
Keygen.exe Disappeared On Double Click


10 replies to this topic

#1 greenhorn

greenhorn

  • Members
  • 27 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:31 PM

Posted 01 May 2007 - 05:35 AM

hi,
A friend of mine just downloaded a keygen for Nikon Capture from somewhere, and when she double-clicked on the .exe file it just disappeared from her drive and nothing else happened! She thought it was funny, but I think it could be something more serious, as the file seems to have deleted itself and could be a trojan or something that transferred itself to the system files. Her system could be seriously infected. I ran her Symantec antivirus, which came up clean, and there's no anti-spyware program installed on the computer. She's not at all technically inclined and I myself am not too savvy about what to do now. Can anyone help please?
Her system is a 3-year-old AMD-based machine running Windows 2000.
thanks

#2 fozzie

fozzie

    aut viam inveniam aut faciam


  • Members
  • 3,516 posts
  • OFFLINE
  • Gender:Male
  • Location:Ossendrecht/The Netherlands
  • Local time:07:01 PM

Posted 01 May 2007 - 06:21 AM

She should perform the following steps.

Start with checking for malware causes to your problem.
Install SuperAntiSpyware. Run it in safe mode. Allow it to quarantine whatever it finds.
SuperAntiSpyware: http://www.superantispyware.com/

Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan.
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.

#3 greenhorn
  • Topic Starter

Posted 01 May 2007 - 06:56 AM

Thanks for taking out time to help us.
I've just downloaded SuperAntiSpyware and shall run the scan in safe mode now.
The only problem is that F-Secure requires other antivirus programs to be uninstalled, but there's already the Symantec antivirus installed on the machine and our company regulations do not allow us to uninstall it.
Can we use ComboFix or anything else?
Thanks again for your help.

#4 fozzie

Posted 01 May 2007 - 09:31 AM

What was asked is to shut down the resident protection from Norton, since it could interfere with F-Secure.

Run the online scan for BitDefender in normal mode. Allow it to quarantine whatever it finds.
Bitdefender

and post back the result.

Edited by fozzie, 01 May 2007 - 09:39 AM.


#5 greenhorn
  • Topic Starter

Posted 01 May 2007 - 01:36 PM

Hi, sorry for such a long delay; the scan took a really long time.
Here's the BitDefender scan report:

BitDefender Online Scanner

Scan report generated at: Tue, May 01, 2007 - 23:47:29

Scan path: A:\;C:\;D:\;E:\;

Statistics

Time
03:09:19

Files
440335

Folders
4186

Boot Sectors
3

Archives
66006

Packed Files
38523

Results

Identified Viruses
2

Infected Files
3

Suspect Files
13

Warnings
0

Disinfected
0

Deleted Files
16

Engines Info

Virus Definitions
503531

Engine build
AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)

Scan plugins
14

Archive plugins
38

Unpack plugins
6

E-mail plugins
6

System plugins
1

Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes

Scanned File
Status

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 17)=>[Subject: attchmnt][Date: Fri, 4 Aug 2006 21:38:02 +0530]=>(MIME part)=>Shantanu-Do-Not-Delete.zip=>Shantanu-Do-Not-Delete/Win-Spy Eval Setup.exe
Infected with: Backdoor.Genlot.JL

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 17)=>[Subject: attchmnt][Date: Fri, 4 Aug 2006 21:38:02 +0530]=>(MIME part)=>Shantanu-Do-Not-Delete.zip=>Shantanu-Do-Not-Delete/Win-Spy Eval Setup.exe
Disinfection failed

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 17)=>[Subject: attchmnt][Date: Fri, 4 Aug 2006 21:38:02 +0530]=>(MIME part)=>Shantanu-Do-Not-Delete.zip=>Shantanu-Do-Not-Delete/Win-Spy Eval Setup.exe
Deleted

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 17)=>[Subject: attchmnt][Date: Fri, 4 Aug 2006 21:38:02 +0530]=>(MIME part)=>Shantanu-Do-Not-Delete.zip
Updated

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 17)=>[Subject: attchmnt][Date: Fri, 4 Aug 2006 21:38:02 +0530]=>(MIME part)
Updated

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 17)
Updated

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Deleted Items.dbx
Update failed

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 22)=>[Subject: please save these files][Date: Tue, 15 Aug 2006 04:27:32 +0530]=>(MIME part)=>MobyDock.exe
Infected with: Trojan.Spy.Keylogger.BP

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 22)=>[Subject: please save these files][Date: Tue, 15 Aug 2006 04:27:32 +0530]=>(MIME part)=>MobyDock.exe
Disinfection failed

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 22)=>[Subject: please save these files][Date: Tue, 15 Aug 2006 04:27:32 +0530]=>(MIME part)=>MobyDock.exe
Deleted

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 22)=>[Subject: please save these files][Date: Tue, 15 Aug 2006 04:27:32 +0530]=>(MIME part)
Updated

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 22)
Updated

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 22)=>[Subject: please save these files][Date: Tue, 15 Aug 2006 04:27:32 +0530]=>(MIME part)=>SpyhunterSS.exe
Infected with: Trojan.Spy.Keylogger.BP

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 22)=>[Subject: please save these files][Date: Tue, 15 Aug 2006 04:27:32 +0530]=>(MIME part)=>SpyhunterSS.exe
Disinfection failed

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 22)=>[Subject: please save these files][Date: Tue, 15 Aug 2006 04:27:32 +0530]=>(MIME part)=>SpyhunterSS.exe
Deleted

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 22)=>[Subject: please save these files][Date: Tue, 15 Aug 2006 04:27:32 +0530]=>(MIME part)
Updated

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 22)
Updated

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Deleted Items.dbx
Update failed

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000207.msg=>[Subject: Hello,beyondadvertising,some questions][Date: Tue, 4 Mar 2003 16:34:37 +0530]=>(MIME part)=>(message body)
Suspected of: Exploit.Iframe.Vulnerability

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000207.msg=>[Subject: Hello,beyondadvertising,some questions][Date: Tue, 4 Mar 2003 16:34:37 +0530]=>(MIME part)=>(message body)
Disinfection failed

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000207.msg=>[Subject: Hello,beyondadvertising,some questions][Date: Tue, 4 Mar 2003 16:34:37 +0530]=>(MIME part)=>(message body)
Deleted

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000207.msg=>[Subject: Hello,beyondadvertising,some questions][Date: Tue, 4 Mar 2003 16:34:37 +0530]=>(MIME part)
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000207.msg
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000208.msg=>[Subject: Here To Know More][Date: Wed, 5 Mar 2003 16:45:55 +0530]=>(MIME part)=>(message body)
Suspected of: Exploit.Iframe.Vulnerability

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000208.msg=>[Subject: Here To Know More][Date: Wed, 5 Mar 2003 16:45:55 +0530]=>(MIME part)=>(message body)
Disinfection failed

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000208.msg=>[Subject: Here To Know More][Date: Wed, 5 Mar 2003 16:45:55 +0530]=>(MIME part)=>(message body)
Deleted

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000208.msg=>[Subject: Here To Know More][Date: Wed, 5 Mar 2003 16:45:55 +0530]=>(MIME part)
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000208.msg
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000209.msg=>[Subject: Your password][Date: Thu, 6 Mar 2003 05:35:28 +0000]=>(MIME part)=>(message body)
Suspected of: Exploit.Iframe.Vulnerability

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000209.msg=>[Subject: Your password][Date: Thu, 6 Mar 2003 05:35:28 +0000]=>(MIME part)=>(message body)
Disinfection failed

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000209.msg=>[Subject: Your password][Date: Thu, 6 Mar 2003 05:35:28 +0000]=>(MIME part)=>(message body)
Deleted

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000209.msg=>[Subject: Your password][Date: Thu, 6 Mar 2003 05:35:28 +0000]=>(MIME part)
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000209.msg
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000210.msg=>[Subject: Support][Date: Fri, 7 Mar 2003 16:40:04 +0530]=>(MIME part)=>(message body)
Suspected of: Exploit.Iframe.Vulnerability

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000210.msg=>[Subject: Support][Date: Fri, 7 Mar 2003 16:40:04 +0530]=>(MIME part)=>(message body)
Disinfection failed

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000210.msg=>[Subject: Support][Date: Fri, 7 Mar 2003 16:40:04 +0530]=>(MIME part)=>(message body)
Deleted

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000210.msg=>[Subject: Support][Date: Fri, 7 Mar 2003 16:40:04 +0530]=>(MIME part)
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000210.msg
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000211.msg=>[Subject: Pluginspage][Date: Sat, 8 Mar 2003 05:18:02 +0000]=>(MIME part)=>(message body)
Suspected of: Exploit.Iframe.Vulnerability

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000211.msg=>[Subject: Pluginspage][Date: Sat, 8 Mar 2003 05:18:02 +0000]=>(MIME part)=>(message body)
Disinfection failed

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000211.msg=>[Subject: Pluginspage][Date: Sat, 8 Mar 2003 05:18:02 +0000]=>(MIME part)=>(message body)
Deleted

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000211.msg=>[Subject: Pluginspage][Date: Sat, 8 Mar 2003 05:18:02 +0000]=>(MIME part)
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000211.msg
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000212.msg=>[Subject: Sos!][Date: Sat, 8 Mar 2003 17:48:52 +0530]=>(MIME part)=>(message body)
Suspected of: Exploit.Iframe.Vulnerability

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000212.msg=>[Subject: Sos!][Date: Sat, 8 Mar 2003 17:48:52 +0530]=>(MIME part)=>(message body)
Disinfection failed

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000212.msg=>[Subject: Sos!][Date: Sat, 8 Mar 2003 17:48:52 +0530]=>(MIME part)=>(message body)
Deleted

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000212.msg=>[Subject: Sos!][Date: Sat, 8 Mar 2003 17:48:52 +0530]=>(MIME part)
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000212.msg
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000214.msg=>[Subject: Sos!][Date: Sat, 8 Mar 2003 17:48:52 +0530]=>(MIME part)=>(message body)
Suspected of: Exploit.Iframe.Vulnerability

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000214.msg=>[Subject: Sos!][Date: Sat, 8 Mar 2003 17:48:52 +0530]=>(MIME part)=>(message body)
Disinfection failed

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000214.msg=>[Subject: Sos!][Date: Sat, 8 Mar 2003 17:48:52 +0530]=>(MIME part)=>(message body)
Deleted

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000214.msg=>[Subject: Sos!][Date: Sat, 8 Mar 2003 17:48:52 +0530]=>(MIME part)
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000214.msg
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000216.msg=>[Subject: Fw:beyondadvertising,congratulations][Date: Mon, 10 Mar 2003 05:58:04 +0000]=>(MIME part)=>(message body)
Suspected of: Exploit.Iframe.Vulnerability

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000216.msg=>[Subject: Fw:beyondadvertising,congratulations][Date: Mon, 10 Mar 2003 05:58:04 +0000]=>(MIME part)=>(message body)
Disinfection failed

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000216.msg=>[Subject: Fw:beyondadvertising,congratulations][Date: Mon, 10 Mar 2003 05:58:04 +0000]=>(MIME part)=>(message body)
Deleted

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000216.msg=>[Subject: Fw:beyondadvertising,congratulations][Date: Mon, 10 Mar 2003 05:58:04 +0000]=>(MIME part)
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000216.msg
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000217.msg=>[Subject: Jan 20 2003 14][Date: Mon, 10 Mar 2003 08:41:13 +0000]=>(MIME part)=>(message body)
Suspected of: Exploit.Iframe.Vulnerability

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000217.msg=>[Subject: Jan 20 2003 14][Date: Mon, 10 Mar 2003 08:41:13 +0000]=>(MIME part)=>(message body)
Disinfection failed

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000217.msg=>[Subject: Jan 20 2003 14][Date: Mon, 10 Mar 2003 08:41:13 +0000]=>(MIME part)=>(message body)
Deleted

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000217.msg=>[Subject: Jan 20 2003 14][Date: Mon, 10 Mar 2003 08:41:13 +0000]=>(MIME part)
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000217.msg
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000218.msg=>[Subject: A powful tool][Date: Tue, 11 Mar 2003 11:47:24 +0000]=>(MIME part)=>(message body)
Suspected of: Exploit.Iframe.Vulnerability

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000218.msg=>[Subject: A powful tool][Date: Tue, 11 Mar 2003 11:47:24 +0000]=>(MIME part)=>(message body)
Disinfection failed

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000218.msg=>[Subject: A powful tool][Date: Tue, 11 Mar 2003 11:47:24 +0000]=>(MIME part)=>(message body)
Deleted

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000218.msg=>[Subject: A powful tool][Date: Tue, 11 Mar 2003 11:47:24 +0000]=>(MIME part)
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000218.msg
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000220.msg=>[Subject: Jan 20 2003 14][Date: Thu, 13 Mar 2003 11:21:04 +0000]=>(MIME part)=>(message body)
Suspected of: Exploit.Iframe.Vulnerability

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000220.msg=>[Subject: Jan 20 2003 14][Date: Thu, 13 Mar 2003 11:21:04 +0000]=>(MIME part)=>(message body)
Disinfection failed

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000220.msg=>[Subject: Jan 20 2003 14][Date: Thu, 13 Mar 2003 11:21:04 +0000]=>(MIME part)=>(message body)
Deleted

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000220.msg=>[Subject: Jan 20 2003 14][Date: Thu, 13 Mar 2003 11:21:04 +0000]=>(MIME part)
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000220.msg
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000222.msg=>[Subject: Me a Passport][Date: Fri, 14 Mar 2003 13:07:58 +0000]=>(MIME part)=>(message body)
Suspected of: Exploit.Iframe.Vulnerability

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000222.msg=>[Subject: Me a Passport][Date: Fri, 14 Mar 2003 13:07:58 +0000]=>(MIME part)=>(message body)
Disinfection failed

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000222.msg=>[Subject: Me a Passport][Date: Fri, 14 Mar 2003 13:07:58 +0000]=>(MIME part)=>(message body)
Deleted

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000222.msg=>[Subject: Me a Passport][Date: Fri, 14 Mar 2003 13:07:58 +0000]=>(MIME part)
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000222.msg
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000232.msg=>[Subject: A powful tool][Date: Tue, 11 Mar 2003 11:47:24 +0000]=>(MIME part)=>(message body)
Suspected of: Exploit.Iframe.Vulnerability

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000232.msg=>[Subject: A powful tool][Date: Tue, 11 Mar 2003 11:47:24 +0000]=>(MIME part)=>(message body)
Disinfection failed

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000232.msg=>[Subject: A powful tool][Date: Tue, 11 Mar 2003 11:47:24 +0000]=>(MIME part)=>(message body)
Deleted

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000232.msg=>[Subject: A powful tool][Date: Tue, 11 Mar 2003 11:47:24 +0000]=>(MIME part)
Updated

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000232.msg
Updated

#6 fozzie

Posted 01 May 2007 - 04:23 PM

You have 3 large problems in your Outlook which are in your "Deleted Items" folder. Clean those out first by emptying your Deleted Items folder.

The other things reported go way back to 2003!!! I assume D is your second drive?

Did the SuperAntiSpyware scan report anything?

After you have performed those steps, re-run a BitDefender scan to see whether it is gone.

I do not know whether you have clicked those attachments. If so, you should consider any data on that computer to be compromised, since those are keyloggers with backdoor data, meaning that it could be possible that anything you have typed could be logged and sent to a third party.

Please post back with the results and I will follow up.

#7 greenhorn
  • Topic Starter

Posted 02 May 2007 - 04:46 AM

Hi,
Thanks again for your help.
The SuperAntiSpyware scan found 13 infections and cleaned them.
Here's the latest BitDefender scan report:

BitDefender Online Scanner

Scan report generated at: Wed, May 02, 2007 - 14:35:39

Scan path: C:\;D:\;E:\;C:\Documents and Settings\Administrator\My Documents;

Statistics

Time
03:17:21

Files
449597

Folders
4552

Boot Sectors
3

Archives
67361

Packed Files
38778




Results

Identified Viruses
1

Infected Files
2

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
2




Engines Info

Virus Definitions
503579

Engine build
AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)

Scan plugins
14

Archive plugins
38

Unpack plugins
6

E-mail plugins
6

System plugins
1




Scan Settings

First Action
Delete

Second Action
None

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Inbox.dbx=>(message 344)
Infected with: Win32.Worm.Stration.FC.m

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Inbox.dbx=>(message 344)
Deleted

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Inbox.dbx
Update failed

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Inbox.dbx=>(message 345)
Infected with: Win32.Worm.Stration.FC.m

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Inbox.dbx=>(message 345)
Deleted

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{B43DE5E2-C327-4BF0-84AD-377DDFC87AED}\Microsoft\Outlook Express\Inbox.dbx
Update failed

#8 fozzie

Posted 02 May 2007 - 04:53 AM

It appears you are clean now. If you want to be absolutely sure, Start Here and post a HJT log in the HJT Forum, NOT HERE, where a helper will assist you.

The lesson to be learned from this is that you should perform an online scan at least every 2 weeks to be sure. Even though you have Norton, every now and then stuff still slips through.

Did you set Norton to also scan emails?

#9 greenhorn
  • Topic Starter

Posted 02 May 2007 - 05:38 AM

Phew! Thanks a lot Fozzie, my friend, I truly appreciate all the help you've given us and the time you took out for us. You are right, there is a lesson to be learned here. I shall keep your good advice in mind and make sure that not only this friend's computer but also my own gets regularly scanned online. Maybe I'll also get BitDefender installed on my computer; it seems to be a great program and better than Norton.
Thanks again, pal.

#10 greenhorn
  • Topic Starter

Posted 02 May 2007 - 03:17 PM

Sorry to bother you again, but I just ran an online scan on my own computer and got some shocking results! It detected some 7 infections (a couple of them were already quarantined by Norton), which were deleted, but the strangest was that it showed that I was infected with a keylogger that was in the Google Earth .exe file! Now I had downloaded Google Earth from the Google website itself, so how did this happen?? I've had Google Earth for some 8 months now; I shudder to think what damage this might have already done. Plus the scan also showed another keylogger somewhere else. Do you think my system is seriously compromised?
Here's the scan report:

BitDefender Online Scanner

Scan report generated at: Thu, May 03, 2007 - 00:27:45

Scan path: C:\;D:\;E:\;

Statistics

Time
01:13:57

Files
513433

Folders
6682

Boot Sectors
3

Archives
3364

Packed Files
50701


Results

Identified Viruses
4

Infected Files
7

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
7




Engines Info

Virus Definitions
503616

Engine build
AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)

Scan plugins
14

Archive plugins
38

Unpack plugins
6

E-mail plugins
6

System plugins
1




Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\63B24F7D.tmp=>(Quarantine-2)
Infected with: Win32.Warezov.CJ@mm

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\63B24F7D.tmp=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\63B24F7D.tmp=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\652C55DC.tmp=>(Quarantine-2)
Infected with: Win32.Warezov.CJ@mm

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\652C55DC.tmp=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\652C55DC.tmp=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BA49E61E-B0DB-474E-8C12-99A65AF41D62}\RP206\A0020190.exe
Infected with: MemScan:Trojan.Vundo.AJ

C:\System Volume Information\_restore{BA49E61E-B0DB-474E-8C12-99A65AF41D62}\RP206\A0020190.exe
Disinfection failed

C:\System Volume Information\_restore{BA49E61E-B0DB-474E-8C12-99A65AF41D62}\RP206\A0020190.exe
Deleted

D:\Active Documents\PC stuff\dvd2one2.rar=>dvd2one2\Portable DVD2one.exe
Infected with: Backdoor.Pcclient.GV

D:\Active Documents\PC stuff\dvd2one2.rar=>dvd2one2\Portable DVD2one.exe
Disinfection failed

D:\Active Documents\PC stuff\dvd2one2.rar=>dvd2one2\Portable DVD2one.exe
Deleted

D:\Active Documents\PC stuff\dvd2one2.rar
Update failed

D:\Active Documents\PC stuff\dvd2one2.rar=>dvd2one2\Portable DVD2one.rar=>Portable DVD2one.exe
Infected with: Backdoor.Pcclient.GV

D:\Active Documents\PC stuff\dvd2one2.rar=>dvd2one2\Portable DVD2one.rar=>Portable DVD2one.exe
Disinfection failed

D:\Active Documents\PC stuff\dvd2one2.rar=>dvd2one2\Portable DVD2one.rar=>Portable DVD2one.exe
Deleted

D:\Active Documents\PC stuff\dvd2one2.rar=>dvd2one2\Portable DVD2one.rar
Update failed

D:\Active Documents\PC stuff\GoogleEarthpro.exe
Infected with: Trojan.Spy.Keylogger.BP

D:\Active Documents\PC stuff\GoogleEarthpro.exe
Disinfection failed

D:\Active Documents\PC stuff\GoogleEarthpro.exe
Deleted

D:\System Volume Information\_restore{BA49E61E-B0DB-474E-8C12-99A65AF41D62}\RP207\A0020292.exe
Infected with: Trojan.Spy.Keylogger.BP

D:\System Volume Information\_restore{BA49E61E-B0DB-474E-8C12-99A65AF41D62}\RP207\A0020292.exe
Disinfection failed

D:\System Volume Information\_restore{BA49E61E-B0DB-474E-8C12-99A65AF41D62}\RP207\A0020292.exe
Deleted

#11 fozzie

Posted 03 May 2007 - 02:03 AM

Trojan.Spy.Keylogger.BP

Step 1: please empty your quarantine folder.
Step 2:

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
What I am slightly worried about is the Vundo infection. It could well be that flushing the restore points will delete it, but there could still be entries in the registry.

Please do the following :

How To Remove Winfixer / Virtumonde / Msevents / Trojan.vundo.b to we

Do a rescan with BitDefender and see whether they are still there. If no improvement, you had better also post a HJT log by Starting Here.
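The triage fozzie does by eye in posts #6 and #11 (mailbox hits in Deleted Items, 2003-era mail on the D: backup drive, copies inside System Restore and the Norton quarantine versus a live executable like GoogleEarthpro.exe) can be done mechanically over a BitDefender Online Scanner report in the two-line "path / status" layout quoted in this thread. The following Python script is an added example and is not code from the thread or from BitDefender; the SAMPLE_REPORT is constructed from the paths posted above with the identity and restore-point GUIDs replaced by placeholders, and the location categories in classify() are my own triage heuristics, not anything the scanner reports.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the two-line "path / status" layout of the BitDefender
# Online Scanner reports quoted in this thread. Paths are taken from the posted
# reports; the GUIDs are placeholders (assumption, not real values).
SAMPLE_REPORT = r"""
Scanned File
Status

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{IDENTITY-GUID}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 17)=>(MIME part)=>Shantanu-Do-Not-Delete.zip=>Shantanu-Do-Not-Delete/Win-Spy Eval Setup.exe
Infected with: Backdoor.Genlot.JL

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{IDENTITY-GUID}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 17)=>(MIME part)=>Shantanu-Do-Not-Delete.zip=>Shantanu-Do-Not-Delete/Win-Spy Eval Setup.exe
Deleted

C:\System Volume Information\_restore{RESTORE-GUID}\RP206\A0020190.exe
Infected with: MemScan:Trojan.Vundo.AJ

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\63B24F7D.tmp=>(Quarantine-2)
Infected with: Win32.Warezov.CJ@mm

D:\backup\MDaemon\USERS\company.mail\beyondadvertising\md50000000207.msg=>(MIME part)=>(message body)
Suspected of: Exploit.Iframe.Vulnerability

D:\Active Documents\PC stuff\GoogleEarthpro.exe
Infected with: Trojan.Spy.Keylogger.BP
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")  # an entry's first line starts with a drive letter
DETECTION_RE = re.compile(r"^(Infected with|Suspected of): (.+)$")


@dataclass
class Finding:
    path: str    # nested path exactly as printed: container=>member=>...
    status: str  # "Infected with: X", "Suspected of: X", "Deleted", "Update failed", ...

    @property
    def container(self) -> str:
        """The on-disk file that holds the hit: everything before the first '=>'."""
        return self.path.split("=>", 1)[0]

    @property
    def detection(self) -> Optional[str]:
        """Threat name when the status line is a detection, else None."""
        m = DETECTION_RE.match(self.status)
        return m.group(2) if m else None


def parse_report(text: str) -> list:
    """Pair each path line with the status line that follows it."""
    findings, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            pending = line  # a path; its status is the next non-blank line
        elif pending is not None:
            findings.append(Finding(pending, line))
            pending = None
        # other lines (report headers such as "Scanned File") are ignored
    return findings


def classify(container: str) -> str:
    """Heuristic (my own, not the scanner's): where a hit lives decides how urgent it is."""
    c = container.lower()
    if "\\system volume information\\_restore" in c:
        return "system-restore-point"  # dormant copy; gone once old restore points are flushed
    if "\\quarantine\\" in c:
        return "av-quarantine"         # already neutralised by the resident AV; empty the folder
    if c.endswith((".dbx", ".msg")) or "\\mdaemon\\" in c:
        return "mail-store"            # attachment or body inside a mailbox or mail backup
    if c.endswith((".zip", ".rar")):
        return "archive"               # inert until extracted and run
    return "filesystem"                # a plain file the user may well have executed


def summarize(findings: list) -> dict:
    """Counts by location, drive and threat name, plus the hits that matter most."""
    detections = [f for f in findings if f.detection]
    return {
        "detections": len(detections),
        "by_location": dict(Counter(classify(f.container) for f in detections)),
        "by_drive": dict(Counter(f.container[0].upper() for f in detections)),
        "by_name": dict(Counter(f.detection for f in detections)),
        # plain-filesystem hits are the ones that justify treating the machine as compromised
        "live": [f.path for f in detections if classify(f.container) == "filesystem"],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run it as-is to see the sample summarised, or pass a full pasted report to parse_report(). The "live" list is the part worth reading first: a detection inside a restore point, an AV quarantine or a mailbox is a stored copy that the steps in this thread (empty Deleted Items, empty quarantine, create a fresh restore point and clean up the old ones) remove, whereas a detection on a plain executable on the data drive is a file that may already have run.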



