
Paranoia Wins

4 replies to this topic

#1 Beach Plum

Beach Plum

  • Members
  • 32 posts

Posted 14 May 2008 - 08:43 PM

Hi, I am new here. Since I turned the virus scan on at 2 pm (9:30 local now), I have done little of what I had wanted to be doing.

I seem to have had these conditions, but I had to download my virus definitions twice due to an original error:

C:\Documents and Settings\Owner\Desktop\ToDDrive\Autoruns.zip
C:\Program Files\AutoRuns\autoruns.exe

C:\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe

I downloaded a new autoruns.zip and it was clean and both programs use access so I think those were true.

I am not really vigilant about scans, though I think maybe I should run scans at night now. I have run some 'very 3rd party' programs, installed while learning about my computer and in association with creative ventures.

I had yesterday installed/run Blender, which at first glance I believe needs to be understood completely. That Python scripting, and that Python always was there coiled on my C: drive with HP software packages, but I had never removed it. I like to code and it impressed me in a just-in-case kind of way, and it is aptly named. Still, I don't think Python is to blame. (I have something called Wrye Mash which I love, using it too.)

I did get briefly hooked into a BitTorrent thing that I don't understand in the least, but I allowed the adventure with wide eyes. I closed the browser after a moment; it had been the web page, not the BitTorrent, I thought to escape from.

I don't think I can know who did these viruses, and don't regret any installs, as I had at least interested reasons for all.

This is a nice web site, the name is cool, but when I stopped by here in today's hunt for information I thought, 'Is this a safe and serious place?'. Still, the information about what to do with bad programs gave me a way to go forward. The tricky thing was not running autoruns in safe mode, but autoruns.exe is not a start program itself so I was not really worried. Neither of those programs has asked for permission recently, which I hope makes me clear.

New Autoruns shows nothing unexpected. Rootkit Revealer reports the three old nuisances (enigmas I think, not malware). One of those, I suppose, is the MS Recover program, which is malfunctioning; I think it can't write its file path now (maybe my fault). I never use it though.

I feel safe again anyway.

Thanks BleepingComputer.com for helping.

I think I may check out spyware removers. I am doing little about cookies.

Edit: Moved topic from XP to the more appropriate forum. ~ Animal



#2 Beach Plum

Beach Plum
  • Topic Starter

  • Members
  • 32 posts

Posted 15 May 2008 - 10:55 AM

I checked back to this post and there is a blue text admonishment above. It reads:

When posting your problem, do not run and post ComboFix logs. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

If this is specifically directed to me, perhaps by embedding my virus scanner info in code tags this looked like a ComboFix thing. I only did that because in my view those paths were potentially dangerous executables and I felt they needed a special presentation. I apologize; I am often confusing.

I am not using anything automatic that I can think of, most of my programs are very polite, though many are low level snoops I am using to learn Windows better. My virus scanner has perhaps unlikely vulnerabilities, so I did not show the literal output to be secretive.

As an aside, I think I know how I got those viruses: it was from a 'You need to update Adobe Acrobat to view this document' phish. I actually did need to update Acrobat, so I thought nothing of it. New policy: update everything at their own website. Still, looking back, that seems naive, to think I could not view a PDF.

Then the updater program installed the fake autoruns, which I assume was writing a startup order for a virus still on my system. Well, it won't be doing that today, but what was it? I think the two worked together: updater made autoruns, which ran updater?

I know nothing about viruses, but I will use that explanation to explain why I can't find the last hidden virus.

Edited by Beach Plum, 15 May 2008 - 11:06 AM.

#3 DaChew


    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 15 May 2008 - 11:05 AM


run this scan and post a log

let's get a second opinion

Edited by DaChew, 15 May 2008 - 11:05 AM.


#4 Beach Plum

Beach Plum
  • Topic Starter

  • Members
  • 32 posts

Posted 15 May 2008 - 11:12 AM

Doing it, though I suppose I will make a little odd enumerating as it is scanning now. Later.

That was fast. :thumbsup:

Malwarebytes' Anti-Malware 1.12
Database version: 752

Scan type: Quick Scan
Objects scanned: 36932
Time elapsed: 4 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Beach Plum, 15 May 2008 - 11:17 AM.

#5 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,428 posts
  • Gender:Male
  • Location:NJ USA

Posted 15 May 2008 - 08:13 PM

Hello. First off, you must have just not noticed the blue box the first time, as it is there as a reminder to all.
Second, you look clean in that log, but run one more scan here and post that log, thanks. Has some AV program confirmed the removal of the W32.Sality-10 downloader trojan?

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
