Rogers Online Protection Detected a Virus


17 replies to this topic

#1 ArtistInNeed

Posted 24 November 2010 - 07:09 PM

File name Infection Action Date
C:\System Volume Information\_restore{040E53B4-0C26-4F30-9BD8-314C38A3519F}\RP2\A0000188.EXE Trojan.Generic.5026061 Blocked 24/11/2010 6:58:08 PM

Recently I formatted my hard drive and re-installed Windows XP. I've been watching my browsing like a hawk, and I've been the only one on the computer for all of today. The only issue I was having was here http://www.bleepingcomputer.com/forums/topic362403.html

The above is the small log telling me where the virus was found and what infection it is. Rogers Online Protection is running its own scan and I want to know if this is valid.

Thanks in advance to anyone. I strongly appreciate it :)

#2 boopme

Posted 24 November 2010 - 08:10 PM

Hello, that infection is in your System Restore folder, C:\System Volume Information. Clean it like this and rerun the Rogers scan.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.

#3 ArtistInNeed

Posted 24 November 2010 - 08:32 PM

Thank you for the quick reply :)

The scan completed and I'll be following your instructions right away!
I'll get right back to you!

EDIT
Here are the results


Rogers Online Protection - Scan Report
Scan Date: 24/11/2010 8:28:23 PM
Scan Type: Standard
Definition file: 1290601137
Last Update on: 24/11/2010 7:06:37 PM

Folders and files selected to scan
C:\ J:\

Results
Master Boot Records and Fixed Disk Boot Sectors
Scanned 2 Master Boot Record(s).
Your Master Boot Record(s)/Boot Sector(s) are not infected.
Memory
Scanned: 762 item(s)
Infected files on Local Disk (C:)
Scanned: 63877 item(s)
File: C:\System Volume Information\_restore{040E53B4-0C26-4F30-9BD8-314C38A3519F}\RP2\A0000188.EXE
Action: This file could not be disinfected. It was quarantined instead.
Virus: Trojan.Generic.5026061

Infected files on FreeAgent GoFlex Drive (J:)
Scanned: 80974 item(s)
Startup programs
Scanned: 191 item(s)
Rootkits
Found: 0 item(s)
Cookies
Scanned: 37 item(s)
File: C:\Documents and Settings\Kairyun Samuels\Cookies\kairyun_samuels@scorecardresearch[2].txt
From: scorecardresearch.com/
File: C:\Documents and Settings\Kairyun Samuels\Cookies\kairyun samuels@microsoftwindows.112.2o7[1].txt
From: microsoftwindows.112.2o7.net/
File: C:\Documents and Settings\Kairyun Samuels\Cookies\kairyun_samuels@bellcan.adbureau[2].txt
From: bellcan.adbureau.net/
File: C:\Documents and Settings\Kairyun Samuels\Cookies\kairyun samuels@doubleclick[1].txt
From: doubleclick.net/
File: C:\Documents and Settings\Kairyun Samuels\Cookies\kairyun_samuels@m.webtrends[1].txt
From: m.webtrends.com/
File: C:\Documents and Settings\Kairyun Samuels\Cookies\kairyun_samuels@ad.yieldmanager[1].txt
From: ad.yieldmanager.com/
File: C:\Documents and Settings\Kairyun Samuels\Cookies\kairyun_samuels@atdmt[2].txt
From: atdmt.com/
File: C:\Documents and Settings\Kairyun Samuels\Cookies\kairyun_samuels@eyereturn[1].txt
From: eyereturn.com/
File: C:\Documents and Settings\Kairyun Samuels\Cookies\kairyun_samuels@eloqua[2].txt
From: eloqua.com/
File: C:\Documents and Settings\Kairyun Samuels\Cookies\kairyun samuels@msnportal.112.2o7[1].txt
From: msnportal.112.2o7.net/

Edited by ArtistInNeed, 24 November 2010 - 08:32 PM.


#4 boopme

Posted 24 November 2010 - 08:47 PM

Ok, that took care of it. Now you just had some cookies removed. Do one more scan just so we are sure.
Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware

#5 ArtistInNeed

Posted 24 November 2010 - 10:14 PM

I re-ran the rogers online protection scan, and it just picked up a couple more cookies.
I'm currently running MBAM as you requested, I'll get back to you with the log as soon as possible.

Once again I'd like to thank you for your volunteering to help me :)

#6 ArtistInNeed

Posted 24 November 2010 - 10:24 PM

(EDIT: I'm going to sleep now, I'll see your reply when the morning comes, I know I've thanked you tons of times in this thread already, but I feel obligated to do so since you're going out of your own way to help me :). So, thank you again!)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5185

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

24/11/2010 10:23:32 PM
mbam-log-2010-11-24 (22-23-32).txt

Scan type: Quick scan
Objects scanned: 171928
Time elapsed: 11 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by ArtistInNeed, 24 November 2010 - 10:30 PM.


#7 boopme

Posted 24 November 2010 - 10:58 PM

You're welcome and I appreciate your gratitude. Sleep well and Happy Thanksgiving.

This looks all good now. Next you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:
Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

#8 ArtistInNeed

Posted 25 November 2010 - 03:59 PM

Thank you :)
I got rid of the old restore points as you asked.

I don't know if I'm just being paranoid, but when I was looking at my firewall in Rogers Online Protection I saw the following

http://i377.photobucket.com/albums/oo213/Flaming-Pencil/RemoteDesktopconnection.jpg

I realized that I had never run the Remote Desktop Connection ever on any computers ever. I wanted to know if it was added to my firewall because something was trying to access my computer utilizing it, or if it automatically connected to the internet as soon as the Windows update added it to my machine (since I recently re-installed Windows).

Should I be worried?
Also as a small question... If somewhere along the road I find another problem can I post back into this topic or should I make a whole new topic and maybe mention this one if it's related?

#9 boopme

Posted 25 November 2010 - 09:12 PM

Hello, are you the only user on this PC?
To disable Remote Desktop

Question 2. Either way. If you reply back to this one then I may be the only one that notices your reply. Due to the number of replies, others will most likely pass it by as being helped. A new topic has 0 replies so all will see it.

#10 ArtistInNeed

Posted 25 November 2010 - 10:29 PM

I'm not the only person on this computer, but the rest of my family that uses it aren't very tech savvy and mainly use it for YouTube and emails, so I highly doubt they'd even know what remote access is...

Well the box was already unchecked so I guess I was just being paranoid :P

Thanks yet again :)

#11 boopme

Posted 25 November 2010 - 10:45 PM

Hi, you're OK.
  • Only use your computer's Administrator account if you need to install software or make system changes. Instead, create a separate account with only limited access rights, for everyday use (this can be done using User Accounts in Control Panel). This is important because when malicious code attacks, it will assume your access rights. If you're logged on with administrator-level access, that's what the virus, worm or Trojan gets too, and the malicious program will have access to vital system data.

From Your Guide To Staying Safe Online in the Restore Point above.

You are welcome from all here at BC.

#12 ArtistInNeed

Posted 27 November 2010 - 06:00 PM

Ahh, now I'm afraid...
I saw this...

http://i377.photobucket.com/albums/oo213/Flaming-Pencil/whatisthis.jpg

After watching a youtube video in full-screen.
I first took a screenshot right away.
I right-clicked it in my panic and then went back to Chrome to Google what it was, and it disappeared.

It's never happened to me while just doing normal things on my computer, and I only think that it's come up a day or two ago after I watched another video in full-screen.

EDIT: Hmm, by the way I usually have ROP (the red shield), Windows Live Messenger, and the safely remove hardware icons in that area... The safely remove hardware icon came back afterwards.

Edited by ArtistInNeed, 27 November 2010 - 06:34 PM.


#13 boopme

Posted 27 November 2010 - 07:02 PM

OK, best not to take any chances. Something is hiding from us and it's protected. We need a deeper look from our experts.
This will take a couple days for a reply as they analyze your logs.

Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.
If GMER won't run, skip it and move on.
Please include a link to this topic.
Also this image link you provided. http://i377.photobucket.com/albums/oo213/Flaming-Pencil/whatisthis.jpg


Let me know if that went well.

#14 ArtistInNeed

Posted 27 November 2010 - 07:35 PM

I...I don't know what to say really...

At this point what would you suggest I do?
Reformat and put windows back on for the 3rd time in two months or should I go with waiting for the BC experts to look into it?

I'll be going through with the steps you listed but man to man, would you suggest I go with the only sure-fire way and just re-format?

#15 boopme

Posted 27 November 2010 - 08:40 PM

With what's going on here, if it were mine I'd pave it once more. Then read those tips in post 7.

In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension to the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.


2 guidelines/rules when backing up

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.


If you're not sure how to reformat or need help with reformatting, please review:
These links include step-by-step instructions with screenshots:
Vista users can refer to these instructions:
Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead.

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Windows XP Home and Professional forum.
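As an added example (not from this thread, the poster, or any BleepingComputer tool), the backup rules from post 15 as a small Python script: it sorts candidate files into the data types the post says to keep, the executable/web/archive types it says to leave behind, and flags names that hide a real extension behind a data one (which Windows shows as just the data extension when it hides known extensions). The sample paths are constructed, and autorun.inf is assumed alongside the post's autorun.ini because it is the name Windows actually reads on removable media.

```python
import os
from pathlib import PureWindowsPath

# Extensions post 15 says not to back up because they may carry malware.
EXCLUDED_EXTS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}
# Plain data types the post names as the ones worth keeping.
DATA_EXTS = {".doc", ".txt", ".mp3", ".jpg"}
# The post singles out "autorun.ini"; autorun.inf is the name Windows actually
# honours on removable media (assumption added here), so both are excluded.
EXCLUDED_NAMES = {"autorun.ini", "autorun.inf"}


def classify(path):
    """Return (verdict, reason) for one file: 'backup', 'exclude' or 'review'.

    The full suffix list is inspected so that a disguised name such as
    "holiday.jpg.exe" (displayed as "holiday.jpg" when Windows hides known
    extensions) is judged by its real, last extension.
    """
    name = PureWindowsPath(path).name.lower()
    suffixes = PureWindowsPath(name).suffixes
    if name in EXCLUDED_NAMES:
        return "exclude", "autorun file"
    if not suffixes:
        return "review", "no extension; inspect by hand"
    real_ext = suffixes[-1]
    if real_ext in EXCLUDED_EXTS:
        if len(suffixes) > 1 and suffixes[-2] in DATA_EXTS:
            return "exclude", f"disguised as {suffixes[-2]} but really {real_ext}"
        return "exclude", f"{real_ext} is on the do-not-backup list"
    if real_ext in DATA_EXTS:
        return "backup", "data file"
    return "review", f"unlisted extension {real_ext}"


def plan_backup(paths):
    """Sort candidate files into backup / exclude / review buckets."""
    plan = {"backup": [], "exclude": [], "review": []}
    for p in paths:
        verdict, reason = classify(p)
        plan[verdict].append((p, reason))
    return plan


def plan_tree(root):
    """Walk a real folder (e.g. My Documents on the drive to be wiped)."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return plan_backup(paths)


if __name__ == "__main__":
    # Constructed sample of names one might find before reformatting.
    sample = [
        r"C:\Documents and Settings\user\My Documents\resume.doc",
        r"C:\Documents and Settings\user\My Documents\notes.txt",
        r"C:\Documents and Settings\user\My Pictures\holiday.jpg",
        r"C:\Documents and Settings\user\My Pictures\holiday.jpg.exe",
        r"C:\Documents and Settings\user\Desktop\setup.exe",
        r"J:\autorun.inf",
        r"J:\archive.tar.gz",
    ]
    for bucket, items in plan_backup(sample).items():
        print(bucket.upper())
        for path, why in items:
            print(f"  {path}  ({why})")
```

Files landing in the review bucket are the ones to look at by hand before copying them to the external drive; nothing in the exclude bucket should be carried across.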