
dll file


13 replies to this topic

#1 Evice

Posted 10 September 2010 - 01:10 PM

I was recently infected with the security suite virus, and used a combination of Spybot and Malwarebytes to get rid of it. However I am not completely sure it is all gone, plus another scan (by Panda, and I didn't purchase it) told me I have Trj/CI.A and patched.AC infections which McAfee, Malwarebytes and Spybot all don't see.

When I start up now I get the message that WINDOWS/phecdi.dll can't be found, anyone know what this is? Is it perhaps fallout from my infections? I did delete two dll files that I thought were part of the trojan as they were created on the day and time the trojan hit me and have similar names to other files I saw at that time, these are still in my recycle bin.

Also is anyone able to recommend a safe free program that will get rid of patched.AC and Trj/CI.A?

Any help will be appreciated, thanks :thumbsup:

Edited by Andrew, 10 September 2010 - 01:48 PM.
Mod Edit: Moved From Tips & Tricks - AA



 


#2 boopme


Posted 10 September 2010 - 01:53 PM

Hello, I moved this to the Am I Infected forum for further scans.

On the DLL issue. It's not unusual to receive such an error after using specialized fix tools.

A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.

Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message. Such as -->>phecdi.dll
Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Do an online scan and let me know how it is after those.
ESET
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Eset Smart Installer icon on your desktop.
  • Check the "YES, I accept the Terms of Use"
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push "List of found threats"
  • Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the "<<Back" button.
  • Push Finish
In your next reply, please include the following:
  • Eset Scan Log


NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
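The orphaned-startup-entry check that post #2 describes doing by hand in Autoruns, as an added example (not part of the thread and not Autoruns' own logic). It covers only the two Run registry keys, which are a subset of what Autoruns lists; the `rundll32` command form, the value names and all sample entries are constructed assumptions, and only the name phecdi.dll comes from the thread.

```python
import ntpath
import os
import re

try:
    import winreg  # present only on Windows
except ImportError:
    winreg = None

RUN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
EXT = re.compile(r"^(.+?\.(?:exe|dll|com|bat|cmd|scr))(?=[\s,]|$)", re.I)

def expand(text, env):
    """Expand %VAR% references from a mapping whose keys are upper-case."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), text)

def split_first(command):
    """Return (first path, remainder) of a command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:                        # unbalanced quote: take everything
            return command[1:], ""
        return command[1:end], command[end + 1:]
    head = command.split(" ", 1)[0]
    if "\\" not in head:                     # bare name: rundll32, name.dll,Entry
        first = head.split(",", 1)[0]
        return first, command[len(first):]
    m = EXT.match(command)                   # unquoted path that may contain spaces
    if m:
        return m.group(1), command[m.end():]
    return head, command[len(head):]

def target_of(command, env):
    """File a startup command loads; for rundll32 that is its DLL argument."""
    program, rest = split_first(expand(command, env))
    if ntpath.basename(program).lower() in ("rundll32", "rundll32.exe") and rest.strip():
        program, _ = split_first(rest)
    return program

def candidates(path, env):
    """Absolute paths as-is; bare names are tried in system32 and the Windows dir."""
    if ntpath.isabs(path):
        return [path]
    root = env.get("SYSTEMROOT", r"C:\WINDOWS")
    return [ntpath.join(root, "system32", path), ntpath.join(root, path)]

def find_orphans(entries, exists=os.path.exists, env=None):
    """Return (location, value name, target) for entries whose target file is gone."""
    env = {k.upper(): v for k, v in (env or os.environ).items()}
    orphans = []
    for location, name, command in entries:
        target = target_of(command, env)
        if target and not any(exists(p) for p in candidates(target, env)):
            orphans.append((location, name, target))
    return orphans

def read_run_keys():
    """Read both Run keys on a live Windows system (returns [] elsewhere)."""
    entries = []
    if winreg is None:
        return entries
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    for label, hive in hives.items():
        try:
            with winreg.OpenKey(hive, RUN) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, value, _type = winreg.EnumValue(key, i)
                    entries.append((label + "\\" + RUN, name, str(value)))
        except OSError:
            continue                         # key absent or unreadable
    return entries

# Constructed sample data: what the Run key might hold after the scanner
# deleted the DLL but left the entry that loads it.
LOC = "HKLM\\" + RUN
SAMPLE = [
    (LOC, "phecdi", r'rundll32.exe "C:\WINDOWS\phecdi.dll",Startup'),
    (LOC, "ExampleTray", r"C:\Program Files\Example Tool\tray.exe -min"),
    (LOC, "ctfmon.exe", r"%SystemRoot%\system32\ctfmon.exe"),
    (LOC, "ExampleHelper", r"rundll32 examplehelper.dll,Run"),
]
SAMPLE_ENV = {"SystemRoot": r"C:\WINDOWS"}
PRESENT = {r"c:\windows\system32\ctfmon.exe",
           r"c:\program files\example tool\tray.exe",
           r"c:\windows\system32\examplehelper.dll"}

def sample_exists(path):
    """Stand-in for the file system so the sample runs on any machine."""
    return path.lower() in PRESENT

if __name__ == "__main__":
    live = read_run_keys()
    found = find_orphans(live) if live else find_orphans(SAMPLE, sample_exists, SAMPLE_ENV)
    for location, name, target in found:
        print(f"orphaned: {location} [{name}] -> {target}")
```

The script only reports; deleting a reported value is the manual step described above, after confirming the missing file is the one named in the startup error.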

#3 Evice


Posted 10 September 2010 - 08:31 PM

Hi thank you very much for your help.

I ran through all the things you mentioned, Malwarebytes still didn't come up with anything. ESET came up with two that I haven't seen before though! Not the two that Panda showed up, they seem to be stacking up lol. ESET log:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMuollo1.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\WINDOWS\system32\hlp.dat Win32/Bamital.DZ trojan cleaned by deleting - quarantined


Thanks again for your help :thumbsup:

#4 boopme


Posted 11 September 2010 - 10:16 AM

Hello, did Panda say it deleted, removed or quarantined it? Do you have 2 active AV's running, Panda and McAfee?

Also I want you to know this about the Panda and last ESET finds.
These malwares take screenshots and send them home.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

#5 Evice


Posted 11 September 2010 - 10:24 AM

Panda wanted me to buy it to clean the files, I didn't do this and so they were not cleaned.
I did download a trial of something else which said it removed patched.AC but I'm not certain if this is true or not.

I don't really want to start over; although I have most of my stuff backed up I still stand to lose too much, plus if I format and start over I can't guarantee I won't get these things again a week later as I don't know where I got them from to start with.

I never open email links unless the person sending it writes something to make me know it's them, I don't download music or films etc. I appeared to get security suite from looking up a walkthrough for a game. The others I don't know.

I would like to try and wipe the infections rather than start over.

Edited by Evice, 11 September 2010 - 10:35 AM.


#6 boopme


Posted 11 September 2010 - 04:30 PM

Ok, let's run one more scan, It IS long but we want to be sure. I think you are in good shape.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the anti-virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


#7 Evice


Posted 12 September 2010 - 09:57 AM

boopme you are my hero for walking me through all this mess, thank you :thumbsup:

Here is what happened when I followed the steps, Dr Web log:

RegUBP2b-Jenny.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;

After the scan finished I had a Windows message come up to say that C/??? had corrupt files and on reboot it insisted on doing check disk. Check disk deleted a ton of corrupt, orphaned and index files before Windows would start up.

Now that I am online McAfee is telling me it is not protecting me because it has No ID, if I press fix, nothing happens and Windows keeps telling me that McAfee virus is off. I am guessing something to do with the scan I just did caused this but I am not sure what to do about it.


Update: I reinstalled McAfee from the disc and it is working now.

Other than that things seem to be working although I notice it didn't find the Trj/CI.A that Panda said I had.

Edited by Evice, 12 September 2010 - 11:06 AM.


#8 boopme


Posted 12 September 2010 - 11:49 AM

Hello and you are welcome. This is an XP system? We may have gotten it under a different name as many tools have different names for the malwares.
We could still run another scan if you would spend the 2 hours.

Next run ATF and SAS: If you cannot access Safe Mode, run in normal, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

#9 Evice


Posted 14 September 2010 - 10:38 AM

I followed the list again and got this log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/14/2010 at 03:47 PM

Application Version : 4.42.1000

Core Rules Database Version : 5502
Trace Rules Database Version: 3314

Scan type : Complete Scan
Total Scan Time : 00:39:24

Memory items scanned : 274
Memory threats detected : 0
Registry items scanned : 8531
Registry threats detected : 2
File items scanned : 29758
File threats detected : 65

Adware.Tracking Cookie

Disabled.SecurityCenterOption
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#ANTIVIRUSDISABLENOTIFY
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#FIREWALLDISABLENOTIFY

Application.PowerReg Scheduler
C:\DOCUMENTS AND SETTINGS\JENNY\START MENU\PROGRAMS\STARTUP\POWERREG SCHEDULER V3.EXE

Rogue.Agent/Gen-Nullo[DLL]
C:\WINDOWS\IXECUZUH.DLL


The computer seems to be running ok, I was hoping it would seem faster once everything had been removed but it is the same, however it's about 5 years old so maybe I am expecting too much from it. After we did the first scan I am no longer being re-directed to other sites when I try and use the internet, although it still boggles me how each new program I scan with finds something different each time, it's scary.
Do you think I am clear now? Thanks again.

#10 boopme


Posted 14 September 2010 - 10:50 AM

Hello we can do a couple of things yet. Have you defragmented the hard drive lately?
Let's pull off some junk files and do an Online scan.

TFC by OT
Please download TFC by Old Timer and save it to your desktop.
alternate download link
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.



ESET
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Eset Smart Installer icon on your desktop.
  • Check the "YES, I accept the Terms of Use"
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push "List of found threats"
  • Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the "<<Back" button.
  • Push Finish
In your next reply, please include the following:
  • Eset Scan Log


NOTE: In some instances if no malware is found there will be no log produced.

#11 Evice


Posted 15 September 2010 - 12:41 PM

Hi there, yes I defragged over the weekend. Also forgot to mention I have Windows XP. I followed your instructions and was quite surprised at how much TFC deleted.

The ESET scan came up with no threats and so there was no log. I am thinking that Panda may be the only ones who seem able to spot the Trj trojan though?

#12 boopme


Posted 16 September 2010 - 09:59 PM

Hello, sorry for the delay, a family emergency came up.

Other Common Detection Aliases

Company Name   Detection Name
Avast          Win32:Patched-OQ [Trj]
Avira          TR/Crypt.ASPM.Gen
Kaspersky      Trojan.Win32.Patched.iv
ClamAV         PUA.Packed.ASPack
Microsoft      virus:win32/ruirui.gen!a [generic]
Symantec       Suspicious.Insight
Eset           Win32/Agent.NAT virus
Panda          Trj/CI.A
Rising         Win32.RuiRui.f
McAfee         W32/Fujacks.bh

So I think we should let Kaspersky run, probably the best malware detection scanner... Only this will not remove anything.
Also let's disable your AV while we run it.

Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista users need to right-click the IE or FF Start Menu or Quick Launch Bar icons and Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the Posted Image... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the Posted Image... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the Posted Image... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#13 Evice


Posted 20 September 2010 - 10:14 AM

Hey there, hope that your family are ok, thanks for your reply.

I did before scan using Kaspersky shortly after I scanned with Panda, I am loathe to run it again as it made me take McAfee completely out causing all kinds of problems, and now that I have put McAfee back in it no longer updates and keeps telling me that my McAfee is not supported any more and is out of date. I need to get onto them to fix this as I get McAfee with my broadband provider and so payments are up to date.

#14 boopme


Posted 20 September 2010 - 11:44 AM

Unfortunately McAfee doesn't play nice with other tools. After you get it sorted rescan and see.

This link may be of help to get all McAfee off before reinstalling. Make sure you close it in the taskbar by the clock first.
http://service.mcafee.com/FAQDocument.aspx?id=TS100507