Solved

Can't find the sourse of a virus.

Posted on 2008-06-09
19
1,136 Views
Last Modified: 2013-11-22
I keep getting a virus alert even after it gets "quarantined" after a normal scan.. can't find the sourse of the virus that keeps returning daily.

Scan type:  Auto-Protect Scan
Event:  Security Risk Found!
Threat: Downloader.Bancos!gen
File:  C:\DOCUME~1\Home User\LOCALS~1\Temp\$1F5C5~1.T$M
Location:  Quarantine
Computer:  PC-A1
User:  PC-A1\Home User
Action taken:  Quarantine succeeded : Access denied
Date found: Monday, June 09, 2008  5:21:45 PM
0
Comment
Question by:pasadenalocal1
  • 8
  • 6
  • 4
  • +1
19 Comments
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21748081
Have you tried deleting/removing the files in quarantine?
Then clean out your temp folders.

Download and run ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
 
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use FireFox or the Opera browser,
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

OR:
CCleaner:
http://www.ccleaner.com/download/


If problem persists, show us a Hijackthis log to review.
Hijackthis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Open Hijackthis, click "Do a system scan and save a logfile" please don't fix anything yet.
Please attach the logfile as "Code Snippet".
0
 

Author Comment

by:pasadenalocal1
ID: 21748351
Well,

I ran the atribune test and it cleaned up a bunch of files.. about 35 MB.  I then ran a full system can with Norton Antivirus and it didn't come back with any infected files..

Also did what you suggested and deleted the actual quarantined files.. , etc....not sure how that would make a difference, but I'll take your word for it :)

So no sign of anything, but it seems to detect it once a day.. I will give it 24-48 hours and see if this did the trick!  Thanks for the help.. fingers crossed :D

~pasadenalocal1
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21748586
When it comes back, scan the system with Hijackthis and attach its logfile please, so we can take a look.
0
 
LVL 20

Expert Comment

by:masnrock
ID: 21750193
You can also try scanning and cleaning up with your computer started in Safe Mode so that it doesn't have a chance to try to hook itself into anything at that point. Just keep us posted
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 21773414
this is a trojan horse, you really need to get rid of it ...


Overview
http://www.symantec.com/security_response/writeup.jsp?docid=2003-071710-2826-99&tabid=1

Technical Details
http://www.symantec.com/security_response/writeup.jsp?docid=2003-071710-2826-99&tabid=2

Removal
http://www.symantec.com/security_response/writeup.jsp?docid=2003-071710-2826-99&tabid=3


To remove the trojan horse, Follow the instructions written in the Removal page.

Good luck
0
 

Author Comment

by:pasadenalocal1
ID: 21774675
well, i waited a few days to make sure that it didnt come back.. and in fact it didnt.  

I dont get it..after doing rpggamergirl's fix (with ATF Cleaner & also dumping the quarantined files) I rescanned a couple days in a row, it went away..

OR I should say, it never came back with "temp" folder viruses found alerts...

thanks all for the suggestions... if anyone still wanted to see hijack this log file, i posted a fresh scan down below. Thanks again all!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:32 PM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
E:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
E:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
E:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\vptray.exe
E:\Program Files\VMware\VMware Workstation\vmware-tray.exe
E:\Program Files\VMware\VMware Workstation\hqtray.exe
E:\Program Files\ATI Multimedia\main\ATISched.EXE
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
E:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -  (disabled by BHODemon)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Alcohol Toolbar Helper - {8126A4A5-BFD3-46FE-BBDF-BFB5CF78E489} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Alcohol Toolbar - {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Norton Ghost 12.0] "E:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\\vptray.exe
O4 - HKLM\..\Run: [vmware-tray] E:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "E:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ATI Scheduler] E:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\j2re1.4.2_16\bin\npjpi142_16.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\j2re1.4.2_16\bin\npjpi142_16.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - E:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://messaging.myspace.com
O15 - Trusted Zone: http://signups.myspace.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://192.168.2.3/tsweb/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CBD4E71-4722-4377-ADCB-34C4CD1021C0}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CFCFB82-EC7A-41B0-A4F1-150AB86A12DC}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{EAF49215-BD62-4DED-8FAF-B57F717CE489}: NameServer = 192.168.2.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - E:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - E:\Program Files\DynDNS Updater\DynDNS.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - E:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - E:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 12869 bytes
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21775005
>>>Also did what you suggested and deleted the actual quarantined files.. , etc....not sure how that would make a difference, but I'll take your word for it :) <<<

I asked to also empty the quarantine folder because IF the bad file was no longer in the temp folder then ATF Cleaner wouldn't be of help.
Then that would mean that Avast keeps flagging the same file each time which was already in the quarantine, based on its report "Location:  Quarantine"


Just some redundant entries in Hijackthis that you might like to fix:
O2 - BHO: (no name) - AutorunsDisabled - (no file)  
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O24 - Desktop Component 0: (no name) - (no file)

Do you know the program that uses this 'runonce' batchfile? if not, you can fix that too.
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')  
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
0
 

Author Comment

by:pasadenalocal1
ID: 21783659
AAARRG!!!!

Hey folks, it came back today after work... It took so many days.  I ATTACHED a new hijack this log file. Ive got the same stuff again:

Infostealer.Gampass
Downloader.Bancos!gen

&

Scan type:  Auto-Protect Scan
Event:  Security Risk Found!
Threat: Downloader.Bancos!gen
File:  C:\DOCUME~1\Home User\LOCALS~1\Temp\$762E6~1.T$M
Location:  Quarantine
Computer:  PC-A1
User:  PC-A1\Home User
Action taken:  Quarantine succeeded : Access denied
Date found: Friday, June 13, 2008  8:27:47 AM

------


Not sure what to do now. Actually, I will try the other step "ccleaner" .. So wierd.. its like it went dormant or somthing.. maybe its a time release virus.. i suppose thats possible... thanks for any more help.


hijackthis.log
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 225 total points
ID: 21783695
When running Hijackthis please close all other programs that were running, IE etc.

Okay, let's start again.

1.  Please uninstall one of your antivirus, just keep one with real-time protection, having 2 antivirus installed and both with realtime protection will give you insufficient security and can cause conflicts.

2. Please update your version of java as that version is very vulnerable to infections specially vundo.
Updating Java:
Go to Start > Control Panel > Add/Remove programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
Select and click Remove.

Then Download and install the newest version from here:
http://www.java.com/en/download/manual.jsp

3. Install SpywareBlaster.
After installation, download updates and "Enable All protection".
http://www.javacoolsoftware.com/sbdownload.html

4. a) Either run an online scan with Kaspersky(save the log) or download and run Combofix.
Using Internet Explorer, run Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner
   
* Click 'Accept' in the window that pops up.
* You will be prompted to install an ActiveX component from Kaspersky, Click on the information bar and select Install ActiveX Control if so. This may happen more than once. That is OK. You also may get a warning from your Windows Firewall. You can tell it to unblock.
* The program will launch and then start to download the latest definition files.
* Once the scanner is installed and the definitions downloaded, click 'Next'.
* Now click on 'Scan Settings'
* In the scan settings make sure that the following are selected:
          o Scan using the following Anti-Virus database: 'Extended' (If available, otherwise 'Standard')
          o Scan Options: 'Scan Archives' and 'Scan Mail Bases'
* Click 'OK'
* Now under 'Select a target to scan' select 'My Computer'
* The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
* Now click on the 'Save Report As...' button:
* Make sure it says Save as a text file - change it if not
* Save the file to your desktop.


b) Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


This link tells you How to use Combofix as well as installing RC if you haven't yet.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 

Author Comment

by:pasadenalocal1
ID: 21843346
Hi rpggamergirl,

update:

1) I had to wipe my hard drive "A" clean with a fresh install of xpsp2. (i screwed up some other unrelated local admin security settings) ..however, this should make things easier.

2) However, I only unplugged the second hard drive "B" (sata) from the mobo while i cleaned up the main hd "A". This is my main storage hd that i need to plug back in (personal files, software, downloads, etc)

3) I will be plugging back in hd "B", which im worried could be infected, so ive taken these steps for now:

a) left hd "B" unplugged temporarily
a) only installed one antivirus/firewall (norton security 03)
b) downloaded latest java (per your steps)
c) downloaded SpywareBlaster, enabled all security settings (per your steps)
d) turned off all unused services

I also created and backed up a ghost image of my current setup to restore in case something goes bad again (which i backed up to my 03 server on the network.

So, I will be plugging back in hd B , but wanted to double check any other suggestions/steps i should take.
 
thkns!

0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 21844525
Have you considered looking at the symantec removal instructions be4 replacing the HD?
0
 

Author Comment

by:pasadenalocal1
ID: 21847410
hi.. before placing which HD? A or B?
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 21847608
The Harddisk where the Operating system is installed on.
0
 

Author Comment

by:pasadenalocal1
ID: 21848401
i went through the steps from norton and either it failed, or i did it wrong. So i ended up formatting, reinstaling xpsp2 from scratch. So far its patched, all new apps including the spyware sofware suggested previously in the other posts.

Now i need to plug in the other sata (hd B) with all my personal files, downloads, software... but i dont want to get infected if that hd is bad. I guess i could always just setup a 3rd machine and run the virus scans from there.. something not on my network like the other two pcs.
0
 
LVL 23

Assisted Solution

by:Mohammed Hamada
Mohammed Hamada earned 25 total points
ID: 21848462
This is a good idea, Or you can hook up the HD as external with USB cable. If you have the rack cover to connect it with.
0
 

Author Comment

by:pasadenalocal1
ID: 21850245
ok i have an external hd cable connector from EZ-connect.. it works great.. So maybe that would be more secure that plugging in as a sata drive? I can try that for sure then.
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 225 total points
ID: 21851590
It was a wise decision reformatting and reinstalling.

>>>Now i need to plug in the other sata (hd B) with all my personal files, downloads, software... but i dont want to get infected if that hd is bad.<<<

You could scan it straightaway after putting it back, if that drive is infected it wouldn't straightaway contaminate the primary drive unless you start working with it, opening files etc.
What you're planning to do and or what moh10ly had suggested are all great ideas.
0
 

Author Comment

by:pasadenalocal1
ID: 21893248
got it.

the second storage drive after plugging it in got scanned. It picked up the 2 viruses in a zip file i had downloaded. Quarantine was successful!

:)

 
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21893338
Well done, :)
Glad to know it's been resolved.

Thanks!
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

PREFACE The purpose of this guide is to explain how to manually move a SEP client to a different client group by performing steps on the client-side. These steps may prove particularly useful because they allow the client to move after it has alrea…
UPDATE - 6/15/2011 Added support for Release Update 6 Maintenance Patch 2 Point Patch 1 (RU6 MP2 PP1). Fixed a defect in the username field that was hard-coded to look for a specific domain (left over code from testing). This release will be the …
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now