ohgodhelp

Virtumonde Trojan :(


The old error message stopped popping up, however, Avira found some new evil .dlls early this morning, which I think is the first automated scan that has completed since the last fix. I'll run the ESET scan today, but I figured I ought to post about this now, since I expect the ESET scan will take several hours.

Hi,

Take your time with the Eset scan. Meanwhile, can you try to post a log of the Avira scan? Or if not, can you give me the list of bad files (along with their directories) that Avira found? Thanks. ;)

[code]Avira AntiVir Personal
Report file date: Friday, March 19, 2010 05:00

Scanning for 1876413 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP 64 Bit
Windows version : (Service Pack 1) [5.2.3790]
Boot mode : Normally booted
Username : SYSTEM
Computer name : THE-BL7D5N9D5A8

Version information:
BUILD.DAT : 9.0.0.419 21701 Bytes 1/22/2010 18:29:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 11/20/2009 09:28:21
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 09:28:20
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 09:28:21
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 10:02:51
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 09:28:25
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 09:28:56
VBASE005.VDF : 7.10.4.204 2048 Bytes 3/5/2010 09:28:56
VBASE006.VDF : 7.10.4.205 2048 Bytes 3/5/2010 09:28:56
VBASE007.VDF : 7.10.4.206 2048 Bytes 3/5/2010 09:28:56
VBASE008.VDF : 7.10.4.207 2048 Bytes 3/5/2010 09:28:56
VBASE009.VDF : 7.10.4.208 2048 Bytes 3/5/2010 09:28:57
VBASE010.VDF : 7.10.4.209 2048 Bytes 3/5/2010 09:28:57
VBASE011.VDF : 7.10.4.210 2048 Bytes 3/5/2010 09:28:57
VBASE012.VDF : 7.10.4.211 2048 Bytes 3/5/2010 09:28:57
VBASE013.VDF : 7.10.4.242 153088 Bytes 3/8/2010 09:27:42
VBASE014.VDF : 7.10.5.17 99328 Bytes 3/10/2010 09:27:42
VBASE015.VDF : 7.10.5.44 107008 Bytes 3/11/2010 09:27:41
VBASE016.VDF : 7.10.5.69 92672 Bytes 3/12/2010 08:27:43
VBASE017.VDF : 7.10.5.91 119808 Bytes 3/15/2010 08:27:39
VBASE018.VDF : 7.10.5.121 112640 Bytes 3/18/2010 08:28:09
VBASE019.VDF : 7.10.5.122 2048 Bytes 3/18/2010 08:28:09
VBASE020.VDF : 7.10.5.123 2048 Bytes 3/18/2010 08:28:10
VBASE021.VDF : 7.10.5.124 2048 Bytes 3/18/2010 08:28:10
VBASE022.VDF : 7.10.5.125 2048 Bytes 3/18/2010 08:28:10
VBASE023.VDF : 7.10.5.126 2048 Bytes 3/18/2010 08:28:10
VBASE024.VDF : 7.10.5.127 2048 Bytes 3/18/2010 08:28:10
VBASE025.VDF : 7.10.5.128 2048 Bytes 3/18/2010 08:28:10
VBASE026.VDF : 7.10.5.129 2048 Bytes 3/18/2010 08:28:10
VBASE027.VDF : 7.10.5.130 2048 Bytes 3/18/2010 08:28:11
VBASE028.VDF : 7.10.5.131 2048 Bytes 3/18/2010 08:28:11
VBASE029.VDF : 7.10.5.132 2048 Bytes 3/18/2010 08:28:11
VBASE030.VDF : 7.10.5.133 2048 Bytes 3/18/2010 08:28:11
VBASE031.VDF : 7.10.5.136 153600 Bytes 3/18/2010 08:28:12
Engineversion : 8.2.1.194
AEVDF.DLL : 8.1.1.3 106868 Bytes 1/23/2010 09:27:46
AESCRIPT.DLL : 8.1.3.18 1024378 Bytes 3/18/2010 08:31:09
AESCN.DLL : 8.1.5.0 127347 Bytes 2/26/2010 00:38:52
AESBX.DLL : 8.1.2.1 254323 Bytes 3/18/2010 08:31:12
AERDL.DLL : 8.1.4.3 541043 Bytes 3/18/2010 08:30:58
AEPACK.DLL : 8.2.1.0 426356 Bytes 3/3/2010 09:27:42
AEOFFICE.DLL : 8.1.0.41 201083 Bytes 3/18/2010 08:30:50
AEHEUR.DLL : 8.1.1.13 2470262 Bytes 3/18/2010 08:30:48
AEHELP.DLL : 8.1.10.2 237941 Bytes 3/18/2010 08:30:21
AEGEN.DLL : 8.1.2.2 373107 Bytes 3/18/2010 08:30:19
AEEMU.DLL : 8.1.1.0 393587 Bytes 10/3/2009 08:55:56
AECORE.DLL : 8.1.12.3 188789 Bytes 3/18/2010 08:30:14
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 9/9/2009 08:27:41
AVREP.DLL : 8.0.0.7 159784 Bytes 2/18/2010 09:27:44
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 11/20/2009 09:28:20

Configuration settings for the scan:
Jobname.............................: Local Hard Disks
Configuration file..................: c:\program files (x86)\avira\antivir desktop\alldiscs.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:, F:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Friday, March 19, 2010 05:00

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avnotify.exe' - '1' Module(s) have been scanned
Scan process 'AAWTray.exe' - '1' Module(s) have been scanned
Scan process 'unsecapp.exe' - '0' Module(s) have been scanned
Scan process 'AAWService.exe' - '1' Module(s) have been scanned
Scan process 'EVEMon.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'Steam.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '0' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '0' Module(s) have been scanned
Scan process 'alg.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'nvsvc64.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned
Scan process 'winampa.exe' - '1' Module(s) have been scanned
Scan process 'TeamSpeak.exe' - '1' Module(s) have been scanned
Scan process 'pidgin.exe' - '1' Module(s) have been scanned
Scan process 'Dropbox.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'daemon.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '0' Module(s) have been scanned
Scan process 'LWEMon.exe' - '0' Module(s) have been scanned
Scan process 'cfp.exe' - '0' Module(s) have been scanned
Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '0' Module(s) have been scanned
Scan process 'explorer.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'cmdagent.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'lsass.exe' - '0' Module(s) have been scanned
Scan process 'services.exe' - '0' Module(s) have been scanned
Scan process 'winlogon.exe' - '0' Module(s) have been scanned
Scan process 'csrss.exe' - '0' Module(s) have been scanned
Scan process 'smss.exe' - '0' Module(s) have been scanned
19 processes with 19 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '42' files ).


Starting the file scan:

Begin scan in 'C:\' <The Workshop>
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Administrator\My Documents\Downloads\Elton John Collection\1999 - The Muse Soundtrack1 - Elton John - Driving Home.mp3
[0] Archive type: CAB (Microsoft)
--> msihnd.dll
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP413\A0074443.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076552.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076555.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076556.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076558.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076560.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076562.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076563.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076567.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076568.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076569.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076570.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076571.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076572.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
C:\_OTM\MovedFiles2262010_103543\C_WINDOWS\SysWOW64\vonamaji.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
Begin scan in 'D:\' <The Arcade>
Begin scan in 'F:\' <The Warehouse>

Beginning disinfection:
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP413\A0074443.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
[NOTE] The file was moved to '4bd37552.qua'!
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076552.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
[NOTE] The file was moved to '4f51e9f3.qua'!
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076555.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
[NOTE] The file was moved to '4f50d13b.qua'!
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076556.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
[NOTE] The file was moved to '4f56c6ab.qua'!
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076558.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
[NOTE] The file was moved to '4fad08d3.qua'!
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076560.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
[NOTE] The file was moved to '4f57d963.qua'!
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076562.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
[NOTE] The file was moved to '4f52e18b.qua'!
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076563.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
[NOTE] The file was moved to '4f55ce93.qua'!
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076567.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
[NOTE] The file was moved to '4d1908bb.qua'!
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076568.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
[NOTE] The file was moved to '4d18f0e3.qua'!
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076569.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
[NOTE] The file was moved to '4d1ff82b.qua'!
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076570.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
[NOTE] The file was moved to '4d1ee013.qua'!
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076571.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
[NOTE] The file was moved to '4d1de85b.qua'!
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP419\A0076572.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
[NOTE] The file was moved to '4d1cd183.qua'!
C:\_OTM\MovedFiles2262010_103543\C_WINDOWS\SysWOW64\vonamaji.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
[NOTE] The file was moved to '4c117591.qua'!


End of the scan: Friday, March 19, 2010 08:59
Used time: 2:03:23 Hour(s)

The scan has been done completely.

17901 Scanned directories
637281 Files were scanned
15 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
15 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
637264 Files not concerned
8587 Archives were scanned
4 Warnings
16 Notes[/code]

Hi ohgodhelp,

Those detections by Antivir are nothing to worry about. They are inactive and located in System Restore and can be flushed away once we reset the System Restore. The last infected file is in a subfolder of OTM, a tool that we used to remove the infections. The file is quarantined by OTM already. ;)

Go ahead with the ESET scan and post me the logs. Thanks.
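The triage rule in the reply above (a hit under System Volume Information is a dormant restore-point copy, a hit under _OTM has already been moved aside by the removal tool, and anything elsewhere is a live location that deserves a closer look) can be applied mechanically to a report of this shape. The following is an added example, not code from this thread or from Avira: it parses report lines in the format quoted above, classifies each detection by where the file lives, and picks the quarantine name up from the disinfection section. The sample report is constructed from a few lines of the log above plus one made-up path (stillhere.dll) so that the "active" case shows up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Patterns for the two "inactive" locations described in the reply:
# copies kept by System Restore, and files already moved aside by OTM.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)
OTM_RE = re.compile(r"\\_OTM\\MovedFiles", re.IGNORECASE)
PATH_RE = re.compile(r"^[A-Za-z]:\\")                 # a report line naming a file
DETECT_RE = re.compile(r"^\[DETECTION\]\s+(.+)$")
QUAR_RE = re.compile(r"^\[NOTE\] The file was moved to '([^']+)'!")

# Constructed sample in the shape of the Avira report above; stillhere.dll is
# a made-up path that stands in for a hit outside the two harmless locations.
SAMPLE_REPORT = r"""
Starting the file scan:

Begin scan in 'C:\' <The Workshop>
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP413\A0074443.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
C:\_OTM\MovedFiles2262010_103543\C_WINDOWS\SysWOW64\vonamaji.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
C:\WINDOWS\SysWOW64\stillhere.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
Begin scan in 'D:\' <The Arcade>

Beginning disinfection:
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP413\A0074443.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
[NOTE] The file was moved to '4bd37552.qua'!
C:\_OTM\MovedFiles2262010_103543\C_WINDOWS\SysWOW64\vonamaji.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
[NOTE] The file was moved to '4c117591.qua'!
C:\WINDOWS\SysWOW64\stillhere.dll
[DETECTION] Is the TR/Vundo.Gen2 Trojan
[NOTE] The file was moved to '00000000.qua'!
"""


@dataclass
class Detection:
    path: str
    threat: str
    location: str                       # "restore-point", "otm-quarantine" or "active"
    quarantined_as: Optional[str] = None


def classify_location(path: str) -> str:
    """Where the hit lives decides how much it matters."""
    if RESTORE_RE.search(path):
        return "restore-point"          # dormant copy; gone once System Restore is reset
    if OTM_RE.search(path):
        return "otm-quarantine"         # already moved aside by the removal tool
    return "active"                     # anywhere else: the OS could still have loaded it


def parse_report(text: str) -> Dict[str, Detection]:
    """A drive-path line names the current file; the status lines after it
    describe that file. The same path reappears in the disinfection section,
    which is where the quarantine name is reported."""
    detections: Dict[str, Detection] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = line
            continue
        if current is None:
            continue
        m = DETECT_RE.match(line)
        if m:
            detections.setdefault(
                current, Detection(current, m.group(1), classify_location(current)))
            continue
        m = QUAR_RE.match(line)
        if m and current in detections:
            detections[current].quarantined_as = m.group(1)
    return detections


def needs_attention(detections: Dict[str, Detection]) -> List[str]:
    """Paths hit outside System Restore and outside OTM's folder."""
    return [d.path for d in detections.values() if d.location == "active"]


def summarize(detections: Dict[str, Detection]) -> Dict[str, int]:
    counts = {"restore-point": 0, "otm-quarantine": 0, "active": 0}
    for d in detections.values():
        counts[d.location] += 1
    return counts


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for d in found.values():
        tail = f"  -> {d.quarantined_as}" if d.quarantined_as else ""
        print(f"{d.location:15} {d.threat:28} {d.path}{tail}")
    print("counts:", summarize(found))
    print("follow up on:", needs_attention(found))
```

Run against the full report above it reports fifteen hits, fourteen under System Restore and one under _OTM, and an empty follow-up list, which is exactly the conclusion the reply draws.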

[code][email protected] as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=7.00.6000.16827 (vista_gdr.090226-1506)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-03-20 08:53:05
# local_time=2010-03-20 04:53:05 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.2.3790 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 1546782 1546782 0 0
# compatibility_mode=1797 16775125 100 100 0 44557544 0 0
# compatibility_mode=3073 16777213 80 100 31438737 34949283 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=301916
# found=3
# cleaned=3
# scan_time=15279
C:\Documents and Settings\Administrator\My Documents\Downloads\KingsSmithSetup.exe a variant of Win32/FenomenGame application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{B033583C-1F18-4DD2-9CE8-9220CD082F71}\RP451\A0080198.dll a variant of Win32/Kryptik.CRP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTM\MovedFiles3022010_091503\C_WINDOWS\ibatibuxerugug.dll a variant of Win32/Cimag.BX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C[/code]

Hey [b]ohgodhelp[/b],

Congratulations, your logs are clean. ;)

Below are the cleaning speech and the prevention speech; please have a look at them so you can prevent infections in the future.

[color="#800080"][b][u][size=4]Cleanup[/size][/u][/b][/color]

[color="#0000FF"][b][size=3]1)[/size] Update Adobe Reader [/b][/color]

Please uninstall the current version of Adobe you have and go [url="http://www.adobe.com/products/acrobat/readstep2.html"]here[/url] to install the latest version.

[color="#0000FF"][b][size=3]2)[/size] Remove Tools With OTC[/b][/color]

Please download [url="http://oldtimer.geekstogo.com/OTC.exe"][b]OTC[/b][/url].[list]
[*]Save it to your desktop.
[*]Double Click on [b]OTC.exe[/b], a window will appear.
[*]Please press the [b]CleanUp![/b] Button.
[*]You may be asked to reboot, click "[b]Yes[/b]".
[/list][color="#0000FF"][b][size=3]3)[/size] Re-enable Avira anti-virus[/b][/color][list=1]
[*]Right-click on the umbrella icon in System Tray. (bottom right hand corner of screen where the clock is)
[*]Tick the option "Antivir Guard enable".
[*]Restart your computer.
[/list][color="#0000FF"][b][size=3]4)[/size] Run TFC[/b][/color]

Download [url="http://oldtimer.geekstogo.com/TFC.exe"][color="#000000"][b]TFC[/b][/color][/url] to your desktop[list]
[*]Open the file and close any other windows.
[*]It [b][color="#FF0000"]will close all programs itself[/color][/b] when run, make sure to let it run uninterrupted.
[*]Click the Start button to begin the process. The program should not take long to finish its job.
[*]Once it's finished it should [b]reboot your machine[/b]; if not, do this yourself to ensure a complete clean.
[/list][color="#0000FF"][b][size=3]5)[/size] Reset System Restore Points[/b][/color]

You should [url="http://www.bleepingcomputer.com/tutorials/tutorial56.html"][color="blue"]Create a New Restore Point[/color][/url] to prevent possible reinfection from an old one.
Some of the malware you picked up could have been saved in System Restore.
Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point.
Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to [i]"roll-back"[/i] to a clean working state.

[color="#800080"][b][u][size=4]Prevention Speech[/size][/u][/b][/color]

Below are some recommendations to protect your computer against malware infections.

[size=5][b]1)[/b][/size] Keep Windows updated by regularly checking their website at:
[url="http://windowsupdate.microsoft.com/"]http://windowsupdate.microsoft.com/[/url]
This will ensure your computer always has the latest security updates available installed.

[size=5][b]2)[/b][/size] To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

[u][b][color="#800080"]Complementary programs (does not conflict with any software that offers real time protection)[/color][/b][/u]

* [url="http://www.javacoolsoftware.com/sbdownload.html"][b][color="#FF8C00"]SpywareBlaster[/color][/b][/url]- Prevents malicious Active-X controls from installing in the first place and reduces your chances of spyware infection.
* [url="http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe"][b][color="#FF8C00"]IE-SpyAd[/color][/b][/url]- Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites which actually install malicious code onto your system. (Tutorial available [url="http://www.bleepingcomputer.com/tutorials/tutorial53.html"]here[/url])
* [url="http://mvps.org/winhelp2002/hosts.htm"][b][color="#FF8C00"]MVPS Hosts file[/color][/b][/url]- Replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

[u][b][color="#800080"]Anti-spyware programs with real time protection[/color][/b][/u]

* [url="http://www.javacoolsoftware.com/sgdownload.html"][b][color="#48D1CC"]SpywareGuard[/color][/b][/url] offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.
* [url="http://www.safer-networking.org/"][b][color="#48D1CC"]Spybot Search & Destroy[/color][/b][/url]- Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
* [url="http://www.microsoft.com/windows/products/winfamily/defender/default.mspx"][b][color="#48D1CC"]Windows Defender[/color][/b][/url] - Microsoft's free anti-spyware program that has high detection rates and protects well against unwanted malicious software.

[u][b][color="#800080"]Firewalls[/color][/b][/u]

You should also have a good firewall. Here are 4 free ones available for personal use ([b]please turn OFF your Windows firewall after installing ONE of the following[/b]):

* [url="http://smb.sygate.com/products/spf_standard.htm"][b][color="#FF00FF"]Sygate Personal Firewall[/color][/b][/url]
* [url="http://www.kerio.com/us/kpf_download.html"][b][color="#FF00FF"]Kerio Personal Firewall[/color][/b][/url]
* [url="http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?lid=dbtopnav_za"][b][color="#FF00FF"]ZoneAlarm[/color][/b][/url]
* [url="http://www.personalfirewall.comodo.com/"][b][color="#FF00FF"]Comodo Firewall Pro[/color][/b][/url]

[size=3][b][color="#FF0000"]It is critical to have only ONE firewall, ONE anti virus and ONE anti-spyware resident protection running to protect your system and to keep them updated. Take note that not ALL programs offer real time protection; for a list of programs that DO offer real time protection, look [url="http://en.wikipedia.org/wiki/Real-time_protection"]here[/url].[/color][/b][/size]

[size=5][b]3)[/b][/size] [b][u]Make Internet Explorer more secure[/u][/b][list]
[*]Click [b]Start[/b] > [b]Run[/b]
[*]Type [b]Inetcpl.cpl[/b] & click [b]OK[/b]
[*]Click on the [b]Security[/b] tab
[*]Click [b]Reset all zones to default level[/b]
[*]Make sure the [b]Internet Zone[/b] is selected & Click [b]Custom level[/b]
[*]In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
[*]Next Click [b]OK[/b], then [b]Apply[/b] button and then [b]OK[/b] to exit the Internet Properties page.
[/list][size=5][b]4)[/b][/size] Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from [url="http://www.mozilla.org/products/firefox/"][b][color="red"]Here[/color][/b][/url]

[size=5][b]5)[/b][/size] Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
[url="http://www.spywareinfoforum.com/index.php?showtopic=60955"][b][color="red"]Here[/color][/b][/url]

Thank you for your patience, and performing all of the procedures requested.

[b]Please post back telling me if there are any further problems. If everything is working properly, I will mark this as Solved.[/b]
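The MVPS Hosts file item in the prevention speech above works by mapping known ad and malware hosts to 127.0.0.1 (or 0.0.0.0), so the connection has nowhere to go. The same file is also a favourite hiding place for hijackers, which add entries that point update or security sites somewhere else. The following is an added example, not code from the post, from the MVPS project or from any tool named in this thread: it reads a hosts file the way the resolver does (first match wins, comments stripped, several names per line allowed), counts sinkhole entries, and flags any entry for a watched domain, since a legitimate blocklist never lists those at all. The sample file, the 203.0.113.45 address (a documentation range, not a real host) and the watch list are all constructed; the watch list borrows domains that are linked in the post.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Addresses a blocklist-style hosts file uses to swallow a lookup:
# nothing answers there, so the browser never reaches the site.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed watch list: domains that have no business appearing in a hosts
# file. An entry for any of them, sinkholed or redirected, is worth a look.
WATCHED_DOMAINS = ("windowsupdate.microsoft.com", "mozilla.org", "safer-networking.org")

# Constructed sample hosts file: the usual localhost line, two MVPS-style
# block entries, and one planted redirect of an update site.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         ad.example-adserver.test                    # MVPS-style block
127.0.0.1       tracker.example.test  www.tracker.example.test
203.0.113.45    windowsupdate.microsoft.com                 # planted redirect
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, address) pairs in file order. Comments and blank
    lines are dropped; a line whose first token is not an IP is skipped."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                    # malformed line, ignore it
        for name in names:
            entries.append((name.lower(), addr))
    return entries


def lookup(entries: List[Tuple[str, str]], hostname: str) -> Optional[str]:
    """First matching entry wins, which is how the resolver reads the file."""
    wanted = hostname.lower()
    for name, addr in entries:
        if name == wanted:
            return addr
    return None


def is_watched(name: str) -> bool:
    """True for a watched domain or any host under it."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Entries touching a watched domain, whatever address they carry."""
    return [(n, a) for n, a in entries if is_watched(n)]


def summarize(entries: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count sinkhole entries against entries that send a name to a real address."""
    counts = {"sinkholed": 0, "redirected": 0}
    for name, addr in entries:
        if name == "localhost":
            continue                    # the one mapping every hosts file should have
        counts["sinkholed" if addr in SINK_ADDRESSES else "redirected"] += 1
    return counts


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("ad.example-adserver.test ->", lookup(hosts, "ad.example-adserver.test"))
    print("counts:", summarize(hosts))
    for name, addr in suspicious_entries(hosts):
        print(f"suspicious: {name} -> {addr}")
```

On a real machine the file to feed in is %SystemRoot%\system32\drivers\etc\hosts; a large "sinkholed" count with an empty suspicious list is what a machine running the MVPS file looks like, while any redirected entry for a watched domain points at a hijack.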

No worries, I'm glad to be of help. I'll leave this topic open for a few more days in case anything else sprouts up. :)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Thank You !
