Infected please guide with ComboFix


7 replies to this topic

#1 stevinh (Members, 4 posts)

Posted 15 October 2010 - 09:00 PM

Hello All,

I am a new member and I've been infected. I would very much appreciate some help on removing whatever it is that is infecting my computer. It's been a whole week of scanning with S&D, AdAware, TrendMicro etc. and nothing has helped. It seems like everyone suggests using ComboFix.

Would someone please take some time to guide me through this process to remove the virus? Thank you very much in advance.

Edited by Orange Blossom, 15 October 2010 - 10:37 PM.
Move to AII for initial assistance. ~ OB


#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,596 posts, Virginia, USA)

Posted 16 October 2010 - 03:13 PM

Please perform a scan with Malwarebytes Anti-Malware and follow these instructions for doing a Quick Scan in normal mode.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
-- If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

-- Some types of malware will target Malwarebytes Anti-Malware and other security tools to keep them from running properly. If that's the case, please refer to the suggestions provided in For those having trouble running Malwarebytes Anti-Malware as you may need to rename it or use RKill by Grinler.

Please download and scan with the Kaspersky Virus Removal Tool from one of the links provided below and save it to your desktop.
  • Link 1
  • Link 2
Be sure to print out and read the instructions provided in:
  • How to Install Kaspersky Virus Removal Tool
  • How to use the Kaspersky Virus Removal Tool
  • Double-click the setup file (i.e. setup_9.0.0.722_22.01.2010_10-04.exe) to install the utility.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  • Click Next to continue and it will install by default to your desktop folder. Click Next.
  • Click Ok at the prompt for scanning in Safe Mode if you booted into safe mode.
  • A window will open with a tab that says Autoscan and Manual disinfection.
  • Under Autoscan make sure these are checked:
      ◦ System Memory
      ◦ Startup Objects
      ◦ Disk Boot Sectors
      ◦ My Computer
      ◦ Any other drives (except CD-ROM drives)
  • Click the green Start scan button on the Autoscan tab in the main window.
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threats are left unneutralized in the Scan window (Red exclamation point), click the Neutralize all button.
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot, click the Ok button to close the window.
  • In the Scan window click the Reports button, name the report AVPT.txt and select Save to file.
  • Copy and paste the report results in your next reply. Do not include the longer list marked Events.
  • When done, follow these instructions on How to uninstall Kaspersky Virus Removal Tool 2010.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 stevinh (Topic Starter, Members, 4 posts)

Posted 16 October 2010 - 07:15 PM

Quietman7,

Thank you so much for replying. I did the Malwarebytes scan and here is the log.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4855

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

10/16/2010 5:05:36 PM
mbam-log-2010-10-16 (17-05-36).txt

Scan type: Quick scan
Objects scanned: 170216
Time elapsed: 7 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-1-5-21-57989841-920026266-839522115-1003\Dc220.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\fvz7q18h.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Documents\Server\server.dat (Malware.Trace) -> Quarantined and deleted successfully.

I am going to do the Kaspersky scan now.

#4 quietman7 (Bleepin' Janitor, Global Moderator, 51,596 posts, Virginia, USA)

Posted 17 October 2010 - 09:03 AM

After running Kaspersky's tool, rescan again with Malwarebytes Anti-Malware, but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

#5 stevinh (Topic Starter, Members, 4 posts)

Posted 17 October 2010 - 11:23 AM

I really really appreciate this help. My computer is already functioning better.

Autoscan: completed 13 hours ago (events: 155, objects: 844311, time: 01:59:29)
10/16/2010 5:25:11 PM Task started
10/16/2010 5:25:12 PM Detected: MEM:Rootkit.Win32.TDSS.d Unknown application
10/16/2010 5:25:12 PM Untreated: MEM:Rootkit.Win32.TDSS.d Unknown application Postponed
10/16/2010 5:25:41 PM Detected: Trojan.Win32.Patched.kl C:\WINDOWS\Explorer.EXE
10/16/2010 5:25:42 PM Untreated: Trojan.Win32.Patched.kl C:\WINDOWS\Explorer.EXE Postponed
10/16/2010 5:41:07 PM Detected: Trojan.Win32.Patched.kl C:\WINDOWS\system32\winlogon.exe
10/16/2010 5:41:07 PM Untreated: Trojan.Win32.Patched.kl C:\WINDOWS\system32\winlogon.exe Postponed
10/16/2010 5:41:09 PM Detected: MEM:Rootkit.Win32.TDSS.d System Memory
10/16/2010 5:48:45 PM Task stopped
10/16/2010 5:55:43 PM Task started
10/16/2010 6:05:54 PM Detected: Exploit.Java.Agent.cw C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\12\20c3828c-4ab3dc74/KAK/NED/crime4u.class
10/16/2010 6:05:54 PM Untreated: Exploit.Java.Agent.cw C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\12\20c3828c-4ab3dc74/KAK/NED/crime4u.class Postponed
10/16/2010 6:05:54 PM Detected: Exploit.Java.Agent.cu C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\12\20c3828c-4ab3dc74/KAK/NED/sexxxy.class
10/16/2010 6:05:54 PM Untreated: Exploit.Java.Agent.cu C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\12\20c3828c-4ab3dc74/KAK/NED/sexxxy.class Postponed
10/16/2010 6:05:54 PM Detected: Exploit.Java.Agent.cv C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\12\20c3828c-4ab3dc74/KAK/NED/NOD32.class
10/16/2010 6:05:54 PM Untreated: Exploit.Java.Agent.cv C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\12\20c3828c-4ab3dc74/KAK/NED/NOD32.class Postponed
10/16/2010 6:05:54 PM Detected: Exploit.Java.CVE-2009-3867.j C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\53\2eb68b5-4d01d6be/seopack.class
10/16/2010 6:05:54 PM Untreated: Exploit.Java.CVE-2009-3867.j C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\53\2eb68b5-4d01d6be/seopack.class Postponed
10/16/2010 6:06:26 PM Detected: Exploit.Win32.CVE-2010-2883.a C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BWIITXGE\xH8acce7c3V0100f070006R3595b43c102Tc675e6be201l0409327[1].pdf/data0000
10/16/2010 6:06:26 PM Untreated: Exploit.Win32.CVE-2010-2883.a C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BWIITXGE\xH8acce7c3V0100f070006R3595b43c102Tc675e6be201l0409327[1].pdf/data0000 Postponed
10/16/2010 6:10:58 PM Detected: Trojan-Downloader.Java.Agent.fl C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\1\11e45981-23930813/dev/s/AdgredY.class
10/16/2010 6:10:58 PM Untreated: Trojan-Downloader.Java.Agent.fl C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\1\11e45981-23930813/dev/s/AdgredY.class Postponed
10/16/2010 6:10:58 PM Detected: Exploit.Java.Agent.du C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\1\4cb45281-62edc7c7/vmain.class
10/16/2010 6:10:58 PM Detected: Trojan-Downloader.Java.Agent.fk C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\1\11e45981-23930813/dev/s/DyesyasZ.class
10/16/2010 6:10:58 PM Untreated: Exploit.Java.Agent.du C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\1\4cb45281-62edc7c7/vmain.class Postponed
10/16/2010 6:10:58 PM Untreated: Trojan-Downloader.Java.Agent.fk C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\1\11e45981-23930813/dev/s/DyesyasZ.class Postponed
10/16/2010 6:10:58 PM Detected: Trojan-Downloader.Java.Agent.fj C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\1\11e45981-23930813/dev/s/LoaderX.class
10/16/2010 6:10:58 PM Untreated: Trojan-Downloader.Java.Agent.fj C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\1\11e45981-23930813/dev/s/LoaderX.class Postponed
10/16/2010 6:10:59 PM Detected: Exploit.Java.Agent.du C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\13\7efe204d-6220b799/vmain.class
10/16/2010 6:10:59 PM Untreated: Exploit.Java.Agent.du C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\13\7efe204d-6220b799/vmain.class Postponed
10/16/2010 6:11:00 PM Detected: Trojan-Downloader.Java.Agent.fx C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\15\25b8b8f-67fcec79/gogol/Emailer.class
10/16/2010 6:11:00 PM Untreated: Trojan-Downloader.Java.Agent.fx C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\15\25b8b8f-67fcec79/gogol/Emailer.class Postponed
10/16/2010 6:11:00 PM Detected: Exploit.Java.Agent.f C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\15\25b8b8f-67fcec79/gogol/Familie.class
10/16/2010 6:11:00 PM Untreated: Exploit.Java.Agent.f C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\15\25b8b8f-67fcec79/gogol/Familie.class Postponed
10/16/2010 6:11:00 PM Detected: Trojan-Downloader.Java.Agent.fy C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\15\25b8b8f-67fcec79/gogol/PhonBook.class
10/16/2010 6:11:00 PM Untreated: Trojan-Downloader.Java.Agent.fy C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\15\25b8b8f-67fcec79/gogol/PhonBook.class Postponed
10/16/2010 6:11:06 PM Detected: Exploit.Java.Agent.du C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\29\20db519d-1025d2c2/vmain.class
10/16/2010 6:11:06 PM Untreated: Exploit.Java.Agent.du C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\29\20db519d-1025d2c2/vmain.class Postponed
10/16/2010 6:11:07 PM Detected: Trojan.Java.Payphish.a C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\29\6fe7f45d-687da1c9/java2flash_plugin.class
10/16/2010 6:11:07 PM Untreated: Trojan.Java.Payphish.a C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\29\6fe7f45d-687da1c9/java2flash_plugin.class Postponed
10/16/2010 6:11:07 PM Detected: Trojan.Java.Agent.ab C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\29\7ad2f21d-7a3c1c18/Is.class
10/16/2010 6:11:07 PM Untreated: Trojan.Java.Agent.ab C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\29\7ad2f21d-7a3c1c18/Is.class Postponed
10/16/2010 6:11:07 PM Detected: Trojan.Java.Agent.aa C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\29\7ad2f21d-7a3c1c18/MyName.class
10/16/2010 6:11:07 PM Untreated: Trojan.Java.Agent.aa C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\29\7ad2f21d-7a3c1c18/MyName.class Postponed
10/16/2010 6:11:07 PM Detected: Trojan.Java.Agent.ac C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\29\7ad2f21d-7a3c1c18/Phone.class
10/16/2010 6:11:07 PM Untreated: Trojan.Java.Agent.ac C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\29\7ad2f21d-7a3c1c18/Phone.class Postponed
10/16/2010 6:11:10 PM Detected: Exploit.Java.Agent.du C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\37\6a0409a5-6f3d91bc/vmain.class
10/16/2010 6:11:10 PM Untreated: Exploit.Java.Agent.du C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\37\6a0409a5-6f3d91bc/vmain.class Postponed
10/16/2010 6:11:12 PM Detected: Exploit.Java.Agent.du C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\41\2b8379a9-2b674030/vmain.class
10/16/2010 6:11:12 PM Untreated: Exploit.Java.Agent.du C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\41\2b8379a9-2b674030/vmain.class Postponed
10/16/2010 6:11:13 PM Detected: Exploit.Java.Agent.du C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\43\7a0b54eb-1bfb8b68/vmain.class
10/16/2010 6:11:13 PM Untreated: Exploit.Java.Agent.du C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\43\7a0b54eb-1bfb8b68/vmain.class Postponed
10/16/2010 6:11:15 PM Detected: Trojan-Downloader.Java.Agent.gh C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\44\52ddf5ec-25152777/JavaUpdateApplication.class
10/16/2010 6:11:15 PM Untreated: Trojan-Downloader.Java.Agent.gh C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\44\52ddf5ec-25152777/JavaUpdateApplication.class Postponed
10/16/2010 6:11:15 PM Detected: Trojan-Downloader.Java.Agent.gh C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\44\52ddf5ec-25152777/JavaUpdateManager.class
10/16/2010 6:11:15 PM Untreated: Trojan-Downloader.Java.Agent.gh C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\44\52ddf5ec-25152777/JavaUpdateManager.class Postponed
10/16/2010 6:11:16 PM Detected: Trojan-Downloader.Java.Agent.fx C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\51\14f67773-2bcfba2f/gogol/Emailer.class
10/16/2010 6:11:16 PM Untreated: Trojan-Downloader.Java.Agent.fx C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\51\14f67773-2bcfba2f/gogol/Emailer.class Postponed
10/16/2010 6:11:16 PM Detected: Exploit.Java.Agent.f C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\51\14f67773-2bcfba2f/gogol/Familie.class
10/16/2010 6:11:16 PM Untreated: Exploit.Java.Agent.f C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\51\14f67773-2bcfba2f/gogol/Familie.class Postponed
10/16/2010 6:11:16 PM Detected: Trojan-Downloader.Java.Agent.fy C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\51\14f67773-2bcfba2f/gogol/PhonBook.class
10/16/2010 6:11:16 PM Untreated: Trojan-Downloader.Java.Agent.fy C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\51\14f67773-2bcfba2f/gogol/PhonBook.class Postponed
10/16/2010 6:11:16 PM Detected: Exploit.Java.Agent.du C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\52\4b361974-37892ee9/vmain.class
10/16/2010 6:11:16 PM Untreated: Exploit.Java.Agent.du C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\52\4b361974-37892ee9/vmain.class Postponed
10/16/2010 6:11:17 PM Detected: Trojan-Downloader.Java.Agent.ft C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\58\3334a5fa-6515a7c2/dev/s/AdgredY.class
10/16/2010 6:11:17 PM Untreated: Trojan-Downloader.Java.Agent.ft C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\58\3334a5fa-6515a7c2/dev/s/AdgredY.class Postponed
10/16/2010 6:11:17 PM Detected: Trojan-Downloader.Java.Agent.fu C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\58\3334a5fa-6515a7c2/dev/s/DyesyasZ.class
10/16/2010 6:11:17 PM Untreated: Trojan-Downloader.Java.Agent.fu C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\58\3334a5fa-6515a7c2/dev/s/DyesyasZ.class Postponed
10/16/2010 6:11:17 PM Detected: Trojan-Downloader.Java.Agent.fv C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\58\3334a5fa-6515a7c2/dev/s/LoaderX.class
10/16/2010 6:11:17 PM Untreated: Trojan-Downloader.Java.Agent.fv C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\58\3334a5fa-6515a7c2/dev/s/LoaderX.class Postponed
10/16/2010 6:11:19 PM Detected: Trojan.Java.Agent.ab C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\60\686c0d7c-2509e0d4/Is.class
10/16/2010 6:11:19 PM Untreated: Trojan.Java.Agent.ab C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\60\686c0d7c-2509e0d4/Is.class Postponed
10/16/2010 6:11:20 PM Detected: Trojan.Java.Agent.aa C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\60\686c0d7c-2509e0d4/MyName.class
10/16/2010 6:11:20 PM Untreated: Trojan.Java.Agent.aa C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\60\686c0d7c-2509e0d4/MyName.class Postponed
10/16/2010 6:11:20 PM Detected: Trojan.Java.Agent.ac C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\60\686c0d7c-2509e0d4/Phone.class
10/16/2010 6:11:20 PM Untreated: Trojan.Java.Agent.ac C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\60\686c0d7c-2509e0d4/Phone.class Postponed
10/16/2010 6:17:35 PM Detected: Trojan-Spy.Win32.Zbot.anpf C:\Documents and Settings\Vu\Local Settings\Temp\HouseCall\log\9BA560A9-5284-48EF-9D52-6CC12DF5254B\backup\0/PE-Crypt.XorPE/UPX
10/16/2010 6:17:35 PM Untreated: Trojan-Spy.Win32.Zbot.anpf C:\Documents and Settings\Vu\Local Settings\Temp\HouseCall\log\9BA560A9-5284-48EF-9D52-6CC12DF5254B\backup\0/PE-Crypt.XorPE/UPX Postponed
10/16/2010 6:18:15 PM Detected: Exploit.JS.Pdfka.cus C:\Documents and Settings\Vu\Local Settings\Temp\plugtmp-93\plugin-libtiff.pdf/data0002
10/16/2010 6:18:15 PM Untreated: Exploit.JS.Pdfka.cus C:\Documents and Settings\Vu\Local Settings\Temp\plugtmp-93\plugin-libtiff.pdf/data0002 Postponed
10/16/2010 6:18:15 PM Detected: Exploit.JS.Pdfka.cus C:\Documents and Settings\Vu\Local Settings\Temp\plugtmp-93\plugin-libtiff.pdf/data0010
10/16/2010 7:25:03 PM Detected: Trojan-Spy.Win32.Zbot.anpf C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP3\A0000051.exe/UPX
10/16/2010 7:25:03 PM Detected: Trojan-Spy.Win32.Zbot.anpf C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP3\A0000052.exe/UPX
10/16/2010 7:25:03 PM Untreated: Trojan-Spy.Win32.Zbot.anpf C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP3\A0000051.exe/UPX Postponed
10/16/2010 7:25:03 PM Untreated: Trojan-Spy.Win32.Zbot.anpf C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP3\A0000052.exe/UPX Postponed
10/16/2010 7:25:03 PM Detected: Trojan-Spy.Win32.Zbot.anpf C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP3\A0000053.exe/UPX
10/16/2010 7:25:03 PM Untreated: Trojan-Spy.Win32.Zbot.anpf C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP3\A0000053.exe/UPX Postponed
10/16/2010 7:25:03 PM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP3\A0000054.exe
10/16/2010 7:25:03 PM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP3\A0000054.exe Postponed
10/16/2010 7:25:05 PM Detected: Trojan.Win32.Patched.kl C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP3\A0000073.EXE
10/16/2010 7:25:05 PM Detected: Trojan.Win32.Patched.kl C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP3\A0000080.exe
10/16/2010 7:25:05 PM Untreated: Trojan.Win32.Patched.kl C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP3\A0000073.EXE Postponed
10/16/2010 7:25:05 PM Untreated: Trojan.Win32.Patched.kl C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP3\A0000080.exe Postponed
10/16/2010 7:25:06 PM Detected: Trojan.Win32.Patched.kl C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP4\A0003087.exe
10/16/2010 7:25:06 PM Untreated: Trojan.Win32.Patched.kl C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP4\A0003087.exe Postponed
10/16/2010 7:25:07 PM Detected: Trojan.Win32.Chifrax.d C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP4\A0003102.exe
10/16/2010 7:25:07 PM Untreated: Trojan.Win32.Chifrax.d C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP4\A0003102.exe Postponed
10/16/2010 7:25:07 PM Detected: Trojan-Spy.Win32.Zbot.anpf C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP4\A0003206.exe/UPX
10/16/2010 7:25:07 PM Untreated: Trojan-Spy.Win32.Zbot.anpf C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP4\A0003206.exe/UPX Postponed
10/16/2010 7:25:07 PM Detected: Trojan-Spy.Win32.Zbot.anpf C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP4\A0003223.exe/UPX
10/16/2010 7:25:07 PM Untreated: Trojan-Spy.Win32.Zbot.anpf C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP4\A0003223.exe/UPX Postponed
10/16/2010 7:25:07 PM Detected: Trojan-Spy.Win32.Zbot.anpf C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP4\A0003224.exe/UPX
10/16/2010 7:25:07 PM Untreated: Trojan-Spy.Win32.Zbot.anpf C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP4\A0003224.exe/UPX Postponed
10/16/2010 7:29:51 PM Detected: Trojan.Win32.Patched.kl C:\WINDOWS\OLD12.tmp
10/16/2010 7:29:51 PM Untreated: Trojan.Win32.Patched.kl C:\WINDOWS\OLD12.tmp Postponed
10/16/2010 7:48:12 PM Detected: Exploit.Win32.CVE-2010-2883.a C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BWIITXGE\xH8acce7c3V0100f070006R3595b43c102Tc675e6be201l0409327[1].pdf/data0000
10/16/2010 7:50:31 PM Detected: Trojan-Spy.Win32.Zbot.anpf C:\Documents and Settings\Vu\Local Settings\Temp\HouseCall\log\9BA560A9-5284-48EF-9D52-6CC12DF5254B\backup\0/PE-Crypt.XorPE/UPX
10/16/2010 7:50:36 PM Detected: Exploit.JS.Pdfka.cus C:\Documents and Settings\Vu\Local Settings\Temp\plugtmp-93\plugin-libtiff.pdf/data0002
10/16/2010 7:50:40 PM Detected: Exploit.JS.Pdfka.cus C:\Documents and Settings\Vu\Local Settings\Temp\plugtmp-93\plugin-libtiff.pdf/data0010
10/16/2010 7:50:40 PM Detected: Trojan-Spy.Win32.Zbot.anpf C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP3\A0000051.exe/UPX
10/16/2010 7:50:45 PM Detected: Trojan-Spy.Win32.Zbot.anpf C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP3\A0000052.exe/UPX
10/16/2010 7:50:49 PM Detected: Trojan-Spy.Win32.Zbot.anpf C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP3\A0000053.exe/UPX
10/16/2010 7:50:53 PM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP3\A0000054.exe
10/16/2010 7:54:25 PM Detected: Trojan.Win32.Patched.kl C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP3\A0000073.EXE
10/16/2010 7:54:34 PM Untreated: Trojan.Win32.Patched.kl C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP3\A0000073.EXE Skipped by user
10/16/2010 7:54:34 PM Detected: Trojan.Win32.Patched.kl C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP3\A0000080.exe
10/16/2010 7:54:43 PM Detected: Trojan.Win32.Patched.kl C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP4\A0003087.exe
10/16/2010 7:54:47 PM Detected: Trojan.Win32.Chifrax.d C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP4\A0003102.exe
10/16/2010 7:54:52 PM Detected: Trojan-Spy.Win32.Zbot.anpf C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP4\A0003206.exe/UPX
10/16/2010 7:54:56 PM Detected: Trojan-Spy.Win32.Zbot.anpf C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP4\A0003223.exe/UPX
10/16/2010 7:55:01 PM Detected: Trojan-Spy.Win32.Zbot.anpf C:\System Volume Information\_restore{BB39E62D-9D6A-40B4-86FE-6E826E24B7A4}\RP4\A0003224.exe/UPX
10/16/2010 7:55:05 PM Detected: Trojan.Win32.Patched.kl C:\WINDOWS\OLD12.tmp
10/16/2010 7:55:10 PM Detected: Exploit.Java.Agent.cv C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\12\20c3828c-4ab3dc74/KAK/NED/NOD32.class
10/16/2010 7:55:10 PM Detected: Exploit.Java.Agent.cw C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\12\20c3828c-4ab3dc74/KAK/NED/crime4u.class
10/16/2010 7:55:10 PM Detected: Exploit.Java.Agent.cu C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\12\20c3828c-4ab3dc74/KAK/NED/sexxxy.class
10/16/2010 7:55:10 PM Detected: Exploit.Java.CVE-2009-3867.j C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\53\2eb68b5-4d01d6be/seopack.class
10/16/2010 7:55:10 PM Detected: Exploit.Java.Agent.du C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\13\7efe204d-6220b799/vmain.class
10/16/2010 7:55:11 PM Detected: Trojan-Downloader.Java.Agent.fx C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\15\25b8b8f-67fcec79/gogol/Emailer.class
10/16/2010 7:55:11 PM Detected: Exploit.Java.Agent.f C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\15\25b8b8f-67fcec79/gogol/Familie.class
10/16/2010 7:55:11 PM Detected: Trojan-Downloader.Java.Agent.fy C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\15\25b8b8f-67fcec79/gogol/PhonBook.class
10/16/2010 7:55:11 PM Detected: Trojan-Downloader.Java.Agent.fl C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\1\11e45981-23930813/dev/s/AdgredY.class
10/16/2010 7:55:11 PM Detected: Trojan-Downloader.Java.Agent.fk C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\1\11e45981-23930813/dev/s/DyesyasZ.class
10/16/2010 7:55:11 PM Detected: Trojan-Downloader.Java.Agent.fj C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\1\11e45981-23930813/dev/s/LoaderX.class
10/16/2010 7:55:11 PM Detected: Exploit.Java.Agent.du C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\1\4cb45281-62edc7c7/vmain.class
10/16/2010 7:55:11 PM Detected: Exploit.Java.Agent.du C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\29\20db519d-1025d2c2/vmain.class
10/16/2010 7:55:11 PM Detected: Trojan.Java.Payphish.a C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\29\6fe7f45d-687da1c9/java2flash_plugin.class
10/16/2010 7:55:11 PM Detected: Trojan.Java.Agent.ab C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\29\7ad2f21d-7a3c1c18/Is.class
10/16/2010 7:55:11 PM Detected: Trojan.Java.Agent.aa C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\29\7ad2f21d-7a3c1c18/MyName.class
10/16/2010 7:55:11 PM Detected: Trojan.Java.Agent.ac C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\29\7ad2f21d-7a3c1c18/Phone.class
10/16/2010 7:55:12 PM Detected: Exploit.Java.Agent.du C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\37\6a0409a5-6f3d91bc/vmain.class
10/16/2010 7:55:12 PM Detected: Exploit.Java.Agent.du C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\41\2b8379a9-2b674030/vmain.class
10/16/2010 7:55:12 PM Detected: Exploit.Java.Agent.du C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\43\7a0b54eb-1bfb8b68/vmain.class
10/16/2010 7:55:12 PM Detected: Trojan-Downloader.Java.Agent.gh C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\44\52ddf5ec-25152777/JavaUpdateApplication.class
10/16/2010 7:55:12 PM Detected: Trojan-Downloader.Java.Agent.gh C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\44\52ddf5ec-25152777/JavaUpdateManager.class
10/16/2010 7:55:12 PM Detected: Trojan-Downloader.Java.Agent.fx C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\51\14f67773-2bcfba2f/gogol/Emailer.class
10/16/2010 7:55:12 PM Detected: Exploit.Java.Agent.f C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\51\14f67773-2bcfba2f/gogol/Familie.class
10/16/2010 7:55:12 PM Detected: Trojan-Downloader.Java.Agent.fy C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\51\14f67773-2bcfba2f/gogol/PhonBook.class
10/16/2010 7:55:12 PM Detected: Exploit.Java.Agent.du C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\52\4b361974-37892ee9/vmain.class
10/16/2010 7:55:12 PM Detected: Trojan-Downloader.Java.Agent.ft C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\58\3334a5fa-6515a7c2/dev/s/AdgredY.class
10/16/2010 7:55:13 PM Detected: Trojan-Downloader.Java.Agent.fu C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\58\3334a5fa-6515a7c2/dev/s/DyesyasZ.class
10/16/2010 7:55:13 PM Detected: Trojan-Downloader.Java.Agent.fv C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\58\3334a5fa-6515a7c2/dev/s/LoaderX.class
10/16/2010 7:55:13 PM Detected: Trojan.Java.Agent.ab C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\60\686c0d7c-2509e0d4/Is.class
10/16/2010 7:55:13 PM Detected: Trojan.Java.Agent.aa C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\60\686c0d7c-2509e0d4/MyName.class
10/16/2010 7:55:13 PM Detected: Trojan.Java.Agent.ac C:\Documents and Settings\Vu\Application Data\Sun\Java\Deployment\cache\6.0\60\686c0d7c-2509e0d4/Phone.class
10/16/2010 7:55:13 PM Task completed
Disinfect active threats: completed 15 hours ago (events: 13, objects: 3755, time: 00:03:15)
10/16/2010 5:52:00 PM Task completed
10/16/2010 5:51:40 PM Detected: Trojan.Win32.Patched.kl C:\WINDOWS\system32\winlogon.exe
10/16/2010 5:51:40 PM Detected: Trojan.Win32.Patched.kl C:\WINDOWS\system32\winlogon.exe
10/16/2010 5:50:27 PM Detected: Trojan.Win32.Patched.kl C:\WINDOWS\Explorer.EXE
10/16/2010 5:50:27 PM Detected: Trojan.Win32.Patched.kl C:\WINDOWS\Explorer.EXE
10/16/2010 5:49:55 PM Cannot be backed up: MEM:Rootkit.Win32.TDSS.d Unknown application
10/16/2010 5:49:51 PM Detected: MEM:Rootkit.Win32.TDSS.d Unknown application
10/16/2010 5:49:45 PM Detected: Trojan.Win32.Patched.kl C:\WINDOWS\Explorer.EXE
10/16/2010 5:49:44 PM Detected: Trojan.Win32.Patched.kl C:\WINDOWS\Explorer.EXE
10/16/2010 5:49:32 PM Detected: Trojan.Win32.Patched.kl C:\WINDOWS\system32\winlogon.exe
10/16/2010 5:48:47 PM Detected: Trojan.Win32.Patched.kl C:\WINDOWS\system32\winlogon.exe
10/16/2010 5:48:45 PM Detected: MEM:Rootkit.Win32.TDSS.d System Memory
10/16/2010 5:48:45 PM Task started

Edited by stevinh, 17 October 2010 - 11:28 AM.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,596 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:39 PM

Posted 17 October 2010 - 02:48 PM

Trojan.Win32.Patched.kl involves critical Windows files that are infected and need to be replaced. If these infected files are just deleted, you will not be able to start the computer.

IMPORTANT NOTE: The identified infection is related to a nasty variant of the TDSS, TDL3/TDL4 rootkit.

TDL3/TDL4 (Backdoor.Tidserv) are the third and fourth generations of TDSS, which uses rootkit technology to hide itself on a system by infecting system files/drivers like atapi.sys, a common target because it loads early during the boot process and is difficult to detect. Newer variants, however, can target a number of other legitimate drivers in the Windows drivers folder. Common symptoms/signs of this infection include:
  • Google search results redirected as TDL3 modifies DNS query results.
  • Infected (patched/forged) files in the Windows drivers folder.
  • Slowness of the computer and poor performance.
  • Multiple instances of IEXPLORE.exe in Task Manager.
  • Internet Explorer opens on its own.
  • BSODs as described in this article.
For more specific analysis and explanation of the infection, please refer to: TDL3: The Rootkit of All Evil?

Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by backdoor Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, PayPal and any online activities which require a username and password. You should consider them to be compromised and change all passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.

Although the infection has been identified and the computer seems to be running better, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#7 stevinh

stevinh
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:39 AM

Posted 17 October 2010 - 11:22 PM

Darn! I have to reformat! That makes me sad. Damn them bad guys!

I don't know if I have the OS cd or the win key anymore. Sigh.

I really appreciate the help. If you ever need any IT training from http://www.UpperTraining.com, please let me know. I am a web designer there and I can offer you a great discount for your much appreciated help.

I have Acronis True Image back up. Would this work if I just did a system recover with Acronis back to when I didn't get infected?

Edited by stevinh, 17 October 2010 - 11:27 PM.


#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,596 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:39 PM

Posted 18 October 2010 - 06:50 AM

Your decision as to what action to take should be made by reading and asking yourself the questions presented in the "When should I re-format?" and "Help: I Got Hacked. Now What Do I Do?" links I previously provided. As I already said, in some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned, repaired or trusted and the malware may leave so many remnants behind that security tools cannot find them. Security vendors that claim to be able to remove rootkits and backdoor Trojans cannot guarantee that all traces of it will be removed. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore with a vendor-specific Recovery Disk or Recovery Partition removes everything and is the safest action but I cannot make that decision for you.

If you have made a disk Image with an imaging tool before your system was infected, then using it is another option. Disk Imaging allows you to take a complete snapshot (image) of your hard disk. The image is an exact, byte-by-byte copy of an entire hard drive (partition or logical disk) which can be used to restore your system at a later time to the exact same state the system was when you imaged the disk or partition. Essentially, it will restore the computer to the state it was in when the image was made. You will then have to reinstall all programs that you added afterwards. This includes all security updates and patches from Microsoft.

I don't know if I have the OS cd or the win key anymore.

Note: If you're using an IBM, Sony, HP, Compaq, Toshiba, Gateway or Dell machine, you may not have an original CD Disk. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. Also be sure to read Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead. If you lost or misplaced your recovery disks, again you can contact and advise the manufacturer. In many cases they will send replacements as part of their support.