Infected again


OK, I have been attempting to run Kaspersky online scanner and it is taking so long the machine locks up. I have not been able to babysit it. I ran this before and managed to get through it. How much time should I allow to keep an eye on this machine to make sure it doesn't stall again? Also, are there any tips which would help me run this successfully?

thanks.

Go ahead and try this one instead

Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.

I am in the middle of running the scanning program you gave me. It has been over 4 hours and is not yet halfway through, but has found a dozen infected files. I won't be up much longer and definitely not long enough for the scan to finish, so I'll post the logs tomorrow. At least the computer hasn't locked up so far.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=ef4f07113b7de04fb2e825efb571605c

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-08-08 06:31:27

# local_time=2010-08-08 01:31:27 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 5799869 5799869 0 0

# compatibility_mode=1024 16777215 100 0 5058527 5058527 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=85568

# found=35

# cleaned=0

# scan_time=23911

C:\Documents and Settings\Mary Giese\Application Data\Mozilla\Profiles\default\762hs4l8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\Inbox multiple threats 00000000000000000000000000000000 I

C:\Documents and Settings\Mary Giese\Application Data\Mozilla\Profiles\default\762hs4l8.slt\Mail\pop.charter-1.net\Inbox HTML/Phishing.gen trojan 00000000000000000000000000000000 I

C:\Documents and Settings\Mary Giese\Application Data\Thunderbird\Profiles\rjpk6lxk.default\Mail\Local Folders-1\Outlook Express Mail.sbd\old messages multiple threats 00000000000000000000000000000000 I

C:\Documents and Settings\Mary Giese\Application Data\Thunderbird\Profiles\rjpk6lxk.default\Mail\Local Folders-1\Outlook Express Mail0.sbd\old messages multiple threats 00000000000000000000000000000000 I

C:\Documents and Settings\Mary Giese\Desktop\backup\emailbackup\9vlgbsxe.slt\Mail\pop.charter-1.net\Inbox HTML/Phishing.gen trojan 00000000000000000000000000000000 I

C:\Documents and Settings\Mary Giese\Desktop\backup\emailbackup\Mail\pop.charter-1.net\Inbox HTML/Phishing.gen trojan 00000000000000000000000000000000 I

C:\Documents and Settings\Mary Giese\Desktop\backup\emailbackup\Mail\pop.charter-1.net\old messages multiple threats 00000000000000000000000000000000 I

C:\Documents and Settings\Mary Giese\Desktop\backup\emailbackup\Mail\pop.sunflower.comold\XVCVDC2T.TMP multiple threats 00000000000000000000000000000000 I

C:\Documents and Settings\Mary Giese\Desktop\backup\emailbackup\Mail\support.pop.sunflower.com\Inbox Win32/Netsky.Q worm 00000000000000000000000000000000 I

C:\Documents and Settings\Mary Giese\Desktop\backup\emailbackup\Mail\support.pop.sunflower.com\mary's mail Win32/Dumaru.A worm 00000000000000000000000000000000 I

C:\Documents and Settings\Mary Giese\Desktop\backup\emailbackup\Mail\support.pop.sunflower.com\Trash multiple threats 00000000000000000000000000000000 I

C:\Documents and Settings\Mary Giese\Desktop\backup\Program Files\AVPersonal\Avwin95.exe probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I

C:\Documents and Settings\Mary Giese\Desktop\backup\Program Files\Netscape\Users\default\Mail\Inbox multiple threats 00000000000000000000000000000000 I

C:\Documents and Settings\Mary Giese\Desktop\backup\Program Files\Netscape\Users\default\Mail\Sent Win32/Klez.J worm 00000000000000000000000000000000 I

C:\Documents and Settings\Mary Giese\Desktop\backup\Program Files\Netscape\Users\default\Mail\Trash multiple threats 00000000000000000000000000000000 I

C:\Documents and Settings\Mary Giese\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\old messages.dbx multiple threats 00000000000000000000000000000000 I

C:\Documents and Settings\Mary Giese\Local Settings\temp\plugtmp\plugin-ujfnh.pdf JS/Exploit.Pdfka.OCD trojan 00000000000000000000000000000000 I

C:\Documents and Settings\Mary Giese\My Documents\Downloads\ComboFix(2).exe a variant of Win32/Kryptik.YI trojan 00000000000000000000000000000000 I

C:\Documents and Settings\Mary Giese\My Documents\Downloads\ComboFix(3).exe a variant of Win32/Kryptik.YI trojan 00000000000000000000000000000000 I

C:\Documents and Settings\Mary Giese\My Documents\Downloads\ComboFix(4).exe a variant of Win32/Kryptik.YI trojan 00000000000000000000000000000000 I

C:\Documents and Settings\Mary Giese\My Documents\Downloads\eMuleSetup.exe Win32/Adware.HotBar application 00000000000000000000000000000000 I

C:\Program Files\HBLite\bin\11.0.181.0\HBLiteSA.exe probably a variant of Win32/Adware.180Solutions application 00000000000000000000000000000000 I

C:\Program Files\HBLite\bin\11.0.181.0\HBLiteSAAX.dll a variant of Win32/Adware.HotBar.E application 00000000000000000000000000000000 I

C:\Program Files\HBLite\bin\11.0.181.0\HBLiteSAHook.dll probably a variant of Win32/Adware.HotBar.E application 00000000000000000000000000000000 I

C:\Program Files\HBLite\bin\11.0.181.0\HBLiteUninstaller.exe multiple threats 00000000000000000000000000000000 I

C:\Program Files\Netscape\Users\default\Mail\charter1a\Inbox HTML/Phishing.gen trojan 00000000000000000000000000000000 I

C:\Program Files\Netscape\Users\default\Mail\Copy of charter1a\Inbox HTML/Phishing.gen trojan 00000000000000000000000000000000 I

C:\Program Files\Netscape\Users\default\Mail\sunflower\Sent Win32/Klez.J worm 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\atapi.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I

C:\RECYCLER\S-1-5-21-2821380735-165671010-3248845186-1006\Dc14 HTML/Phishing.gen trojan 00000000000000000000000000000000 I

C:\RECYCLER\S-1-5-21-2821380735-165671010-3248845186-1006\Dc17 multiple threats 00000000000000000000000000000000 I

C:\RECYCLER\S-1-5-21-2821380735-165671010-3248845186-1006\Dc18 Win32/Klez.J worm 00000000000000000000000000000000 I

C:\RECYCLER\S-1-5-21-2821380735-165671010-3248845186-1006\Dc20 multiple threats 00000000000000000000000000000000 I

C:\RECYCLER\S-1-5-21-2821380735-165671010-3248845186-1006\Dc21 multiple threats 00000000000000000000000000000000 I

${Memory} multiple threats 00000000000000000000000000000000 I

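The log above is worth reading with a script rather than by eye: the header records which scan options were actually in effect, and the detection lines mix stored artifacts (mailbox files, ComboFix's Qoobox quarantine, the Recycle Bin) with items that matter far more (a memory hit, an exploit PDF in the browser plugin temp folder, files under Program Files). The following is an added example, not part of the thread and not ESET's tooling. It assumes the layout visible in the posted log: `# key=value` header lines, then one detection per line of the form `<path> <detection name> <32-hex hash> <status letter>`, with `scan_time` taken to be seconds. The sample log is constructed from that format with a generic username and a subset of the findings. The expected settings are the ones the helper asked for; run over the log as posted, the check would report `unsafe_checked=false`, i.e. the "Scan for potentially unsafe applications" box was not ticked for this run.

```python
"""Parse and triage an ESET Online Scanner log.txt.

Added example; not from the forum thread or from ESET. Assumes the layout
visible in the posted log: '# key=value' header lines, then one detection
per line: '<path> <detection name> <32-hex hash> <status letter>'.
"""
import re
from collections import Counter

# Constructed sample in the posted format (generic username, subset of the
# findings). 'found' is set to the number of detection lines in this sample.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# scanned=85568
# found=7
# cleaned=0
# scan_time=23911
C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\762hs4l8.slt\Mail\pop.charter-1.net\Inbox HTML/Phishing.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Local Settings\temp\plugtmp\plugin-ujfnh.pdf JS/Exploit.Pdfka.OCD trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\My Documents\Downloads\ComboFix(2).exe a variant of Win32/Kryptik.YI trojan 00000000000000000000000000000000 I
C:\Program Files\HBLite\bin\11.0.181.0\HBLiteSA.exe probably a variant of Win32/Adware.180Solutions application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\atapi.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\RECYCLER\S-1-5-21-2821380735-165671010-3248845186-1006\Dc18 Win32/Klez.J worm 00000000000000000000000000000000 I
${Memory} multiple threats 00000000000000000000000000000000 I
"""

# Detection line: path (may contain spaces), detection name, hash, status.
# The path is matched non-greedily; the anchored tail keeps it from eating
# the detection name, since ESET names always contain a '/' family separator.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<name>multiple threats|"
    r"(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+ "
    r"(?:trojan|worm|virus|application))"
    r" (?P<hash>[0-9a-fA-F]{32}) (?P<status>[A-Z])$"
)

# Settings the helper's instructions ask for (remove unticked, the rest ticked).
EXPECTED_SETTINGS = {
    "remove_checked": "false",
    "archives_checked": "true",
    "unwanted_checked": "true",
    "unsafe_checked": "true",
    "antistealth_checked": "true",
}

# Lower number = look at it first. Memory hits mean something is active;
# quarantine and Recycle Bin copies are inert; mailbox hits are stored mail.
PRIORITY = {"memory": 0, "file": 1, "quarantine": 2, "recycle-bin": 3, "mail-store": 4}


def parse_log(text):
    """Return (header dict, list of detection dicts). First value wins for repeated keys."""
    header, hits = {}, []
    for line in text.splitlines():
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header.setdefault(key, value)
            continue
        m = DETECTION_RE.match(line)
        if m:
            hits.append(m.groupdict())
    return header, hits


def settings_mismatches(header):
    """Options whose logged value differs from what the scan instructions asked for."""
    return {k: header.get(k) for k, v in EXPECTED_SETTINGS.items() if header.get(k) != v}


def classify(path):
    """Bucket a detection by where it sits on disk."""
    p = path.lower()
    if p == "${memory}":
        return "memory"
    if "\\qoobox\\quarantine\\" in p:      # ComboFix's quarantine folder
        return "quarantine"
    if "\\recycler\\" in p:
        return "recycle-bin"
    if "\\mail\\" in p or p.endswith(".dbx"):  # mbox folders, Outlook Express stores
        return "mail-store"
    return "file"


def family(name):
    """'probably a variant of Win32/Adware.180Solutions application' -> 'Win32/Adware.180Solutions'."""
    return name if name == "multiple threats" else name.split()[-2]


def triage(hits):
    """Detections ordered by how urgently they need attention."""
    rows = sorted((PRIORITY[classify(h["path"])], classify(h["path"]), h["name"], h["path"]) for h in hits)
    return [(cat, name, path) for _, cat, name, path in rows]


def scan_hours(header):
    """scan_time assumed to be seconds (23911 -> 6.6 hours for the posted log)."""
    return round(int(header["scan_time"]) / 3600, 1)


def summarize(text):
    header, hits = parse_log(text)
    return {
        "found_claimed": int(header.get("found", 0)),
        "found_parsed": len(hits),               # should equal found_claimed, else the parser missed lines
        "cleaned": header.get("cleaned"),
        "by_location": Counter(classify(h["path"]) for h in hits),
        "by_family": Counter(family(h["name"]) for h in hits),
        "settings_mismatches": settings_mismatches(header),
        "hours": scan_hours(header),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(f"{k}: {v}")
    for cat, name, path in triage(parse_log(SAMPLE_LOG)[1]):
        print(f"[{cat}] {name}: {path}")
```

Two things the summary makes obvious that the raw log does not: `cleaned=0` with `remove_checked=false` means nothing was touched, so every line is still on disk, and the only finding that is not a stored artifact or a copy in quarantine is the `${Memory}` hit together with the files under Downloads, Program Files and the plugin temp folder.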
Note: You may need to unhide hidden files and folders.

Configure Windows XP to show hidden files:

Click Start. Open My Computer.

Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".

Uncheck the "Hide protected operating system files (recommended)" option.

Uncheck the "Hide file extensions for known file types" option.

Click Yes to confirm. Click OK.

You can delete this folder

C:\RECYCLER\S-1-5-21-2821380735-165671010-3248845186-1006

You may want to go through and remove some of those email backup folders and any old emails.

How is everything running?

C:\Program Files\HBLite\bin\11.0.181.0\HBLiteSA.exe probably a variant of Win32/Adware.180Solutions application 00000000000000000000000000000000 I

C:\Program Files\HBLite\bin\11.0.181.0\HBLiteSAAX.dll a variant of Win32/Adware.HotBar.E application 00000000000000000000000000000000 I

C:\Program Files\HBLite\bin\11.0.181.0\HBLiteSAHook.dll probably a variant of Win32/Adware.HotBar.E application 00000000000000000000000000000000 I

C:\Program Files\HBLite\bin\11.0.181.0\HBLiteUninstaller.exe multiple threats 00000000000000000000000000000000 I

I have started deleting the various files. I got to this group and it is denying me access. These were added on July 10 and I don't know what they are. I need some assistance in how to get to these to delete them.

Thanks.

  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
