Can't access Internet, virus protection disabled, think I have a virus


  • This topic is locked
17 replies to this topic

#1 scouter
  • Members
  • 41 posts

Posted 27 June 2009 - 06:03 PM

My computer is a very old, very “full” one running Windows XP Home Edition version 5.1.2600 with Service Pack 2.0. About 6 months ago, my computer quit working, and I had a new hard drive put in, but the technician partitioned it. I am very computer illiterate, so I’ve just been managing with the part of the hard drive that had my files on it so my Drive C has an error message of “Low Disk Space” flashing on the lower right of my desktop. I also have a 1 TB Maxtor External Hard Drive which we just got a couple of months ago. We attempted to back up my computer to the external hard drive right after we got it, but I’m not sure we did it successfully.

I believe I have a virus, but I don't know what it is on my home computer. Several weeks ago, my home computer was attacked repeatedly, but NIS 2009 blocked it over & over again. However, a virus was detected and removed later that day. Also, a week or so later, my son downloaded some stuff from the Internet.

My computer began acting up & I couldn't access the Internet. These are the steps I’ve attempted so far:
  • I restarted the computer several times with no change.
  • I attempted to use System Restore, but the computer wouldn’t reset to any of the dates I tried.
  • I attempted to uninstall & then reinstall NIS 2009. I got the following message at one point: The file “Sym\M.sys” on Symantec Network Driver Disk is needed. Type the path where the file is located, and then click OK. Copy files from: Files\NortonInternetSecurity\Engine\16.5.0135\Sym\M. I clicked “OK” and my computer did nothing so I clicked “Ignore” or something like that. I then got the message “Sonar Advanced Protection failed to load.” I turned the SONAR protection on manually, but it still didn’t work.
  • I have contacted Bleeping Computers several times & performed the steps I’ve been given successfully in the past, so I went back & looked for some of the programs I’ve been instructed to use in the past such as Spybot S & D. I had deleted them from my computer though, so I used a very old laptop we have to access the Internet & downloaded the start up files for the latest version of Spybot S & D to a CD & attempted unsuccessfully to install it on my home computer. When I attempted to install it, I put the set up files on my Desktop & attempted to install from there. I got an “error sending message” & this popped up too “The server name on address could not be resolved.” I could choose to either “retry” or “cancel.” I clicked on “retry” but it didn’t work so I clicked “ignore.” However, I still couldn’t install it.
  • I did still have Spyware Blaster installed on my computer, but the last database loaded was 1-28-08. I did go ahead & run it and it didn’t come up with anything, but then with the database being so old, it probably wouldn’t anyway.
  • I also went ahead and finally agreed to update to Windows Internet Explorer 8 so I could use its malicious software checker. It didn’t catch anything though. I guess that update had been on my computer or something waiting for me to go ahead & download it as I don’t understand how I was able to download it if I can’t access the Internet.
  • This week I called Symantec & spent 45 minutes online to India with their tech guy who had me do a lot of steps. He finally had me uninstall NIS 2009, and had me try & access the Internet which was still unsuccessful. He instructed me to contact my ISP & have them reset the Internet connection, and then after that, I was supposed to call Symantec back.
  • When I called my ISP, they attempted to reset the internet connection and had me do a lot of steps to check my computer and something called “Ping” pong & said something about only half of my Internet Connection was getting through. They told me that I had a virus. I was instructed to either reformat my computer or to take it to a PC Technician.
  • Since I still can’t access the internet, I haven’t called Symantec back.
I do not want to have to reformat my computer because I have 8 years of volunteer work on my computer as well as digital pictures, etc. My husband backed up all of our pictures to CD’s before we attempted to do the external hard drive back up thankfully. Still who wants to lose all their hard work you know?

Currently, I do not have my computer connected to the Internet at all. We have a splitter so that you can access the Internet in other parts of the house, so my husband’s and son’s computers are working just fine, so it’s just my computer that is having problems. My ISP is also our cable provider, and the cable works just fine too.

I would appreciate it if someone could please give me some direction on what to do. Also, remember that I am computer illiterate, so please be gentle. :thumbsup: Thanks in advance! Scouter


#2 rigel
  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 27 June 2009 - 08:32 PM

Hi scouter and welcome to BC :thumbsup:

We are going to have to download files and transfer them to the infected computer. Let's start with malwarebytes. You will have to transfer it and its updates and then install them on the infected machine. Also, rename the .exe installer file to qwerty.com. Install the program and then add the updates. Here is the procedure...

The process of cleaning your computer may require temporarily disabling some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

If you have any problems, please let us know.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." – Will Smith


#3 scouter
  • Topic Starter
  • Members
  • 41 posts

Posted 28 June 2009 - 09:17 PM

Hi Rigel. Thanks for your help!! Okay, I attempted to follow your instructions, but the MalwareBytes Anti-Malware program did not start. Normally, I print out ALL of the instructions I'm given to make sure I follow the Bleeping Computer person's instructions exactly so I don't make a mistake, but I don't currently have printer access. (I have a huge binder with 2 inches of BC instructions I've printed out in the past. Remember I told you I'm seriously computer illiterate! LOL.) So Let me review what I did to make sure I didn't do something wrong.
  • Regarding "temporarily disabling some security programs to clean my computer." First, I turned the Windows Firewall off on the infected computer. I don't have my Norton Internet Security 2009 program installed right now, and I was unable to download Spybot S&D the other day, so I figured I was ready to begin with your instructions.
  • Then, using another computer, I downloaded MalwareBytes & the updates to a CD remembering to change both names to "qwerty.com" and the updates to "qwerty-rules.com".
  • Then I took the CD to the infected computer & put the files on the desktop & double-clicked on the "qwerty.com" Malware Bytes Anti-Malware to begin installation.
  • I followed the prompts & didn't change any of the default settings.
  • After installation, I unchecked the "Update Malwarebytes' Anti-Malware" box since I am not currently connected to the Internet, but I left the "Launch Malwarebytes' Anti-Malware" box checked, and clicked "Finish".
    The program did not automatically start however.
  • Then I double-clicked on the "qwerty-rules.com" to load the updates to the Malware Bytes Anti-Malware program.
  • However, the program still didn't start.
  • I went to the desktop and double-clicked on the Malware Bytes Anti-Malware Icon, but the program still didn't start.
By the way, this same thing happened when I attempted to install the Spybot S & D previously, so I assumed the virus was preventing me from installing the program.

Can you tell me if I did something wrong or what else I can do please?

Thanks so much for taking the time to help me! I really appreciate it. Scouter

#4 rigel
  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 28 June 2009 - 09:32 PM

No scouter, you did fine. Your infection is preventing certain things. Let's try this and we will return to Malwarebytes.

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial - Self Help guide can be found here if needed.: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C Drive (Or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.



#5 scouter
  • Topic Starter
  • Members
  • 41 posts

Posted 05 July 2009 - 01:25 AM

Hi Rigel--thanks again for your help! I was able to install RootRepeal to the Desktop of my infected computer; however, I couldn't get it to run.
I received the following messages:
  • Initializing, please wait . . .
  • Windows Virtual memory too low, increasing virtual memory.
  • MSVisual Ctt Runtime Library Runtime Error!
  • Program: C:\ProgramFiles\Symantec\LiveUpdate\AluSchedulerSvc.exe
  • This application has requested the Runtime to terminate it in an unusual way. Please contact the applications support team for more information.
  • I clicked OK.
  • Then I went in and deleted the Symantec LiveUpdate file that I guess was left over from where the Symantec tech had me uninstall NIS 2009 the other day.
  • Next I deleted some more stuff from my computer, and the Low Disk Space on Drive C icon that was flashing disappeared.

I tried starting RootRepeal again. This time, I got the following messages:
  • Initializing, please wait . . .
  • Windows Virtual Memory too low, increasing virtual memory.
  • SyncServices.exe-Application error.
  • The exception unknown software exception (0x4000001S) occurred in the application at location 0x781346b4.
  • Click on OK to terminate the program. So I clicked OK.
  • I noticed also at this point that the icon for my Maxtor External Hard Drive, which is normally red, was now gray which indicates that the program is not working correctly.
I restarted my computer & deleted some more files.
Then I tried RootRepeal several more times, again with these same results. When I restarted my computer though, the Maxtor External Hard Drive icon would be red again, indicating that it was now working correctly, but it would turn gray each time I tried starting RootRepeal.

I know next to nothing about computers, but let me ask you this. Remember I told you my hard drive C is partitioned into I think C & E. Drive E is not formatted though because that was how the guy who replaced my former "broken" hard drive left it when he installed the new one. I have been scared to try & format it to be able to use it because I didn't know exactly how to format it. When I got to a point with my volunteer work where I could spare my computer, he was going to attempt to unpartition it for me so I could just use it as Drive C. But, would it maybe be possible for me to format the Drive E & install RootRepeal on Drive E & run it from there or would the virus probably then just also attack Drive E????? Or would that even work? Just a thought.

Is there something else I can try?

Thanks once again for your time & valuable knowledge and assistance!

Scouter :thumbsup:

#6 rigel
  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 05 July 2009 - 04:48 PM

Since the drive is unformatted, I don't feel it would be infected. Let's try another program and then revisit RootRepeal.

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm



#7 scouter
  • Topic Starter
  • Members
  • 41 posts

Posted 05 July 2009 - 07:29 PM

Yea! SmitFraudFix worked. Here is the rapport file. Thanks! Scouter

SmitFraudFix v2.423

Scan done at 19:05:28.60, Sun 07/05/2009
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Ultra MP4 Converter\groupmanager.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\ituness\iTunesHelper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Policies.exe
C:\WINNT\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

C:\WINNT\logo.gif FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINNT\\system32\\userinit.exe"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.112.7,85.255.112.88
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.112.7,85.255.112.88
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.112.7,85.255.112.88


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
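The DNS section of the report above is the part a defender should look at hardest: the same two name servers are hard-coded under CCS, ControlSet1 and ControlSet2, so the setting survives a "Last Known Good" boot, and neither address belongs to the home network. SmitfraudFix prints these values but leaves the judgement to the reader. The script below is an added example, not part of the thread and not code from SmitfraudFix's author: it splits a search report into its `»»»` sections, collects the paths marked `FOUND !`, and flags every configured resolver that is neither a private/loopback address nor in an operator-supplied trusted list. `SAMPLE_REPORT` is a constructed, shortened excerpt of the report posted above, and `TRUSTED_RESOLVERS` is an assumed placeholder for what the ISP really assigns by DHCP.

```python
"""Pick the DNS and FOUND indicators out of a SmitfraudFix search report.

Added example for this thread; not part of SmitfraudFix and not code posted
by anyone in the thread. The layout parsed here (section headers made of
'»' characters, 'NameServer=' lines under the DNS section, 'FOUND !' after a
suspicious path) is taken from the report above. SAMPLE_REPORT is a
constructed excerpt of that report; TRUSTED_RESOLVERS is an assumption.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List

# Constructed excerpt of the report posted above (same layout, shortened).
SAMPLE_REPORT = r"""SmitFraudFix v2.423

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

C:\WINNT\logo.gif FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINNT\\system32\\userinit.exe"

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.112.7,85.255.112.88
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.112.7,85.255.112.88
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.112.7,85.255.112.88

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

# Assumption: the resolver(s) the ISP/router hands out by DHCP on this network.
TRUSTED_RESOLVERS = {"192.168.0.1"}

SECTION_RE = re.compile(r"^»+\s*(?P<name>.+?)\s*$")
NAMESERVER_RE = re.compile(r"^(?P<key>HKLM\\[^:]+):\s*NameServer=(?P<servers>.*)$")


def split_sections(report: str) -> Dict[str, List[str]]:
    """Group non-empty report lines under the »»» header that precedes them."""
    sections: Dict[str, List[str]] = defaultdict(list)
    current = "Header"
    for line in report.splitlines():
        match = SECTION_RE.match(line)
        if match:
            current = match.group("name")
            continue
        if line.strip():
            sections[current].append(line.rstrip())
    return dict(sections)


def found_files(sections: Dict[str, List[str]]) -> List[str]:
    """Paths that SmitfraudFix marked 'FOUND !' in any directory section."""
    marker = "FOUND !"
    return [line[: -len(marker)].strip()
            for lines in sections.values()
            for line in lines if line.endswith(marker)]


def nameserver_entries(sections: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each Tcpip\\Parameters key to its hard-coded NameServer list."""
    entries: Dict[str, List[str]] = {}
    for line in sections.get("DNS", []):
        match = NAMESERVER_RE.match(line)
        if match:
            servers = [s.strip() for s in match.group("servers").split(",") if s.strip()]
            entries[match.group("key")] = servers
    return entries


def suspicious_resolvers(entries: Dict[str, List[str]],
                         trusted=TRUSTED_RESOLVERS) -> List[str]:
    """Resolvers that are neither private/loopback nor in the trusted set.

    A statically configured public resolver on a DHCP client deserves review;
    the same value under CCS and the numbered ControlSets means it would also
    survive a 'Last Known Good' boot. Unparseable values are flagged too.
    """
    flagged = set()
    for servers in entries.values():
        for server in servers:
            if server in trusted:
                continue
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                flagged.add(server)
                continue
            if not (ip.is_private or ip.is_loopback):
                flagged.add(server)
    return sorted(flagged)


def analyse(report: str) -> dict:
    """Full pass over one report: FOUND paths, DNS keys seen, flagged resolvers."""
    sections = split_sections(report)
    entries = nameserver_entries(sections)
    return {
        "found_files": found_files(sections),
        "nameserver_keys": sorted(entries),
        "suspicious_resolvers": suspicious_resolvers(entries),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run against the constructed excerpt it reports `C:\WINNT\logo.gif` as the one FOUND path and both 85.255.112.x addresses as resolvers to review; whether a flagged server is actually rogue is still the analyst's call, which is why the trusted list is a parameter rather than a guess baked into the code.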

#8 rigel
  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 05 July 2009 - 08:12 PM

Did you run option 2?

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report.
The report can also be found at the root of the system drive, usually at C:\rapport.txt



#9 scouter
  • Topic Starter
  • Members
  • 41 posts

Posted 06 July 2009 - 01:25 AM

I initially ran & posted Option 1 per your instructions. I have now run Option 2. Below is the SmitFraudFix report from Option 2.
  • I should also tell you that under my Program Files there is a file called "popcornTerms.html" left over from a previous virus/spyware (?) infection circa 2006, that Bleeping Computers expert Buckeye Sam helped me with. If I try & delete that file, it loads whichever virus or spyware again that was associated with it. Whatever problem that I was having with my computer at the time, did not reappear, so I haven't messed with the file since that time.
Thanks so much! Scouter



SmitFraudFix v2.423

Scan done at 0:22:20.25, Mon 07/06/2009
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
...

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINNT\logo.gif Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.112.7,85.255.112.88
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.112.7,85.255.112.88
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.112.7,85.255.112.88


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK.2



»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

#10 rigel
  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 06 July 2009 - 06:54 AM

Our next step...

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.



#11 scouter
  • Topic Starter
  • Members
  • 41 posts

Posted 06 July 2009 - 07:55 PM

Hi Rigel,

I forgot to tell you in my last post, that I noticed something peculiar after I started my computer in Safe Mode and ran SmitFraudFix.
  • I noticed some changes in the clock that is in the Notification Area of my Desktop. At that time, it looked like it was counting time by seconds.
  • When I rebooted the computer into Normal Mode , after SmitFraudFix was complete, the clock was then showing the correct time.
  • Today, after running SDFix, I now notice that the clock is messed up again where it is showing time in the military format.
I downloaded, installed, & ran SDFix successfully. It did find & delete a trojan. :thumbsup:

Following is the SDFix report.

Thanks very much! Scouter


SDFix: Version 1.240
Run by Owner on Mon 07/06/2009 at 12:44

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINNT\MSBBI.EXE - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 13:24:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINNT\system32\config\system, 1381
scanning hidden registry entries ...

disk error: C:\WINNT\system32\config\software, 1381
disk error: C:\Documents and Settings\Owner\ntuser.dat, 1381
scanning hidden files ...

disk error: C:\WINNT\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\My Music\\iPhone Tunnel Suite 2.7 BETA\\iPhone Tunnel Suite 2.7.exe"="C:\\My Music\\iPhone Tunnel Suite 2.7 BETA\\iPhone Tunnel Suite 2.7.exe:*:Enabled:iPhone Tunnel Suite 2.7"
"C:\\My Music\\New Folder\\iPhone Tunnel Suite 2.7 BETA\\iPhone Tunnel Suite 2.7.exe"="C:\\My Music\\New Folder\\iPhone Tunnel Suite 2.7 BETA\\iPhone Tunnel Suite 2.7.exe:*:Enabled:iPhone Tunnel Suite 2.7"
"G:\\uTorrent.exe"="G:\\uTorrent.exe:*:Enabled:æTorrent"
"G:\\Itunes, iphone\\uTorrent.exe"="G:\\Itunes, iphone\\uTorrent.exe:*:Enabled:æTorrent"
"H:\\uTorrent.exe"="H:\\uTorrent.exe:*:Enabled:æTorrent"
"F:\\uTorrent.exe"="F:\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\ituness\\iTunes.exe"="C:\\Program Files\\ituness\\iTunes.exe:*:Enabled:iTunes"
"F:\\Other\\uTorrent.exe"="F:\\Other\\uTorrent.exe:*:Enabled:æTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :


Finished!

#12 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:06:11 PM

Posted 06 July 2009 - 08:59 PM

Good. I am glad we are making headway. Please try to run Malwarebytes now. Let's get a log and go from there. Do you know how to reset the clock?

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. – Will Smith


#13 scouter

scouter
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:05:11 PM

Posted 06 July 2009 - 11:17 PM

Thanks for the quick reply. Unfortunately, I still can't run Malwarebytes.

Another thing I forgot to tell you is that I haven't been able to use the proper shut down feature from the "Start, then Turn Off" part of shutting down my computer since my computer became infected. I have to use the button on my CPU & hold it down to turn the computer off/restart it.

And no, I'm sorry, but I don't know how to reset the computer clock. I attempted to do that yesterday, but I couldn't figure it out. I was thinking (?) that this might also be another symptom of the infection, so I thought I'd mention it.

Oops! I also forgot to tell you that when I was running SmitFraudFix, the following message popped up:
C:\PROGRAM~1\Symantec\S32EVNT1.DLL. An installable Virtual Device Driver failed DLL initialization. Choose 'Close' to terminate the application or 'Ignore'.

I clicked close 4-5 times and the Close prompt disappeared, but then reappeared, and I clicked "close" another 9 times before it disappeared again, then reappeared, so I chose "Ignore" and then "Ignore" again when it popped up once more. Then SmitFraudFix went ahead & ran its program.


Sorry about those 2 slip ups! Thanks again!

Scouter

Edited by scouter, 06 July 2009 - 11:49 PM.


#14 scouter

scouter
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:05:11 PM

Posted 09 July 2009 - 12:23 AM

FYI:

In addition to MalwareBytes . . .

I also tried running RootRepeal again. I got the same message as before:

1. Initializing, please wait . . .
2. Windows Virtual Memory too low, increasing virtual memory.
3. Then it just hung up on that "Initializing, please wait" message again.

So I can't run either the MalwareBytes or the RootRepeal programs.

Thanks again! Scouter

#15 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:06:11 PM

Posted 09 July 2009 - 02:13 PM

I think the best thing I can do, at this point, is point you to the HJT forum. They have more advanced tools to aid in cleaning. I am sorry we couldn't clean this infection here. Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know. Best wishes - you are in good hands...

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. – Will Smith

