

Norton online virus scan found these - can you help me remove them?


18 replies to this topic

#1 burnselk (Members, 19 posts)

Posted 09 October 2009 - 06:52 AM

My daughter's computer has been VERY slow in loading the desktop and task bar icons when turned on. Yesterday evening I ran a scan using Norton's Free Online Virus scan. Below is what it found:

C:\qacUgwXx.bat is infected with Trojan Horse
C:\rVd.bat is infected with Trojan Horse
C:\VFZHp.bat is infected with Trojan Horse
C:\Documents and Settings\Maggie Pettigrew\Local Settings\Temporary Internet Files\Content.IE5\7VXETQ2U\Soft_16[2].exe is infected with Packed.Generic.187
C:\Documents and Settings\Maggie Pettigrew\Local Settings\Temporary Internet Files\Content.IE5\7VXETQ2U\Soft_16[3].exe is infected with Packed.Generic.187
C:\Documents and Settings\Maggie Pettigrew\Local Settings\Temporary Internet Files\Content.IE5\7VXETQ2U\Soft_16[4].exe is infected with Packed.Generic.187
C:\Documents and Settings\Maggie Pettigrew\Local Settings\Temporary Internet Files\Content.IE5\7VXETQ2U\Soft_16[5].exe is infected with Packed.Generic.187

But unlike bitdefender and eset's online scanners, Norton did not offer an option to remove these viruses short of buying their program......at least not that I could find. Here's their website where the viruses were reported after the scan:

http://security.symantec.com/sscv6/vc_resu...GCQH&bhcp=1

I'd really like to remove these 7 viruses if at all possible. Can someone help me please?

She's running Windows XP Home and IE 8.0 on her older Dell computer (DIM2400 with 768 of RAM). She's also running Avast free.


#2 quietman7 (Bleepin' Janitor, Global Moderator, 50,942 posts, Virginia, USA)

Posted 09 October 2009 - 07:41 AM

Please download OTM by OldTimer and save to your Desktop.
  • Double-click on OTM.exe to launch the program. (If using Windows Vista, be sure to Run As Administrator)
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the code box and press CTRL+C or right-click and choose Copy.
:Processes
explorer.exe

:Services

:Reg

:Files
C:\qacUgwXx.bat
C:\rVd.bat
C:\VFZHp.bat 

:Commands
[emptytemp]
[start explorer]
[Reboot]
  • Return to OTM, right-click in the open text box labeled "Paste Instructions for Items to be Moved" (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. After the reboot, open Notepad, click File > Open, in the File Name box type *.log and press the Enter key. Navigate to the C:\_OTM\MovedFiles folder, open the newest .log file and copy/paste the contents in your next reply. If not asked, reboot anyway.

Caution: Be careful of what you copy and paste with this tool. OTM is a powerful program, designed to move highly persistent files and folders and is intended by the developer to be used under the guidance and supervision of a trained malware removal expert.


Please download Norman Malware Cleaner and save to your desktop.
alternate download link
  • Be sure to print out the instructions provided on the same page.
  • Restart your computer in "Safe Mode".
  • Double-click on Norman_Malware_Cleaner.exe to start the program.
  • Read the End User License Agreement and click the Accept button to open the scanning window.
  • Click Start Scan to begin.
  • In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot and run the tool again to ensure that all infections are removed.
  • After the scan has finished, a log file with the date (i.e. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.
Note: For USB flash drives and/or other removable drives to scan, use the Add button to browse to the drive's location, click on the drive to highlight it and choose Ok.

Please download Malwarebytes Anti-Malware (v1.41) and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 burnselk (Topic Starter)

Posted 09 October 2009 - 10:13 AM


I was told to reboot when OTM finished running. After the boot, I have a blue screen and a "Open File - Security Warning" dialog box asking me to Run or Cancel OTM.exe. I cannot view notepad until I take some sort of action at this point.

Please advise me what to do. Thank you quietman7.....I really appreciate your help on this.

I'm using another computer to send this.......

Edited by burnselk, 09 October 2009 - 10:17 AM.


#4 tman 1 (Members, 22 posts, LA)

Posted 09 October 2009 - 11:20 AM

use Malwarebytes and Avira antivirus

#5 burnselk (Topic Starter)

Posted 09 October 2009 - 12:11 PM

use Malwarebytes and Avira antivirus


I have run Malwarebytes a dozen times before today, tman.

Where are you quietman7? I need your input to finish what we started this morning. I would appreciate hearing from you.


#6 quietman7 (Bleepin' Janitor, Global Moderator, 50,942 posts, Virginia, USA)

Posted 09 October 2009 - 12:41 PM

Please be patient. While I understand your frustration, staff members are all volunteers and we assist other members as well as you when time permits. We have jobs in the real world and families so we are not logged into the forums all day long.

Open file - security warning: Publisher could not be verified...
How to fix Publisher could not be verified message in Vista

Edited by quietman7, 09 October 2009 - 12:42 PM.


#7 burnselk (Topic Starter)

Posted 09 October 2009 - 01:31 PM

Please be patient. While I understand your frustration, staff members are all volunteers and we assist other members as well as you when time permits. We have jobs in the real world and families so we are not logged into the forums all day long.

Open file - security warning: Publisher could not be verified...
How to fix Publisher could not be verified message in Vista


Thank you quietman7, I do understand. I am a patient person. Sorry if I led you to think otherwise.

#8 burnselk (Topic Starter)

Posted 10 October 2009 - 12:59 PM

quietman7, is this what you wanted me to post from the OTM run?

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\qacUgwXx.bat moved successfully.
C:\rVd.bat moved successfully.
C:\VFZHp.bat moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Administrator.DF8G1641
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Administrator.DF8G1641.000
->Temp folder emptied: 323600 bytes
->Temporary Internet Files folder emptied: 7398900 bytes
->FireFox cache emptied: 10194729 bytes

User: All Users

User: Annie &MAggie
->Temp folder emptied: 329714 bytes
->Temporary Internet Files folder emptied: 134 bytes
->Java cache emptied: 215280 bytes

User: Casey Pettigrew

User: Chris Pettigrew
->Temp folder emptied: 15159917 bytes
->Temporary Internet Files folder emptied: 16583964 bytes
->Java cache emptied: 13425503 bytes
->FireFox cache emptied: 58003059 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Guest
->Temp folder emptied: 533083 bytes
->Temporary Internet Files folder emptied: 21226083 bytes
->Java cache emptied: 75002080 bytes
->FireFox cache emptied: 37793172 bytes

User: Jed Pettigrew

User: Jeni Pettigrew
->Temp folder emptied: 4230820 bytes
->Temporary Internet Files folder emptied: 71241877 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 37242918 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 9422537 bytes
->Java cache emptied: 235600 bytes

User: LogMeInRemoteUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Maggie Pettigrew
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 132885663 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\PJL932YM\33tCANFK4NW.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\PJL932YM\33tCAVJCB2V.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\PJL932YM\33t[10].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\PJL932YM\33t[11].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BLIYH4BB\33tCA9JVTTE.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BLIYH4BB\33tCAQLZZUB.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BLIYH4BB\33t[10].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BLIYH4BB\33t[11].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\54F59LSW\33tCA2KUNX2.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\54F59LSW\33tCAWGTN84.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\54F59LSW\33t[10].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\54F59LSW\33t[11].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\45UZ8XMV\33tCAQE901W.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\45UZ8XMV\33t[10].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\45UZ8XMV\33t[11].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\45UZ8XMV\33t[9].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 1471897 bytes

C:\GLF32.tmp folder deleted successfully.
C:\~QTWTMP.TMP folder deleted successfully.
%systemdrive% .tmp files removed: 9709079 bytes
%systemroot% .tmp files removed: 39097 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_584.dat scheduled to be deleted on reboot.
Windows Temp folder emptied: 565821 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 499.19 mb


OTM by OldTimer - Version 3.0.0.6 log created on 10092009_093349

Files moved on Reboot...
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\PJL932YM\33tCANFK4NW.htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\PJL932YM\33tCAVJCB2V.htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\PJL932YM\33t[10].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\PJL932YM\33t[11].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BLIYH4BB\33tCA9JVTTE.htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BLIYH4BB\33tCAQLZZUB.htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BLIYH4BB\33t[10].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BLIYH4BB\33t[11].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\54F59LSW\33tCA2KUNX2.htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\54F59LSW\33tCAWGTN84.htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\54F59LSW\33t[10].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\54F59LSW\33t[11].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\45UZ8XMV\33tCAQE901W.htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\45UZ8XMV\33t[10].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\45UZ8XMV\33t[11].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\45UZ8XMV\33t[9].htm moved successfully.
File C:\WINDOWS\temp\_avast4_\Webshlock.txt not found!
File C:\WINDOWS\temp\Perflib_Perfdata_584.dat not found!

Registry entries deleted on Reboot...

#9 quietman7 (Bleepin' Janitor, Global Moderator, 50,942 posts, Virginia, USA)

Posted 10 October 2009 - 01:14 PM

Looks like you don't empty your temp files too often.

After rebooting, continue with the instructions for scanning with Norman Malware Cleaner and Malwarebytes Anti-Malware, then post those logs.

#10 burnselk (Topic Starter)

Posted 10 October 2009 - 02:41 PM

Looks like you don't empty your temp files too often.

This doesn't make sense, I've run CCleaner numerous times??????

After rebooting, continue with the instructions for scanning with Norman Malware Cleaner and Malwarebytes Anti-Malware, then post those logs.


I'm running "Norman" in Safe Mode right now......will repeat in normal mode then will run Malwarebytes again.

A defrag seemed to help some but it still takes far too long for the desktop and task bar icons to load once I click on the users name. But once I get into a browser (IE or Firefox) things seem to come up in a decent time (Firefox seems faster) for this machine. But I believe there's still something slowing it down.

#11 burnselk (Topic Starter)

Posted 10 October 2009 - 03:16 PM

Below are the results of my first "Norman" run.......in Safe Mode.

Norman Malware Cleaner
Version 1.5.0.5
Copyright 1990 - 2009, Norman ASA. Built 2009/10/09 03:55:55

Norman Scanner Engine Version: 6.01.09
Nvcbin.def Version: 6.01.00, Date: 2009/10/09 03:55:55, Variants: 4017892

Scan started: 10/10/2009 14:26:19

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Home 5.1.2600(Safe mode with network) Service Pack 3
Logged on user: DF8G1641\Administrator



Scanning running processes and process memory...

Number of processes/threads found: 1295
Number of processes/threads scanned: 1295
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 26s


Scanning file system...

Scanning: C:\*.*

C:\Documents and Settings\Chris Pettigrew\My Documents\HJT\backups\backup-20081126-004439-383.dll (Infected with W32/Megasearch.T)
Deleted file

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0003371.exe (Infected with W32/Virtumonde.CYPF)
Deleted file


Running post-scan cleanup routine:

Number of files found: 109546
Number of archives unpacked: 0
Number of files scanned: 109536
Number of files not scanned: 10
Number of files skipped due to exclude list: 0
Number of infected files found: 2
Number of infected files repaired/deleted: 2
Number of infections removed: 2
Total scanning time: 1h 21m 45s

#12 quietman7 (Bleepin' Janitor, Global Moderator, 50,942 posts, Virginia, USA)

Posted 10 October 2009 - 10:21 PM

If your system is slow to load, you may have too many applications loading at startup when Windows boots. Almost all applications you install want to start up when Windows loads. If you allow all these startups, they will compete for and use system resources, resulting in poor performance and a slow system. Many of these programs are not needed, and disabling them can save resources and improve performance, as they can be started from Start > Programs or an icon on the desktop. Other reasons for slowness include disk fragmentation, disk errors, corrupt system files, unnecessary services running, not enough RAM, dirty hardware components, etc. As your system gets older it becomes filled with more files/programs and has a natural tendency to slow down, so cleaning and regular maintenance is essential. For more information about trimming down the number of startup applications and other ways to improve performance, please refer to Slow Computer/Browser? Check here first; it may not be malware.

If you are unsure what any of the program entries are or if they are safe to disable, search the name using Google or the following databases:

Optimizing FireFox:

Note: Due to the way Firefox caches pages it will use more RAM the longer the browser is open. Closing and restarting more often will clear that out and should lower your resource usage dramatically.

Tweaks to make Firefox render pages quickly:

#13 burnselk (Topic Starter)

Posted 11 October 2009 - 01:12 AM

MBAM log report follows: This doesn't look so good.

Malwarebytes' Anti-Malware 1.41
Database version: 2938
Windows 5.1.2600 Service Pack 3 (Safe Mode)

10/10/2009 7:04:41 PM
mbam-log-2009-10-10 (19-04-08).txt

Scan type: Quick Scan
Objects scanned: 171048
Time elapsed: 14 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\SafetyCenter (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SfX (Rootkit.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\ddnsfilter (Trojan.DNSChanger) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\DDnsFilter (Trojan.DNSChanger) -> No action taken.
C:\Program Files\SafetyCenter (Trojan.SafetyCenter) -> No action taken.

Files Infected:
C:\Program Files\SafetyCenter\main.ico (Trojan.SafetyCenter) -> No action taken.
C:\Program Files\SafetyCenter\sound.wav (Trojan.SafetyCenter) -> No action taken.
C:\WINDOWS\hpm2.dat (KoobFace.Trace) -> No action taken.
C:\WINDOWS\fdgg34353edfgdfdf (KoobFace.Trace) -> No action taken.
C:\WINDOWS\nlmark2.dat (KoobFace.Trace) -> No action taken.
C:\WINDOWS\0535251103110107106.yux (KoobFace.Trace) -> No action taken.
C:\WINDOWS\0101120101464950.xe (KoobFace.Trace) -> No action taken.
C:\WINDOWS\0101120101465149.xe (KoobFace.Trace) -> No action taken.
C:\WINDOWS\0101120101465154.xe (KoobFace.Trace) -> No action taken.
C:\WINDOWS\0101120101465249.xe (KoobFace.Trace) -> No action taken.
C:\WINDOWS\0101120101465349.xe (KoobFace.Trace) -> No action taken.
C:\WINDOWS\0101120101465449.xe (KoobFace.Trace) -> No action taken.
C:\WINDOWS\b4657.dat (Worm.KoobFace) -> No action taken.
C:\WINDOWS\tgmark2.dat (Worm.KoobFace) -> No action taken.

And the second MBAM scan log:

Malwarebytes' Anti-Malware 1.41
Database version: 2939
Windows 5.1.2600 Service Pack 3

10/11/2009 1:08:52 AM
mbam-log-2009-10-11 (01-08-52).txt

Scan type: Quick Scan
Objects scanned: 172535
Time elapsed: 2 hour(s), 11 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b8c60d42-9881-11de-b7c5-cd5255d89593} (Rogue.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
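The two logs above read very differently once you look at the last field of each entry: in the first, every detection ends in "No action taken" (MBAM listed it but removed nothing), while in the second the single entry was quarantined. The following parser is an added example, not code from this thread, from the helper or from Malwarebytes; it reads the MBAM 1.x log layout posted above, reports what was removed versus left behind, and cross-checks the summary counts at the top of the log against the entries listed, which catches an incomplete paste. The embedded excerpts are taken from the two logs in this post, with the first deliberately cut down to two file entries so that check has something to flag.

```python
import re
from collections import Counter

SECTION_RE = re.compile(r"^(.+ Infected):$")           # "Registry Keys Infected:"
HEADER_RE = re.compile(r"^([A-Za-z' ]+): (.*)$")        # "Database version: 2938"
# "<item> (<family>) [-> <detail>] -> <action>."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\)(?P<tail>(?: -> .+)+)$")


def parse_mbam_log(text):
    """Return (header, detections): the "Key: value" lines at the top of the
    log (which include the per-section summary counts) and one dict per
    detection with its section, item, family and final action."""
    header, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None:
            m = HEADER_RE.match(line)
            if m:
                header[m.group(1)] = m.group(2)
            continue
        m = ENTRY_RE.match(line)     # "(No malicious items detected)" never matches
        if m:
            steps = [p for p in m.group("tail").split(" -> ") if p]
            detections.append({"section": section, "item": m.group("item"),
                               "family": m.group("family"),
                               "action": steps[-1].rstrip(".")})
    return header, detections


def pending_detections(detections):
    """Entries ending in "No action taken": detected, but still on the system."""
    return [d for d in detections if d["action"] == "No action taken"]


def summary_mismatches(header, detections):
    """Summary counts at the top of the log versus entries actually listed.
    A difference usually means the log was pasted incomplete, which is why
    the helper asks for the complete log including the top portion."""
    found = Counter(d["section"] for d in detections)
    return {k: (int(v), found[k]) for k, v in header.items()
            if k.endswith(" Infected") and v.isdigit() and int(v) != found[k]}


def review(text):
    """Per-log verdict: detected, removed, left behind, and paste completeness."""
    header, detections = parse_mbam_log(text)
    return {"database": header.get("Database version"),
            "detections": len(detections),
            "removed": sum(d["action"].startswith("Quarantined") for d in detections),
            "pending": len(pending_detections(detections)),
            "families": Counter(d["family"] for d in detections).most_common(),
            "mismatches": summary_mismatches(header, detections)}


# Excerpt of the first log above, truncated to two of the 14 file entries.
LOG_1 = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2938
Windows 5.1.2600 Service Pack 3 (Safe Mode)

Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\SafetyCenter (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SfX (Rootkit.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\ddnsfilter (Trojan.DNSChanger) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\WINDOWS\hpm2.dat (KoobFace.Trace) -> No action taken.
C:\WINDOWS\b4657.dat (Worm.KoobFace) -> No action taken.
"""

# Excerpt of the second log above, where the one detection was quarantined.
LOG_2 = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2939
Windows 5.1.2600 Service Pack 3

Registry Keys Infected: 1
Files Infected: 0

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b8c60d42-9881-11de-b7c5-cd5255d89593} (Rogue.Agent) -> Quarantined and deleted successfully.
"""
```

Running review() over both excerpts reports six pending and zero removed detections for the first (with a 14-versus-2 mismatch on "Files Infected") and one removed, none pending and no mismatches for the second.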

#14 burnselk (Topic Starter)

Posted 11 October 2009 - 01:34 AM

This "Norman" scan was done before the two MBAM scans. See log below:

Norman Malware Cleaner
Version 1.5.0.5
Copyright 1990 - 2009, Norman ASA. Built 2009/10/09 03:55:55

Norman Scanner Engine Version: 6.01.09
Nvcbin.def Version: 6.01.00, Date: 2009/10/09 03:55:55, Variants: 4017892

Scan started: 10/10/2009 14:26:19

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Home 5.1.2600(Safe mode with network) Service Pack 3
Logged on user: DF8G1641\Administrator



Scanning running processes and process memory...

Number of processes/threads found: 1295
Number of processes/threads scanned: 1295
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 26s


Scanning file system...

Scanning: C:\*.*

C:\Documents and Settings\Chris Pettigrew\My Documents\HJT\backups\backup-20081126-004439-383.dll (Infected with W32/Megasearch.T)
Deleted file

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0003371.exe (Infected with W32/Virtumonde.CYPF)
Deleted file


Running post-scan cleanup routine:

Number of files found: 109546
Number of archives unpacked: 0
Number of files scanned: 109536
Number of files not scanned: 10
Number of files skipped due to exclude list: 0
Number of infected files found: 2
Number of infected files repaired/deleted: 2
Number of infections removed: 2
Total scanning time: 1h 21m 45s

#15 quietman7 (Bleepin' Janitor, Global Moderator, 50,942 posts, Virginia, USA)

Posted 11 October 2009 - 06:17 AM

How is your computer running now? Are there any more reports/alerts, signs of infection or issues with your browser?