
Author Topic: Antispyware XP  (Read 42948 times)


rstoddard

    Topic Starter


    Beginner

    Re: Antispyware XP
    « Reply #45 on: April 24, 2010, 12:15:35 PM »
    Hello.

    I tried SafeMode with Networking. The icon for setup still does not appear on the desktop.

    Dr Jay

    • Malware Removal Specialist


    • Specialist
    • Moderator emeritus
    • Thanked: 119
    • Experience: Guru
    • OS: Windows 10
    Re: Antispyware XP
    « Reply #46 on: April 25, 2010, 12:20:31 PM »
    Hmm....

    Please download DrWeb-CureIt and save it to your Desktop. Do NOT perform a scan yet.

    Link:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

    • Double-click on drweb-cureit.exe to start the program.
      An Express Scan of your PC notice will appear.
    • Under Start the Express Scan Now, Click OK to start the scan.
      This is a short scan that will scan the files currently running in memory.
      If something is found, click the Yes button when it asks you if you want to cure it.
    • Once the short scan has finished, Click Options > Change settings
    • Choose the Scan tab and UNcheck Heuristic analysis
    • Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
    • Then click the Start/Stop Scanning button (green arrow on the right), and the scan will start.
    • When finished, a message will be displayed at the bottom advising if any viruses were found.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, look if you can see the icon next to the files found.

    If so, click it, then click the next icon right below and select Move incurable.
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
    • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
    • Save the DrWeb.csv report to your Desktop.
    • Exit Dr.Web CureIt when you have finished.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
    ~Dr Jay

    rstoddard

      Re: Antispyware XP
      « Reply #47 on: April 29, 2010, 09:13:22 PM »
      O.K., here it is:

      couponprinter.exe\data012;C:\Documents and Settings\HP_Administrator\My Documents\Important Files\Program Set-Up FilesA\couponprinter.exe;Adware.Coupons.34;;
      couponprinter.exe;C:\Documents and Settings\HP_Administrator\My Documents\Important Files\Program Set-Up FilesA;Container contains infected objects;Moved.;
      couponprinter.exe\data012;C:\Documents and Settings\HP_Administrator\Desktop\couponprinter.exe;Adware.Coupons.34;;
      couponprinter.exe\data013;C:\Documents and Settings\HP_Administrator\Desktop\couponprinter.exe;Adware.Coupons.34;;
      couponprinter.exe\data015;C:\Documents and Settings\HP_Administrator\Desktop\couponprinter.exe;Adware.Coupons.34;;
      couponprinter.exe\data016;C:\Documents and Settings\HP_Administrator\Desktop\couponprinter.exe;Adware.Coupons.34;;
      couponprinter.exe;C:\Documents and Settings\HP_Administrator\Desktop;Container contains infected objects;Moved.;
      Install.dat.XXX/data001\data002;C:\Documents and Settings\LocalService\Application Data\Install.dat.XXX/data001;Trojan.Fakealert.4767;;
      Install.dat.XXX/data001\data003;C:\Documents and Settings\LocalService\Application Data\Install.dat.XXX/data001;Adware.Spysheriff;;
      Install.dat.XXX/data001\data005;C:\Documents and Settings\LocalService\Application Data\Install.dat.XXX/data001;Adware.Spysheriff;;
      data001;C:\Documents and Settings\LocalService\Application Data;Container contains infected objects;;
      Install.dat.XXX;C:\Documents and Settings\LocalService\Application Data;Container contains infected objects;Moved.;
      aolcinst.exe\core.cab\GTDOWNAO_106.ocx;C:\Program Files\Online Services\AOL\United States\AOL90\comps\coach\aolcinst.exe;Adware.Gdown;;
      aolcinst.exe;C:\Program Files\Online Services\AOL\United States\AOL90\comps\coach;Archive contains infected objects;Moved.;
      CouponPrinter.ocx;C:\WINDOWS;Adware.Coupons.34;Moved.;
      CouponPrinter.ocx.XXX;C:\WINDOWS;Adware.Coupons.34;Moved.;
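An added example, not part of the original post and not Dr.Web code: a small triage of a report in this layout, listing detections that have no recorded action and are not inside a file that was moved. The column meaning (object; location; verdict; action) is inferred from the rows posted above, treating a member as handled when its enclosing file was moved is an assumption, and the last sample row (`example.dll`, `Trojan.Example.1`) is constructed.

```python
import csv
from collections import Counter
from io import StringIO

# Sample input: six rows taken from the report above plus one constructed row
# (example.dll / Trojan.Example.1) that has no action recorded anywhere.
SAMPLE_REPORT = r"""couponprinter.exe\data012;C:\Documents and Settings\HP_Administrator\Desktop\couponprinter.exe;Adware.Coupons.34;;
couponprinter.exe;C:\Documents and Settings\HP_Administrator\Desktop;Container contains infected objects;Moved.;
Install.dat.XXX/data001\data002;C:\Documents and Settings\LocalService\Application Data\Install.dat.XXX/data001;Trojan.Fakealert.4767;;
data001;C:\Documents and Settings\LocalService\Application Data;Container contains infected objects;;
Install.dat.XXX;C:\Documents and Settings\LocalService\Application Data;Container contains infected objects;Moved.;
CouponPrinter.ocx;C:\WINDOWS;Adware.Coupons.34;Moved.;
example.dll;C:\WINDOWS\system32;Trojan.Example.1;;
"""

# Rows with this verdict summarise a container/archive; they are not detections.
SUMMARY_MARKER = "contains infected objects"


def _norm(path):
    """Lower-case and unify separators so container prefixes compare reliably."""
    return path.replace("/", "\\").rstrip("\\").lower()


def _inside(path, container):
    """True if path is the container itself or an object nested inside it."""
    return path == container or path.startswith(container + "\\")


def triage(report_text):
    """Split detections into handled / unresolved and count them per threat."""
    rows = []
    reader = csv.reader(StringIO(report_text), delimiter=";", quoting=csv.QUOTE_NONE)
    for rec in reader:
        if len(rec) < 4 or not rec[0].strip():
            continue  # blank or malformed line
        obj, location, verdict, action = (f.strip() for f in rec[:4])
        rows.append((obj, location, verdict, action))

    # Files on disk for which the scanner recorded an action (e.g. "Moved.").
    actioned = {_norm(loc + "\\" + obj) for obj, loc, _, action in rows if action}

    handled, unresolved, by_threat = [], [], Counter()
    for obj, loc, verdict, action in rows:
        if SUMMARY_MARKER in verdict.lower():
            continue  # summary line; its members are judged individually
        by_threat[verdict] += 1
        # Assumption: a member with an empty action column is handled if the
        # file that contains it was itself moved to quarantine.
        covered = bool(action) or any(_inside(_norm(loc), c) for c in actioned)
        (handled if covered else unresolved).append((obj, loc, verdict))
    return {"handled": handled, "unresolved": unresolved, "by_threat": by_threat}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for obj, loc, verdict in result["unresolved"]:
        print(f"NOT QUARANTINED: {verdict}  {loc}\\{obj}")
    for threat, count in result["by_threat"].most_common():
        print(f"{count:3d}  {threat}")
```
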

      Dr Jay

      Re: Antispyware XP
      « Reply #48 on: April 29, 2010, 09:29:28 PM »
      Save these instructions so you can have access to them while in Safe Mode.

      Please click here to download AVP Tool by Kaspersky.
      • Save it to your desktop.
      • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      • Double click the setup file to run it.
      • Click Next to continue.
      • Accept the License agreement and click on next.
      • It will, by default, install it to your desktop folder. Click Next.
      • It will then open a box. There will be a tab that says Automatic scan.
      • Under Automatic scan make sure these are checked.
        • Hidden Startup Objects
        • System Memory
        • Disk Boot Sectors.
        • My Computer.
        • Also any other drives (Removable that you may have)
        Leave the rest of the settings as they appear as default.
        • Then click on Scan at the top right-hand corner.
        • It will automatically Neutralize any objects found.
        • If some objects are left un-neutralized then click the button that says Neutralize all.
        • If it says it cannot be neutralized then choose the delete option when prompted.
        • After that is done, click on the reports button at the bottom and save it to file; name it Kas.
        • Save it somewhere convenient like your desktop and post only the detected virus/malware in the report. It will be at the very top under Detected; post those results in your next reply.

          Note: This tool will self uninstall when you close it so please save the log before closing it.
        ~Dr Jay

        rstoddard

          Re: Antispyware XP
          « Reply #49 on: May 05, 2010, 06:37:28 AM »
          Hello: It has produced a report, but it seems that I have no way to save it. I've kept the program open. How do I save the report ???

          Dr Jay

          Re: Antispyware XP
          « Reply #50 on: May 05, 2010, 05:31:29 PM »
          You can copy and paste the results to Notepad and save it that way.
          ~Dr Jay

          rstoddard

            Re: Antispyware XP
            « Reply #51 on: May 06, 2010, 09:16:24 PM »
            Well, I'm not having much luck with Kaspersky. I've tried it three times, and each time when I try to cut and paste the contents of the report, it causes my system to freeze (I get the message that it's "not responding")

            So, I waited a while and the hour glass was still there. I had to close the program, and--of course--it uninstalled itself. I have no idea if it removed anything, but the report was very short.

            The computer is working fine, but I can't help but to think that something else is lurking in there.

            Any ideas for further action?

            Dr Jay

            Re: Antispyware XP
            « Reply #52 on: May 06, 2010, 11:37:42 PM »
            Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.
            ~Dr Jay

            rstoddard

              Re: Antispyware XP
              « Reply #53 on: May 08, 2010, 02:23:05 PM »
              Well, it looks like it didn't find anything ::)

              Malwarebytes' Anti-Malware 1.46
              www.malwarebytes.org

              Database version: 4052

              Windows 5.1.2600 Service Pack 3
              Internet Explorer 7.0.5730.11

              5/8/2010 4:16:03 PM
              mbam-log-2010-05-08 (16-16-03).txt

              Scan type: Quick scan
              Objects scanned: 204346
              Time elapsed: 25 minute(s), 3 second(s)

              Memory Processes Infected: 0
              Memory Modules Infected: 0
              Registry Keys Infected: 0
              Registry Values Infected: 0
              Registry Data Items Infected: 0
              Folders Infected: 0
              Files Infected: 0

              Memory Processes Infected:
              (No malicious items detected)

              Memory Modules Infected:
              (No malicious items detected)

              Registry Keys Infected:
              (No malicious items detected)

              Registry Values Infected:
              (No malicious items detected)

              Registry Data Items Infected:
              (No malicious items detected)

              Folders Infected:
              (No malicious items detected)

              Files Infected:
              (No malicious items detected)

              Dr Jay

              Re: Antispyware XP
              « Reply #54 on: May 08, 2010, 08:34:21 PM »
              Please run Panda ActiveScan online scan.
              • Click the big green Scan now button
              • If it wants to install an ActiveX component allow it
              • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
              • Once the scan is completed, please hit the notepad icon next to the text Export to:
              • Save it to a convenient location such as your Desktop
              • Post the contents of the ActiveScan.txt in your next reply
              ~Dr Jay

              rstoddard

                Re: Antispyware XP
                « Reply #55 on: May 10, 2010, 09:16:02 PM »
                Well, now, this found something:

                ;***********************************************************************************************************************************************************************************
                ANALYSIS: 2010-05-10 07:46:53
                PROTECTIONS: 1
                MALWARE: 40
                SUSPECTS: 3
                ;***********************************************************************************************************************************************************************************
                PROTECTIONS
                Description                                  Version                       Active    Updated
                ;===================================================================================================================================================================================
                ZoneAlarm Security Suite Antivirus           9.1.507.000                   Yes       Yes
                ;===================================================================================================================================================================================
                MALWARE
                Id        Description                        Type                Active    Severity  Disinfectable  Disinfected Location
                ;===================================================================================================================================================================================
                00139059  Cookie/Traffic Marketplace         TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@trafficmp[1].txt
                00139060  Cookie/Casalemedia                 TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@casalemedia[2].txt
                00139061  Cookie/Doubleclick                 TrackingCookie      No        0         Yes            No           c:\documents and settings\justin2\application data\netscape\nsb\profiles\bsaruoks.default\cookies.txt[.doubleclick.net/]
                00139061  Cookie/Doubleclick                 TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@doubleclick[1].txt
                00139061  Cookie/Doubleclick                 TrackingCookie      No        0         Yes            No           c:\helpasst_backup\c\docume~1\helpas~1\application data\netscape\nsb\profiles\h6nrp0si.default\cookies.txt[.doubleclick.net/]
                00139064  Cookie/Atlas DMT                   TrackingCookie      No        0         Yes            No           c:\helpasst_backup\c\docume~1\helpas~1\application data\netscape\nsb\profiles\h6nrp0si.default\cookies.txt[.atdmt.com/]
                00139064  Cookie/Atlas DMT                   TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@atdmt[2].txt
                00139064  Cookie/Atlas DMT                   TrackingCookie      No        0         Yes            No           c:\helpasst_backup\c\docume~1\helpas~1\application data\netscape\nsb\profiles\h6nrp0si.default\cookies.txt[.atdmt.com/]
                00145393  Cookie/Tradedoubler                TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@tradedoubler[2].txt
                00145405  Cookie/RealMedia                   TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@247realmedia[1].txt
                00145457  Cookie/FastClick                   TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@fastclick[1].txt
                00145731  Cookie/Tribalfusion                TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@tribalfusion[2].txt
                00145738  Cookie/Mediaplex                   TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@mediaplex[1].txt
                00145807  Cookie/Linksynergy                 TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@linksynergy[2].txt
                00159564  Cookie/WUpd                        TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@revenue[2].txt
                00167642  Cookie/Com.com                     TrackingCookie      No        0         Yes            No           c:\helpasst_backup\c\docume~1\helpas~1\cookies\hp_administrator@com[1].txt
                00167642  Cookie/Com.com                     TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@com[1].txt
                00167647  Cookie/Yadro                       TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@yadro[1].txt
                00167747  Cookie/Azjmp                       TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@azjmp[2].txt
                00167753  Cookie/Statcounter                 TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@statcounter[2].txt
                00167760  Cookie/Hitslink                    TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
                00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
                00168061  Cookie/Apmebf                      TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@apmebf[1].txt
                00168076  Cookie/BurstNet                    TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@burstnet[1].txt
                00168090  Cookie/Serving-sys                 TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@serving-sys[2].txt
                00168093  Cookie/Serving-sys                 TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
                00168097  Cookie/BurstBeacon                 TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
                00168110  Cookie/Server.iad.Liveperson       TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
                00169190  Cookie/Advertising                 TrackingCookie      No        0         Yes            No           c:\documents and settings\justin2\application data\netscape\nsb\profiles\bsaruoks.default\cookies.txt[.advertising.com/]
                00169190  Cookie/Advertising                 TrackingCookie      No        0         Yes            No           c:\documents and settings\justin2\application data\netscape\nsb\profiles\bsaruoks.default\cookies.txt[.advertising.com/]
                00169190  Cookie/Advertising                 TrackingCookie      No        0         Yes            No           c:\documents and settings\justin2\application data\netscape\nsb\profiles\bsaruoks.default\cookies.txt[.advertising.com/]
                00169190  Cookie/Advertising                 TrackingCookie      No        0         Yes            No           c:\helpasst_backup\c\docume~1\helpas~1\application data\netscape\nsb\profiles\h6nrp0si.default\cookies.txt[.advertising.com/]
                00169190  Cookie/Advertising                 TrackingCookie      No        0         Yes            No           c:\helpasst_backup\c\docume~1\helpas~1\application data\netscape\nsb\profiles\h6nrp0si.default\cookies.txt[.advertising.com/]
                00169190  Cookie/Advertising                 TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@advertising[1].txt
                00169190  Cookie/Advertising                 TrackingCookie      No        0         Yes            No           c:\documents and settings\justin2\application data\netscape\nsb\profiles\bsaruoks.default\cookies.txt[.advertising.com/]
                00170304  Cookie/WebtrendsLive               TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
                00170495  Cookie/PointRoll                   TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
                00170554  Cookie/Overture                    TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@overture[2].txt
                00170556  Cookie/RealMedia                   TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@realmedia[2].txt
                00171982  Cookie/QuestionMarket              TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@questionmarket[2].txt
                00172221  Cookie/Zedo                        TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@zedo[1].txt
                00173520  Cookie/Bluestreak                  TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@bluestreak[1].txt
                00187950  Cookie/bravenetA                   TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@bravenet[1].txt
                00194327  Cookie/Go                          TrackingCookie      No        0         Yes            No           c:\helpasst_backup\c\docume~1\helpas~1\cookies\hp_administrator@go[2].txt
                00194327  Cookie/Go                          TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@go[1].txt
                00199984  Cookie/Searchportal                TrackingCookie      No        0         Yes            No           c:\helpasst_backup\c\docume~1\helpas~1\cookies\[email protected][2].txt
                00199984  Cookie/Searchportal                TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
                00207338  Cookie/Target                      TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\hp_administrator@target[1].txt
                00207338  Cookie/Target                      TrackingCookie      No        0         Yes            No           c:\helpasst_backup\c\docume~1\helpas~1\cookies\hp_administrator@target[1].txt
                00262020  Cookie/Atwola                      TrackingCookie      No        0         Yes            No           c:\documents and settings\justin2\application data\netscape\nsb\profiles\bsaruoks.default\cookies.txt[.atwola.com/]
                00286738  Cookie/Cgi-bin                     TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
                00298827  Adware/BraveSentry                 Adware              No        0         Yes            No           c:\documents and settings\hp_administrator\doctorweb\quarantine\install.dat.xxx
                00325830  Cookie/Bridgetrack                 TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
                02002567  W32/Gaobot.OXI.worm                Virus/Worm          No        1         Yes            No           c:\documents and settings\hp_administrator\my documents\important files\important files\program set-up filesa\dvdfabdecrypter3030.exe
                02002567  W32/Gaobot.OXI.worm                Virus/Worm          No        1         Yes            No           c:\documents and settings\hp_administrator\my documents\important files\program set-up filesa\dvdfabdecrypter3030.exe
                ;===================================================================================================================================================================================
                SUSPECTS
                Sent      Location
                ;===================================================================================================================================================================================
                No        c:\hp\recovery\wizard\swr_wizard.exe
                No        c:\program files\hijackthis\backups\backup-20080120-122631-948.dll
                No        c:\program files\spymedic\spymedicupdater.exe
                ;===================================================================================================================================================================================
                VULNERABILITIES
                Id        Severity       Description
                ;===================================================================================================================================================================================
                208380    HIGH           MS09-015
                208378    HIGH           MS09-013
                208377    HIGH           MS09-012
                ;===================================================================================================================================================================================

                Dr Jay

                Re: Antispyware XP
                « Reply #56 on: May 10, 2010, 09:21:16 PM »
                Please download HAMeb_check.exe and save it to your desktop.
                • Double-click on HAMeb_check.exe to run the utility and it will create a log.
                • Copy and paste the contents of that log in your next reply.
                ~Dr Jay

                rstoddard

                  Re: Antispyware XP
                  « Reply #57 on: May 15, 2010, 07:29:15 PM »
                  Here is the log:

                  C:\Documents and Settings\HP_Administrator\Desktop\HAMeb_check.exe
                  Sat 05/15/2010 at 21:31:54.74

                  Account active               No
                  Local Group Memberships     

                   ~~ Checking profile list ~~

                  No HelpAssistant profile in registry

                   ~~ Checking for HelpAssistant directories ~~

                  none found

                   ~~ Checking mbr ~~

                  Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

                  device: opened successfully
                  user: MBR read successfully
                  called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
                  kernel: MBR read successfully
                  user & kernel MBR OK
                  copy of MBR has been found in sector 0x01749DA10
                  malicious code @ sector 0x01749DA13 !
                  PE file found in sector at 0x01749DA29 !

                   ~~ Checking for termsrv32.dll ~~

                  termsrv32.dll was not found


                  HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
                     ServiceDll   REG_EXPAND_SZ     C:\WINDOWS\System32\termsrv.dll

                   ~~ Checking firewall ports ~~

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


                   ~~ EOF ~~

                  Dr Jay

                  Re: Antispyware XP
                  « Reply #58 on: May 16, 2010, 10:02:15 PM »
                  Please open Command Prompt (Start > Run, type CMD and press OK [Vista/7: Start search: CMD and press Enter]).
                  Enter the following into the black box, pressing Enter after each line:

                  mbr.exe -f

                  exit

                  Post a log (MBR.log).
                  ~Dr Jay

                  rstoddard

                    Re: Antispyware XP
                    « Reply #59 on: May 17, 2010, 08:44:29 PM »
                    O.K., here it is:

                    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

                    device: opened successfully
                    user: MBR read successfully
                    kernel: MBR read successfully
                    user & kernel MBR OK
                    copy of MBR has been found in sector 0x01749DA10
                    malicious code @ sector 0x01749DA13 !
                    PE file found in sector at 0x01749DA29 !