dmueller375 Posted May 30, 2010 Author ID:258779 Share Posted May 30, 2010 Hi Elise, I'm back.We can now access this pc from user name Kate. Great Job!!!All processes killed========== OTL ==========HKU\S-1-5-21-2056517334-3818234146-3613033903-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!HKU\S-1-5-21-2056517334-3818234146-3613033903-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!HKU\S-1-5-21-2056517334-3818234146-3613033903-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!========== COMMANDS ==========[EMPTYTEMP]User: AdministratorUser: Administrator.FAMILY->Temp folder emptied: 0 bytes->Temporary Internet Files folder emptied: 67 bytes->Flash cache emptied: 348 bytesUser: All UsersUser: Celia->Temp folder emptied: 0 bytes->Temporary Internet Files folder emptied: 469 bytes->Java cache emptied: 64023560 bytes->Flash cache emptied: 81929 bytesUser: Dave->Temp folder emptied: 0 bytes->Temporary Internet Files folder emptied: 298245 bytes->Java cache emptied: 236893853 bytes->Flash cache emptied: 689132 bytesUser: Default User->Temp folder emptied: 0 bytes->Temporary Internet Files folder emptied: 32902 bytesUser: Karen->Temp folder emptied: 0 bytes->Temporary Internet Files folder emptied: 6924750 bytes->Java cache emptied: 33322382 bytes->Flash cache emptied: 11943 bytesUser: Kate->Temp folder emptied: 687 bytes->Temporary Internet Files folder emptied: 6680874 bytes->Java cache emptied: 58218360 bytes->Flash cache emptied: 1294381 bytesUser: LocalService->Temp folder emptied: 65748 bytes->Temporary Internet Files folder emptied: 2366786 bytes->Flash cache emptied: 348 bytesUser: NetworkService->Temp folder emptied: 0 bytes->Temporary Internet Files folder emptied: 735314 bytes->Java cache emptied: 4493 bytes->Flash cache emptied: 11343 bytesUser: Owner%systemdrive% .tmp files removed: 14648 bytes%systemroot% .tmp files removed: 137401 bytes%systemroot%\System32 .tmp files removed: 26721297 bytes%systemroot%\System32\dllcache .tmp files removed: 0 bytes%systemroot%\System32\drivers .tmp files removed: 0 bytesWindows Temp folder emptied: 802091 bytes%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 38393 bytesRecycleBin emptied: 0 bytesTotal Files Cleaned = 419.00 mbOTL by OldTimer - Version 3.2.4.1 log created on 05292010_191642Files\Folders moved on Reboot...File\Folder C:\WINDOWS\temp\Perflib_Perfdata_64c.dat not found!Registry entries deleted on Reboot... Link to post Share on other sites More sharing options...
Elise Posted May 30, 2010 ID:258866 Share Posted May 30, 2010 Hello again,Thats good to hear Please let me know if there are any problems left. Lets also do one last scan.ESET ONLINE SCANNER----------------------------I'd like us to scan your machine with ESET OnlineScanHold down Control and click on the following link to open ESET OnlineScan in a new window.ESET OnlineScanClick the button.For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)Click on to download the ESET Smart Installer. Save it to your desktop.Double click on the icon on your desktop.Check Click the button.Accept any security warnings from your browser.Check Push the Start button.ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.When the scan completes, push Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.Note - when ESET doesn't find any threats, no report will be created.Push the button.Push Link to post Share on other sites More sharing options...
dmueller375 Posted May 30, 2010 Author ID:259119 Share Posted May 30, 2010 ESET scan results: C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1\Application Data\Sun\Java\Deployment\cache\6.0\31\ba6991f-7a05e3f3 Java/TrojanDownloader.Agent.NAM trojan deleted - quarantinedC:\HelpAsst_backup\C\DOCUME~1\HELPAS~1\Application Data\Sun\Java\Deployment\cache\6.0\36\7945eda4-36b6eb9e multiple threats deleted - quarantinedWhile the ESET Scan was running, Norton gave me the following:ATIPI.SYS.vir This file requires manual removalInfected file: c:\Qoobox\quarantine\C\windows\system32\drivers\atapi.sys.virmanual removal requiredInfected file: c:\system volume information\_restore{b37680b2\ba0a-4e5d-bf30-83e44c588624}\RP1\A0000032.sysno fix attemptedPlease note I could not copy and paste the Norton results - I attempted to exactly retype but there may be mistakesAlso:Unauthorized Access blockedActor: C\windows\explorer.exeActor pid: 1868Target: \device\harddiskvolume2\program files\Norton Security Suite\engine\4.1.0.32\ccvchst.exetarget PID: 2980action: send terminate message to windowsreaction: unauthorized access blocked Link to post Share on other sites More sharing options...
Elise Posted May 30, 2010 ID:259122 Share Posted May 30, 2010 Hello again, That is nothing to worry about. Norton detects ESET accessing quarantined threads and flags them. The same goes for the access violation for explorer.exe, its just a conflict between to AV applications (ESET and Norton in this case).If there are no other problems, you are good to go ALL CLEAN--------------Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean Please do the following to remove the remaining programs from your PC:Delete the tools used during the disinfection:Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.Click Start > run and type helpasst -cleanup in the runbox, press enter. This will remove the Helpassistant backups.Delete DDS, GMER (this is a random named file) and OTL.Please read these advices, in order to prevent reinfecting your PC:Install and update the following programs regularly:an outbound firewallA comprehensive tutorial and a list of possible firewalls can be found here.an AntiVirus SoftwareIt is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.an Anti-Spyware programMalware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.SUPERAntiSpyware is another good scanner with high detection and removal rates.Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.Spyware BlasterA tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.MVPs hosts fileA tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file[*]Keep Windows (and your other Microsoft software) up to date!I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!![*]Keep your other software up to date as wellSoftware does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.[*]Stay up to date!The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.Some more links you might find of interest:Miekies' prevention suggestionsSo How did I get infected?Microsoft - 'Security at home'Calendar of Updates: See which updates have been released.How to backup your Data with Cobian Backup:because you never know, when your harddisk might fail :wink:Commonly Used Freeware Replacements: a nice list of freeware programs in all categories, that are regarded as useful by the users of this forum.osalt: Find (free) open source alternatives to known commercial software.Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards. Link to post Share on other sites More sharing options...
dmueller375 Posted May 30, 2010 Author ID:259134 Share Posted May 30, 2010 Hi and thank you so much Elise, I'm sure you are right the pc is now clean, but...... I'm a bit nervous because the norton virus warning was similar to what i received before you were helping me. Is it possible to wait closing out this topic until we run the pc another day and I report back to you tommorrow evening? Dave Link to post Share on other sites More sharing options...
Elise Posted May 30, 2010 ID:259138 Share Posted May 30, 2010 Of course Dave To understand why Norton flagged the file, you have to understand that System Restore contains copies of data (files/registry entries) from different points in the recent history of your computer. That way, a copy of the infected driver file ended up in System Restore. It is completely harmless there, since there is no way it can be active. The other copy was in Combofix quarantine. If you uninstalled Combofix as instructed both the System restore points and Combofix quarantine should be gone now.You can determine whether the file is harmless or not in this case based on the file location.Infected file: c:\Qoobox\quarantine\C\windows\system32\drivers\atapi.sys.virmanual removal required <-- C:\Qoobox is the directory where Combofix stores its quarantined files.Infected file: c:\system volume information\_restore{b37680b2\ba0a-4e5d-bf30-83e44c588624}\RP1\A0000032.sysno fix attempted <-- c:\system volume information is the folder where all restore points are saved.I hope this explains why Norton still detected the files.Please let me know if you have any more questions Link to post Share on other sites More sharing options...
dmueller375 Posted May 30, 2010 Author ID:259146 Share Posted May 30, 2010 Thanks again for the great explanation Elise.I was more nervous about blocked communication because the target was the ccvchst file, which is similar in name to ccsvhst.exe I discovered was taking up a large % of system cpu when I was first infected, as discovered through windows task manager. I'm sure all is fine, I'll report back to you tommorrow.Dave Link to post Share on other sites More sharing options...
Elise Posted May 30, 2010 ID:259149 Share Posted May 30, 2010 Okay Dave, just take your time to see if everything is fine. Link to post Share on other sites More sharing options...
dmueller375 Posted June 1, 2010 Author ID:259802 Share Posted June 1, 2010 Hi Elise,No problems, all is good. Thank you so much!! GratefullyDave Link to post Share on other sites More sharing options...
Elise Posted June 1, 2010 ID:259871 Share Posted June 1, 2010 You are welcome Dave I will request this topic to be closed. Link to post Share on other sites More sharing options...
Recommended Posts