Started As Spyfalcon, Now Appears To Be More


  • This topic is locked
10 replies to this topic

#1 nub

  • Members
  • 17 posts

Posted 17 March 2006 - 10:58 PM

Followed all the steps in the Preparation guide and have discovered my problem is greater than just SpyFalcon. Assumed it was SpyFalcon as that is what Symantec picked up. SpyBot detects Vcodec each time it is run. Can eliminate it from memory when SpyBot is run on bootup. But like herpes it keeps coming back. Panda and BitDefender found some items as well that they could not delete. Panda noted 2 viruses named Trj/Zlob.DE and Trj/Zlob.DK. BitDefender listed the following three descriptions:

BehavesLike:Trojan.Downloader
Generic.Malware.Ssp.5B05AD8C
Trojan.Renos.C

I saved the logs for these runs as well if that info will help. Would really appreciate help on this as it appears the problem is getting bigger. :thumbsup: Thanks in advance!

The HijackThis log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 7:37:13 PM, on 3/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.west.cox.net/
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - (no file)
O3 - Toolbar: Anonymizer 2005 Toolbar - {DB264E15-F83B-4603-BFC1-4EA7E3204686} - C:\Program Files\Anonymizer\Anon2005\AnonIEBar.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 miekiemoes

  • Malware Response Team
  • 19,420 posts
  • Location: Belgium

Posted 18 March 2006 - 01:46 PM

Hello,

* Download Spyfalconfix from here:
http://www.martijnc.be/tools/sffix.exe
Download it to your desktop.
Double-click sffix.exe
Click the 'install' button.
This will create a new folder on your desktop called sffix.
Open that folder and click: Run.bat
In case your ZoneAlarm gives an alert, allow it instead of blocking it, because this tool downloads an extra tool from the net to properly run it.
Let the tool perform its job.


* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

I also want you to perform a new Panda scan, because we can't do anything with only the names of the infections it finds; I also want to know where they are located. So perform the following:

* Perform an online scan with Panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report and a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 nub


Posted 18 March 2006 - 02:40 PM

Followed your instructions and have the reports here. Every time I see these reports I keep seeing more! So much for thinking I was adequately protected. :thumbsup:

Panda:

Incident Status Location

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\end-user\Cookies\end-user@com[2].txt
Possible Virus. Not disinfected C:\Program Files\Symantec AntiVirus\SAVRT\0618NAV~.TMP
Virus:Trj/Agent.BOC Not disinfected C:\WINDOWS\system32\1024\ld27CE.tmp
Virus:Trj/Agent.BOC Not disinfected C:\WINDOWS\system32\1024\ld42A9.tmp
Virus:Trj/Zlob.DE Not disinfected C:\WINDOWS\system32\1024\ld47D6.tmp
Virus:Trj/Agent.BOC Not disinfected C:\WINDOWS\system32\1024\ld5DA3.tmp
Virus:Trj/Agent.BOC Not disinfected C:\WINDOWS\system32\1024\ld78AD.tmp
Virus:Trj/Agent.BOC Not disinfected C:\WINDOWS\system32\1024\ld92DC.tmp
Adware:Adware/SpywareStrike Not disinfected C:\WINDOWS\system32\1024\ldA7AC.tmp
Adware:Adware/SpywareStrike Not disinfected C:\WINDOWS\system32\1024\ldA81A.tmp
Virus:Trj/Zlob.DE Not disinfected C:\WINDOWS\system32\1024\ldA942.tmp
Virus:Trj/Agent.BOC Not disinfected C:\WINDOWS\system32\1024\ldA952.tmp
Virus:Trj/Agent.BOC Not disinfected C:\WINDOWS\system32\1024\ldAC5F.tmp
Virus:Trj/Agent.BOC Not disinfected C:\WINDOWS\system32\1024\ldD22.tmp
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\dfrgsrv.exe
Virus:Trj/Zlob.DE Not disinfected C:\WINDOWS\system32\dxole32.exe
Adware:Adware/SpywareStrike Not disinfected C:\WINDOWS\system32\hpAB46.tmp
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\ldC35F.tmp
Adware:adware/emediacodec Not disinfected C:\WINDOWS\system32\mssearchnet.exe
Adware:adware/securityerror Not disinfected C:\WINDOWS\system32\msvol.tlb


HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 11:31:22 AM, on 3/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.west.cox.net/
O3 - Toolbar: Anonymizer 2005 Toolbar - {DB264E15-F83B-4603-BFC1-4EA7E3204686} - C:\Program Files\Anonymizer\Anon2005\AnonIEBar.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
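
Added example, not part of the original posts: a short Python script that parses the HijackThis entry lines from the two logs above, diffs them, and confirms that the two entries ticked for Fix Checked are gone from the second log. The log excerpts are copied from this thread; the function names are illustrative.

```python
import re

# Excerpts copied from the two HijackThis logs posted in this thread (not the full logs).
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.west.cox.net/
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""

LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.west.cox.net/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""

# The two entries the helper asked to tick before clicking "Fix Checked".
FIX_CHECKED = [
    r"O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - (no file)",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
]

# Entry lines look like "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Markers that appear in the thread's logs when the referenced file is not on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entries(log_text):
    """Return (section, body) tuples; header and running-process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def orphaned(entries):
    """Entries whose target file HijackThis could not find."""
    return [e for e in entries if e[1].endswith(ORPHAN_MARKERS)]


def diff_entries(before, after):
    """Return (removed, added) entry lists, keeping log order."""
    before_set, after_set = set(before), set(after)
    removed = [e for e in before if e not in after_set]
    added = [e for e in after if e not in before_set]
    return removed, added


def still_present(fix_lines, after):
    """Checked lines that survived the fix; an empty list means the fix took."""
    after_set = set(after)
    survivors = []
    for line in fix_lines:
        parsed = parse_entries(line)
        if parsed and parsed[0] in after_set:
            survivors.append(line)
    return survivors


if __name__ == "__main__":
    before, after = parse_entries(LOG_BEFORE), parse_entries(LOG_AFTER)
    removed, added = diff_entries(before, after)
    for section, body in removed:
        print("removed:", section, "-", body)
    for section, body in added:
        print("added:  ", section, "-", body)
    for section, body in orphaned(after):
        print("orphan: ", section, "-", body)
    print("fix entries still present:", still_present(FIX_CHECKED, after))
```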

#4 miekiemoes


Posted 18 March 2006 - 02:58 PM

Hello,

The infection is not active anymore, because I don't see it running in the processes. However, there could be some files which won't delete in normal mode; that's why I want you to delete them in Safe Mode.
I recommend you save the next instructions in Notepad or print them out, because I don't want you to delete other similar-looking files.

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

* Reboot into Safe Mode (without networking support!):
To get into Safe Mode, press and hold your "F8" key as the computer is booting. Use your arrow keys to move to "Safe Mode" and press your Enter key.

Once in Safe Mode, delete the following folder and files:

C:\WINDOWS\system32\1024 <== folder
C:\WINDOWS\system32\dfrgsrv.exe
C:\WINDOWS\system32\dxole32.exe
C:\WINDOWS\system32\hpAB46.tmp
C:\WINDOWS\system32\ldC35F.tmp
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\msvol.tlb

Reboot back to normal mode.

Please hide your hidden files and folders again, because the above instructions to set your system to show all files unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.

Perform a full scan with an updated Ad-Aware SE and/or Spybot S&D to get rid of some leftovers if still present.
If you don't have those programs yet, you can find the download locations in my sig.
No need to post a new HijackThis log afterwards, since the above one looks clean.
Just let me know how things are running afterwards. :thumbsup:

Edited by miekiemoes, 18 March 2006 - 02:58 PM.


#5 nub


Posted 18 March 2006 - 04:41 PM

Followed your instructions and deleted the noted folder and files. Rebooted. SpyBot came up on reboot, found and deleted Vcodec. Ad-Aware SE did not find anything. I also ran Symantec and it also did not find anything.

Other than IE coming up a little slow I have not noticed anything else as far as performance.

I'm curious about the Panda scan now. So many items were noted. If I were to run it again now, it should come back clean based on what we did?

I appreciate your help on this so. Was thinking of just reformatting the drive just to get away from this problem. I will be reading your forums on how best to close off the holes I have here and protect myself better. I was comfortable thinking between Zone Alarm Security Suite, Ad-Aware and SpyBot I was safe. Just so you know I had disabled the Zone Alarm virus scan and loaded a current version of Symantec after this problem. Zone Alarm didn't show the problem when Symantec did. Do you have a suggestion on which to keep running (can't run Zone Alarm virus scan with Symantec loaded)?

#6 miekiemoes


Posted 18 March 2006 - 05:11 PM

Hi, normally, when you run a Panda scan again, it should come up clean, except for some cookies, but don't worry about those. You can easily delete them by performing the following:

* Clean your IE cookies and cache:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Let your antispyware scanner(s) scan frequently and don't forget to update beforehand.

And I do suggest you perform an online virus scan once in a while. (Housecall and/or Bitdefender). Because what one virus scanner can't find another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

If you have XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to Protect your Pc, Protect yourself and Protect your Family.

More info on how to prevent malware you can also find here (By Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Happy surfing again! :thumbsup:

#7 nub


Posted 18 March 2006 - 05:52 PM

Ran Panda Online Scan again just to see. Seems the bad guys have resurfaced. Gave another list of spyware and viruses as follows:


Incident Status Location

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\end-user\Cookies\end-user@com[2].txt
Adware:Adware/SpywareStrike Not disinfected C:\RECYCLER\S-1-5-21-796845957-179605362-682003330-1003\Dc10.tmp
Adware:Adware/SecurityError Not disinfected C:\RECYCLER\S-1-5-21-796845957-179605362-682003330-1003\Dc11.tmp
Virus:Trj/Agent.BOC Not disinfected C:\RECYCLER\S-1-5-21-796845957-179605362-682003330-1003\Dc7\ld27CE.tmp
Virus:Trj/Agent.BOC Not disinfected C:\RECYCLER\S-1-5-21-796845957-179605362-682003330-1003\Dc7\ld42A9.tmp
Virus:Trj/Zlob.DE Not disinfected C:\RECYCLER\S-1-5-21-796845957-179605362-682003330-1003\Dc7\ld47D6.tmp
Virus:Trj/Agent.BOC Not disinfected C:\RECYCLER\S-1-5-21-796845957-179605362-682003330-1003\Dc7\ld5DA3.tmp
Virus:Trj/Agent.BOC Not disinfected C:\RECYCLER\S-1-5-21-796845957-179605362-682003330-1003\Dc7\ld78AD.tmp
Virus:Trj/Agent.BOC Not disinfected C:\RECYCLER\S-1-5-21-796845957-179605362-682003330-1003\Dc7\ld92DC.tmp
Adware:Adware/SpywareStrike Not disinfected C:\RECYCLER\S-1-5-21-796845957-179605362-682003330-1003\Dc7\ldA7AC.tmp
Adware:Adware/SpywareStrike Not disinfected C:\RECYCLER\S-1-5-21-796845957-179605362-682003330-1003\Dc7\ldA81A.tmp
Virus:Trj/Zlob.DE Not disinfected C:\RECYCLER\S-1-5-21-796845957-179605362-682003330-1003\Dc7\ldA942.tmp
Virus:Trj/Agent.BOC Not disinfected C:\RECYCLER\S-1-5-21-796845957-179605362-682003330-1003\Dc7\ldA952.tmp
Virus:Trj/Agent.BOC Not disinfected C:\RECYCLER\S-1-5-21-796845957-179605362-682003330-1003\Dc7\ldAC5F.tmp
Virus:Trj/Agent.BOC Not disinfected C:\RECYCLER\S-1-5-21-796845957-179605362-682003330-1003\Dc7\ldD22.tmp
Adware:Adware/SecurityError Not disinfected C:\RECYCLER\S-1-5-21-796845957-179605362-682003330-1003\Dc8.exe
Virus:Trj/Zlob.DE Not disinfected C:\RECYCLER\S-1-5-21-796845957-179605362-682003330-1003\Dc9.exe
Adware:adware/securityerror Not disinfected C:\WINDOWS\system32\ot.ico
So you know...I have not gone to any sites other than those mentioned in previous posts for scanning purposes.

#8 nub


Posted 18 March 2006 - 06:06 PM

Dawned on me that C:\recycler may be the recycle bin. Discovered it was and deleted the contents. Reran Panda and got the following:


Incident Status Location

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\end-user\Cookies\end-user@com[2].txt
Adware:adware/securityerror Not disinfected C:\WINDOWS\system32\ot.ico
One appears to be a cookie as you described in your last post. Not sure about the other.
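
Added example, not part of the original posts: a Python script that compares two of the Panda reports from this thread and separates detections that merely moved into the Recycle Bin from ones still in a live location. The report excerpts are copied from the posts above; the function and category names are illustrative.

```python
import ntpath  # Windows path handling that also works on non-Windows hosts
import re
from collections import namedtuple

Detection = namedtuple("Detection", "name status path")

# Excerpts copied from the first and second Panda reports in this thread.
SCAN_1 = r"""
Incident Status Location
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\end-user\Cookies\end-user@com[2].txt
Virus:Trj/Agent.BOC Not disinfected C:\WINDOWS\system32\1024\ld27CE.tmp
Virus:Trj/Zlob.DE Not disinfected C:\WINDOWS\system32\1024\ld47D6.tmp
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\dfrgsrv.exe
Virus:Trj/Zlob.DE Not disinfected C:\WINDOWS\system32\dxole32.exe
"""

SCAN_2 = r"""
Incident Status Location
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\end-user\Cookies\end-user@com[2].txt
Virus:Trj/Agent.BOC Not disinfected C:\RECYCLER\S-1-5-21-796845957-179605362-682003330-1003\Dc7\ld27CE.tmp
Virus:Trj/Zlob.DE Not disinfected C:\RECYCLER\S-1-5-21-796845957-179605362-682003330-1003\Dc7\ld47D6.tmp
Adware:Adware/SecurityError Not disinfected C:\RECYCLER\S-1-5-21-796845957-179605362-682003330-1003\Dc8.exe
Virus:Trj/Zlob.DE Not disinfected C:\RECYCLER\S-1-5-21-796845957-179605362-682003330-1003\Dc9.exe
Adware:adware/securityerror Not disinfected C:\WINDOWS\system32\ot.ico
"""

# "Not disinfected" is the only status value that appears in the thread's reports.
STATUS = " Not disinfected "
# Per-user Recycle Bin folder as it appears in the second report: <drive>:\RECYCLER\<SID>\
RECYCLER_RE = re.compile(r"^[A-Za-z]:\\RECYCLER\\S-1-5-[0-9-]+\\", re.IGNORECASE)


def parse_report(text):
    """Split each 'Incident Status Location' row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        name, sep, path = line.strip().partition(STATUS)
        if sep and path:
            rows.append(Detection(name, STATUS.strip(), path))
    return rows


def in_recycler(path):
    return bool(RECYCLER_RE.match(path))


def triage(first, second):
    """Classify each detection of the second scan relative to the first."""
    first_paths = {d.path.lower() for d in first}
    # Files inside a deleted folder keep their names (1024\ld27CE.tmp -> Dc7\ld27CE.tmp),
    # so detection name + file name identifies them; files deleted one by one are
    # renamed by the Recycle Bin (Dc8.exe, Dc9.exe) and cannot be matched this way.
    first_by_file = {
        (d.name.lower(), ntpath.basename(d.path).lower()): d.path for d in first
    }
    result = {"relocated": [], "recycled_renamed": [], "persisting": [], "new": []}
    for d in second:
        if in_recycler(d.path):
            key = (d.name.lower(), ntpath.basename(d.path).lower())
            if key in first_by_file:
                result["relocated"].append((first_by_file[key], d.path))
            else:
                result["recycled_renamed"].append(d.path)
        elif d.path.lower() in first_paths:
            result["persisting"].append(d.path)  # same live location in both scans
        else:
            result["new"].append(d.path)         # live location not seen before
    return result


if __name__ == "__main__":
    outcome = triage(parse_report(SCAN_1), parse_report(SCAN_2))
    for category, items in outcome.items():
        print(category)
        for item in items:
            print("   ", item)
```

Anything listed under relocated or recycled_renamed is still on disk until the Recycle Bin is emptied, which is why the second scan kept reporting it.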

#9 miekiemoes


Posted 19 March 2006 - 02:14 AM

Yes, delete this one:

C:\WINDOWS\system32\ot.ico

#10 nub


Posted 19 March 2006 - 01:49 PM

Done and done! This computer is clean!! Thank you so much for your help.

This has opened my eyes a bit to this stuff. Will be running these scans on the GF's laptop next. Suspect she will have some issues as well. Will start a new thread if so.

#11 miekiemoes


Posted 19 March 2006 - 02:06 PM

Glad I could help. :thumbsup:

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



