Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help!!! HTML/FakeAV


  • Please log in to reply
15 replies to this topic

#1 myPRONEpc

myPRONEpc

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:02:22 AM

Posted 16 November 2009 - 09:34 PM

Ok, so I've been cruzing along nicely. And I get a message about acrobat not being compatible. I wasn't using it at the time and saw the JAVA icon pop up in the bottom. So I go to use task manager, and it wont allow me. Turn off the pc, reboot and MCAfee come's up with "HTML/FakeAV". Needless to say, I'm pissed and I need your help fixing my problem. I'm getting all sorts of "activate this antivirus" popups. Please help....

OK, tried DDS and no go... I get an error message "Application cannot be executed. The file is corrupted. Please activate your antivirus software".

Gabe

Edited by myPRONEpc, 16 November 2009 - 09:36 PM.


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:22 AM

Posted 17 November 2009 - 08:26 AM

Please download Malwarebytes Anti-Malware (v1.41) and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- If Malwarebytes Anti-Malware results in any error messages, please refer to Fixes for common problems and Error Codes. Some issues with errors can be related to malware infection but others are not.

-- Some types of malware will disable Malwarebytes Anti-Malware and other security tools to keep them from running properly. If MBAM will not install, try renaming it first.
  • Right-click on the mbam-setup.exe file file and rename it to mysetup.exe. If that did not work, rename it explorer.exe.
  • Double-click on the renamed file to start the installation.
  • If that still did not work, then try changing the file extension. <- click this link if you do not see the file extension
    If using Windows Vista, refer to these instructions.
  • Right-click on explorer.exe and change the .exe extension to .scr, .com, .pif, or .bat.
  • Then double-click on explorer.com (or whatever extension you renamed it) to begin installation.
If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe and rename it to wuauclt.exe.
  • Double-click on wuauclt.exe to launch the program.
  • If that did not work, then change the .exe extension in the same way as noted above.
  • Double-click on wuauclt.com (or whatever extension you renamed it) to launch the program.
Note: If installation coninues to fail in normal mode, try installing and performing a Quick Scan in "safe mode". Doing this is usually not advised as MBAM is designed to be at full power when running in normal mode and loses some effectiveness for detection & removal when used in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Therefore, after completing a safe mode scan, reboot normally, uninstall MBAM, then reinstall it and perform another Quick Scan.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 myPRONEpc

myPRONEpc
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:02:22 AM

Posted 17 November 2009 - 10:58 AM

Thanks for the help Quietman7. Here's the Malwarebytes log


Malwarebytes' Anti-Malware 1.41
Database version: 3187
Windows 5.1.2600 Service Pack 3

11/17/2009 7:49:32 AM
mbam-log-2009-11-17 (07-49-32).txt

Scan type: Quick Scan
Objects scanned: 110226
Time elapsed: 12 minute(s), 23 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 8
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
C:\Program Files\AdvancedVirusRemover\AVR.exe (Rogue.Multiple) -> Unloaded process successfully.
C:\WINDOWS\system32\winupdate86.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AVR (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\fias4051 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advanced virus remover (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\AdvancedVirusRemover (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AdvancedVirusRemover\AVR.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winupdate86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper86.dll (Trojan.Fakeinit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gabe\Local Settings\temp\itOn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gabe\Local Settings\Temporary Internet Files\Content.IE5\0KKHG8SS\cf4c1642ffd07ee0f0574c6a65a16d34[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gabe\Local Settings\Temporary Internet Files\Content.IE5\GA0E35X3\SetupAdvancedVirusRemover[2].exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gabe\Local Settings\Temporary Internet Files\Content.IE5\X8NDMHD9\dfghfghgfj[1].dll (Trojan.Fakeinit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:22 AM

Posted 17 November 2009 - 11:19 AM

Now rescan again with Malwarebytes Anti-Malware, but this time perform a Full Scan in normal mode and check all items found for removal. Don't forgot to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Please download and scan with Dr.Web CureIt - alternate download link.
Follow these instructions for performing a scan in "safe mode".
If you cannot boot into safe mode or complete a scan, then try doing it in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply. If you can't find the log, try to write down what was detected/removed before exiting Dr.WebCureIt so you can provide that information.

Then perform a scan with Eset Online Antiivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Insall ActiveX component.
  • A new window will appear asking "Do you want to install this software?"".
  • Answer Yes to download and install the ActiveX controls that allows the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to start. (please be patient as the scan could take some time to complete)
  • If offered the option to get information or buy software. Just close the window.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
  • Click Posted Image > Run..., then type or copy and paste everything in the code box below into the open dialogue box:
    C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad. Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 myPRONEpc

myPRONEpc
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:02:22 AM

Posted 17 November 2009 - 10:19 PM

OK, here's the new Malwarebytes file

Malwarebytes' Anti-Malware 1.41
Database version: 3187
Windows 5.1.2600 Service Pack 3

11/17/2009 12:55:49 PM
mbam-log-2009-11-17 (12-55-49).txt

Scan type: Full Scan (C:\|F:\|G:\|)
Objects scanned: 306798
Time elapsed: 2 hour(s), 9 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{AC0AF988-1E8B-4DDB-960A-65D59CBCB525}\RP217\A0021206.dll (Trojan.Fakeinit) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AC0AF988-1E8B-4DDB-960A-65D59CBCB525}\RP217\A0021207.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AC0AF988-1E8B-4DDB-960A-65D59CBCB525}\RP217\A0021255.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AC0AF988-1E8B-4DDB-960A-65D59CBCB525}\RP217\A0021256.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AC0AF988-1E8B-4DDB-960A-65D59CBCB525}\RP217\A0021257.dll (Trojan.Fakeinit) -> Quarantined and deleted successfully.

Ran TFC, worked fine...
Tried Dr. Web, would restart itself in safe mode, so I ran the express one in normal mode, no virus, only thing that came up was a changed Host which was reset to default.
Eset Anti-virus get's hung up on initializing in IE. Asks for proxy config.

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:22 AM

Posted 18 November 2009 - 09:39 AM

Please download Norman Malware Cleaner and save to your desktop.
alternate download link
  • Be sure to print out the instructions provided on the same page.
  • Restart your computer in "Safe Mode".
  • Double-click on Norman_Malware_Cleaner.exe to start the program.
  • Read the End User License Agreement and click the Accept button to open the scanning window.
  • Click Start Scan to begin.
  • In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot and run the tool again to ensure that all infections are removed.
  • After the scan has finished, a log file with the date (i.e. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.
Note: For usb flash drives and/or other removable drives to scan, use the Add button to browse to the drives location, click on the drive to highlight and choose Ok.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 myPRONEpc

myPRONEpc
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:02:22 AM

Posted 18 November 2009 - 08:46 PM

Thanks, here's my Norman Malware Log


Norman Malware Cleaner
Version 1.5.0.5
Copyright 1990 - 2009, Norman ASA. Built 2009/11/18 00:07:39

Norman Scanner Engine Version: 6.03.02
Nvcbin.def Version: 6.03.00, Date: 2009/11/18 00:07:39, Variants: 4372455

Scan started: 18/11/2009 07:47:32

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600(Safe mode) Service Pack 3
Logged on user: PENA\Gabe

Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS = -> ""
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableTaskMgr = 0x00000000
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoActiveDesktopChanges = 0x00000000
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoActiveDesktopChanges = 0x00000000
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop -> NoChangingWallPaper = 0x00000000
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop -> NoChangingWallPaper = 0x00000000


Scanning running processes and process memory...

Number of processes/threads found: 937
Number of processes/threads scanned: 937
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 40s


Scanning file system...

Scanning: C:\*.*

C:\Documents and Settings\Gabe\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.48940 (Infected with LNK/FakeAV.N)
Deleted file

C:\Documents and Settings\Gabe\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.87459 (Infected with LNK/FakeAV.N)
Deleted file

C:\Program Files\Adobe\Illustrator 10\Support Files\Contents\Windows\Patch.exe (Infected with W32/Suspicious_Gen2.ASK)
Deleted file

C:\System Volume Information\_restore{AC0AF988-1E8B-4DDB-960A-65D59CBCB525}\RP217\A0021209.lnk (Infected with LNK/FakeAV.N)
Deleted file

C:\System Volume Information\_restore{AC0AF988-1E8B-4DDB-960A-65D59CBCB525}\RP218\A0021311.lnk (Infected with LNK/FakeAV.N)
Deleted file

C:\System Volume Information\_restore{AC0AF988-1E8B-4DDB-960A-65D59CBCB525}\RP218\A0021312.lnk (Infected with LNK/FakeAV.N)
Deleted file

C:\System Volume Information\_restore{AC0AF988-1E8B-4DDB-960A-65D59CBCB525}\RP218\A0023374.exe (Infected with W32/Suspicious_Gen2.ASK)
Deleted file

C:\WINDOWS\system32\spool\drivers\w32x86\3\E_DI06CE.DLL (Infected with W32/Virtumonde.dam)
Deleted file

C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_photo_821d1d\E_DI06CE.DLL (Infected with W32/Virtumonde.dam)
Deleted file

Scanning: F:\*.*

Scanning: C:\System Volume Information\*.*

C:\System Volume Information\_restore{AC0AF988-1E8B-4DDB-960A-65D59CBCB525}\RP218\A0023375.DLL (Infected with W32/Virtumonde.dam)
Deleted file

C:\System Volume Information\_restore{AC0AF988-1E8B-4DDB-960A-65D59CBCB525}\RP218\A0023376.DLL (Infected with W32/Virtumonde.dam)
Deleted file


Running post-scan cleanup routine:

Number of files found: 194234
Number of archives unpacked: 0
Number of files scanned: 194224
Number of files not scanned: 10
Number of files skipped due to exclude list: 0
Number of infected files found: 11
Number of infected files repaired/deleted: 11
Number of infections removed: 11
Total scanning time: 2h 44m 24s

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:22 AM

Posted 19 November 2009 - 07:59 AM

How is your computer running now? Are there any more reports/alerts, signs of infection or issues with your browser?
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 myPRONEpc

myPRONEpc
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:02:22 AM

Posted 19 November 2009 - 10:04 AM

No problems that I can see so far. Apps are opening up normally. Browser (firefox) seems normal. Are there any other steps to perform just to double check that everything is cool?
Thanks very much by the way.

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:22 AM

Posted 19 November 2009 - 10:22 AM

You can always get a second opinion by performing an Online Virus Scan.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Posted Image > Run... and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#11 myPRONEpc

myPRONEpc
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:02:22 AM

Posted 19 November 2009 - 10:38 AM

Cool, I'll run the online virus scan before I take off for work and then do as you suggested. I'll post any results later.

Thanks

#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:22 AM

Posted 19 November 2009 - 10:54 AM

Not a problem.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#13 myPRONEpc

myPRONEpc
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:02:22 AM

Posted 20 November 2009 - 10:04 AM

Ok, ran the online McAfee, it found this
C:\Documents and Settings\...\Quarantine\hosts Redirected HOSTS

So I ran my McAfee and got this...
11/20/2009 12:29:04 AM Cleaned Gabe ODS(Full Scan) c:\Documents and Settings\Gabe\DoctorWeb\Quarantine\hosts Redirected HOSTS (Potentially Unwanted Program)

Anything else I need to do before setting a new restoring point?

Also, my McAfee log had stuff like this....
12:22:30 AM Not scanned (The file is encrypted) c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TargetNet.zip
11/20/2009 12:22:30 AM Not scanned (The file is encrypted) c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ValueClick.zip
11/20/2009 12:22:30 AM Not scanned (The file is encrypted) c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip
11/20/2009 12:22:30 AM Not scanned (The file is encrypted) c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer.zip
11/20/2009 12:22:30 AM Not scanned (The file is encrypted) c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer1.zip
11/20/2009 12:22:30 AM Not scanned (The file is encrypted) c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer2.zip
11/20/2009 12:22:30 AM Not scanned (The file is encrypted) c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer3.zip
11/20/2009 12:22:30 AM Not scanned (The file is encrypted) c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer4.zip
11/20/2009 12:22:30 AM Not scanned (The file is encrypted) c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer5.zip

All in the spybot S&D, are these potential problems?

Thanks

#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:22 AM

Posted 20 November 2009 - 10:30 AM

The McAfee scan detected on Dr.Web's quarantine. When an anti-virus or security program quarantines a file by moving it into a virus vault (chest), that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it. One reason for doing this is to prevent deletion of a crucial file that may have been flagged as a "false positive" especially if the scanner uses heuristic analysis technology. Heuristics is the ability of a scanning program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware which allows the anti-virus to detect and stop if before doing any harm to your system. The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as suspicious or infected. If that is the case, then you can restore the file and add it to the exclusion or ignore list. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure. When the quarantined file is known to be malicious, you can delete it at any time.

Keep in mind, however, that if these files are left in quarantine, other scanning programs and security tools may flag them as a threat while in the quarantined area so don't be alarmed if you see such an alert as you just found out. Just delete the quarantined items and subsequent scans should no longer detect them.

Further a Potentially Unwanted Program (PUP) is a very broad threat category that can include any number of different programs to include those which are benign as well as malicious.I have not used Spybot S&D in ages but those findings appear to indicate encrypted zipped files not scanned in Spybots Recovery Feature.

It is not unusal for an anti-virus or anti-malware scanner to be suspicious of some compressed, archived, .cab and packed files because they have difficulty reading what is inside them. These kind of files often trigger alerts by security software using heuristic detection because they are resistant to scanning (difficult to read) or they may even be ignored (not scanned). This resistance may also result in some scanners to stall (hang) on these particular types of files. Certain files in the System Volume Information Folder like the Tracking.log which is created by the Distributed Link Tracking Service to store maintenance information have also been reported as a source causing some scanners to hang.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#15 myPRONEpc

myPRONEpc
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:02:22 AM

Posted 20 November 2009 - 10:49 AM

Cool. Thanks for the informative responce.
So I guess, I'm good to go then.
Thank you so much for the help.

G




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users