspersky one more time please. Most of the infections found are in infected restore points, which we will flush out once we get rid of a couple more items that running the above should take care of.



