Used Remove Internet Security 2010 Question, please?

Hello,
I used the instructions to remove the title mentioned (Internet security 2010) virus/trojan and it went ok until it was creating the "log report!
The only thing that was not normal was just before the prepare report script was on the page it said that it could not find 2 modules.
C:windows\system32\joranafe.dll
error loading gekuvami.dll

What I did after several hours is Xed out these two boxes saying the 2 modules and hoped that would let the report log to continue but......now it ...

It seems hung on the "preparing log report", top of page it says "Find3M"

Can someone tell me if it is OK to now that it won't finish, it never produced the log report, to continue?
Or what am I to do otherwise?
thank you for reading, and I hope I was concise in my problem!

regards, cardnal

Edited by cardnal, 17 January 2010 - 09:12 AM.

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.

Well, thanks for reading my post but I am not sure why you moved it but never the less....I was / am sure that I had trojan and possibly more so I didn't figure it should be here, but I defer to you, respectively! I also thought that I wasn't supposed to post a log "unless" requested to by a helper, so that is why I didn't.
Anyway, I have more info on the problem that I was working on when I posted that might help someone else.
I simply love this forum!
It has the resources to do pitched battles with the malware and viruses out there in the wild! No joke using info I got from here I do think that I defeated my infestations.
I had at least the following virus/trojan issues;
Internet security 2010
vundo.H trojan
Trojan.fakealert
Trojan.DNSChanger

Using the rKil, combofix and highjackthis programs and a lot of reading research on these forums I was able to bring my computer back from the brink of format.
I am now able to run Malwarebytes, which I couldn't before because of the trojan defeating the install so that it would lose its' abilities.
So, I am just getting to the point of connecting back to the internet. I have run several of these multiple times, and eventually cleaned malware out until i came up nothing else found.
I run avast and IObit Security 360, and these didn't stop getting the malware and virus stuff....so I am going to have to add more protection.
I think some of it came in through a java update that I clicked on to install hurriedly and didn't notice it wasn't authentic. My AVAST did catch about 5 Trojans when this first started but evidently it got slammed and couldn't deal with it all.
Oh, I also googled some questions about dll files to figure out what was false.

So if somebody wants me to give an update after I connect back to the internet, i will give more feedback about how things are going!
Just post that you do and I will try to give more ....as to how my case was defeated witht he help of this web site and the helpers doing what they do.
Again, thanks to the helpers and all who post various experiences in dealing with computer problems.

best regards,
cardnal

I also thought that I wasn't supposed to post a log "unless" requested to by a helper, so that is why I didn't.

You probably have that confused with ComboFix logs. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

You started a topic in the HijackThis Logs and Malware Removal forum and did not post the required logs. Again, you probably missed reading the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log. Since you did not do that, your topic was moved here.

How is your computer running now? Are there any more reports/alerts, signs of infection or issues with your browser?

Yes thank you for pointing this out.
I did later re-read the forum rules and noticed what I said did not reconcile with the rules! Sorry I can only promise to try and do better.
I do understand after further review as they say! I can also say that I was up late and a bit embattled, and upset with how things were going for me.....not trying to excuse myself but letting you know that it wasn't flagrant either.

Anyway, ATM, I have connected the ethernet cable and browsed around some and DL email. So far I can say that all is well. I use Firefox and outlook express for email.
Those 2 RUNDLL errors were what was stopping the combofix from creating it's log....I figured out. So when I used highjackthis to locate them again i fixed them gone and re-ran the combofix and this time the log was created. I also got malwarebytes to finally run after I installed it.
I had been burning it to CD then trying to install it from the CD rather than being connected to the internet...trying to isolate my problem.... it would install but the vundo.H or other trojans were blocking a component from installing and it would not exe. Those guys are smart little fellows.
So I have not had any pop ups or any other of the odd behavior that had affected my computer....but I won't know for sure until I reboot a couple times, eh?
I ended up using rKill, combofix, highjackthis, malwarebytes, running some several times and then ran system scan for errors and defragged, then again....last time nothing was found! the tricky thing for me was to identify the HJT log items!

I am serious about the forum having a wealth of information for doing the battle with these nasty buggers. Of course you know this but I had almost given up until I ran across this place. I had already called the local computer repair shop to bring it in on Monday......BTW, thank you for the help you give people!

best regards,
cardnal
============"Be kinder than necessary because everyone is fighting some kind of battle"=========


You started a topic in the HijackThis Logs and Malware Removal forum and did not post the required logs. Again, you probably missed reading the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log. Since you did not do that, your topic was moved here.

How is your computer running now? Are there any more reports/alerts, signs of infection or issues with your browser?
[/quote]

You're welcome.

If there are no more problems or signs of infection, don't forget to Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

• Then use Disk Cleanup to remove all but the most recently created Restore Point.
• Go to > Run... and type: Cleanmgr
• Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
• Click the "More Options" tab, then click the "Clean up" button under System Restore.
• Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
• Click Yes, then click Ok.
• Click Yes again when prompted with "Are you sure you want to perform these actions?"
• Disk Cleanup will remove the files and close automatically.

Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.

Thanks again for the great tip/reminders.
I am going to wait for several days and reboots to think that I am totally clear. Then I will do the restore point and I also will need to clear off all the programs that I DownLoaded to try and fix my issues.
BTW do you analyze start up logs ?
I have an older computer that maxes out on ram at 512MB and I think I have too many start up programs running in the system tray but when I look at it there are only a few that I felt like I could remove , the others might have something that needs to be there...?


best regards, Cardnal
'Be kinder than necessary because everyone
you meet is fighting some kind of battle.'


=====================

You're welcome.

If there are no more problems or signs of infection, don't forget to Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

• Then use Disk Cleanup to remove all but the most recently created Restore Point.
• Go to > Run... and type: Cleanmgr
• Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
• Click the "More Options" tab, then click the "Clean up" button under System Restore.
• Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
• Click Yes, then click Ok.
• Click Yes again when prompted with "Are you sure you want to perform these actions?"
• Disk Cleanup will remove the files and close automatically.

Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. Another techinique is for the process to alter the registry and add itself as a Startup program so that it can run automatically each time the computer is booted. A file's properties may give a clue to identifying it. Right-click on the file, choose Properties and examine the General and Version tabs.

Tools to investigate running processes and gather additional information to identify them and resolve problems:

• AnVir TaskManager Free
• Process Explorer
• System Explorer
• ProcessHacker - (requires Microsoft .NET Framework 2.0 or above to use)
• Autoruns
• svchostViewer

These tools will provide information about each process, CPU usage, file description and its path location.

Anytime you come across a suspicious file or one that you do not recognize, search the name using Google <- click here for an example.

Or search the following databases:

• BC's Startup Programs Database
• SystemLookup StartupList Index
• ProcessLibrary.com
• File Research Center

If you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
-- Post back with the results of the file analysis.

For more information about ways to improve performance, please refer to Slow Computer/Browser? Check here first; it may not be malware.

Edited by quietman7, 20 January 2010 - 01:16 PM.

Well I started a deep virus scan when I left for work today and came back at 6 PM and it was stopped at 20% waiting for an answer from me as to what to do with a found virus! I told it to put the Infected files in the virus chest.
I noticed one was the same name as I deleted via HJT the other day. I think I have only reboted once maybe twice since the major problem day last Saturday 1-16-10
I use avast 4.8 1368, with 1-20-10 file update.
It found total of 14.
7 were alpha numeric xxxxxxxx.dll and 7 had a name with the .dll at the end
Below are the 7;
A0000040.dll located in the C:\System Volume Information\_restore
A0000041.dll "
A0000044.dll "
A0000047.dll "
A0000049.dll "
A0000050.dll "
A0000052.dll "

8 said this>win32:MoPack ....all had this [cryp] at the end of the line in the virus chest of the avast program.

Below are the ones that had a name;
bodizeya.dll.vir Qoobox\Quarantine\C\Windows\System32
dorulelo.dll.vir "
joranafe.dll.vir "
rehejizi.dll.vir "
supekede.dll.vir "
tukeweji.dll.vir "
wofuhipe.dll.vir "

So like you said some of these are hiding and are going to try and re-emerge.....ugh.

Should I delete all the restore points? You know I had been waiting to deal with the good restore point until I thought I was clean.

I had run the malwarebytes before I did the deep avast scan and it didn't find any problems.
I tried to copy the virus chest file and add it here but that didn't seem to be an option , so that is why I hand wrote the results.
So I will investigate some more and report back to you, quietman7

regards, cardnal

*Be Fair, Be Safe
Just don't be fairly safe*

Edited by cardnal, 21 January 2010 - 05:21 AM.

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:

• Restore Point Forensics
• Forensic Analysis of System Restore Points in Microsoft Windows XP

System Restore is the feature that protects your computer by monitoring a core set of system and application files and by creating backups (snapshots saved as restore points) of vital system configurations and files before changes are made. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations including registry modifications made by software or malware by reverting the operating systems configuration to an earlier date. See What's Restored when using System Restore and What's Not.

System Restore is enabled by default and will back up the good as well as malicious files, so when malware is present on the system it gets included in restore points as an A00***** file. If you only get a detection on a file in the SVI folder, that means the original file was on your system in another location at some point and probably has been removed. However, when you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (in System Restore points) and moved into quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat. Thereafter, you can delete it at any time.

If your anti-virus or anti-malware tool cannot move the files to quarantine, they sometimes can reinfect your system if you accidentally use an old restore point. In order to avoid reinfection and remove these file(s) if your security tools cannot remove them, the easiest thing to do after disinfection is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point. Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.

If your anti-virus or anti-malware tool was able to move the file(s), I still recommend creating a new restore point and using disk cleanup as the last step after removing malware from an infected computer.

The detected files in Qoobox\Quarantine are threats previously removed by ComboFix, copies renamed and sent to its quarantine folder. ComboFix is a specialized tool you should not be using unless instructed to do so by a Malware Removal Expert. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

When an anti-virus or security program quarantines a file by moving it into a virus vault (chest) or a dedicated quarantine folder where it is renamed, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it. One reason for doing this is to prevent deletion of a crucial file that may have been flagged as a "false positive" especially if the scanner uses heuristic analysis technology. Heuristics is the ability of a scanning program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware which allows the anti-virus to detect and stop if before doing any harm to your system. The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as suspicious or infected. If that is the case, then you can restore the file and add it to the exclusion or ignore list. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure. When the quarantined file is known to be malicious, you can delete it at any time.

Keep in mind, however, that if these files are left in quarantine, other scanning programs and security tools may flag them as a threat while in the quarantined area so don't be alarmed if you see such an alert. Just delete the quarantined items after confirming they are malware and subsequent scans should no longer detect them.

To uninstall ComboFix, press the Windows Key + R keys on your keyboard or go to > Run... and in the Open dialog box, type: ComboFix /Uninstall

• 
• Press OK.
• This will delete ComboFix's related folders/files, reset the clock settings, hide file extensions/system files, clear the System Restore cache to prevent possible reinfection and create a new Restore point.

-- Vista users, users can refer to these instructions: How to Enable Run Command in Vista