Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Seemingly spyware infectrion, MBAM Rkill SAS


  • Please log in to reply
8 replies to this topic

#1 Jan6000

Jan6000

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:33 PM

Posted 19 July 2011 - 05:54 PM

A few days ago I ran Roguekiller and the log-files were refused to store (so program stopped working).
I found out that suddenly any directory-name with the word "Quarantine" in it was forbidden to access. So I could create a folder Quarantine, and it was impossible to access or to delete.

I then ran MBAM and it found Rogue.AntiVirusPC2009 in the folder-name C:\program files\antivirus pc 2009\quarantine.
I clicked to solve the problem, MBAM stated it was, however at a rerun the problem was still there.
I could not find the folder with my file-manager (ZTreeWin).

I found on internet an advise to first run Rkill, and then MBAM or SAS. I did Rkill + SAS.
Rkill found a few programs, one always was flux from F.lux (to adapt the monitor-brightness after sun-dawn).
After running SAS 2 trojans were found:
- Trojan.Agent/Gen-IExplorer[Fake] in C:\Users\MyName\Appdata\Local\Temp\RARSFX0\NIRD\IEXPLORE.EXE
- Trojan.Agent/Gen-PEC in C:\Users\MyName\Appdata\Local\Temp\RARSFX0\PROCS\EXPLORER.EXE
SAS removed the files.
However after repeating Rkill + SAS the same trojans were found, now in the directory ..\RARSFX1\...
And after again deleting and rerun, again in ....\RARSFX2\....

After quite some fumbling around I discovered that running Rkill creates the above mentioned directory/file-names, which are then found by SAS.
So Rkill was the cause of the found trojans (so false positives??) !!!!!!
I ran CCleaner (with CEnhancer) to delete the TEMP files/directories, however they remained (a CCleaner prolem I think)!!! PureRA did the job of deleting the TEMP-files !!!
So maybe you can find if something is wrong with Rkill, and prevent above experience ?!


So the trojan-problem of Rkill + SAS was not really existing.
However the problem with the inaccessible directories with "Quarantine" in its name and with MBAM finding Rogue.AntiVirusPC2009 still existed.
I was running several different system and registry optimizers without any improvement. Then suddenly Roguekiller functioned again, and the directories with "Quarantine" in their name, were accessible again. Now MBAM did NOT find anymore Rogue.AntiVirusPC2009 in the folder C:\program files\antivirus pc 2009\quarantine
I do not understand why or how this problem started and why or how it ended.

Just yesterday I had again the inaccessible "Quarantine" problem and MBAM finding the Rogue.
This morning it disappeared again.
I now remember that before the 2 incidents, I had in CCleaner+Cenhancer in the Windows-Advanced tab (a.o. Old Prefetch Data) all items checked (normally these items are the only ones unchecked, all others I have checked).

I have reconstructed the MBR by aswMBR and Easeus and PartitionGuru, to try to get rid of a possible MBR-problem. It seemed as if my PC was starting and closing quicker (aswMBR ran the first time OK, later for the second time it refused (loading error), however in safe-mode it ran OK).

Maybe you have a idea what triggered the problem on and off of the inaccessible Quarantine-directory and the Rogue by MBAM?
And maybe you have an advice for further checking?


Thanks in advance

Edit: Moved topic from Win 7 to the more appropriate forum. ~ Animal

BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,754 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:33 AM

Posted 19 July 2011 - 08:05 PM

Welcome aboard Posted Image

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 Jan6000

Jan6000
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:33 PM

Posted 20 July 2011 - 09:15 AM

Thanks for your advice.

When I tried to download GMER randomly, my Anti-virus Comodo stated it had a virus (Heur.Suspecious@237767114).
So I downloaded the ZIP, and extracted it.
When I tried to run the extracted GMER (all Comodo Internet Security (so including anti-virus)+ SpyShelter + Spybot + SAS disabled)access was denied (Windows can not access ..., not right permission...). I started in Safe Mode and GMER ran OK.
When after reboot (normal) I scanned GMER with Comodo, it stated it had the above mentioned virus. Scanning it with MBAM and SAS did NOT give a virus.
I tried an older version of GMER (1.0.15.15640, the above downloaded was ...15641), this one gave not any problem or virus warning.
Maybe not being able to run the latest GMER in normal booted Windows had something to do with Comodo thinking that it had a virus (despite I had Comodo stopped (through icon right below, in Taskbar)


When I ran MBAM the first time (today), my Comodo anti-virus intervened because of a suspect file:
C:\User\MyName\Appdata\Local\TEMP\{69106EAC-72BF-4FA1-96BE-6EF26FE48636} (virus: Packed.Win32.MUPX.Gen@129019204).
I ordered my Comodo to ignore this to enable MBAM to continue.
When I later used my filemanager (ZTreeWin) to delete this file, I could not (in use !!). PureRa succeeded in deleting it (all in this TEMP-directory).
I was baffled (but maybe something to do with downloading GMER which was also interrupted by Comodo ?).


Additional info:
After I partitioned my HD, a very small amount was unspecified because of cyclinder-rounding. Later I specified this very small amount as NTFS (drive E) to enable access to this region by my antivirus (I had a suspicion).

Folowing the logs:

Checkup.txt:
Results of screen317's Security Check version 0.99.7
Windows 7 Service Pack 1 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

MVPS Hosts File
Malwarebytes' Anti-Malware
CCleaner
Abyssal Registry Cleaner 1.4.0
Java™ 6 Update 26
Out of date Java installed!
Adobe Flash Player 10.3.181.34
````````````````````````````````
Process Check:
objlist.exe by Laurent

Comodo Firewall cmdagent.exe
Comodo Firewall cfp.exe
``````````End of Log````````````

(PS: I think I have IE 9)


Result.txt:
MiniToolBox by Farbar
Ran by Sebastianus (administrator) on 20-07-2011 at 13:45:33
Windows 7 Ultimate Service Pack 1 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================
::1 localhost

127.0.0.1 localhost
127.0.0.1 fr.a2dfp.net m.fr.a2dfp.net ad.a8.net asy.a8ww.net abcstats.com a.abv.bg adserver.abv.bg adv.abv.bg bimg.abv.bg
127.0.0.1 ca.abv.bg www2.a-counter.kiev.ua track.acclaimnetwork.com accuserveadsystem.com www.accuserveadsystem.com achmedia.com aconti.net secure.aconti.net www.aconti.net
127.0.0.1 am1.activemeter.com www.activemeter.com ads.activepower.net stat.active24stats.nl ad2games.com cms.ad2click.nl ads.ad2games.com content.ad20.net core.ad20.net
127.0.0.1 banner.ad.nu cl21.v4.adaction.se adadvisor.net tag1.adaptiveads.com www.adbanner.ro vad.adbasket.net wad.adbasket.net ad.pop1.adbn.ru ad.top1.adbn.ru
127.0.0.1 ad.rich1.adbn.ru james.adbutler.de www.adbutler.de www.adchimp.com banners.adclick.lt show.adclick.lt show.adclick.lv www.adclick.lv ad-clix.com
127.0.0.1 www.ad-clix.com servedby.adcombination.com adcomplete.com www.adcomplete.com axa.addcontrol.net banners.delivery.addynamo.com s01.delivery.addynamo.com static.uk.addynamo.com www.adeos.eu
127.0.0.1 pt.server1.adexit.com www.adexit.com 222-33544_999.pub.adfirmative.com c.adfirmative.com www.adfirmative.com track.adform.net ads.adfox.ru gazeta.adfox.ru media.adfrontiers.com
127.0.0.1 www.adgitize.com adsrv.adgroupm.com www.ad-groups.com adhitzads.com ssl3.adhost.com www2.adhost.com mztag.ad-indicator.com adfarm1.adition.com imagesrv.adition.com
127.0.0.1 ad.adition.net hosting.adjug.com tracking.adjug.com adsearch.adkontekst.pl publicidad.adlead.com www.adlimg03.com regio.adlink.de west.adlink.de rc.de.adlink.net
127.0.0.1 tr.de.adlink.net n.admagnet.net ads3.adman.gr r2d2.adman.gr admarket.cz www.admarket.cz js.admeld.com tag.admeld.com admigo.ru
127.0.0.1 data.admigo.ru apps.admission.net appcache.admission.net view.admission.net www.ad.admitad.com ad.admixer.net rms.admeta.com ads.admodus.com ad.adnet.biz
127.0.0.1 ad.adnetwork.com.br img.adnet.com.tr adnext.fr adpixel.com.ru tt11.adobe.com ad01.adonspot.com ad02.adonspot.com www.adoperator.com www.adperium.com
127.0.0.1 img.adplan-ds.com e.adpower.bg ab.adpro.com.ua system.adquick.nl www.adquest.nl www.adreap.com adroll.com jsad1.adsflip.com www.adsurve.com
127.0.0.1 www.ad-purge.com cntr.adrime.com images.adrime.com ad.adriver.ru content.adriver.ru www.adrotate.net serv.ad-rotator.com antevenio.flux.ads-click.com www.adsxchange.lv
127.0.0.1 assets.adtaily.com fusion.adtoma.com engage2.advanstar.com ds.advg.jp m.adx.bg beta.adyea.com delivery.adyea.com img.ads-click.com ad.ads.dk
127.0.0.1 tdkads.ads.dk js.adscale.de ih.adscale.de adscendmedia.com adservicedomain.info adsfac.net images.adshuffle.com this.content.served.by.adshuffle.com adsfac.eu
127.0.0.1 www.adshot.de allchix.adsmax.com www2.adsmax.com www.adspace.be ads.adsponse.de adserve.adster.com images.adster.com openx.adtext.ro ads.adtiger.de
127.0.0.1 www.adtiger.de ad.adtoma.com downldcl.adtoolsinc.com www.adtoolsinc.com dot.adtotal.pl rek.adtotal.pl www.adtrade.net www.adtrader.com ads.adtube.de

There are 3262 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global defaultcurhoplimit=128 icmpredirects=enabled taskoffload=enabled
set interface interface="Local Area Connection" forwarding=disabled advertise=disabled mtu=1492 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Sebastianus-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : arnhem.chello.nl

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : arnhem.chello.nl
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : 00-0F-20-6E-9E-A2
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::dc23:749e:3e26:8c47%11(Preferred)
IPv4 Address. . . . . . . . . . . : 80.56.159.101(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : woensdag 20 juli 2011 13:07:52
Lease Expires . . . . . . . . . . : zaterdag 23 juli 2011 2:27:41
Default Gateway . . . . . . . . . : 80.56.159.1
DHCP Server . . . . . . . . . . . : 10.15.230.1
DHCPv6 IAID . . . . . . . . . . . : 234884896
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-8C-15-CB-00-0F-20-6E-9E-A2
DNS Servers . . . . . . . . . . . : 208.67.222.222
208.67.220.220
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.arnhem.chello.nl:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter 6TO4 Adapter:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: resolver1.opendns.com
Address: 208.67.222.222

Name: google.com.chello.nl
Address: 67.215.77.132


Pinging google.com [74.125.39.106] with 32 bytes of data:
Reply from 74.125.39.106: bytes=32 time=21ms TTL=55
Reply from 74.125.39.106: bytes=32 time=16ms TTL=55

Ping statistics for 74.125.39.106:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 16ms, Maximum = 21ms, Average = 18ms
Server: resolver1.opendns.com
Address: 208.67.222.222

Name: yahoo.com.chello.nl
Address: 67.215.77.132


Pinging yahoo.com [72.30.2.43] with 32 bytes of data:
Reply from 72.30.2.43: bytes=32 time=166ms TTL=54
Reply from 72.30.2.43: bytes=32 time=166ms TTL=54

Ping statistics for 72.30.2.43:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 166ms, Maximum = 166ms, Average = 166ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
11...00 0f 20 6e 9e a2 ......Broadcom NetXtreme Gigabit Ethernet
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 80.56.159.1 80.56.159.101 20
80.56.159.0 255.255.255.0 On-link 80.56.159.101 276
80.56.159.101 255.255.255.255 On-link 80.56.159.101 276
80.56.159.255 255.255.255.255 On-link 80.56.159.101 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 80.56.159.101 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 80.56.159.101 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
11 276 fe80::/64 On-link
11 276 fe80::dc23:749e:3e26:8c47/128
On-link
1 306 ff00::/8 On-link
11 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/20/2011 05:34:48 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "*" of attribute "language" in element "assemblyIdentity" is invalid.

Error: (07/19/2011 04:38:27 AM) (Source: Application Error) (User: )
Description: Faulting application name: RogueKiller(1).exe, version: 5.2.7.0, time stamp: 0x4e0c11c2
Faulting module name: RogueKiller(1).exe, version: 5.2.7.0, time stamp: 0x4e0c11c2
Exception code: 0xc0000417
Fault offset: 0x0004cc3b
Faulting process id: 0x8b0
Faulting application start time: 0xRogueKiller(1).exe0
Faulting application path: RogueKiller(1).exe1
Faulting module path: RogueKiller(1).exe2
Report Id: RogueKiller(1).exe3

Error: (07/19/2011 04:37:36 AM) (Source: Application Error) (User: )
Description: Faulting application name: RogueKiller(1).exe, version: 5.2.7.0, time stamp: 0x4e0c11c2
Faulting module name: RogueKiller(1).exe, version: 5.2.7.0, time stamp: 0x4e0c11c2
Exception code: 0xc0000417
Fault offset: 0x0004cc3b
Faulting process id: 0x6f8
Faulting application start time: 0xRogueKiller(1).exe0
Faulting application path: RogueKiller(1).exe1
Faulting module path: RogueKiller(1).exe2
Report Id: RogueKiller(1).exe3

Error: (07/19/2011 02:23:14 AM) (Source: Application Error) (User: )
Description: Faulting application name: RogueKiller(1).exe, version: 5.2.7.0, time stamp: 0x4e0c11c2
Faulting module name: RogueKiller(1).exe, version: 5.2.7.0, time stamp: 0x4e0c11c2
Exception code: 0xc0000417
Fault offset: 0x0004cc3b
Faulting process id: 0xa58
Faulting application start time: 0xRogueKiller(1).exe0
Faulting application path: RogueKiller(1).exe1
Faulting module path: RogueKiller(1).exe2
Report Id: RogueKiller(1).exe3

Error: (07/19/2011 02:22:18 AM) (Source: Application Error) (User: )
Description: Faulting application name: RogueKiller(1).exe, version: 5.2.7.0, time stamp: 0x4e0c11c2
Faulting module name: RogueKiller(1).exe, version: 5.2.7.0, time stamp: 0x4e0c11c2
Exception code: 0xc0000417
Fault offset: 0x0004cc3b
Faulting process id: 0xf48
Faulting application start time: 0xRogueKiller(1).exe0
Faulting application path: RogueKiller(1).exe1
Faulting module path: RogueKiller(1).exe2
Report Id: RogueKiller(1).exe3

Error: (07/19/2011 02:22:02 AM) (Source: Application Error) (User: )
Description: Faulting application name: RogueKiller(1).exe, version: 5.2.7.0, time stamp: 0x4e0c11c2
Faulting module name: RogueKiller(1).exe, version: 5.2.7.0, time stamp: 0x4e0c11c2
Exception code: 0xc0000417
Fault offset: 0x0004cc3b
Faulting process id: 0xe58
Faulting application start time: 0xRogueKiller(1).exe0
Faulting application path: RogueKiller(1).exe1
Faulting module path: RogueKiller(1).exe2
Report Id: RogueKiller(1).exe3

Error: (07/19/2011 02:21:43 AM) (Source: Application Error) (User: )
Description: Faulting application name: RogueKiller(1).exe, version: 5.2.7.0, time stamp: 0x4e0c11c2
Faulting module name: RogueKiller(1).exe, version: 5.2.7.0, time stamp: 0x4e0c11c2
Exception code: 0xc0000417
Fault offset: 0x0004cc3b
Faulting process id: 0xbdc
Faulting application start time: 0xRogueKiller(1).exe0
Faulting application path: RogueKiller(1).exe1
Faulting module path: RogueKiller(1).exe2
Report Id: RogueKiller(1).exe3

Error: (07/19/2011 02:20:47 AM) (Source: Application Error) (User: )
Description: Faulting application name: RogueKiller(1).exe, version: 5.2.7.0, time stamp: 0x4e0c11c2
Faulting module name: RogueKiller(1).exe, version: 5.2.7.0, time stamp: 0x4e0c11c2
Exception code: 0xc0000417
Fault offset: 0x0004cc3b
Faulting process id: 0xbfc
Faulting application start time: 0xRogueKiller(1).exe0
Faulting application path: RogueKiller(1).exe1
Faulting module path: RogueKiller(1).exe2
Report Id: RogueKiller(1).exe3

Error: (07/19/2011 00:42:32 AM) (Source: Application Error) (User: )
Description: Faulting application name: RogueKiller(1).exe, version: 5.2.7.0, time stamp: 0x4e0c11c2
Faulting module name: RogueKiller(1).exe, version: 5.2.7.0, time stamp: 0x4e0c11c2
Exception code: 0xc0000417
Fault offset: 0x0004cc3b
Faulting process id: 0xb34
Faulting application start time: 0xRogueKiller(1).exe0
Faulting application path: RogueKiller(1).exe1
Faulting module path: RogueKiller(1).exe2
Report Id: RogueKiller(1).exe3

Error: (07/18/2011 11:51:59 PM) (Source: Application Error) (User: )
Description: Faulting application name: RogueKiller(1).exe, version: 5.2.7.0, time stamp: 0x4e0c11c2
Faulting module name: RogueKiller(1).exe, version: 5.2.7.0, time stamp: 0x4e0c11c2
Exception code: 0xc0000417
Fault offset: 0x0004cc3b
Faulting process id: 0xcc4
Faulting application start time: 0xRogueKiller(1).exe0
Faulting application path: RogueKiller(1).exe1
Faulting module path: RogueKiller(1).exe2
Report Id: RogueKiller(1).exe3


System errors:
=============
Error: (07/20/2011 01:08:04 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
wayuia

Error: (07/20/2011 01:07:31 PM) (Source: Ntfs) (User: )
Description: The default transaction resource manager on volume E: encountered a non-retryable error and could not start. The data contains the error code.

Error: (07/20/2011 07:39:29 AM) (Source: Ntfs) (User: )
Description: The default transaction resource manager on volume E: encountered a non-retryable error and could not start. The data contains the error code.

Error: (07/20/2011 05:32:04 AM) (Source: volsnap) (User: )
Description: The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

Error: (07/20/2011 02:27:24 AM) (Source: Ntfs) (User: )
Description: The default transaction resource manager on volume E: encountered a non-retryable error and could not start. The data contains the error code.

Error: (07/19/2011 08:53:16 PM) (Source: Ntfs) (User: )
Description: The default transaction resource manager on volume E: encountered a non-retryable error and could not start. The data contains the error code.

Error: (07/19/2011 08:36:10 PM) (Source: Ntfs) (User: )
Description: The default transaction resource manager on volume E: encountered a non-retryable error and could not start. The data contains the error code.

Error: (07/19/2011 05:39:11 PM) (Source: Ntfs) (User: )
Description: The default transaction resource manager on volume E: encountered a non-retryable error and could not start. The data contains the error code.

Error: (07/19/2011 04:55:53 PM) (Source: Ntfs) (User: )
Description: The default transaction resource manager on volume E: encountered a non-retryable error and could not start. The data contains the error code.

Error: (07/19/2011 00:20:46 PM) (Source: Ntfs) (User: )
Description: The default transaction resource manager on volume E: encountered a non-retryable error and could not start. The data contains the error code.


Microsoft Office Sessions:
=========================
Error: (07/20/2011 05:34:48 AM) (Source: SideBySide)(User: )
Description: assemblyIdentitylanguage*c:\program files\spybot - search & destroy\DelZip179.dllc:\program files\spybot - search & destroy\DelZip179.dll8

Error: (07/19/2011 04:38:27 AM) (Source: Application Error)(User: )
Description: RogueKiller(1).exe5.2.7.04e0c11c2RogueKiller(1).exe5.2.7.04e0c11c2c00004170004cc3b8b001cc45bcd9ba7c01D:\Downloads\RogueKiller(1).exeD:\Downloads\RogueKiller(1).exe2db2c57f-b1b0-11e0-8e39-000f206e9ea2

Error: (07/19/2011 04:37:36 AM) (Source: Application Error)(User: )
Description: RogueKiller(1).exe5.2.7.04e0c11c2RogueKiller(1).exe5.2.7.04e0c11c2c00004170004cc3b6f801cc45bccbc175edD:\Downloads\RogueKiller(1).exeD:\Downloads\RogueKiller(1).exe0fb4f2bb-b1b0-11e0-8e39-000f206e9ea2

Error: (07/19/2011 02:23:14 AM) (Source: Application Error)(User: )
Description: RogueKiller(1).exe5.2.7.04e0c11c2RogueKiller(1).exe5.2.7.04e0c11c2c00004170004cc3ba5801cc45a9f14e676fD:\Downloads\RogueKiller(1).exeD:\Downloads\RogueKiller(1).exe4a2f2833-b19d-11e0-be36-000f206e9ea2

Error: (07/19/2011 02:22:18 AM) (Source: Application Error)(User: )
Description: RogueKiller(1).exe5.2.7.04e0c11c2RogueKiller(1).exe5.2.7.04e0c11c2c00004170004cc3bf4801cc45a9e72e32b3D:\Downloads\RogueKiller(1).exeD:\Downloads\RogueKiller(1).exe289df495-b19d-11e0-be36-000f206e9ea2

Error: (07/19/2011 02:22:02 AM) (Source: Application Error)(User: )
Description: RogueKiller(1).exe5.2.7.04e0c11c2RogueKiller(1).exe5.2.7.04e0c11c2c00004170004cc3be5801cc45a9dbd9fc2cD:\Downloads\RogueKiller(1).exeD:\Downloads\RogueKiller(1).exe1f707d44-b19d-11e0-be36-000f206e9ea2

Error: (07/19/2011 02:21:43 AM) (Source: Application Error)(User: )
Description: RogueKiller(1).exe5.2.7.04e0c11c2RogueKiller(1).exe5.2.7.04e0c11c2c00004170004cc3bbdc01cc45a9baeeee6dD:\Downloads\RogueKiller(1).exeD:\Downloads\RogueKiller(1).exe13d6d63f-b19d-11e0-be36-000f206e9ea2

Error: (07/19/2011 02:20:47 AM) (Source: Application Error)(User: )
Description: RogueKiller(1).exe5.2.7.04e0c11c2RogueKiller(1).exe5.2.7.04e0c11c2c00004170004cc3bbfc01cc45a9a7246335D:\Downloads\RogueKiller(1).exeD:\Downloads\RogueKiller(1).exef295cdb3-b19c-11e0-be36-000f206e9ea2

Error: (07/19/2011 00:42:32 AM) (Source: Application Error)(User: )
Description: RogueKiller(1).exe5.2.7.04e0c11c2RogueKiller(1).exe5.2.7.04e0c11c2c00004170004cc3bb3401cc459befa01363D:\Downloads\RogueKiller(1).exeD:\Downloads\RogueKiller(1).exe393ac397-b18f-11e0-929b-000f206e9ea2

Error: (07/18/2011 11:51:59 PM) (Source: Application Error)(User: )
Description: RogueKiller(1).exe5.2.7.04e0c11c2RogueKiller(1).exe5.2.7.04e0c11c2c00004170004cc3bcc401cc4594db52a242D:\Downloads\RogueKiller(1).exeD:\Downloads\RogueKiller(1).exe28e4fc3a-b188-11e0-929b-000f206e9ea2


========================= Memory info: ===================================

Percentage of memory in use: 39%
Total physical RAM: 1015.55 MB
Available physical RAM: 611.87 MB
Total Pagefile: 2039.55 MB
Available Pagefile: 1118.96 MB
Total Virtual: 2047.88 MB
Available Virtual: 1941.36 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:31.89 GB) (Free:17.16 GB) NTFS
3 Drive d: () (Fixed) (Total:154.42 GB) (Free:4.83 GB) NTFS

========================= Users: ========================================

User accounts for \\SEBASTIANUS-PC

Administrator Guest Sebastianus


== End of log ==


mbam-log:
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7210

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

20-7-2011 13:59:56
mbam-log-2011-07-20 (13-59-56).txt

Scan type: Quick scan
Objects scanned: 146065
Time elapsed: 9 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

(PS, this is the by Comodo intervened, 2 later scanning have the same result however lasted 4.11 and 3.02 minutes)


GMER.log:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-20 15:05:57
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD2000JB-00GVA0 rev.08.02D08
Running: gmer.exe; Driver: C:\Users\SEBAST~1\AppData\Local\Temp\kwlyaaog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKey + 13CD 81C87A09 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 81CA7512 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74222437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74205600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [742056BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [742224B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74218514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74214CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7421506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74215144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74216671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7421826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [742187BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7421901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7421E1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74214BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

PS: I had to run GMER in safe mode because Windows gave me no access. An older version of GMER did run. (Comodo found a virus in the new version, not in the old version. Possibly, despite disabling Comodo, Comodo continued to intervene running the new GMER?)


I hope you are not confused by all the above info!

I am beginning to wonder if the Comodo anti-virus is doing too much (false positive), and if stopping it through the Taskbar-icon is not really disabling it?


Best Regards
Jan6000

#4 Jan6000

Jan6000
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:33 PM

Posted 21 July 2011 - 06:13 PM

Hello,

Possibly any idea after my above added results from your advice?

Thanks

#5 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,754 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:33 AM

Posted 21 July 2011 - 08:23 PM

It looks like your Comodo got little bit overexcited :)

Uninstall Abyssal Registry Cleaner 1.4.0
Registry cleaners/optimizers are not recommended for several reasons:

  • Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

    The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.
  • Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.
  • Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.
  • Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.
  • The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".
Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.


========================================================

So far everything looks clean.

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#6 Jan6000

Jan6000
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:33 PM

Posted 23 July 2011 - 02:46 PM

Thanks for your further advice.


I ran ESET, it ran for ~20 hours (200 GB + 750 GB)

I was very astonished that ESET found considerable items.
I ran MBAM and SAS earlier in safe mode and they found nothing.
Further earlier I ran virus-scanners from a bootable CD (eSAN and Bitdefender) and they found a few minor items. So I thought I was fairly clean of malware.
However ESET also found Unlocker (downloaded from FileHippo), which I suppose must be a false positive !!

So is ESET a more thorough scanner (possibly this explains the time it takes to scan)?


Following is the report from ESET

ESET-Jan6000-20110722
D:\Downloads\Clickfix_v3.00.zip HTML/ScrInject.B.Gen virus deleted - quarantined
D:\Downloads\Setup_FreeConverter(2).exe Win32/Adware.Toolbar.Dealio application deleted - quarantined
D:\Downloads\SystemSpeedBooster-2.8.0.8.Setup.exe a variant of Win32/Adware.RealRegistryCleaner application deleted - quarantined
D:\Downloads\Unlocker1.9.1(1).exe Win32/Adware.ADON application deleted - quarantined
G:\Downloads\Clickfix_v3.00.zip HTML/ScrInject.B.Gen virus deleted - quarantined
G:\Downloads\Internet_TV_Setup(2).exe a variant of Win32/Adware.ADON application deleted - quarantined
G:\Downloads\Internet_TV_Setup.exe a variant of Win32/Adware.ADON application deleted - quarantined
G:\Downloads\Lupo_PenSuite_v6.76_Full.exe probably a variant of Win32/Agent.JKSSESN trojan deleted - quarantined
G:\Downloads\puinstall303-en-p.exe multiple threats deleted - quarantined
G:\Downloads\Setup_FreeConverter(2).exe Win32/Adware.Toolbar.Dealio application deleted - quarantined
G:\Downloads\SF(5).exe Win32/Adware.Toolbar.Dealio application deleted - quarantined
G:\Downloads\sp20rc2.exe probably a variant of Win32/Agent.BGOSGZQ trojan deleted - quarantined
G:\Downloads\fc_setup_\fc_setup.exe a variant of Win32/Adware.ADON application deleted - quarantined
G:\Downloads\fc_setup_(3)\fc_setup.exe a variant of Win32/Adware.ADON application deleted - quarantined
G:\Downloads2\unlocker1.9.0.exe Win32/Adware.ADON application deleted - quarantined
J:\Doc+Set_Oud\Jan Overbeek\My Documents\Downloads\165 Standalone Programs for Windows XP\165_STANDALONE_Programs_for_Windows_XP.exe multiple threats deleted - quarantined
J:\Torrentss\lp-recorder-10.0.1.exe a variant of Win32/Agent.QHQ trojan deleted - quarantined
J:\Torrentss\physical-chemistry-4e.exe multiple threats deleted - quarantined
J:\Torrentss\Daemon.Tools.Pro.4.30.0305-Mohsen6558\DAEMON.Tools.Pro.Advanced.v4.30.0305_by_GoranM\DTPro4300305.exe a variant of Win32/Kryptik.ZT trojan deleted - quarantined
J:\Torrentss\Hard Disk Recovery Collection\DataDoctor DataRecovery Works\Data Doctor.exe probably a variant of Win32/IRCBot.FEQYUYJ trojan deleted - quarantined
J:\Torrentss\MGA6_crack\MGA6crack.exe probably a variant of Win32/Agent.JEMANYM trojan deleted - quarantined

I also ran afterwards my antivurus (Comodo), it additionally found an unbelievable 75 items. After reviewing them I considered them all to be trivial !!

Jan6000

#7 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,754 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:33 AM

Posted 23 July 2011 - 02:59 PM

As you can see, all those finding are not active.
Just some dangerous downloads, using torrents I'd assume...

Your computer is clean Posted Image

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll remove all old restore points and create fresh, clean restore point.

Turn system restore off.
Restart computer.
Turn system restore back on.

If you don't know how to do it...
Windows XP: http://support.microsoft.com/kb/310405
Vista and Windows 7: http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/

2. Make sure, Windows Updates are current.

3. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

4. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

5. Run Temporary File Cleaner (TFC) weekly.

6. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

7. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

8. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#8 Jan6000

Jan6000
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:33 PM

Posted 23 July 2011 - 05:32 PM

Thanks for your help and advises.

Fine that this kind of help is possible.

Jan6000

#9 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,754 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:33 AM

Posted 23 July 2011 - 05:39 PM

You're very welcome Posted Image

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users