Author Topic: Viruses in system32 folder  (Read 50669 times)


mauserme

  • Guest
Re: Viruses in system32 folder
« Reply #45 on: April 16, 2007, 02:07:50 AM »
Can you post the AVG log while I look at hjt?

Steven6767

  • Guest
Re: Viruses in system32 folder
« Reply #46 on: April 16, 2007, 02:13:39 AM »
yea sure here it is

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at:   7:58:14 AM 4/15/2007

 + Scan result:   



C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0000019.exe -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0001014.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0002069.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\Program Files\Alwil Software\Avast4\DATA\moved\tmp2.tmp.vir -> Backdoor.Apex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0002061.exe -> Downloader.Agent.es : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0003049.exe -> Downloader.Agent.es : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0003040.dll -> Downloader.ConHook.an : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\windm[2] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\windm[3] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\windm[4] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\windm[2] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\mine\Desktop\SDFix\backups\xpupdate.exe -> Not-A-Virus.Hoax.Win32.Renos.hn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0001045.exe -> Not-A-Virus.Hoax.Win32.Renos.hn : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\packed_installer_cna[1] -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\packed_installer_cna[2] -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\packed_installer_cna[3] -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\packed_installer_cna[1] -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\packed_installer_cna[2] -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\packed_installer_cna[3] -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\packed_installer_cna[1] -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\packed_installer_cna[2] -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\packed_installer_cna[3] -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\packed_installer_cna[4] -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\packed_installer_cna[5] -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0000021.exe -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\mine\Desktop\SDFix\backups\partnership.dll -> Proxy.Xorpix.bc : Cleaned with backup (quarantined).
:mozilla.28:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.31:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.41:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.68:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.54:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.53:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.34:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.36:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.37:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.38:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.33:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.74:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\mine\Cookies\mine@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.35:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.39:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.40:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\google[1] -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\google[2] -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\google[3] -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\google[4] -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\google[5] -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\google[1] -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\google[2] -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\google[3] -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\google[1] -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\google[2] -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\google[3] -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0000016.exe -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0000018.exe -> Trojan.Agent.bou : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0002068.dll -> Trojan.Vqten : Cleaned with backup (quarantined).


::Report end

mauserme

  • Guest
Re: Viruses in system32 folder
« Reply #47 on: April 16, 2007, 02:24:24 AM »
Click Start > Run

In the empty field type cmd and click OK

At the command prompt type

sc delete "Microsoft IEUpdater2"

and hit enter.

When you ran AVG the first time did you quarantine everything?  Are all these in your AVG log new items now?

Steven6767

  • Guest
Re: Viruses in system32 folder
« Reply #48 on: April 16, 2007, 02:35:16 AM »
When I do the cmd and type it, it says "The specified service does not exist as an installed service"

I quarantined everything but what do you mean are they new items now?

mauserme

  • Guest
Re: Viruses in system32 folder
« Reply #49 on: April 16, 2007, 02:45:25 AM »
I quarantined everything but what do you mean are they new items now?
At the end of the first AVG scan there should have been an option to set Quarantine as the option to apply and a button to Apply All Actions.  If you did that on the first scan then all of the items you just posted on the subsequent scan are new and there is still a problem.

But looking at this logically I think you didn't quarantine the first time.  This is the only way I can make sense of the empty log from the first scan and the fact that System Restore files are being tagged in the second scan.

But, do you remember either way?  I would like to confirm my hypothesis if possible.
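The kind of check mauserme is reasoning through here, as an added example that is not code from the thread: a small Python parser for the AVG Anti-Spyware report format ("path -> Name : action") that buckets each hit by where it was found, so residue in System Restore points, tool backups and the browser cache can be separated from hits in live locations. The sample lines are constructed; the `system32\clcl3.exe` line is hypothetical and not from the posted log.

```python
import re
from collections import Counter

# Constructed sample in the AVG Anti-Spyware report format ("path -> Name : action").
# The first five lines are modelled on the log posted in the thread; the last line
# is hypothetical and not in that log, added only to show a hit in a live location.
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0000019.exe -> Adware.BHO : Cleaned with backup (quarantined).
C:\Program Files\Alwil Software\Avast4\DATA\moved\tmp2.tmp.vir -> Backdoor.Apex : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\windm[2] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\mine\Desktop\SDFix\backups\xpupdate.exe -> Not-A-Virus.Hoax.Win32.Renos.hn : Cleaned with backup (quarantined).
:mozilla.28:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\WINDOWS\system32\clcl3.exe -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
"""

# One report line; the optional ":mozilla.N:" prefix marks a cookie-file entry.
LINE_RE = re.compile(r"^(?::mozilla\.\d+:)?(.+?) -> (\S+) : (.+)$")

# Locations where a hit is residue of an earlier infection or of a cleanup tool's
# own backups, not a sign that the malware is still active on the system.
RESIDUE_BUCKETS = [
    ("system-restore", re.compile(r"\\System Volume Information\\_restore\{", re.I)),
    ("tool-backup", re.compile(r"\\(SDFix\\backups|Avast4\\DATA\\moved)\\", re.I)),
    ("browser-cache", re.compile(r"\\Temporary Internet Files\\", re.I)),
]

def classify(path, detection):
    """Return the bucket a detection belongs to; 'live' means a real file location."""
    if detection.startswith("TrackingCookie."):
        return "tracking-cookie"
    for name, pattern in RESIDUE_BUCKETS:
        if pattern.search(path):
            return name
    return "live"

def parse_report(text):
    """Parse report lines into (path, detection, action, bucket) tuples."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            path, detection, action = m.groups()
            hits.append((path, detection, action, classify(path, detection)))
    return hits

def summarize(text):
    """Count hits per bucket and list the paths that need a second look."""
    hits = parse_report(text)
    counts = Counter(bucket for _, _, _, bucket in hits)
    live = [path for path, _, _, bucket in hits if bucket == "live"]
    return counts, live

if __name__ == "__main__":
    counts, live = summarize(SAMPLE_REPORT)
    for bucket, n in sorted(counts.items()):
        print(f"{bucket:16} {n}")
    print("needs a second look:", live or "none")
```

Run against the full log posted above, every hit lands in a residue bucket or is a tracking cookie, which is what makes mauserme's reading (the first scan never quarantined) the consistent one.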

Steven6767

  • Guest
Re: Viruses in system32 folder
« Reply #50 on: April 16, 2007, 02:47:45 AM »
Yea I think I forgot to click apply all actions because I thought they were all quarantined. I might have just x'ed out of it.

Steven6767

  • Guest
Re: Viruses in system32 folder
« Reply #51 on: April 16, 2007, 02:53:49 AM »
I'm gonna go for a while, i'll be back on in a half hour or so. So I'll reply back then

mauserme

  • Guest
Re: Viruses in system32 folder
« Reply #52 on: April 16, 2007, 03:57:44 AM »
Yea I think I forgot to click apply all actions because I thought they were all quarantined. I might have just x'ed out of it.
I think that's probably it.

I asked you to run CleanUp earlier in this process but maybe that got missed too.  Go ahead and run it now to clean up any remaining temporary internet files (close your browser first).  When it asks about logging out you don't need to do that immediately.

Your computer should be running a bit faster now that it's clean.

Since it is clean let's create a new system restore point and get rid of the old ones.

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialog box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

To get rid of the old ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and then display a dialog box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close

The files you moved to the user section of the avast! chest should be emailed to Alwil by highlighting them and clicking the email icon.  After successfully sending them they should be deleted.

SDFix and the backups can also be deleted now (there's no need to keep the program.  It's updated very often so if you ever needed it again you would want to download a fresh copy).

Keep AVG AntiSpyware even after the trial period ends.  It's good to scan with it from time to time (I scan weekly).  You can augment this with Super AntiSpyware if you like - it's also free

http://www.superantispyware.com/

You should also download Spyware Blaster.  Install it, update, and "enable all protection".  Do this now, while your computer is clean

http://www.javacoolsoftware.com/spywareblaster.html

The free version needs to be manually updated about once a month.

And, without wanting to sound like your mom, I would have to say there are safer surfing habits than you've been exercising lately  :P  For sure set your Web Shield to high - it's not going to slow you down noticeably.  But also think about the sites you visit -  before you get there.

And don't forget to get SP2.

Finally, DavidR posted some information about Drop My Rights in your other thread.  That advice is well worth following.


EDIT:  Please take a quick look for C:\WINDOWS\system32\clcl3.exe.  I just want to confirm that it's been deleted.

« Last Edit: April 16, 2007, 04:00:51 AM by mauserme »

Steven6767

  • Guest
Re: Viruses in system32 folder
« Reply #53 on: April 16, 2007, 04:06:27 AM »
Ok, I will tomorrow though, because I don't have enough time tonight. I'll reply to you tomorrow and tell you how everything went.

mauserme

  • Guest
Re: Viruses in system32 folder
« Reply #54 on: April 16, 2007, 04:07:19 AM »
Ok - see you later.

Steven6767

  • Guest
Re: Viruses in system32 folder
« Reply #55 on: April 17, 2007, 01:44:59 AM »
It says for the Cleanup "Do you want to delete everything that isn't recent?" wouldn't that wipe out some of my programs that I use but don't use them often?

mauserme

  • Guest
Re: Viruses in system32 folder
« Reply #56 on: April 17, 2007, 03:38:56 AM »
I don't remember ever seeing that statement with CleanUp.  Here's how mine is set

[screenshot of CleanUp settings]
Instead of CleanUp you could use ATF Cleaner

http://www.atribune.org/content/view/19/2/

On the main ATF Cleaner page check everything except Prefetch and click Empty Selected.  Since you use Firefox make sure you click that tab too and check everything except Saved Form Info and Saved Passwords.  Then click Empty Selected again.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67199
Re: Viruses in system32 folder
« Reply #57 on: April 17, 2007, 03:41:21 AM »
It says for the Cleanup "Do you want to delete everything that isn't recent?" wouldn't that wipe out some of my programs that I use but don't use them often?
Which application does this error message belong to?
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33756
  • malware fighter
Re: Viruses in system32 folder
« Reply #58 on: April 17, 2007, 11:16:23 AM »
Hi Steven6767,

Forward the infected file(s) to Avast please (info on their Website), before cleaning it out.
Information on this malware can be found here:
http://411-spyware.com/remove-trojan-downloader-small-2

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33756
  • malware fighter
Re: Viruses in system32 folder
« Reply #59 on: April 17, 2007, 11:19:30 AM »
Hi Mauserme,

You perform this cleansing routine here. Nothing wrong with this. But you saw that Avast missed the malware file definition. Why did you state further up in this thread that it was not to be mailed by the victim?
Avast should have detection for this as well, shouldn't it? Or what were your considerations?

polonus
« Last Edit: April 17, 2007, 11:42:17 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!