musicshouldbefree101

Honorary Members
  • Posts: 50
  • Reputation: 0 Neutral

  1. Hi Maurice, I deleted all 3 avenger files as suggested. Thanks so much for all your help and time.
  2. I did a few more scans and here are the results, in the order: Panda Active Scan, ESET Online Scan (this one came up clean but I will attach a jpeg for this one) and Malwarebytes Scan. I was surprised to see the avenger show up from the Panda scan because those files were downloaded from this site for a previous cleaning. Just some background info: I haven't had any issues with my computer. From the scans, I don't think I'm infected, but I'm not the expert. Any information you can provide me on the scans would be greatly appreciated. Again, thanks for your help.

     Panda Active Scan

     ;*****************************************************************
     ANALYSIS: 2010-06-10 20:09:16
     PROTECTIONS: 1
     MALWARE: 1
     SUSPECTS: 0
     ;*****************************************************************

     PROTECTIONS
     Description          Version  Active  Updated
     ;=================================================================
     AVG Anti-Virus Free  9.0      No      Yes
     ;=================================================================

     MALWARE
     Id        Description     Type          Active  Severity  Disinfectable  Disinfected  Location
     ;=================================================================
     06162619  Trj/Banbra.GQU  Virus/Trojan  No      1         Yes            No           c:\documents and settings\dell\my documents\soft\!\avenger\avenger.exe
     06162619  Trj/Banbra.GQU  Virus/Trojan  No      1         Yes            No           c:\documents and settings\dell\my documents\soft\!\avenger.zip[avenger.exe]
     06162619  Trj/Banbra.GQU  Virus/Trojan  No      1         Yes            No           c:\documents and settings\dell\my documents\my videos\downloads\new folder\avenger.zip[avenger.exe]
     ;=================================================================

     SUSPECTS
     Sent  Location
     ;=================================================================
     ;=================================================================

     VULNERABILITIES
     Id      Severity  Description
     ;=================================================================
     215935  HIGH      MS09-069
     ;=================================================================

     Malwarebytes

     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org

     Database version: 4187

     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702

     6/10/2010 9:33:26 PM
     mbam-log-2010-06-10 (21-33-26).txt

     Scan type: Quick scan
     Objects scanned: 114966
     Time elapsed: 7 minute(s), 41 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  3. Hi Maurice, Thanks for the reply. I really appreciate it. I will do another couple of scans at the sites you've provided and post them as soon as I can.
  4. I'm not sure what this is, but I do a scan from time to time just for safety's sake. The last time I did a scan it came up clean, but this time when I used F-Secure Online Scan, it found 10 malware files. I know where all the files are but I don't know if they are really infected. Below are two scans. First the F-Secure Online Scan (shows 10 infected files), then a quick MalwareBytes Scan (which comes up clean). I am not sure if there is anything to this. Any help or advice would be greatly appreciated. Thanks.

     Scanning Report
     Tuesday, May 25, 2010 15:16:13 - 16:22:54

     Computer name: DELL-D600
     Scanning type: Scan system for malware, spyware and rootkits
     Target: C:\

     10 malware found

     Suspicious:W32/Malware!Gemini (virus)
       * C:\PROGRAM FILES\ADOBE\PHOTOSHOP 6.0\SAMPLES\DROPLETS\PHOTOSHOP DROPLETS\AGED PHOTO.EXE (Not cleaned & Submitted)
     Suspicious:W32/Malware!Gemini (virus)
       * C:\PROGRAM FILES\ADOBE\PHOTOSHOP 6.0\SAMPLES\DROPLETS\PHOTOSHOP DROPLETS\CONDITIONAL MODE CHANGE.EXE (Not cleaned & Submitted)
     Suspicious:W32/Malware!Gemini (virus)
       * C:\PROGRAM FILES\ADOBE\PHOTOSHOP 6.0\SAMPLES\DROPLETS\PHOTOSHOP DROPLETS\CONSTRAIN TO 64 PIXELS.EXE (Not cleaned & Submitted)
     Suspicious:W32/Malware!Gemini (virus)
       * C:\PROGRAM FILES\ADOBE\PHOTOSHOP 6.0\SAMPLES\DROPLETS\PHOTOSHOP DROPLETS\CONSTRAIN TO 300 PIXELS.EXE (Not cleaned & Submitted)
     Suspicious:W32/Malware!Gemini (virus)
       * C:\PROGRAM FILES\ADOBE\PHOTOSHOP 6.0\SAMPLES\DROPLETS\PHOTOSHOP DROPLETS\DROP SHADOW FRAME.EXE (Not cleaned & Submitted)
     Suspicious:W32/Malware!Gemini (virus)
       * C:\PROGRAM FILES\ADOBE\PHOTOSHOP 6.0\SAMPLES\DROPLETS\PHOTOSHOP DROPLETS\MAKE BUTTON.EXE (Not cleaned & Submitted)
     Suspicious:W32/Malware!Gemini (virus)
       * C:\PROGRAM FILES\ADOBE\PHOTOSHOP 6.0\SAMPLES\DROPLETS\PHOTOSHOP DROPLETS\MAKE SEPIA TONE.EXE (Not cleaned & Submitted)
     Suspicious:W32/Malware!Gemini (virus)
       * C:\PROGRAM FILES\ADOBE\PHOTOSHOP 6.0\SAMPLES\DROPLETS\PHOTOSHOP DROPLETS\SAVE AS JPEG MEDIUM.EXE (Not cleaned & Submitted)
     Suspicious:W32/Malware!Gemini (virus)
       * C:\PROGRAM FILES\ADOBE\PHOTOSHOP 6.0\SAMPLES\DROPLETS\PHOTOSHOP DROPLETS\SAVE AS PHOTOSHOP PDF.EXE (Not cleaned & Submitted)
     Suspicious:W32/Malware!Gemini (virus)
       * C:\PROGRAM FILES\ADOBE\PHOTOSHOP 6.0\REQUIRED\DROPLET TEMPLATE.EXE (Not cleaned & Submitted)

     Statistics
     Scanned:
       * Files: 44157
       * System: 2920
       * Not scanned: 11
     Actions:
       * Disinfected: 0
       * Renamed: 0
       * Deleted: 0
       * Not cleaned: 10
       * Submitted: 10
     Files not scanned:
       * C:\PAGEFILE.SYS
       * C:\WINDOWS\SYSTEM32\CONFIG\SAM
       * C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
       * C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
       * C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
       * C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
       * C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
       * C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
       * C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE
       * C:\DOCUMENTS AND SETTINGS\DELL\LOCAL SETTINGS\TEMP\HSPERFDATA_DELL\2308
       * C:\DOCUMENTS AND SETTINGS\DELL\LOCAL SETTINGS\TEMP\HSPERFDATA_DELL\4080

     Options
     Scanning engines:
     Scanning options:
       * Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
       * Use advanced heuristics

     ------------------------------------

     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org

     Database version: 4143

     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702

     5/25/2010 4:39:17 PM
     mbam-log-2010-05-25 (16-39-17).txt

     Scan type: Quick scan
     Objects scanned: 114448
     Time elapsed: 12 minute(s), 45 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  5. screen317, disregard that last reply. My internet connection is back up. I used System Restore to go back to a clean working date and it works fine now. Thanks for all your help again. You can now close this thread if you like. - musicshouldbefree101
  6. Sorry to bother you again screen317, I decided to do a System Restore to see if this would help. Unfortunately, I restored it back to Wed Aug 19th, which is when my computer was still infected. So I went back in and re-restored it to Thursday Aug 20th, when it was officially clean. My question is, after the second restore, is my computer clean or should I still worry about the rootkit from the previous restore?
  7. screen317, I did as instructed but when I tried to uninstall I get the error message, "Failed to uninstall the device. The device may be required to boot up the computer." So what I did was disable both and rebooted. I then tried to launch my browser, but it didn't work. Is there any other way around it? On a side note, I recently created an account at the Outpost user support forum (musicfree101), but for some reason I can't post. I get this error: "Your account has been activated but you are currently in the moderation queue to be added to the forum." I guess I have to wait awhile. Once available I will post to that forum with my issue.
  8. I think I found the issue. When I went to Control Panel > System > Hardware > Device Manager, under Network adapters it shows two exclamation marks. I added a photo to show you what is there. When I right click on them, I get the options: Update Driver, Disable, Uninstall, Scan for hardware changes, Properties. My question is, if this is the issue, what should I do?
  9. One more thing. I also did some Windows updates and don't know if that's giving me the issue.
  10. Hi screen317, I hate to bother you again, but while I was trying to install Outpost on my desktop that was infected, I ran into an error. So I uninstalled it and now I no longer have internet connectivity on it. I went into the network connections and clicked on "Repair this connection", but I get a window that reads, "Windows could not finish repairing the problem because the following action could not be completed: Failed to query TCP/IP settings of the connection. Cannot proceed. For assistance, contact the person who manages your network." I redownloaded ComboFix and re-ran it, but I had no luck. I don't know if you know how to resolve this issue, but any advice would be much appreciated. Sorry again for the issue.
  11. Hi screen317, thank you and SpySentinel for all your help. I really appreciate it. I have downloaded the Outpost firewall, SpywareBlaster, and WOT. I don't use Explorer, but use Firefox instead. Do you have any suggestions for the security level settings on that browser? Also, should I create a System Restore point? I will wait for your next reply, thanks again.
  12. screen317, I did as advised in your last post and was able to remove rootrepeal successfully. Thank you very much. My computer seems to be running fine now with no issues. Is there anything else I should do? Thanks again and I will wait for your next reply.
  13. Fixed. These are the programs I've installed during the cleaning session. Should I uninstall any or is it okay to keep them?
       • SysProt AntiRootkit v1.0.1.0
       • rootrepeal (can't get rid of this icon on desktop)
       • findit
       • otm by oldtimer
       • Dr.Web CureIt
       • avenger
       • Win32kDiag.exe
       • TFC by OldTimer
       • random's system information tool
       • OTL
  14. When I booted up in safe mode, the rootrepeal icon wasn't on my desktop. I checked the C: drive and Add/Remove Programs but could not locate it. These are the programs I've installed during the cleaning session. Should I install any or is it okay to keep them?
       • SysProt AntiRootkit v1.0.1.0
       • rootrepeal (can't get rid of this icon on desktop)
       • findit
       • otm by oldtimer
       • Dr.Web CureIt
       • avenger
       • Win32kDiag.exe
       • TFC by OldTimer
       • random's system information tool
       • OTL
     Thanks.