Cannot get rid of what I think is an XML virus... please HELP!


9 replies to this topic

#1 laynie

  • Members
  • 5 posts

Posted 25 April 2010 - 12:51 AM

I would be grateful for any help I can get with my computer. Here is what is going on:

I have scanned my computer with SpyNoMore, Avira, AVG, Malwarebytes, and SUPERAntiSpyware. Each one of these scans produces some type of detection and I do as instructed. When I go back to my Recently Changed folder in Windows Vista I can see all of these pictures and updates from files that say,

RefreshSchedule XML document, hom_data, hot_data, won_data and much more, followed by an enormous amount of pictures.

I am not sure what you call what is going on with my computer, as nothing seems to be working to remove this from my computer. I just know that after I delete all the pictures, I go back in and there is a ton again. I was having problems with clicking on my desktop icons until I ran one of the scans mentioned above.

Can someone please help me?


#2 certifiedgeek

  • Members
  • 172 posts

Posted 25 April 2010 - 11:15 AM

Hi there laynie,

Would you please post your scanning logs from Malwarebytes, SUPERAntispyware, Avira and AVG?

Are these pictures you're talking about your own pictures, or are they totally strange, as in you don't know where they are coming from? Have you tried manually deleting them by going to the folder directly? Have you used TFC by Old Timer, which will clean out some of your temp files?

If you have any questions about how to get to your logs, please let me know and I will post some more detailed instructions. :thumbsup:

#3 laynie
  • Topic Starter

  • Members
  • 5 posts

Posted 30 April 2010 - 08:57 PM

Thanks for your response!

The pictures that are in my Recently Changed folder are those of celebrities, advertisements, etc. When I clean them off my computer there are usually around 500-800 pictures. Below I have provided what happens when I click on the information in the folder:

C:\Users\Claudia\AppData\Local\Microsoft\Toolbar\IsolatedStorage\MsnApp\4.0.379.0\content\Entertainment\gsp_data.xml


This is also in my recently deleted folder: mus_data.xml, gsp_data.xml, jin_data.xml, Log.txt, mov_data.xml, wom_data.xml, men_data.xml.

Not sure if this is what you are looking for but here is the Avira log:


Avira AntiVir Personal
Report file date: Tuesday, April 27, 2010 01:05

Scanning for 2044309 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista
Windows version : (Service Pack 2) [6.0.6002]
Boot mode : Normally booted
Username : SYSTEM
Computer name : CLAUDIA-PC

Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 18:37:38
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 18:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 3/8/2010 00:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 05:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 01:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 23:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 22:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 17:29:03
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 07:24:35
VBASE006.VDF : 7.10.6.83 2048 Bytes 4/15/2010 07:24:35
VBASE007.VDF : 7.10.6.84 2048 Bytes 4/15/2010 07:24:36
VBASE008.VDF : 7.10.6.85 2048 Bytes 4/15/2010 07:24:36
VBASE009.VDF : 7.10.6.86 2048 Bytes 4/15/2010 07:24:36
VBASE010.VDF : 7.10.6.87 2048 Bytes 4/15/2010 07:24:36
VBASE011.VDF : 7.10.6.88 2048 Bytes 4/15/2010 07:24:36
VBASE012.VDF : 7.10.6.89 2048 Bytes 4/15/2010 07:24:37
VBASE013.VDF : 7.10.6.90 2048 Bytes 4/15/2010 07:24:37
VBASE014.VDF : 7.10.6.123 126464 Bytes 4/19/2010 07:24:37
VBASE015.VDF : 7.10.6.152 123392 Bytes 4/21/2010 07:24:38
VBASE016.VDF : 7.10.6.178 122880 Bytes 4/22/2010 07:24:39
VBASE017.VDF : 7.10.6.206 120320 Bytes 4/26/2010 04:13:44
VBASE018.VDF : 7.10.6.207 2048 Bytes 4/26/2010 04:13:44
VBASE019.VDF : 7.10.6.208 2048 Bytes 4/26/2010 04:13:44
VBASE020.VDF : 7.10.6.209 2048 Bytes 4/26/2010 04:13:44
VBASE021.VDF : 7.10.6.210 2048 Bytes 4/26/2010 04:13:45
VBASE022.VDF : 7.10.6.211 2048 Bytes 4/26/2010 04:13:45
VBASE023.VDF : 7.10.6.212 2048 Bytes 4/26/2010 04:13:45
VBASE024.VDF : 7.10.6.213 2048 Bytes 4/26/2010 04:13:45
VBASE025.VDF : 7.10.6.214 2048 Bytes 4/26/2010 04:13:45
VBASE026.VDF : 7.10.6.215 2048 Bytes 4/26/2010 04:13:46
VBASE027.VDF : 7.10.6.216 2048 Bytes 4/26/2010 04:13:46
VBASE028.VDF : 7.10.6.217 2048 Bytes 4/26/2010 04:13:46
VBASE029.VDF : 7.10.6.218 2048 Bytes 4/26/2010 04:13:46
VBASE030.VDF : 7.10.6.219 2048 Bytes 4/26/2010 04:13:47
VBASE031.VDF : 7.10.6.220 38912 Bytes 4/26/2010 04:13:47
Engineversion : 8.2.1.224
AEVDF.DLL : 8.1.2.0 106868 Bytes 4/24/2010 07:24:54
AESCRIPT.DLL : 8.1.3.27 1294714 Bytes 4/24/2010 07:24:53
AESCN.DLL : 8.1.5.0 127347 Bytes 2/26/2010 00:38:41
AESBX.DLL : 8.1.3.1 254324 Bytes 4/24/2010 07:24:54
AERDL.DLL : 8.1.4.6 541043 Bytes 4/24/2010 07:24:51
AEPACK.DLL : 8.2.1.1 426358 Bytes 3/19/2010 18:34:51
AEOFFICE.DLL : 8.1.0.41 201083 Bytes 3/17/2010 17:09:46
AEHEUR.DLL : 8.1.1.24 2613623 Bytes 4/24/2010 07:24:50
AEHELP.DLL : 8.1.11.3 242039 Bytes 4/1/2010 22:05:25
AEGEN.DLL : 8.1.3.7 373106 Bytes 4/24/2010 07:24:46
AEEMU.DLL : 8.1.2.0 393588 Bytes 4/24/2010 07:24:45
AECORE.DLL : 8.1.13.1 188790 Bytes 4/1/2010 22:05:25
AEBB.DLL : 8.1.1.0 53618 Bytes 4/24/2010 07:24:43
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 18:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 18:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 22:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 18:35:46
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 18:39:51
AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 18:22:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 15:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 18:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 21:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 20:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 19:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 20:14:29

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Tuesday, April 27, 2010 01:05

Starting search for hidden objects.
c:\program files\internet explorer\iexplore.exe
c:\Program Files\Internet Explorer\iexplore.exe
[NOTE] The process is not visible.
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\java\jre6\bin\java.exe
c:\Program Files\Java\jre6\bin\java.exe
[NOTE] The process is not visible.
c:\program files\java\jre6\bin\java.exe

The scan of running processes will be started
Scan process 'Bubbles.scr' - '26' Module(s) have been scanned
Scan process 'svchost.exe' - '31' Module(s) have been scanned
Scan process 'vssvc.exe' - '50' Module(s) have been scanned
Scan process 'avscan.exe' - '82' Module(s) have been scanned
Scan process 'avscan.exe' - '30' Module(s) have been scanned
Scan process 'avcenter.exe' - '67' Module(s) have been scanned
Scan process 'SNM.exe' - '64' Module(s) have been scanned
Scan process 'shellmon.exe' - '29' Module(s) have been scanned
Scan process 'mswinext.exe' - '84' Module(s) have been scanned
Scan process 'iPodService.exe' - '31' Module(s) have been scanned
Scan process 'waol.exe' - '140' Module(s) have been scanned
Scan process 'wmpnscfg.exe' - '30' Module(s) have been scanned
Scan process 'SFlyStudio.exe' - '55' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '76' Module(s) have been scanned
Scan process 'avgtray.exe' - '34' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '90' Module(s) have been scanned
Scan process 'taskeng.exe' - '50' Module(s) have been scanned
Scan process 'WLIDSvcM.exe' - '17' Module(s) have been scanned
Scan process 'avgnsx.exe' - '32' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '66' Module(s) have been scanned
Scan process 'WLIDSVC.EXE' - '53' Module(s) have been scanned
Scan process 'svchost.exe' - '7' Module(s) have been scanned
Scan process 'svchost.exe' - '47' Module(s) have been scanned
Scan process 'sqlwriter.exe' - '32' Module(s) have been scanned
Scan process 'sqlbrowser.exe' - '21' Module(s) have been scanned
Scan process 'SeaPort.exe' - '58' Module(s) have been scanned
Scan process 'svchost.exe' - '43' Module(s) have been scanned
Scan process 'sqlservr.exe' - '51' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '34' Module(s) have been scanned
Scan process 'avgwdsvc.exe' - '37' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '32' Module(s) have been scanned
Scan process 'avshadow.exe' - '34' Module(s) have been scanned
Scan process 'AOLAcsd.exe' - '57' Module(s) have been scanned
Scan process 'avguard.exe' - '69' Module(s) have been scanned
Scan process 'PhotoshopElementsFileAgent.exe' - '29' Module(s) have been scanned
Scan process 'svchost.exe' - '58' Module(s) have been scanned
Scan process 'sched.exe' - '57' Module(s) have been scanned
Scan process 'spoolsv.exe' - '100' Module(s) have been scanned
Scan process 'taskeng.exe' - '81' Module(s) have been scanned
Scan process 'Explorer.EXE' - '140' Module(s) have been scanned
Scan process 'Dwm.exe' - '33' Module(s) have been scanned
Scan process 'svchost.exe' - '95' Module(s) have been scanned
Scan process 'svchost.exe' - '92' Module(s) have been scanned
Scan process 'SLsvc.exe' - '23' Module(s) have been scanned
Scan process 'svchost.exe' - '38' Module(s) have been scanned
Scan process 'svchost.exe' - '150' Module(s) have been scanned
Scan process 'svchost.exe' - '115' Module(s) have been scanned
Scan process 'svchost.exe' - '67' Module(s) have been scanned
Scan process 'MsMpEng.exe' - '59' Module(s) have been scanned
Scan process 'svchost.exe' - '42' Module(s) have been scanned
Scan process 'svchost.exe' - '46' Module(s) have been scanned
Scan process 'avgcsrvx.exe' - '11' Module(s) have been scanned
Scan process 'lsm.exe' - '23' Module(s) have been scanned
Scan process 'lsass.exe' - '66' Module(s) have been scanned
Scan process 'services.exe' - '34' Module(s) have been scanned
Scan process 'winlogon.exe' - '32' Module(s) have been scanned
Scan process 'avgrsx.exe' - '24' Module(s) have been scanned
Scan process 'avgchsvx.exe' - '18' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'wininit.exe' - '27' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '1639' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Users\Claudia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4E9ANDFC\cd[2].htm
[DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
Begin scan in 'D:\' <RECOVERY>

Beginning disinfection:
C:\Users\Claudia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4E9ANDFC\cd[2].htm
[DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
[NOTE] The file was moved to the quarantine directory under the name '4822dde1.qua'.


End of the scan: Tuesday, April 27, 2010 18:53
Used time: 5:29:05 Hour(s)

The scan has been done completely.

45232 Scanned directories
965002 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
965001 Files not concerned
5687 Archives were scanned
0 Warnings
1 Notes
842987 Objects were scanned with rootkit scan
6 Hidden objects were found

I am not sure what to pull from the other scans, but just let me know and I can provide them for you... Thanks so much!!!!!! :thumbsup:

#4 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,087 posts
  • Gender:Female
  • Location:Romania

Posted 01 May 2010 - 09:49 AM

Hello,
certifiedgeek is unavailable right now, so I am taking over this thread.

Could you please tell me what exactly the problem is (what symptoms of malware do you have, like redirects, pop-ups, strange behaviour, random freezes)?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 laynie
  • Topic Starter

  • Members
  • 5 posts

Posted 01 May 2010 - 08:50 PM

Thanks, Elise!

The symptoms that I am having are that my system is slower, and every time I check my Recently Changed folder in Windows Vista there are over 500+ photos of celebrities, males, females, advertisements, and then updates to keep the pictures coming back after I delete them off of my machine. After deleting the pictures and updates I will check it again about 20 to 30 minutes later and there is an update followed by pictures. The update states RefreshSchedule.

Thanks!
Laynie
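The pattern described in #3 and #5 (a few hundred files reappearing every 20 to 30 minutes, with the one full path posted sitting under ...\Toolbar\IsolatedStorage\MsnApp\...) is exactly what Vista's Recently Changed view shows without explaining: it lists file names, not the directory tree they keep landing in. Grouping recent writes by the first few path components under %LOCALAPPDATA% turns that list into a count per owning application folder, and the newest file in each group points at whatever is driving the refresh. The script below is an added example and is not code from this thread or from any of the tools named in it; it builds a constructed directory tree in a temp folder that mirrors the posted path (file names, counts and timestamps are made up) and assumes Python 3.8 or later. On a real machine you would point writes_by_owner at Path(os.environ["LOCALAPPDATA"]) instead of the fixture.

```python
"""Attribute a burst of recently written files to the directory that owns them.

Added example (not code from the thread, Windows, or any tool named in it).
Windows' "Recently Changed" search lists file names but not what wrote them;
grouping recent writes by the first few path components under a root such as
%LOCALAPPDATA% shows which application's storage area is producing them.
The tree built below is a constructed fixture that mirrors the path posted in
the thread; file names, counts and timestamps are made up.
"""
import os
import tempfile
import time
from collections import Counter
from pathlib import Path


def recent_writes(root: Path, within_minutes: int):
    """Yield (path, mtime) for every file under root modified inside the window."""
    cutoff = time.time() - within_minutes * 60
    for p in root.rglob("*"):
        try:
            if not p.is_file():
                continue
            mtime = p.stat().st_mtime
        except OSError:
            continue  # file vanished or is locked; skip it rather than abort the sweep
        if mtime >= cutoff:
            yield p, mtime


def owner_of(root: Path, path: Path, depth: int = 3) -> str:
    """First `depth` directory components below root, e.g. 'Microsoft/Toolbar/IsolatedStorage'."""
    parts = path.relative_to(root).parts[:-1]  # drop the file name itself
    return "/".join(parts[:depth]) or "."


def writes_by_owner(root: Path, within_minutes: int = 30, depth: int = 3) -> Counter:
    """Count recent writes per owning directory prefix; the top entry is the writer to look at."""
    counts: Counter = Counter()
    for path, _ in recent_writes(root, within_minutes):
        counts[owner_of(root, path, depth)] += 1
    return counts


def newest_per_owner(root: Path, within_minutes: int = 30, depth: int = 3) -> dict:
    """Most recently written file name per owner: a scheduler file (the thread's
    RefreshSchedule.xml) tends to surface here among the content it pulls in."""
    newest: dict = {}
    for path, mtime in recent_writes(root, within_minutes):
        owner = owner_of(root, path, depth)
        if owner not in newest or mtime > newest[owner][1]:
            newest[owner] = (path.name, mtime)
    return {owner: name for owner, (name, _) in newest.items()}


def _touch(path: Path, mtime: float) -> None:
    """Create a one-byte file and force its modification time (fixture helper)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text("x")
    os.utime(path, (mtime, mtime))


def build_sample_tree() -> Path:
    """Constructed fixture: a toolbar cache that was just refreshed, one stale temp
    file outside the window, and one unrelated recent browser write."""
    root = Path(tempfile.mkdtemp(prefix="localappdata_"))
    now = time.time()
    cache = root / "Microsoft/Toolbar/IsolatedStorage/MsnApp/4.0.379.0/content/Entertainment"
    _touch(cache / "RefreshSchedule.xml", now - 4 * 60)       # written last in the burst
    for name in ("gsp_data.xml", "mus_data.xml", "mov_data.xml"):
        _touch(cache / name, now - 5 * 60)
    for i in range(4):
        _touch(cache / f"img{i}.jpg", now - 6 * 60)
    _touch(root / "Temp/old_installer.tmp", now - 2 * 86400)  # two days old: ignored
    _touch(root / "Google/Chrome/User Data/Default/Cookies", now - 10 * 60)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for owner, n in writes_by_owner(root, within_minutes=30).most_common():
        print(f"{n:4d}  {owner}")
    print(newest_per_owner(root))
```

Counting by owner prefix rather than by file name is the point: 500 JPEGs under one toolbar cache are one finding, not 500. Raising depth narrows the owner down to a specific product version folder; lowering it to 1 gives a per-vendor summary.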

#6 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,087 posts
  • Gender:Female
  • Location:Romania

Posted 02 May 2010 - 01:57 AM

Please do a full scan with MBAM (update first) and post me the log.

regards, Elise




#7 laynie
  • Topic Starter

  • Members
  • 5 posts

Posted 04 May 2010 - 10:45 PM

Here is my scan...thanks


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4063

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

5/4/2010 11:39:45 PM
mbam-log-2010-05-04 (23-39-45).txt

Scan type: Full scan (C:\|)
Objects scanned: 395740
Time elapsed: 5 hour(s), 18 minute(s), 10 second(s)

Memory Processes Infected: 0


Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\shopathome.ietoolbar (Adware.SelectRebates) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopathome.ietoolbar.1 (Adware.SelectRebates) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

#8 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,087 posts
  • Gender:Female
  • Location:Romania

Posted 05 May 2010 - 05:08 AM

It seems a part of your log is missing (it shows a file was deleted, could you please copy that part of the log as well?).

regards, Elise




#9 laynie
  • Topic Starter

  • Members
  • 5 posts

Posted 05 May 2010 - 11:44 PM

I hope this is what you need! Thanks!

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4063

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

5/4/2010 11:39:45 PM
mbam-log-2010-05-04 (23-39-45).txt

Scan type: Full scan (C:\|)
Objects scanned: 395740
Time elapsed: 5 hour(s), 18 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\shopathome.ietoolbar (Adware.SelectRebates) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopathome.ietoolbar.1 (Adware.SelectRebates) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Cheat Engine\Systemcallretriever.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
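The Avira report in #3 and the Malwarebytes logs in #7 and #9 each bury a handful of actionable lines in pages of version and process listings, and the exchange in #7 and #8 shows the other hazard: a pasted log cut short before the section that actually named the infected file. Below is an added example, not code from this thread, Avira or Malwarebytes, of a small parser for both formats as they appear above. For the Avira report it collects the paths tagged "The process is not visible", the [DETECTION] verdicts (deduplicated across the scan and disinfection passes, which repeat the same path), the quarantine file name, and the summary counters; for the MBAM log it collects the (item, family, action) triples per section and compares them with the header counts, so a truncated paste is flagged before anyone acts on it. The embedded samples are trimmed excerpts of the logs posted in this thread; the function and constant names are this example's own, and it assumes Python 3.8 or later.

```python
"""Pull the actionable lines out of the two scan-log formats posted in this thread.

Added example; not code from the thread, Avira or Malwarebytes. The samples are
trimmed excerpts of the logs posted above; every function name is this example's own.
"""
import re
from collections import defaultdict

AVIRA_SAMPLE = r"""Starting search for hidden objects.
c:\program files\internet explorer\iexplore.exe
c:\Program Files\Internet Explorer\iexplore.exe
[NOTE] The process is not visible.
c:\program files\java\jre6\bin\java.exe
c:\Program Files\Java\jre6\bin\java.exe
[NOTE] The process is not visible.
Begin scan in 'C:\'
C:\Users\Claudia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4E9ANDFC\cd[2].htm
[DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
Beginning disinfection:
C:\Users\Claudia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4E9ANDFC\cd[2].htm
[DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
[NOTE] The file was moved to the quarantine directory under the name '4822dde1.qua'.
The scan has been done completely.
1 Viruses and/or unwanted programs were found
1 Files were moved to quarantine
6 Hidden objects were found
"""

MBAM_SAMPLE = r"""Malwarebytes' Anti-Malware 1.46
Registry Keys Infected: 2
Registry Values Infected: 0
Files Infected: 1

Registry Keys Infected:
HKEY_CLASSES_ROOT\shopathome.ietoolbar (Adware.SelectRebates) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopathome.ietoolbar.1 (Adware.SelectRebates) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Cheat Engine\Systemcallretriever.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""
# The paste in #7 stopped before the "Files Infected" section; reproduce that cut.
MBAM_TRUNCATED = MBAM_SAMPLE.split("\nFiles Infected:\n")[0]

HIDDEN_NOTE = "[NOTE] The process is not visible."
PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETECTION_RE = re.compile(r"^\[DETECTION\] (?P<what>.+)$")
QUARANTINE_RE = re.compile(r"^\[NOTE\] The file was moved to the quarantine directory under the name '(?P<qua>[^']+)'\.$")
SUMMARY_RE = re.compile(r"^(?P<n>\d+) (?P<label>[A-Za-z].+)$")


def parse_avira(text: str) -> dict:
    """Hidden processes, detections (deduplicated across the scan and disinfection
    passes), quarantine file names, and the trailing summary counters."""
    hidden, detections, quarantined, summary = [], {}, {}, {}
    last_path, in_summary = None, False
    for line in (raw.rstrip() for raw in text.splitlines()):
        if line == "The scan has been done completely.":
            in_summary = True
        elif in_summary:
            if m := SUMMARY_RE.match(line):
                summary[m.group("label")] = int(m.group("n"))
        elif PATH_RE.match(line):
            last_path = line  # Avira prints the path, then its verdict on the following lines
        elif last_path is not None:
            if line == HIDDEN_NOTE:
                if last_path.lower() not in (h.lower() for h in hidden):
                    hidden.append(last_path)
            elif m := DETECTION_RE.match(line):
                detections[last_path] = m.group("what")
            elif m := QUARANTINE_RE.match(line):
                quarantined[last_path] = m.group("qua")
    return {"hidden": hidden, "detections": detections,
            "quarantined": quarantined, "summary": summary}


MBAM_COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<n>\d+)$")
MBAM_SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
MBAM_ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam(text: str) -> dict:
    """Header counts plus (item, family, action) tuples per section."""
    counts, items, current = {}, defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := MBAM_COUNT_RE.match(line):
            counts[m.group("section")] = int(m.group("n"))
        elif m := MBAM_SECTION_RE.match(line):
            current = m.group("section")
        elif current and (m := MBAM_ITEM_RE.match(line)):
            items[current].append((m.group("item"), m.group("family"), m.group("action")))
    return {"counts": counts, "items": dict(items)}


def mbam_incomplete(parsed: dict) -> list:
    """Sections whose header count disagrees with the items actually listed: a log
    pasted short (as in #7) shows up here before anyone acts on it."""
    return [s for s, n in parsed["counts"].items() if n != len(parsed["items"].get(s, []))]
```

One thing the summary counters buy you: the report attaches the "not visible" note to two distinct paths but counts six hidden objects. Whatever the reason for the difference, a triage that keeps only the named paths has no way to notice it, so keep the counters alongside the items and look twice when they disagree.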

#10 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,087 posts
  • Gender:Female
  • Location:Romania

Posted 06 May 2010 - 03:14 AM

Hello again,

TFC
--------
Download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

NOTE:
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.



Please download Kenco.exe and save it to your desktop.
  • Double-click on Kenco.exe to run it (if you get a security warning, click run).
  • You will see a black command window and shortly a logfile will be opened. Note - Kenco.log will be saved on your desktop.
  • In order to complete the cleaning process, Kenco.exe may need to reboot your computer.
Please copy/paste the contents of kenco.log in your next reply.

regards, Elise






