Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Trojan attack still 2

Re: Trojan attack still 2

Post by melboy » February 2nd, 2010, 1:21 pm

Hi David

We'll try an alternative if you are having problems with the ESET scan.

Don't forget to let me know how things are running if this proves successful.



Kaspersky Online Scan

Please go to the Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Animated guide, if required.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Trojan attack still 2

Post by daviwish » February 2nd, 2010, 8:04 pm

I could not seem to unload F-Secure this time so I disabled the virus scanner. At the bottom of the Kasp Scan Window a message appeared that said Attn. Anti-virus scan may be unavailable. If virus scan is running disable and restart. I don't know if I continued to have the problem of not being able to completely disable F-secure or not.
Here are the scan results which clearly relate to the problem as I reported it.
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, February 2, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, February 02, 2010 20:42:55
Records in database: 3398731
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: no

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 101852
Threats found: 3
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 02:31:49


File name / Threat / Threats count
C:\desktop\HijackThis\backups\backup-20080308-090750-898.0ll Infected: Trojan.Win32.Vapsup.chf 1
C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys2\WebSys.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\WINDOWS\Installer\{ab390fac-97ec-4aa3-9112-0e3a08fd7996}\DrvService.0ll Infected: Trojan-Dropper.Win32.Agent.ftu 1

Selected area has been scanned.
daviwish
Regular Member
 
Posts: 22
Joined: January 15th, 2010, 11:56 pm

Re: Trojan attack still 2

Post by melboy » February 2nd, 2010, 9:08 pm

Hi David

The infections to which you initially referred are not active infections but back-ups created when fixing things with Hijack This. They were created back in 2008.

Do you use the Musicmatch Jukebox at all? If not I would uninstall it.

Complete the instructions below and let me know how things are running now.



OTM

Download OTM by Old Timer and save it to your Desktop.
  • Double-click OTM.exe to run it.
  • Paste the following code under the Image area. Do not include the word Code.
    Code: Select all
    :Files
    C:\desktop\HijackThis\backups\backup-20080308-090750-898.0ll 
    C:\WINDOWS\Installer\{ab390fac-97ec-4aa3-9112-0e3a08fd7996}\DrvService.0ll 
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
    

    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large Image button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.


NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
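
An added example (not part of the thread, and not code from any tool mentioned in it): a small Python parser for the detection rows of the Kaspersky report posted above. It separates the HijackThis backup copy that melboy refers to, and the not-a-virus riskware verdicts, from rows that still need a human look. The category names and the reading of the backup file name as date and time are assumptions.

```python
import re
from datetime import datetime

# Detection rows copied from the Kaspersky report posted in this thread.
REPORT = r"""File name / Threat / Threats count
C:\desktop\HijackThis\backups\backup-20080308-090750-898.0ll Infected: Trojan.Win32.Vapsup.chf 1
C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys2\WebSys.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\WINDOWS\Installer\{ab390fac-97ec-4aa3-9112-0e3a08fd7996}\DrvService.0ll Infected: Trojan-Dropper.Win32.Agent.ftu 1
"""

# Row layout: <path> Infected: <verdict> <count>. Paths may contain spaces,
# so anchor on the literal " Infected: " marker instead of splitting on spaces.
ROW = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<verdict>\S+) (?P<count>\d+)\s*$"
)
# Assumption: a HijackThis backup name is backup-YYYYMMDD-HHMMSS-NNN.
HJT_BACKUP = re.compile(
    r"\\HijackThis\\backups\\backup-(\d{8})-(\d{6})-\d+", re.IGNORECASE
)


def parse_report(text):
    """Return (path, verdict, count) for every detection row in the report."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and blank lines do not match and are skipped
            rows.append((m["path"], m["verdict"], int(m["count"])))
    return rows


def triage(path, verdict):
    """Return (category, detail) for one row; categories are this example's own."""
    m = HJT_BACKUP.search(path)
    if m:
        made = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
        return "hijackthis-backup", made.isoformat(sep=" ")
    if verdict.startswith("not-a-virus:"):
        return "riskware", verdict.split(":", 1)[1]
    return "review", verdict  # location alone does not explain this one


def summarize(text):
    return [(p, *triage(p, v)) for p, v, _ in parse_report(text)]


if __name__ == "__main__":
    for path, category, detail in summarize(REPORT):
        print(f"{category:18} {detail:32} {path}")
```
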

Re: Trojan attack still 2

Post by daviwish » February 3rd, 2010, 12:06 am

I sent this hours ago but it doesn't seem to have appeared there. Here's the Kaspersky report again.

Thanks David
daviwish
Regular Member
 
Posts: 22
Joined: January 15th, 2010, 11:56 pm

Re: Trojan attack still 2

Post by daviwish » February 3rd, 2010, 12:08 am

Sorry. When I first checked your reply was absent. I did have a serious problem in 2008 - in fact several both mechanical and software.
daviwish
Regular Member
 
Posts: 22
Joined: January 15th, 2010, 11:56 pm

Re: Trojan attack still 2

Post by daviwish » February 3rd, 2010, 12:35 am

OTM results
All processes killed
========== FILES ==========
File/Folder C:\desktop\HijackThis\backups\backup-20080308-090750-898.011 not found.
File/Folder C:WINDOWS\Installer\ {ab390fac-97ec-4aa3-9112-0e3a08fd7996}\DrvService.011 not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: David
->Temp folder emptied: 99246172 bytes
->Temporary Internet Files folder emptied: 105748727 bytes
->Java cache emptied: 128123 bytes
->FireFox cache emptied: 2697211 bytes
->Google Chrome cache emptied: 594288 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 5552657 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 88 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23943994 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 292071635 bytes

Total Files Cleaned = 506.00 mb

========== FILES ==========
C:\desktop\HijackThis\backups\backup-20080308-090750-898.0ll moved successfully.
C:\WINDOWS\Installer\{ab390fac-97ec-4aa3-9112-0e3a08fd7996}\DrvService.0ll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: David
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 0.00 mb


OTM by OldTimer - Version 3.1.7.1 log created on 02022010_232645
I'll get rid of Musicmatch Jukebox
Thanks
David
daviwish
Regular Member
 
Posts: 22
Joined: January 15th, 2010, 11:56 pm

Re: Trojan attack still 2

Post by melboy » February 3rd, 2010, 9:16 am

Hi David

Things look good. Well done - Any more problems?


OTM by OldTimer

  • Double-click OTM.exe
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? Prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes; if not, delete it yourself



Your log now appears to be clean. Congratulations!
This is my general post for when your logs show no more signs of malware ;) - Please let me know if you still are having problems with your computer and what these problems are.



=====================================================================



Protection Programs
Don't forget to re-enable any protection programs we disabled during your fix.

General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.


Clear Infected System Restore Points

    • Turn System Restore off
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore.
    • Click Apply, and then click OK.

      Restart your computer

    • Turn System Restore on
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Uncheck Turn off System Restore on all drives.
    • Click Apply
    • Click each drive in turn where system restore is not required and click Settings
    Note: System restore is only needed on drives with an operating system installed.
    For each drive without an operating system, check Turn off system restore on this drive, click Yes then click OK.
Note: only do this once, and not on a regular basis.


  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    Uninstall Tools for Major Antivirus Products
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.


Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • Malwarebytes' Anti-Malware
    As you already have Malwarebytes' Anti-Malware on board I would keep it regularly updated and run regular quick scans with it. (TIP: Cleaning out temp files can reduce scanning times.)
    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. The Full version includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.
  • Hosts File
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.
  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
    Firefox
    Opera



Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Trojan attack still 2

Post by daviwish » February 3rd, 2010, 1:15 pm

Hi and thank you!
I've just been attempting to set up Firefox and downloaded their warning system WOT. It's a bit of a change from IE.
I have used Cleaner to eliminate temp files etc previously and F-Secure updates regularly. It certainly seems superior to Norton. I assume that the security devices you suggest work comfortably with my current security system.
I am considering changing to Nod 32 or AVG as F-secure is very slow around e-mail security. It apparently does not block all invaders and in particular misses adware.
I have followed all of your instructions and am about to download Winpatrol and Hosts.

I'm not sure why you do this, whether out of the goodness of your heart or as a part of your current education but once again, thank you for all your patience and assistance.
David
daviwish
Regular Member
 
Posts: 22
Joined: January 15th, 2010, 11:56 pm

Re: Trojan attack still 2

Post by melboy » February 3rd, 2010, 1:46 pm

Hi David

You're most welcome. :)

The security software should work OK with your current set up; however, as every system's set up is different to the next, it's impossible to know for sure. You shouldn't have any problems though.

As for choice of AV; F-secure is a reputable company, as are Eset (Nod32), Norton (Symantec) and AVG. A lot of the time it's down to personal preference. So long as you choose a well known reputable product you won't go far wrong. Every AV will miss things that others find and vice versa.
Whatever you choose I would recommend the occasional online scan with an alternative (such as the Kaspersky scan I had you run) and also regular scans - say once a week or so - with an "on-demand" scanner such as Malwarebytes Anti-Malware.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Trojan attack still 2

Post by markkhunt » February 4th, 2010, 9:31 pm

Since this issue appears resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
markkhunt
Admin/Teacher Emeritus
 
Posts: 7913
Joined: April 15th, 2005, 8:58 pm
Location: Newburgh, IN