
Thread: XP infected with Win32.FakeAlert.ttam and Win32.Palevo

  1. #21 Dakeyras (Security Expert-Emeritus; joined Sep 2008; location: The Tundra; 1,173 posts)

    Hi.

    Thank you for your quick reply!
    You're welcome!

    Yes, it's "gengokoukan"! It's no big deal but if I can have it again, great!
    OK.

    As for the command to check for errors, a command window opens for less than one second and I can't find checkhd.txt (I made a search).
    Hmmm, no reason why it should not have been created unless there is an actual fault with the Hard-Drive... Though I have not seen any indication of such; anyway, as a precaution we will perform some in-depth System Maintenance before we proceed any further, after restoring the aforementioned folder.

    Now I need to locate the exact location of the folder so we can restore it as follows:-

    Please download SystemLook from one of the links below and save it to your Desktop.

    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :folderfind 
      gengokoukan
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.


    Note: The log can also be found on your Desktop entitled SystemLook.txt
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  2. #22 Junior Member (joined Jan 2011; 18 posts)

    SystemLook 04.09.10 by jpshortstuff
    Log created at 13:55 on 08/02/2011 by Andrea
    Administrator - Elevation successful

    ========== folderfind ==========

    Searching for "gengokoukan"
    C:\Documents and Settings\Andrea\Bureau\sauvostro1\gengokoukan d------ [11:06 31/01/2011]
    C:\_OTL\MovedFiles\02082011_103146\C_Documents and Settings\Andrea\Bureau\gengokoukan d------ [11:24 24/01/2011]

    -= EOF =-

  3. #23 Dakeyras (Security Expert-Emeritus)

    Hi.

    Custom OTL Script:

    • Double-click OTL.exe to start the program.
    • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :files 
    C:\Documents and Settings\Andrea\Bureau\gengokoukan|C:\_OTL\MovedFiles\02082011_103146\C_Documents and Settings\Andrea\Bureau\gengokoukan /replace 
    
    [EmptyTemp]
    [Reboot]
    • Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
    • Then click the red Run Fix button.
    • Let the program run unhindered.
    • If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.

    Note: The logfile can also be located at C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.

    Hard-Drive Maintenance/Repair:

    Note: for the CHKDSK portion you may refer to this tutorial of mine here and follow the instructions for Graphical Mode if you so wish.

    • Click Start >> Run... then type in CMD and click on OK.
    • At the Command Prompt C:\ > type the following:
    • CD C:\ and hit the Enter/Return key.
    • Now type in DEFRAG C: -F
    • An analysis report will be displayed and then Windows will start the defragmentation run automatically.
    • This may take some time; when completed, the Command Prompt C:\ > will appear.
    • Now type in CHKDSK C: /R and hit the Enter/Return key.
    • When prompted with:
    CHKDSK cannot run because the volume is in use by another process
    Would you like to schedule this volume to be checked next time the system
    restarts (Y/N)
    • Hit the Y key then at the Command Prompt C:\ >
    • Type in EXIT and hit the Enter/Return key.
    • Now Reboot(Restart) your computer.

    Note: Upon Reboot(Restart) the CHKDSK(check-disk) will start and carry out the repairs required.

    You should see a screen like this just after the POST (power on self test) screen:

    Note: Do not touch either the keyboard or mouse, otherwise the Check-Disk will be cancelled and your computer will continue to boot-up as normal.

    When completed the above, please post back the following in the order asked for:

    • How is your computer performing now, any further symptoms and/or problems encountered?
    • OTL Log from the Custom Script.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  4. #24 Junior Member

    Hi

    The file that had been moved by OTL ("gengokoukan") is back on my desktop. Thank you!

    No problem with my computer. Maybe it starts now more quickly, but not sure. I didn't see the screen you mentioned in your last post but I walked away from my computer just after I hit the reboot button for 1 minute (I thought it was going to install some Microsoft updates first but it didn't).


    OTL log:

    All processes killed
    ========== FILES ==========
    File C:\Documents and Settings\Andrea\Bureau\gengokoukan successfully replaced with C:\_OTL\MovedFiles\02082011_103146\C_Documents and Settings\Andrea\Bureau\gengokoukan
    File\Folder [EmptyTemp] not found.
    File\Folder [Reboot] not found.

    OTL by OldTimer - Version 3.2.20.6 log created on 02092011_142443

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...

  5. #25 Dakeyras (Security Expert-Emeritus)

    Hi.

    The file that had been moved by OTL ("gengokoukan") is back on my desktop. Thank you!
    You're welcome!

    No problem with my computer. Maybe it starts now more quickly, but not sure. I didn't see the screen you mentioned in your last post but I walked away from my computer just after I hit the reboot button for 1 minute (I thought it was going to install some Microsoft updates first but it didn't).
    OK.

    TFC(Temp File Cleaner):

    • Please download TFC to your desktop,
    • Save any unsaved work. TFC will close all open application windows.
    • Double-click TFC.exe to run the program.
    • Click the Start button in the bottom left of TFC
    • If prompted, click "Yes" to reboot.

    Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

    New Java Installation:

    • Click here to visit Java's website.
    • Scroll down to Java SE 6 Update 23 (JDK or JRE). Click on Download JRE.
    • Select Windows from the drop-down list for Platform.
    • Check (tick) Java SE Runtime Environment 6u23 with JavaFX License Agreement box and click on Continue.
    • Click on jre-6u23-windows-i586.exe link to download it and save this to your Desktop.
    • Double-click on jre-6u23-windows-i586.exe to install Java.

    ESET Online Scanner:

    Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

    • Please go here then click on:
      Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
      All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
    • Select the option YES, I accept the Terms of Use then click on:
    • When prompted allow the Add-On/Active X to install.
    • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
    • Now click on Advanced Settings and select the following:
    1. Scan for potentially unwanted applications
    2. Scan for potentially unsafe applications
    3. Enable Anti-Stealth Technology
    • Now click on:
    • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
    • When completed, the Online Scan will begin automatically.
    • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
    • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
    • Now click on:
    • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    • Copy and paste that log as a reply to this topic.

    When completed the above, please post back the following:

    • How is your computer performing now? Any problems encountered and/or any further symptoms?
    • Eset Log.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  6. #26 Junior Member

    Hello!

    My computer has a normal behaviour.


    ESET log:

    ESETSmartInstaller@High as downloader log:
    all ok
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6419
    # api_version=3.0.2
    # EOSSerial=de62a4a7dd427c4bad9f609291b7fa94
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2011-02-10 11:29:09
    # local_time=2011-02-10 12:29:09 (+0100, Paris, Madrid)
    # country="France"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1797 16775141 100 100 269391 72847636 49116 0
    # compatibility_mode=8192 67108863 100 0 4027 4027 0 0
    # scanned=144974
    # found=8
    # cleaned=0
    # scan_time=5021
    C:\System Volume Information\_restore{340C3340-2EBB-4324-859A-C37E85627171}\RP1\A0000008.exe a variant of Win32/Kryptik.KFV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{340C3340-2EBB-4324-859A-C37E85627171}\RP1\A0000027.exe a variant of Win32/Kryptik.KFV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{340C3340-2EBB-4324-859A-C37E85627171}\RP2\A0000052.exe a variant of Win32/Kryptik.KFV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{340C3340-2EBB-4324-859A-C37E85627171}\RP2\A0000077.exe a variant of Win32/Kryptik.KFV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{340C3340-2EBB-4324-859A-C37E85627171}\RP3\A0000101.exe a variant of Win32/Kryptik.KFV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{340C3340-2EBB-4324-859A-C37E85627171}\RP4\A0000224.exe a variant of Win32/Kryptik.KFV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{340C3340-2EBB-4324-859A-C37E85627171}\RP4\A0000253.exe a variant of Win32/Kryptik.KFV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{340C3340-2EBB-4324-859A-C37E85627171}\RP4\A0000254.exe a variant of Win32/Kryptik.KFV trojan (unable to clean) 00000000000000000000000000000000 I
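
Added example, not part of the thread or of ESET's own tooling: a Python parser for the log layout posted above ("# key=value" header lines, then one line per detection) that checks the header count against the detection lines, confirms removal was left switched off as instructed, and separates detections sitting under System Restore points from files on the live system. The sample log is constructed; the GUID and hash are placeholders.

```python
import re
# Constructed sample in the layout of the ESET Online Scanner log posted above:
# "# key=value" header lines, then one line per detection (path, threat, hash, flag).
SAMPLE_LOG = """\
# remove_checked=false
# found=3
# cleaned=0
C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP1\\A0000008.exe a variant of Win32/Kryptik.KFV trojan (unable to clean) 00000000000000000000000000000000 I
C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP2\\A0000052.exe a variant of Win32/Kryptik.KFV trojan (unable to clean) 00000000000000000000000000000000 I
C:\\Documents and Settings\\User\\Local Settings\\Temp\\sample.exe a variant of Win32/Kryptik.KFV trojan (unable to clean) 00000000000000000000000000000000 I
"""
# A detection line ends with a 32-hex-digit hash and a one-token status flag.
TAIL_RE = re.compile(r"^(.+?)\s+([0-9a-fA-F]{32})\s+(\S+)$")
# Files inside a System Restore point are inert unless that point is rolled back.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\", re.I)

def split_detection(line):
    """Return (path, threat, hash, flag) for a detection line, else None."""
    m = TAIL_RE.match(line)
    if not m:
        return None
    prefix, digest, flag = m.groups()
    if "\t" in prefix:                      # a pristine ESET log is tab-separated
        path, _, threat = prefix.partition("\t")
    else:                                   # pasted copy: tabs collapsed to spaces, so
        head, _, tail = prefix.rpartition("\\")   # the path ends with the first token
        name, _, threat = tail.partition(" ")     # after its last backslash (heuristic)
        path = head + "\\" + name
    return path, threat.strip(), digest.lower(), flag

def parse_eset_log(text):
    """Split the log into its header dictionary and a list of detection tuples."""
    meta, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            meta.setdefault(key.strip(), value.strip())  # first of repeated keys wins
        elif line:
            parsed = split_detection(line)
            if parsed:
                detections.append(parsed)
    return meta, detections

def summarize(text):
    """What a helper checks: header count vs. lines, removal left off, anything live."""
    meta, detections = parse_eset_log(text)
    live = [d[0] for d in detections if not RESTORE_RE.search(d[0])]
    return {
        "found": len(detections),
        "count_matches_header": len(detections) == int(meta.get("found", -1)),
        "removal_was_enabled": meta.get("remove_checked") == "true",
        "in_restore_points": len(detections) - len(live),
        "live_files": live,
    }
```

An empty `live_files` list with a non-zero `in_restore_points` is the situation the helper describes next: nothing to clean on the running system, only restore points to flush.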

  7. #27 Dakeyras (Security Expert-Emeritus)

    Hi.

    My computer has a normal behaviour.
    Good.

    What has been detected by the online scan denotes infected System Restore points, which will be addressed during the ComboFix uninstallation procedure (below): it will flush the aforementioned and set a new clean one etc.

    Next:

    Congratulations your computer appears to be malware free!

    Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.

    Importance of Regular System Maintenance:

    I advise you read both of the below listed topics as this will go a long way to keeping your Computer performing well.

    Help! My computer is slow!

    As is this:

    What to do if your Computer is running slowly

    Uninstall ComboFix:

    • Click on Start >> Run...
    • Now type in ComboFix /Uninstall into the Run box and click OK.
    • Note the space between the X and the /Uninstall, it needs to be there.

    Clean up with OTL:

    • Double-click OTL to start the program.
    • Close all other programs apart from OTL as this step will require a reboot.
    • On the OTL main screen, depress the CleanUp button.
    • Say Yes to the prompt and then allow the program to reboot your computer.

    The above process should clean up and remove the vast majority of scanners used and logs created etc. Any left over, merely delete yourself and empty the Recycle Bin.

    Now some advice for on-line safety:

    Malwarebyte's Anti-Malware:

    This is an excellent application and I advise you keep this installed. Check for updates and run a scan once a week.

    Other installed security software:

    Your presently installed security application, Avira AntiVir, automatically checks for updates and downloads/installs them with every system reboot and/or periodically if the machine is left running, providing an internet connection is active.

    I advise you also run a complete scan with this also once per week.

    Erunt:

    Emergency Recovery Utility NT. I advise you keep this installed as a means to keep a complete backup of your registry and restore it when needed.

    Myself, I would actually create a new backup once per week as this, along with System Restore, may prove to be invaluable if something unforeseen occurs!

    Keep your system updated:

    Microsoft releases patches for Windows and other products regularly:


    Be careful when opening attachments and downloading files:

    Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
    Never open emails from unknown senders.
    Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
    Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

    Stop malicious scripts:

    Windows by default allows scripts (that is, VBScript and JavaScript) to run, and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

    Avoid Peer to Peer software:

    P2P may be a great way to get lots of seemingly freeware, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. My advice is avoid these types of software applications.

    Hosts File:

    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your computer will look up the website's IP address before you can view the website.

    Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

    Here are some Hosts files:


    Only use one of the above!

    Install WinPatrol:

    WinPatrol alerts you about possible system hijacks, malware attacks and critical changes made to your computer without your permission.

    Download it from here.

    You can find information about how WinPatrol works here.

    Next:

    This is a very helpful/useful set of advice from Microsoft: Microsoft Online Safety.

    Any questions? Feel free to ask, if not stay safe!
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.
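
Added example, not from the thread or from any of the Hosts file projects linked above: a Python check of a Hosts file that separates names sinkholed to 127.0.0.1 (or 0.0.0.0 / ::1), which is what a blocking Hosts file is meant to do, from names pointed at a reachable address, which is what a hijacked Hosts file looks like and what a tool such as WinPatrol is there to warn about. The sample file content is constructed; `WINDOWS_HOSTS` is the standard Windows location.

```python
import ipaddress
from pathlib import Path

# Where Windows keeps the Hosts file discussed above.
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")
# Targets a blocking Hosts file points names at: the lookup "succeeds" but goes nowhere.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: the stock localhost lines, two blocking entries, and one
# entry of the kind a hijacked Hosts file carries (a real-looking name sent to an
# outside address; 203.0.113.5 is a documentation-only address).
SAMPLE_HOSTS = """\
# comment lines are ignored
127.0.0.1       localhost
::1             localhost
127.0.0.1  ad.tracker.example   # blocked advertisement site
0.0.0.0    spyware.example
203.0.113.5   www.bank.example
"""

def parse_hosts(text):
    """Yield (ip, hostname) per hostname, skipping comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                               # first field is not an address
        for name in parts[1:]:
            yield str(ip), name.lower()

def classify_hosts(text):
    """Sort entries into sinkholed names (the intended use of a blocking Hosts file)
    and names redirected to a reachable address (worth reviewing: a hijacked Hosts
    file looks exactly like that)."""
    blocked, redirected = [], []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue                               # the stock entry, not a block
        if ip in SINKHOLES:
            blocked.append(name)
        else:
            redirected.append((name, ip))
    return {"blocked": blocked, "redirected": redirected}

def classify_hosts_file(path=WINDOWS_HOSTS):
    """Run the same check over the live file (errors="replace" tolerates odd encodings)."""
    return classify_hosts(path.read_text(encoding="utf-8", errors="replace"))
```

A non-empty `redirected` list after installing one of the blocking Hosts files above is the thing to look at, since those files only ever point names at a sinkhole address.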

  8. #28 Junior Member

    Thank you very much for your assistance and your time! Merci beaucoup!

    I followed almost all the instructions in your last message and I am reading the security recommendations.

    I was wondering:
    -How to make sure the USB memory stick I connect to my computer is not infected?
    -Can I download attachments of contacts I know and scan them with malwarebytes before extracting/opening them?


  9. #29 Dakeyras (Security Expert-Emeritus)

    Hi.

    Thank you very much for your assistance and your time! Merci beaucoup!
    You're welcome!

    How to make sure the USB memory stick I connect to my computer is not infected?
    Follow the below advice:-

    Flash Disinfector:

    • Please download Flash_Disinfector and save it to your desktop.
    • Double click to run it.
    • You will be prompted to plug in your flash(USB) drive. Plug it in.
    • Flash_Disinfector will start disinfecting your flash(USB) and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
    • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
    • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

    Next:

    Can I download attachments of contacts I know and scan them with malwarebytes before extracting/opening them?
    Aye, that is perfectly feasible: right-click on the file and select Scan with Malwarebytes' Anti-Malware.

    You could also scan with Avira AntiVir: right-click on the file and select Scan selected files with AntiVir.

    Or you could actually upload the file to be checked by say Jotti's malware scan or VirSCAN for example.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  10. #30 Junior Member

    One more time: thanks for helping efficiently, rapidly and for free.
    Now that my computer is secure, I can transfer some money to Ireland...

