
Infected with Virus slowing Down PC


8 replies to this topic

#1 stratsp
  • Members
  • 19 posts

Posted 16 June 2010 - 10:39 PM

Hello Sir,
I had infected my PC earlier, so I formatted my PC and it was working fine, but a few days later the problem has restarted. Though my net is working in the PC, everything has slowed down drastically. I installed Symantec Corporate Edition and did a scan. It took almost an hour to remove many .dll files from the C:\windows\temp folder, stating them to be viruses, and then pointed at almost all the exe's in other drives as infected and cleaned them all.

There were two threats that it detected:
1) Infostealer.Gampass
2) W32.Wapomi!inf

I have scanned it again in both normal and safe mode and the anti-virus doesn't detect anything, but still the PC is slowed down too much. I also suspect that I got the infection from my office PC, as I use a USB flash drive to move data here and there. Though the symptoms are not the same there: the PC is slow only at start-up and my LAN doesn't work for more than an hour daily. I have to disable/enable/remove the LAN cable etc. to get it to function.

Could you suggest something?

Thanks for your patience,
stratsp

Edited by Orange Blossom, 16 June 2010 - 10:59 PM.
Move to AII as no logs posted and prep. guide not followed. ~ OB




#2 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,936 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 17 June 2010 - 10:19 AM

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Please download Norman Malware Cleaner and save it to your desktop.
alternate download link
  • Be sure to read all the information Norman provides on the same page.
  • Double-click on Norman_Malware_Cleaner.exe to start the program.
  • Read the End User License Agreement and click the Accept button to open the scanning window.
  • Click Start Scan to begin.
  • In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot and run the tool again to ensure that all infections are removed.
  • After the scan has finished, a log file named NFix_date_time (i.e. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.
  • Copy and paste the contents of that file in your next reply.
Note: For USB flash drives and/or other removable drives to scan, use the Add button to browse to the drive's location, click on the drive to highlight it and choose Ok.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 stratsp
  • Topic Starter
  • Members
  • 19 posts

Posted 17 June 2010 - 10:48 PM

Can't download TFC.

It says "Firefox can't find the server at oldtimer.geekstogo.com".

#4 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,936 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 June 2010 - 05:57 AM

Both links work for me. If you still cannot download it, then do this instead.

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link
  • Close all open browsers before using, especially FireFox. <-Important!!!
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Notes: On Vista, "Windows Temp" is disabled. To empty Temp, ATF-Cleaner must be Run As Administrator.
The Prefetch cleaning feature has been disabled for Vista Users. Tabs for applications that are not installed are grayed out.


#5 stratsp
  • Topic Starter
  • Members
  • 19 posts

Posted 18 June 2010 - 08:39 AM

Hi, I downloaded TFC; it must have been some server problem earlier.
I used TFC and MBAM as per your instructions and am attaching its log. Though Norman Malware Remover is giving an error
that says
"Unable to extract resource: nsak.sys.Error(0x00000002)"
I will retry downloading it again once though.

I have attached MBAM's log along with this reply.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4211

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/18/2010 6:57:53 PM
mbam-log-2010-06-18 (18-57-53).txt

Scan type: Quick scan
Objects scanned: 124459
Time elapsed: 4 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 60
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{fd301436-732e-4f47-8da0-fbd8720c1e0b} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360se.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360softmgrsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360speedld.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ast.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krnl360svc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kswebshield.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvmonxp.kxp (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvsrvxp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcnasvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcods.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcproxy.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsacore.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpfsrv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpsvc1.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpsvc2.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msksrver.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qutmserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravmond.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravtask.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxtray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanfrm.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfctlcom.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmbmsrv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmproxy.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ufseagnt.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zhudongfangyu.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ms-tl_Srv (Spyware.OnLineGames) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{fd301436-732e-4f47-8da0-fbd8720c1e0b} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdAgent.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seccenter.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\mysafe.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zydxc1.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zydxc2.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zydxc3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zydxc4.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ctfmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.

I couldn't find the attachment option for the log, so I am using to differentiate the log

#6 stratsp
  • Topic Starter
  • Members
  • 19 posts

Posted 18 June 2010 - 11:34 AM

I have downloaded Norman and scanned, but the file is too large and I can't post it here, plus I can't see the attachment option. What do I do?

Please help....

Also, I thought this may help: a few days earlier I had the same problem, but I formatted my C: then and reinstalled Windows. This is the thread I created then:
http://www.bleepingcomputer.com/forums/t/317539/infected-with-wwwzuc32-probably/

Edited by stratsp, 18 June 2010 - 11:37 AM.


#7 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,936 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 June 2010 - 01:45 PM

Now rescan again with Malwarebytes Anti-Malware, but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (the preferred method) before scanning, and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

#8 stratsp
  • Topic Starter
  • Members
  • 19 posts

Posted 18 June 2010 - 09:33 PM

I did that also; the log is below, but Symantec is still showing some detections with the name Bloodhound.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4211

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/18/2010 7:55:42 PM
mbam-log-2010-06-18 (19-55-42).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 187451
Time elapsed: 43 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 81

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP26\A0012226.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP26\A0012230.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP27\A0012231.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP27\A0012232.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP27\A0013226.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP27\A0013227.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP27\A0013486.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP27\A0013487.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP27\A0013490.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP27\A0013230.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP27\A0013488.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0016514.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014393.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014396.sys (RootKit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014397.sys (RootKit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014398.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014402.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014403.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014407.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014432.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014433.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014434.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014435.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014436.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014437.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014438.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014439.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014440.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014441.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014442.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014443.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014444.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014445.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014446.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014447.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014448.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014451.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014459.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014460.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014476.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014477.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014498.sys (RootKit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014499.sys (RootKit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0014508.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0016507.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0016522.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP28\A0016530.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP29\A0016633.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP30\A0016651.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP30\A0017649.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP30\A0018649.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP30\A0018654.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP30\A0018668.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP30\A0019668.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP30\A0019680.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP30\A0019686.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP30\A0020713.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP30\A0021713.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP30\A0021718.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP31\A0022718.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP31\A0024765.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP31\A0025765.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP31\A0023765.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP31\A0025775.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP34\A0025909.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP34\A0025917.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP34\A0026929.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP35\A0026941.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP35\A0026947.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP35\A0026952.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP35\A0026969.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP35\A0027973.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP35\A0028009.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP35\A0029014.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP35\A0029042.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP35\A0029050.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP35\A0029055.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP36\A0030059.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP36\A0030064.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP36\A0030073.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{35241961-E012-4114-9FB3-155F991F4E4D}\RP41\A0056650.exe (Trojan.Dropper) -> Quarantined and deleted successfully.


#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,936 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:06 AM

Posted 18 June 2010 - 10:41 PM

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan were in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:

System Restore is the feature that protects your computer by monitoring a core set of system and application files and by creating backups (snapshots saved as restore points) of vital system configurations and files before changes are made. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations including registry modifications made by software or malware by reverting the operating system's configuration to an earlier date. See What's Restored when using System Restore and What's Not.

System Restore is enabled by default and will back up the good as well as malevolent files, so when malware is present on the system it gets included in restore points as an A00***** file. If you only get a detection on a file in the SVI folder, that means the original file was on your system in another location at some point and probably has been removed. However, when you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (in System Restore points) and moved into quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat. Thereafter, you can delete it at any time.

Norton Internet Security/Norton Anti-virus has the ability to detect unknown viruses of various types using heuristic algorithms known as Bloodhound Technology. An example of such a detection is shown here. According to Symantec, files that are detected as Bloodhound or Bloodhound.Exploit may or may not be malicious, and Symantec asks that you submit virus samples detected as this threat to the Symantec Security Response Team. Symantec's technology uses a specialized system to analyze the cataloged behaviors and assess the likelihood of viral infection. Bloodhound is not the name of a virus, but an alert displayed by NAV when it thinks it may have found a new virus which is categorized as an Exploit (usually followed by a number, i.e. Bloodhound.Exploit.213) in their definition files. Knowing the full exploit name with its numerical designation may yield further information from Symantec's website.

Heuristic analysis is the ability of an anti-virus program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware, which allows the anti-virus to detect and stop it before it does any harm to your system. Heuristic scanning methods vary depending on the vendor. Some claim to allow emulation of the file's activities in a virtual sandbox. Others scan the file more intensively, searching line by line and inspecting the code in a file to see if it contains virus-like characteristics. If the number of these characteristics/instructions exceeds a pre-defined threshold, the file is flagged as a possible virus.

The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as malicious. With heuristics, there is always a potential risk for a "False Positive" if the virus detection technology (AutoProtect Settings) is set to High for Bloodhound and the heuristic analysis flags a file as suspicious or infected that contains no malware. You may want to Reset Bloodhound to default settings and try scanning again.

Norton is doing its job when alerting to a Bloodhound exploit but from personal experience and testing, I have found some of these alerts to be a false positive. In any case, you need to investigate further and follow Symantec's instructions for submitting samples.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

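As an added illustration (not part of this thread or of quietman7's post), a small Python parser for scan log lines in the format posted above. It separates SVI restore-point detections (the _restore{GUID}\RP***\A00***** pattern) from detections of live files, so you can tell at a glance whether a scan found only backed-up copies in System Restore. The sample lines, the GUID and the C:\WINDOWS\Temp path are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the same format as the log in this thread.
# The GUID, sequence numbers and file names are made up for the example.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP28\A0014459.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP28\A0014498.sys (RootKit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP30\A0016651.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\example.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

# "<path> (<threat>) -> <action>." as written by the scanner
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^)]+)\) -> (?P<action>.+?)\.?$")

# System Restore backup copy: _restore{GUID}\RP<n>\A00<seq>.<ext>
SVI_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\A00(?P<seq>\d+)\.(?P<ext>\w+)$",
    re.IGNORECASE,
)

def parse_line(line):
    """Return a record for one log line, or None if the line is not a detection."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"path": m["path"], "threat": m["threat"], "action": m["action"], "svi": None}
    s = SVI_RE.search(rec["path"])
    if s:
        # RP number is the restore point; A00 sequence is the backup-copy index
        rec["svi"] = {"restore_point": int(s["rp"]), "sequence": int(s["seq"]), "ext": s["ext"].lower()}
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def summarize(records):
    """Split detections into restore-point copies and live files and count them."""
    svi = [r for r in records if r["svi"]]
    live = [r for r in records if not r["svi"]]
    return {
        "total": len(records),
        "svi_only": bool(svi) and not live,   # True: only backed-up copies were hit
        "by_restore_point": dict(Counter(r["svi"]["restore_point"] for r in svi)),
        "live_paths": [r["path"] for r in live],
        "threats": dict(Counter(r["threat"] for r in records)),
    }
```

A live path in `live_paths` means the scanner hit a file outside System Restore, which is worth a closer look than an SVI-only result.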



