Author Topic: PowerKord 's vundo  (Read 53589 times)


PowerKord (Guest)
« Reply #75 on: January 28, 2008, 01:24:37 AM »
Hi,

Thanks for your answers.

But, regarding housekeeping--

1. What is OTMoveIt?

2. You state that the tool "..will delete all the tools you have downloaded plus itself." You mean it will actually properly de-install HJT, SAS, Cleanup, etc? Isn't it more reliable to do that from Windows Add/Remove? Though, if I do it from Windows, do the quarantined viruses get properly destroyed, or might they end up somewhere vulnerable or migrate themselves somewhere?

3. Also, what if I want to keep, say, SAS on my system?

4. Importantly--you state "to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good."

But, EB, I did not have System Restore enabled on my system. I decided not to use it because, knowing how glitchy computers can be, I wanted my system to run as simply as possible, to have as few processes to operate and manage as possible.

Your thoughts? Is it still necessary to re-set my restore point? I don't have any, right?

5. Relatedly, you further state: "You now have a clean restore point, to get rid of the bad ones:"

Regarding restore points, if System Restore was not enabled on my system, which it was not, do I have "bad ones"?


And, more generally--

1. Do SUPERantispyware, and SpywareBlaster do the same thing? You seem to recommend them both.

2. Can you please clarify answer #11?

3. I tend not to use Windows Update because in my years computing I've too many times experienced "updated" software of one type or another that was worse in one or more respects than that which it "updated." Also, I notice that when updating--I've had this happen with Word which always resets my toolbars when I update--software updates sometimes reset toolbar settings or other custom prefs that were set. Then comes a real pita to reset everything.

Your thoughts?

Thanks!

vince

oldman (Avast Evangelist)
« Reply #76 on: January 28, 2008, 02:59:53 AM »
Hi PowerKord

It seems you got it.

OTMOVEIT is a removal tool that can also be used to clean up/remove the other tools that were used, along with their quarantined files. SAS and Cleanup will not be affected. Just a note: when you empty the SAS quarantine, avast may detect the files then; it's normal. If you check the warning log, you will find that the "password protected" files are in fact SAS's or another security program's quarantined or signature files. Again, normal.

System restore is system volume information. You had some avast detections there, so it was obviously turned on. Turning it off and leaving it off is your choice. But if you don't have a disk imaging program like True Image, Norton Ghost, GoBack, etc., you don't really have anything to fall back on in case of major problems.

Recovery console was my preference for going after the file, but AVZ did the trick. Everyone has a method.

The only way to really know what mrxsmbb.sys was is to submit the Avenger zip to virustotal, if mrxsmbb.sys is the only file in it, and see what it comes back as. You can do this if you want and you haven't already done the clean-up routine essexboy gave you.

You can download OTMOVEIT2 from here and use it as essexboy suggested.

http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe


Service pack 2 is far more secure than service pack 1

PowerKord (Guest)
« Reply #77 on: January 28, 2008, 05:19:19 AM »
Hello, oldman,

So nice to see you back!

(Wait--are you back?)

I had a last "mopup" email for EB (Reply #75) based on his previous instruction and remarks; can you please ask him to come back here to respond to it? It's the one you just responded to, but I'd really like his responses, since some of my questions pertain explicitly to things he said, or instructions he gave.

Please have him respond to this, too:

EB:

1. >>>Double click OTMoveIt once again and you should see a CleanUp! button, press that button, you may get prompted by your firewall that OTMoveIt wants to contact the internet, allow this, a cleanup.txt will be downloaded

I was not prompted to connect to the 'Net; only to reboot. Also, there was no .txt file downloaded to my knowledge.

2. After running OTMoveIt2, I notice that HJT, SAS, and Cleanup are all still listed in Add/Remove Programs. Weren't they supposed to be deleted? Should I delete them now from there? Are these programs actually already gone even though still listed?

Thanks.

vince

essexboy (Malware removal instructor)
« Reply #78 on: January 28, 2008, 10:08:53 AM »
HJT, SAS, and Cleanup are NOT removed by OTMoveIt.

>>>I was not prompted to connect to the 'Net; only to reboot. Also, there was no .txt file downloaded to my knowledge.

If you just downloaded it, it had the up-to-date data.

PowerKord (Guest)
« Reply #79 on: January 28, 2008, 11:17:22 AM »
Thanks, EB; I certainly don't want to keep you any longer than absolutely necessary, but if you could just respond to what are very likely my last few questions in Reply #75, as I had requested, above, I'd be very appreciative, as I am already, of course.

Then we can bring my problems and your assistance with same to a nice, neat conclusion, where I feel not just that my problem was solved, but that I have a proper understanding of how to proceed from here.

Thanks so much.

vince

essexboy (Malware removal instructor)
« Reply #80 on: January 28, 2008, 08:47:54 PM »
>>>1. What is OTMoveIt?

A low-level file deletion programme that will also tidy up when it is time for it to go.

>>>3. Also, what if I want to keep, say, SAS on my system?

I would recommend that.

>>>1. Do SUPERantispyware, and SpywareBlaster do the same thing? You seem to recommend them both.

No. SpywareBlaster places a kill bit in the registry so that BHOs and CLSIDs cannot be installed by malware; it is completely passive and never runs except when you update it. SUPERAntiSpyware searches for and deletes known malware resident in your system and is run on demand.

>>>2. Can you please clarify answer #11?

There is a possibility that one of your rarely used system files may have been corrupted by the malware. SFC /scannow will check your system files' integrity:

Quote:
From the Start menu, select Run.
In the Open field, type sfc /scannow (Note: There is a space between sfc and /scannow)
Select the OK button.
Follow the prompts throughout the System File Checker process.
Reboot the computer when System File Checker completes.
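The "kill bit" essexboy describes is a documented Internet Explorer mechanism: a CLSID is blocked from loading as an ActiveX control when the `Compatibility Flags` DWORD under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}` has bit 0x400 set, which is what SpywareBlaster writes for its blocklist. The PowerShell below is an added example for auditing that state, not code from the thread or from SpywareBlaster; it only reads the registry, and the CLSIDs you pass in are whatever you want to check (none is assumed).

```powershell
# Added example: report which ActiveX CLSIDs carry the IE kill bit.
# Read-only; run in an elevated PowerShell on the machine being checked.
param(
    [string[]]$Clsid = @()   # CLSIDs to check, e.g. '{00000000-0000-0000-0000-000000000000}'; empty = list every killed CLSID
)

$base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit = 0x400             # documented kill-bit flag in "Compatibility Flags"

function Get-KillBitState {
    param([string]$Id)
    $key = Join-Path $base $Id
    if (-not (Test-Path $key)) { return 'not present' }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return 'no Compatibility Flags value' }
    if (($flags -band $KillBit) -ne 0) { return 'kill bit set' }
    return ('flags 0x{0:X} (kill bit NOT set)' -f $flags)
}

if ($Clsid.Count -eq 0) {
    # No argument: walk every entry and print only those with the kill bit
    $killed = 0
    Get-ChildItem $base | ForEach-Object {
        $id = $_.PSChildName
        if ((Get-KillBitState $id) -eq 'kill bit set') { $killed++; $id }
    }
    '{0} CLSIDs have the kill bit set' -f $killed
} else {
    foreach ($id in $Clsid) { '{0} : {1}' -f $id, (Get-KillBitState $id) }
}
```

Running it with no arguments after a SpywareBlaster update should show a large count; running it with a specific CLSID is the quick way to confirm that a particular control is actually blocked rather than relying on the tool's own report.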



PowerKord (Guest)
« Reply #81 on: January 28, 2008, 10:19:36 PM »
Hello, EB/oldman,

1. I was away from my computer when scannow finished. When I returned there was no "scan complete" window or any other kind of window or scan-related screen object present onscreen. Is this what happens when the scan terminates: it displays nothing onscreen?

If yes, does that mean it found and fixed something, or that it found no problems?

2. OTMoveIt did not delete AVZ. Are there any files in the AVZ quarantine folder? If so, will deleting AVZ safely delete anything in the quarantine? Or is anything in there definitely already disabled?

3. I notice that SUPERAntiSpyware has its own module for malware interception. I assume, however, that SpywareBlaster does it better?

4. EB, per your recommendation, I installed and am presently running a 3rd-party firewall, Comodo Pro Firewall v2.4 (3.0 apparently requires XP SP2, which I don't have yet). Should I disable Windows firewall, or also leave it running? Actually, I already disabled it.

5. Upon launching SeaMonkey, or perhaps just a new SeaMonkey tab, Comodo Pro firewall reports some kind of connection between Word and SeaMonkey, suggesting that Word is or may be using SeaMonkey for something, through an OLE mechanism. Why would Word use SeaMonkey?

6. I left SAS on my system, and removed Spybot S&D (after making a $ contribution for the times I've used it).

7. EB, you said if disk cleanup runs more than an hour I should kill it. But you also said it's probably running so long because I have many files and have never run it before. So should I try running it again, and not kill it, even if I see it's taking hours and hours, and appears to be doing nothing, including no apparent hard drive activity? That's what it was doing before.

8. Is my version of Windows XP Pro 32 bit or 64 bit? I ran Windows system information but it did not mention this.

Thanks!

Warm Regards,

vince




polonus (Avast Überevangelist)
« Reply #82 on: January 28, 2008, 10:35:02 PM »
Hi PowerKord,

Well, if you scan with Kaspersky's online scanner you get all your system info and which Service Pack you have on it (Service Pack 2, I hope). Also absolutely vital for your security in relation to vundo infections is to have the most recent Sun Java version, and to delete any older versions on your comp (because that is somehow not being done automatically, and the malware always goes for the older version(s) with the exploitable code in it, you see!).
If you are using IE7, try to use freefixer from here: http://www.freefixer.com/download.html
With this tool you can do more or less the same as with HijackThis, but if you want to fix something with it, try to get advice from us first; we will be glad to look into it.

polonus


Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

PowerKord (Guest)
« Reply #83 on: January 28, 2008, 10:45:47 PM »
Hi, Polonus,

Thanks so much for the info!

Is Kaspersky online scanner better than Avast Home Version on my PC, in your view?

I ordered SP2 on disk.

How do I update my Sun Java version?

And how do I delete older versions?

Thanks again!

Best,

vince

polonus (Avast Überevangelist)
« Reply #84 on: January 28, 2008, 11:09:13 PM »
Hi vince,

Get your newest Sun Java version and download here: http://javadl.sun.com/webapps/download/AutoDL?BundleId=12797

Go to Start, open the Control Panel, choose Add or Remove Programs and delete the older version of Java(TM) there.

Leave Avast Home on your computer; it is a resident scanner, and you only need one resident scanner.
The Kaspersky scanner is an online, non-resident scanner that runs from IE and can be used safely next to Avast on your computer.

SP2 can also be obtained online: http://go.microsoft.com/?linkid=3646727

That's it,

polonus a.k.a. Damian

1975maggie (Guest)
« Reply #85 on: January 28, 2008, 11:33:04 PM »
Hi Vince

Part of oldman's usual clean-up spiel for your Java:

Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to "Java Runtime Environment (JRE) 6 Update 4...allows end-users to run Java applications".

Click the download button on the right.

> If the Information Bar pops up, right-click on it and say it's OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control.


Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u4-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure, and reboot if not prompted to do so.


Hope it helps!

For AVZ, just delete the entire AVZ folder from C:\, and your Windows would be 32-bit.
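The Java clean-up steps above (uninstall every Sun Java entry, then clear out C:\Program Files\Java before installing the new build) are easy to get half-done, which is exactly the state polonus warns about: an old, exploitable runtime left beside the new one. The PowerShell below is an added example for checking that state afterwards; it is not from the thread, from oldman's routine or from Sun. It reads the Add/Remove Programs registry keys (the same list the Control Panel shows) and the Java program folder, flags any runtime older than the newest one found, and changes nothing. The Wow6432Node key is only present on 64-bit Windows and is skipped when absent.

```powershell
# Added example: inventory installed Java runtimes and flag stale ones. Read-only.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # 64-bit hosts only
)

function Get-InstalledJava {
    # Returns one record per Add/Remove Programs entry whose name looks like a Java product
    $found = @()
    foreach ($root in $uninstallKeys) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
            if ($p.DisplayName -match 'Java|J2SE|JRE|JDK') {
                $found += New-Object PSObject -Property @{
                    Name    = $p.DisplayName
                    Version = $p.DisplayVersion      # e.g. "1.6.0.40" for JRE 6 Update 4
                    Key     = $key.PSChildName
                }
            }
        }
    }
    $found
}

function Find-StaleJava {
    param([object[]]$Installed)
    # Parse versions where possible; the newest parseable one is the reference
    $parsed = foreach ($i in $Installed) {
        $v = $null
        if ([version]::TryParse([string]$i.Version, [ref]$v)) {
            New-Object PSObject -Property @{ Entry = $i; Ver = $v }
        } else {
            New-Object PSObject -Property @{ Entry = $i; Ver = $null }
        }
    }
    $newest = ($parsed | Where-Object { $_.Ver } | Sort-Object Ver -Descending | Select-Object -First 1).Ver
    foreach ($p in $parsed) {
        $status = if ($null -eq $p.Ver)        { 'version unknown - check manually' }
                  elseif ($p.Ver -lt $newest)  { 'OLDER than newest - uninstall' }
                  else                         { 'newest installed' }
        '{0,-50} {1,-12} {2}' -f $p.Entry.Name, $p.Entry.Version, $status
    }
}

$installed = @(Get-InstalledJava)
if ($installed.Count -eq 0) { 'No Java entries in Add/Remove Programs.' }
else { Find-StaleJava $installed }

# Old builds also survive as leftover folders, which is why the routine above clears this directory
$javaDir = Join-Path $env:ProgramFiles 'Java'
if (Test-Path $javaDir) {
    'Subfolders under {0}:' -f $javaDir
    Get-ChildItem $javaDir | Where-Object { $_.PSIsContainer } | ForEach-Object { '  ' + $_.Name }
}
```

Anything reported as "OLDER than newest" or listed as a leftover subfolder is what the uninstall-and-delete steps were meant to remove; rerun the procedure for those entries and check again.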



PowerKord (Guest)
« Reply #86 on: January 29, 2008, 01:36:12 AM »
Thanks, Polonus, and Maggie,

I may require a clarification of some things, but for now let me just ask:

I installed "Home Keylogger" a few minutes ago to record my info in case of a crash, as a backup. Guess what--after installing, Avast detected two trojans, Win32:trojan-gen, and another one.

How come SpywareBlaster, which is installed, didn't utter a peep? Is it because these were viruses and not malware? But for that matter SB didn't make a sound, either, when I downloaded and installed the keylogger (Avast did). How come?

Your thoughts?

Best,

vince

PS. Both of these infections now appear gone (are they?).

1975maggie (Guest)
« Reply #87 on: January 29, 2008, 01:42:44 AM »
Hey Vince

The problem with keyloggers is they can be used for good and evil, so an AV detection is not definitive.

I'd suggest submitting the detected file to virustotal and seeing what other AVs have to say.

PowerKord (Guest)
« Reply #88 on: January 29, 2008, 01:56:47 AM »
essexboy! oldman!

Am I infected again?

Please see attached file resulting from a partial Avast scan, and read above posting re keylogger!

Thanks for your suggestion, Maggie. These guys have been helping me, so maybe they'll take a look at this, too. I understand that oldman is quite knowledgeable, and essexboy is a real tech master!

Warm Regards,

vince

oldman (Avast Evangelist)
« Reply #89 on: January 29, 2008, 02:08:47 AM »
Hi Vince

Most of the detections are tools. Like 1975maggie mentioned, keylogger detections can be confusing. They can be used for good and evil. Follow her suggestion and submit the file(s) for analysis. I think anything that is detected as "tool" is OK. The others are probably ok also, just that they are associated with a keylogger program.

BTW 1975maggie just called my attention to this concern of yours.

Essexboy may have a different view.

Take care.