
Infected with Unknown Virus


27 replies to this topic

#1 WillyJ

Posted 09 June 2010 - 10:38 PM

I had to post this from a different computer. I think the virus won’t let me post from my computer. This is the second time I’m trying to post. When I finished the first time I clicked on “Post” and I got a screen that said “unable to connect”. So I wasn’t sure my post went through. When I looked at my account control just now, it said there were 0 posts! Hopefully I’m not duplicating. I do see that the files I uploaded are there.
The problem started about a week ago. I wandered to a website that I probably shouldn’t have and all of a sudden I got an AVAST warning that something was trying to invade my computer. But it said that the virus had been blocked. When I tried to close the AVAST warning screen, it just kept popping up again. I finally decided to do a hard shut down of the computer.
When I restarted the computer it was obvious that something had gotten through. When I went into Explorer, I was redirected to another website.
At that point I downloaded SuperAntiSpyware and ran a scan of my computer. The scan came up with quite a few things, which is why I don’t know exactly what the problem is. The scan came up with:
Adware.Flash Tracking Cookie – (and more)
Adware Tracking Cookie
Malware.trace
Rogue.AntivirusSoft
Trojan.Agent/Gen-CDesc[Gen]
SuperAntiSpyware also noted that there were 3 Disabled Security Center Options. They were:
Security Center#ANTIVIRUSDISABLENOTIFY
Security Center#FIREWALLDISABLENOTIFY
Security Center#UPDATESDISABLENOTIFY


I used SuperAntiSpyware to quarantine the items found and then rebooted. But it keeps coming back. I noticed one thing strange. Even if I scan again immediately after scanning and then rebooting, the one Tracking Cookie bills@atwola[2] will be there. And if I open Explorer there will be many more in a short time.

DDS (Ver_10-03-17.01) - NTFSx86
Run by bills at 20:56:08.90 on Tue 06/08/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.1820 [GMT -4:00]

AV: avast! antivirus 4.8.1368 [VPS 100608-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spider.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\bills\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.live.com
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [DellConnectionManager] "c:\program files\dell\dell controlpoint\connection manager\Dell.UCM.exe"
mRun: [<NO NAME>]
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {88EB38EF-4D2C-436D-ABD3-56B232674062} - c:\program files\icq7.0\ICQ.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263221666962
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://saalfeldencam.xlink.at//activex/AMC.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://80.75.240.242/activex/AxisCamControl.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {22B864C9-8131-484B-8376-E0346AB3A113} = 192.168.1.2
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 wvauth

============= SERVICES / DRIVERS ===============

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-12-10 24064]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-11 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-11 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-1-11 138680]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-7-16 376096]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\nvidia corporation\performance drivers\nvPDsvc.exe [2009-12-8 5241448]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2009-7-22 76288]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-1-11 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-1-11 352920]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]

=============== Created Last 30 ================

2010-06-09 00:54:15 0 ----a-w- c:\documents and settings\bills\defogger_reenable
2010-06-08 02:13:44 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-08 02:13:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-08 00:39:21 0 d-----w- c:\docume~1\bills\applic~1\SUPERAntiSpyware.com
2010-06-08 00:39:21 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-06-08 00:39:15 0 d-----w- c:\program files\SUPERAntiSpyware

==================== Find3M ====================

2010-04-16 18:28:06 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-16 18:28:06 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-16 18:28:06 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-16 18:28:06 13671528 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-16 18:28:06 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-16 18:28:04 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-04-14 15:19:52 600680 ----a-w- c:\windows\system32\nvuninst.exe

============= FINISH: 20:57:01.75 ===============



#2 sempai (Malware Response Team)

Posted 12 June 2010 - 09:50 AM

Hello and welcome to Bleeping Computer. :)

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.



=====================================


QUOTE
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

Did you create this policy?


=====================================


1. We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy



2. Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it is running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.





~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 WillyJ (Topic Starter)

Posted 14 June 2010 - 08:33 PM

I'm not sure I understand the question: Did you create this policy.......mPolicies-explorer: NoWelcomeScreen = 1 (0x1). If that was a question, I would have to say that the answer is no since I don't even know what it is.

Hopefully I followed your instructions to the letter. Here are the contents of the log (C:\ComboFix.txt).

I hope I remember all the things I have to turn back on when we're done.

I can't thank you enough for your help.

WillJ


ComboFix 10-06-14.02 - bills 06/14/2010 21:17:20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2464 [GMT -4:00]
Running from: c:\documents and settings\bills\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100614-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\disk.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-15 to 2010-06-15 )))))))))))))))))))))))))))))))
.

2010-06-08 02:13 . 2010-06-15 01:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-08 02:13 . 2010-06-15 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-08 00:39 . 2010-06-08 00:39 63488 ----a-w- c:\documents and settings\bills\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-08 00:39 . 2010-06-08 00:39 52224 ----a-w- c:\documents and settings\bills\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-08 00:39 . 2010-06-08 00:39 117760 ----a-w- c:\documents and settings\bills\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-08 00:39 . 2010-06-08 00:39 -------- d-----w- c:\documents and settings\bills\Application Data\SUPERAntiSpyware.com
2010-06-08 00:39 . 2010-06-08 00:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-08 00:39 . 2010-06-14 23:58 -------- d-----w- c:\program files\SUPERAntiSpyware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-15 01:03 . 2010-01-11 15:28 0 ----a-w- c:\documents and settings\bills\Local Settings\Application Data\WavXMapDrive.bat
2010-06-01 20:59 . 2010-01-11 16:49 -------- d-----w- c:\program files\ACAD2000
2010-05-21 18:58 . 2009-12-10 09:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-20 21:28 . 2010-01-25 22:31 -------- d-----w- c:\documents and settings\bills\Application Data\ICQ
2010-05-13 20:34 . 2010-03-31 15:03 -------- d-----w- c:\documents and settings\bills\Application Data\EDrawings
2010-05-11 03:02 . 2010-05-06 16:39 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-06 16:41 . 2010-05-06 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-05-06 16:36 . 2009-12-10 15:26 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-06 16:35 . 2010-05-06 16:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-05-06 16:33 . 2010-05-06 16:33 -------- d-----w- c:\program files\SystemRequirementsLab
2010-04-29 00:43 . 2010-01-25 22:31 -------- d-----w- c:\program files\ICQ7.0
2010-04-16 18:28 . 2010-04-16 18:28 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-16 18:28 . 2010-04-16 18:28 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-16 18:28 . 2010-04-16 18:28 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-16 18:28 . 2010-04-16 18:28 13671528 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-16 18:28 . 2010-04-16 18:28 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-16 18:28 . 2010-04-16 18:28 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-04-14 15:19 . 2009-12-10 15:26 600680 ----a-w- c:\windows\system32\nvuninst.exe
2010-03-26 00:25 . 2009-12-10 09:50 102816 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-26 00:22 . 2010-03-26 00:22 1956656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2009-06-12 00:41 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2009-06-12 00:41 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-14 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-01-19 1044480]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-06-12 656384]
"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2009-07-23 1796096]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2009-06-03 184320]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2009-05-18 145920]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-07-05 15872]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-03 640376]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-16 13671528]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-16 110696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-7-16 1253152]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\ICQ7.0\\ICQ.exe"=
"c:\\Program Files\\ICQ7.0\\aolload.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [12/10/2009 7:22 AM 24064]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/11/2010 12:24 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/11/2010 12:24 PM 20560]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [7/16/2009 2:04 PM 376096]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [12/8/2009 7:14 AM 5241448]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [7/22/2009 8:13 PM 76288]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {22B864C9-8131-484B-8376-E0346AB3A113} = 192.168.1.2
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-nwiz - nwiz.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-14 21:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\documents and settings\bills\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\bills\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\bills\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

- - - - - - - > 'lsass.exe'(796)
c:\windows\system32\wvauth.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-14 21:22:48
ComboFix-quarantined-files.txt 2010-06-15 01:22

Pre-Run: 295,434,539,008 bytes free
Post-Run: 295,999,205,376 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1716C4BD4571A2B338F06F929606A72B

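The two logs in this thread (the DDS log in post #1 and the ComboFix log in post #3) contain the kind of lines a helper reads first: the three Security Center DISABLENOTIFY values SUPERAntiSpyware reported, the BHO and URLSearchHook entries that point at No File, the NoWelcomeScreen policy sempai asked about, a DPF ActiveX control pulled from a bare IP address (hxxp://80.75.240.242/...), an extra LSA authentication package (wvauth) that ComboFix shows loaded inside lsass.exe, a firewall rule leaving 3389/TCP globally open, and the disk.sys driver ComboFix found patched and disinfected. The Python below is an added example of pulling those lines out of such a log automatically; it is not a BleepingComputer, DDS or ComboFix tool, and its rule names and severities are my own. The sample lines are copied from this thread, with two known-good control lines (the Adobe BHO and the java.sun.com DPF) added so the run shows what is not flagged. A hit means "review", not "malicious": wvauth is almost certainly the Wave Systems TPM software that appears elsewhere in the same log, and some legitimate security suites also set the Security Center notification flags.

```python
"""Triage helper for DDS / ComboFix style logs.

Added example for this thread, not a BleepingComputer or ComboFix tool.
Every rule is a heuristic: a hit means "a helper should look at this
line", not "this line is malicious".
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # "high", "medium", "low" or "info"
    line: str


# Constructed sample: lines copied or trimmed from the DDS log (post #1) and
# the ComboFix log (post #3) in this thread, plus two known-good control lines
# (the Adobe BHO and the java.sun.com DPF) that must NOT be flagged.
SAMPLE_LOG = r"""
Security Center#ANTIVIRUSDISABLENOTIFY
Security Center#FIREWALLDISABLENOTIFY
Security Center#UPDATESDISABLENOTIFY
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uURLSearchHooks: H - No File
mRun: [<NO NAME>]
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://80.75.240.242/activex/AxisCamControl.cab
LSA: Authentication Packages = msv1_0 wvauth
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
Infected copy of c:\windows\system32\drivers\disk.sys was found and disinfected
"""

# DDS defangs URLs as hxxp://; accept the real scheme as well.
_RAW_IP_HOST = re.compile(r"h(?:xx|tt)ps?://(\d{1,3}(?:\.\d{1,3}){3})(?:[:/]|$)", re.I)
# The GloballyOpenPorts form ComboFix prints: "3389:TCP"= ...
_OPEN_PORT = re.compile(r'^"(\d{1,5}):(TCP|UDP)"\s*=', re.I)
# Both the DDS form ("LSA: Authentication Packages = ...") and the ComboFix
# form ("Authentication Packages REG_MULTI_SZ ...") end with the package list.
_LSA_PACKAGES = re.compile(r"Authentication Packages\s*=?\s*(?:REG_MULTI_SZ\s+)?(.+)$", re.I)
_DISINFECTED = re.compile(r"Infected copy of (\S+) was found and disinfected", re.I)


def _check_line(line: str) -> Optional[Finding]:
    s = line.strip()
    if not s:
        return None
    # Windows Security Center "don't warn me" flags. Legitimate suites set
    # these too, but rogue AV (the Rogue.AntivirusSoft hit in post #1) sets all three.
    if s.startswith("Security Center#") and s.upper().endswith("DISABLENOTIFY"):
        return Finding("securitycenter-notify-suppressed", "medium", s)
    # Autostart entry whose target is gone: leftover of a removed component.
    if s.endswith("- No File") or "[<NO NAME>]" in s:
        return Finding("orphaned-autostart", "low", s)
    # Explorer policy the user may never have set; sempai asks about exactly this.
    if s.startswith(("mPolicies-", "uPolicies-")):
        return Finding("explorer-policy-set", "info", s)
    # ActiveX control (Downloaded Program Files) fetched from a bare IP, not a hostname.
    if s.startswith("DPF:"):
        m = _RAW_IP_HOST.search(s)
        if m:
            try:
                ipaddress.IPv4Address(m.group(1))
            except ValueError:
                return None
            return Finding("activex-from-raw-ip", "medium", s)
        return None
    # Anything beyond msv1_0 is a DLL loaded into lsass.exe at boot.
    if "Authentication Packages" in s:
        m = _LSA_PACKAGES.search(s)
        if m and any(p.lower() != "msv1_0" for p in m.group(1).split()):
            return Finding("extra-lsa-auth-package", "medium", s)
        return None
    m = _OPEN_PORT.match(s)
    if m:
        # 3389 is Remote Desktop; open in the global list it is high exposure.
        sev = "high" if m.group(1) == "3389" else "medium"
        return Finding("firewall-globally-open-port", sev, s)
    if _DISINFECTED.search(s):
        return Finding("system-driver-patched", "high", s)
    return None


_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def triage(text: str) -> List[Finding]:
    """Return every flagged line, most severe first (log order within a severity)."""
    found = [f for f in map(_check_line, text.splitlines()) if f is not None]
    return sorted(found, key=lambda f: _ORDER[f.severity])


def summarize(findings: List[Finding]) -> dict:
    counts = {k: 0 for k in _ORDER}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result:
        print(f"[{f.severity:<6}] {f.rule:<32} {f.line}")
    print(summarize(result))
```

Run as-is it prints the eleven flagged lines, the two high ones (the open 3389/TCP rule and the patched disk.sys) first, and leaves the Adobe BHO and the java.sun.com DPF untouched. To use it on a real log, replace SAMPLE_LOG with the file contents; the parser only looks at one line at a time, so it does not care which section of the DDS or ComboFix report a line came from.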

#4 sempai (Malware Response Team)

Posted 15 June 2010 - 08:58 AM

Hi WillyJ,


QUOTE
I hope I remember all the things I have to turn back on when we're done.

Don't worry, I've listed them all. :)


=================================


Please download Malwarebytes' Anti-Malware from here:
MalwareBytes' AntiMalware download link

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK on either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#5 WillyJ

WillyJ
  • Topic Starter

  • Members
  • 15 posts
  • Local time:11:06 PM

Posted 15 June 2010 - 09:18 AM

I clicked OK but there were no items to check and Remove. I'm a happy man! MBAM log posted here:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4199

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/15/2010 10:10:47 AM
mbam-log-2010-06-15 (10-10-47).txt

Scan type: Quick scan
Objects scanned: 154891
Time elapsed: 2 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:06 AM

Posted 15 June 2010 - 09:31 AM

Hi,

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

Edited by sempai, 15 June 2010 - 09:35 AM.

~Semp



#7 WillyJ

WillyJ
  • Topic Starter

  • Members
  • 15 posts
  • Local time:11:06 PM

Posted 15 June 2010 - 02:09 PM

Sempai,

I ran ESET Online Scan and it came up with nothing found. So there is no "List of Found Threats" to report.

I must admit though that I jumped the gun and I apologize if I did something wrong. After the last scan, I was curious as to whether SuperAntiSpyware would find anything. So I ran the SuperAntiSpyware "Quick Scan". It did find 14 threats in the form of Tracking Cookies. The one tracking cookie that I recognized immediately was C:\Documents and Settings\bills\Cookies\bills@atwola[2].txt. I'm almost positive that SuperAntiSpyware said that there were 14 Tracking Cookies, but I just looked at the Quarantine Log and it only shows the one above.

I think I told you early on that I found it strange that no matter how many times I ran SuperAntiSpyware it would come up with Tracking Cookies. Some had strange names, but the one above was always there.

O.K. So before I sent this reply, I decided to run SuperAntiSpyware one more time. This is just after running ESET Online Scan. And SuperAntiSpyware is still showing threats in the form of Tracking cookies. This time it came up with 11! They are:

C:\Documents and Settings\bills\Cookies\bills@ad.wsod[2].txt
C:\Documents and Settings\bills\Cookies\bills@adecn[1].txt
C:\Documents and Settings\bills\Cookies\bills@advertising[2].txt
C:\Documents and Settings\bills\Cookies\bills@at.atwola[2].txt
C:\Documents and Settings\bills\Cookies\bills@atdmt[1].txt
C:\Documents and Settings\bills\Cookies\bills@atwola[2].txt
C:\Documents and Settings\bills\Cookies\bills@ehg-eset.hitbox[2].txt
C:\Documents and Settings\bills\Cookies\bills@hitbox[2].txt
C:\Documents and Settings\bills\Cookies\bills@kanoodle[2].txt
C:\Documents and Settings\bills\Cookies\bills@msnbc.112.2o7[1].txt
C:\Documents and Settings\bills\Cookies\bills@tacoda[1].txt

I was curious as to whether or not my Firewall was on. I checked by going to Control Panel and Windows Firewall. It says that it is on. One thing I find curious though is that on the exceptions page there is a program called aolload.exe. Should that be checked?

I thought we were making progress. Now I'm not sure.

WillyJ



#8 WillyJ

WillyJ
  • Topic Starter

  • Members
  • 15 posts
  • Local time:11:06 PM

Posted 15 June 2010 - 03:06 PM

SuperAntiSpyware keeps finding C:\Documents and Settings\bills\Cookies\bills@atwola[2].txt but can't get rid of it. I ran SuperantiSpyware 2 times in a row. It found it the first time and said it processed and removed it. But when I ran it again after doing nothing, it was still showing as being there.

The problem seems to be that I always start with just bills@atwola[2].txt, but it won't take long and there will be more.

WillyJ

#9 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:06 AM

Posted 16 June 2010 - 05:40 AM

Hi,

Tracking cookies are just text files; they are not executable and are totally harmless. They are created when you visit certain web sites.

You can block cookies from your browser but rejecting cookies makes some websites unusable.


Firefox
To delete all cookies:
Open Firefox > Tools > Options > Privacy > Show cookies > Remove all cookies.

To block cookies:
Open Firefox > Tools > Options > Privacy > uncheck "Accept cookies from sites" > OK.

To disable third-party cookies (Recommended):
Open Firefox > Tools > Options > Privacy > uncheck "Accept third-party cookies from sites" > OK.

Under "Keep until:" > choose "I close Firefox" so they will automatically be deleted when you close Firefox.

To automatically delete browsing history:
Open Firefox > Tools > Options > Privacy > put a check mark on "Clear history when Firefox closes" > Click OK.



Internet Explorer
To delete all cookies:
Open I-E > Tools > Internet Options > General > Under "Browsing History" click Delete > Put a check mark on "cookies" and click delete.

To block cookies:
Open I-E > Tools > Internet Options > Privacy > Advanced > Put a check mark on "Override automatic cookie handling" > "Block" cookies and click OK.

To disable third-party cookies (Recommended):
Open I-E > Tools > Internet Options > Privacy > Advanced > Put a check mark on "Override automatic cookie handling" > "Block Third-party cookies" and click OK.

To automatically delete browsing history:
Open I-E > Tools > Internet Options > General > Put a check mark on "Delete browsing history on exit" > click Apply > click OK.

~Semp



#10 WillyJ

WillyJ
  • Topic Starter

  • Members
  • 15 posts
  • Local time:11:06 PM

Posted 16 June 2010 - 08:16 AM

sempai,

I understand that, but there is still something going on here. Yesterday I tried to go into Mapquest (I have the website saved in favorites) and I was directed to a different website. When I tried a second time, it took me to the correct site.

I understand that Cookies are not executable, but why does this one cookie "bills@atwola[2].txt" keep showing up? And why can't I get rid of it?

I think one of the ways that my computer got infected in the first place was that I got curious about this Cookie. So I googled "@atwola[2].txt". Google came up with a website that seemed to confirm my fears, saying that "@atwola[2].txt" was attached to Malware, etc. I wanted to learn more so I clicked on the website. As soon as I got to the website, an Avast warning came up saying that my computer was being attacked.

In the future I won't be so curious!

WillyJ

#11 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:06 AM

Posted 16 June 2010 - 08:43 AM

ATWOLA = AOL Time Warner Online Advertising

If you're using AOL then it's the reason why it keeps coming back. Try to block atwola.com in your browser or try not to use AOL and see if there are any changes.


==========================================


Please go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply .
Note: Kaspersky online scan may take time to complete, please be patient.




~Semp



#12 WillyJ

WillyJ
  • Topic Starter

  • Members
  • 15 posts
  • Local time:11:06 PM

Posted 16 June 2010 - 10:51 AM

I have been unable to run the Kaspersky Online Scan. I keep getting the message "Launch of Java Application Interupted. Please establish an uninterupted internet connection with this process."

How do I do that?

#13 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:06 AM

Posted 16 June 2010 - 05:28 PM

Hi,

Please update your Java, then try Kaspersky scan once more.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
  • Download the latest version of  Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.

Edited by sempai, 18 June 2010 - 10:53 AM.

~Semp



#14 WillyJ

WillyJ
  • Topic Starter

  • Members
  • 15 posts
  • Local time:11:06 PM

Posted 17 June 2010 - 09:08 AM

sempai,

OK. Got rid of the old version of Java and downloaded the new version. You were right... Kaspersky now ran. Wow... that took a long time! Report is below. A new question. If I go to Explore my computer, why is it that I can't see a "Cookies" folder in my Documents and Settings\bills folder? When I ran Superantispyware and it said it found those tracking cookies, it said that they were in the C:\Documents and Settings\bills\Cookies folder. But I don't see that folder.

After I was done running the Kaspersky, I ran Superantispyware again just to see if it still came up with that atwola[2].txt file. It did. It says that it deletes the file, but as I said, it never goes away. As far as I know I do not use AOL and never have.

WillyJ

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, June 17, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, June 16, 2010 16:21:16
Records in database: 4286134
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
P:\
S:\
V:\
W:\

Scan statistics:
Objects scanned: 138363
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 02:28:03


File name / Threat / Threats count
P:\Dave\Refrog\MpkNetInstall.exe Infected: not-a-virus:Monitor.Win32.KGBSpy.hv 1
P:\Dave\Refrog\MpkNetInstall.exe Infected: not-a-virus:Monitor.Win32.KGBSpy.hu 1

Selected area has been scanned.


#15 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:06 AM

Posted 18 June 2010 - 05:25 AM

Hi,

QUOTE
A new question. If I go to Explore my computer why is it that I can't see a "Cookies" folder in my Documents and Settings\bills folder? When I ran Superantispyware and it said it found those tracking cookies, it said that they were in the C:\Documents and Settings\bills\Cookies folder. But I don't see that folder.

Because they are hidden, to view them:
  1. Open My computer
  2. Click Tools > Folder Options > View
  3. Check Show hidden files and folders
  4. Uncheck Hide protected operating system files
  5. Click Apply > click OK.


Just like I've said, there's nothing to worry about here.

Did you follow my advice to block 3rd party cookies and to automatically delete browsing history after closing your browser?
Did you block atwola.com? If not please do so:
  1. Click Start > Control Panel > Network and internet connections > Privacy > Sites
  2. Input atwola.com into the address of website box
  3. Click Block
  4. Click OK

Navigate to C:\WINDOWS\system32\drivers\etc
  1. Right click on Hosts > click properties
  2. Uncheck Read-only
  3. Click apply > OK
  4. Open Hosts file with a notepad
  5. Add the following lines to the end of the text file. (do not include the word code).
    CODE
    127.0.0.1 ar1.atwola.com
    127.0.0.1 ar2.atwola.com
    127.0.0.1 ar3.atwola.com
    127.0.0.1 ar4.atwola.com
    127.0.0.1 ar5.atwola.com
    127.0.0.1 ar6.atwola.com
    127.0.0.1 ar7.atwola.com
    127.0.0.1 ar8.atwola.com
    127.0.0.1 ar9.atwola.com
  6. Save and close the file.
  7. Right click on Hosts again > click properties
  8. check Read-only
  9. Click apply > OK
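The hosts-file steps above are easy to get wrong by hand (a typo in a hostname, a duplicate line, forgetting to put Read-only back). The script below is an added example, not code from this thread or from any tool named in it; it carries out the same steps in Python on an XP-style hosts file. The nine ar1-ar9.atwola.com entries and the C:\WINDOWS\system32\drivers\etc\hosts path come from the post; the function names, the hostname check and the read-only handling via os.chmod are this example's own assumptions.

```python
"""Idempotent hosts-file blocklist merge (added example, not from the thread).

Reproduces the manual procedure from the post: clear Read-only, append
127.0.0.1 entries for hosts that are not already listed, restore Read-only.
"""
import os
import re
import stat

# Path named in the post (Windows XP layout).
HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# The nine entries from the post.
ATWOLA_HOSTS = [f"ar{n}.atwola.com" for n in range(1, 10)]

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def is_valid_hostname(name):
    """True for a well-formed, fully qualified hostname (case-insensitive)."""
    return bool(HOSTNAME_RE.match(name.strip().lower()))


def parse_hosts(text):
    """Map each hostname already present (lower-cased) to its address.

    Text after '#' is ignored, so a commented-out entry does not count
    as present and will be added again as a live line.
    """
    present = {}
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()          # address, then one or more names
        for name in fields[1:]:
            present[name.lower()] = fields[0]
    return present


def merge_hosts(text, hostnames, sink="127.0.0.1"):
    """Return (new_text, added): text with sink lines for hostnames not yet listed.

    A malformed hostname raises ValueError so a typo never reaches the file.
    Existing lines are left untouched; new lines are appended at the end.
    """
    present = parse_hosts(text)
    added = []
    for raw in hostnames:
        name = raw.strip().lower()
        if not is_valid_hostname(name):
            raise ValueError(f"not a valid hostname: {raw!r}")
        if name in present:
            continue                   # already mapped; running twice is safe
        present[name] = sink
        added.append(name)
    if not added:
        return text, added
    if text and not text.endswith("\n"):
        text += "\n"
    text += "".join(f"{sink} {name}\n" for name in added)
    return text, added


def apply_to_file(path, hostnames, sink="127.0.0.1"):
    """Steps 1-9 of the post on a real file: clear Read-only, write, restore."""
    mode = os.stat(path).st_mode
    os.chmod(path, mode | stat.S_IWRITE)        # step 2: uncheck Read-only
    try:
        with open(path, "r", encoding="ascii", errors="replace") as fh:
            old = fh.read()
        new, added = merge_hosts(old, hostnames, sink)
        if added:
            # Write CRLF line endings, as Windows tools expect.
            with open(path, "w", encoding="ascii", newline="\r\n") as fh:
                fh.write(new)
    finally:
        os.chmod(path, mode & ~stat.S_IWRITE)   # step 8: check Read-only again
    return added


if __name__ == "__main__":
    # Constructed sample of a hosts file where one atwola host is already blocked.
    SAMPLE = "# Hosts file\n127.0.0.1 localhost\n127.0.0.1 ar1.atwola.com\n"
    merged, added = merge_hosts(SAMPLE, ATWOLA_HOSTS)
    print(merged)
    print("added:", added)
    # On the real machine (run as Administrator): apply_to_file(HOSTS_PATH, ATWOLA_HOSTS)
```

Running it twice adds nothing the second time, which is the property you want from a blocklist you maintain by hand over weeks: the check is on the hostname, not on the whole line, so a host already pointed somewhere else is reported as present rather than duplicated.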





~Semp





