PDA

View Full Version : Vireus Removal for Trojan.SwfDL.A


iaustin
2007-07-21, 04:12
I have caught a Trojan and need help desperate help to remove in order to meet my deadline.

The Trojan is...
Trojan.SwfDL.A

I have ZoneAlarm firewall running 24,7 so I really don't know how my computer got the virus.

Any help would be greatly appreciated.



//----- My HihackThis log file ------

Logfile of HijackThis v1.99.1
Scan saved at 10:54:54 PM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CascSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ike\Desktop\a1_clutter\spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: XNetIEObj Class - {1808648B-3102-4293-8AD3-06AF71D3321B} - C:\Program Files\Endeavors\AppExpress\bho_2_5_5_17070\bho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AppExpress Client] "C:\Program Files\Endeavors\AppExpress\eSUser.exe" startslow
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Eceh] "C:\WINDOWS\MCROSO~1\regsvr32.exe" -vt rbnd
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WinMySQLadmin.lnk.disabled
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Dell Control Utility.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: SWF Capture tool - C:\Program Files\Eltima Software\Flash Decompiler\iebt.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126002297648
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137976179364
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intuit.com/commerce/account/downloads/executables/ie/IDA.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AppExpress Client - Unknown owner - C:\Program Files\Endeavors\AppExpress\ece.exe (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Casc'ADSL (CascSvc) - Unknown owner - C:\WINDOWS\system32\CascSvc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


//-----End HijackThis
pskelley
2007-07-21, 17:48
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information. "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I need first to tell you about "deadlines". A volunteer forum, there are no resident helpers, we roam where needed and it can take from an hour or so to four or more days to get an answer, then from a day to weeks at a time to resolve malware issues.
If you have a "deadline" you might be better served with a local technician.

I can say I have looked at the HJT log and this is the only questionable item I can see:
C:\WINDOWS\system32\CascSvc.exe
O23 - Service: Casc'ADSL (CascSvc) - Unknown owner - C:\WINDOWS\system32\CascSvc.exe
Google does not know it: http://www.google.com/search?hl=en&q=CascSvc.exe&btnG=Google+Search
Nor does CastleCops know the service: http://www.castlecops.com/O23.html
While it may be valid, stuff is added faster than we can keep up, it is the only thing I see. There are other questions but not like this one.
You can expedite this by using one or more of these free online scanners to find our what that file is or you can tell me if you know.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
Post the results

The Trojan is...Trojan.SwfDL.A
I need to know the location of that trojan and the name of the program that identified it.

I have ZoneAlarm firewall running 24,7 so I really don't know how my computer got the virus.
Your firewall is only one piece of good layered protection and from my experience rarely how the infection gets in, they usually get in like this:
http://www.theregister.com/2007/05/11/google_malware_map/
http://redtape.msnbc.com/2007/05/the_next_net_th.html
of course that is not the only way it can happen, then once onboard, the hackers do what they wish with your settings, that's why they are call trojans.

Here is the Google on the trojan if you wish to look:
http://www.google.com/search?hl=en&q=Trojan.SwfDL.A&btnG=Google+Search

If your "deadline" gives you the time to do this at a forum, proceed as I mentioned above, if time does not permit this, please let me know so I can close your topic.

Thanks...Phil
iaustin
2007-07-21, 19:54
Thanks for your reply.

Bit Defender is the name of the program that identified the virus. Spybot - even ran in safe mode did not id the trojan.

Ike
pskelley
2007-07-21, 20:01
Thanks Ike for the feedback, not a BitDefender user or fan for that matter but many folks swear by it. What opportunites did BD give you, would it not delete the trojan or at least quarantine it? Did it tell you where it was located on your computer, the pathway to it?

Beyond those questions, this information does nothing to change the post I made.

Thanks...Phil
iaustin
2007-07-21, 20:03
Also, here is the location of the trojan...
C:\Documents and Settings\Ike\Local Settings\Temp\Temporary Internet Files\Content.IE5\K741OTI9\sp2-cydoor-728-2[1].swf=>[SWF command] Infected Trojan.SwfDL.A
iaustin
2007-07-21, 20:04
It could not move the trojan.
pskelley
2007-07-21, 20:12
C:\Documents and Settings\Ike\Local Settings\Temp\Temporary Internet Files\ <<< you can navigate to both folder I highlited in red and delete the contents. (Do not delete the folders)
There may be files that will not delete but the will be old files, the ones you are after are as recent as the infection. Both Temp and Temp Internet Files are designed to be deleted by their nature.

After you clean out those folder, run clean manager.
Clean Manager: http://spyware-free.us/tutorials/cleanmgr/

Now run BitDefender again to see what it reports. I am still concerned about the items I could not identify, do you know what they are.

Thanks
iaustin
2007-07-22, 06:24
Here are the kaspersky scan results.

What a great sanner! It detected 4 infections.

//-------------- results
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, July 31, 2007 1:12:57 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 21/07/2007
Kaspersky Anti-Virus database records: 343532
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 138050
Number of viruses found: 4
Number of infected objects: 7 / 0
Number of suspicious objects: 0
Duration of the scan process: 04:01:44

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\17a12d29c13dbb569611eae07eb1bb10_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e42d374a1b9d31a1d8a801f93ff801f3_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped
C:\Documents and Settings\Ike\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ike\Local Settings\Application Data\ApplicationHistory\NotifyAlert.exe.83a8f8c0.ini.inuse Object is locked skipped
C:\Documents and Settings\Ike\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/hold/07 Jul 2005 12:08 from PayPal:New Security Requirements.html Infected: Trojan-Spy.HTML.Paylap.ev skipped
C:\Documents and Settings\Ike\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/hold/05 Jul 2005 09:27 from PayPal:New Security Requirements.html Infected: Trojan-Spy.HTML.Paylap.ev skipped
C:\Documents and Settings\Ike\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Mail MS Mail: infected - 2 skipped
C:\Documents and Settings\Ike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ike\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Ike\Local Settings\History\History.IE5\MSHist012007073020070731\index.dat Object is locked skipped
C:\Documents and Settings\Ike\Local Settings\Temp\Perflib_Perfdata_cc4.dat Object is locked skipped
C:\Documents and Settings\Ike\Local Settings\Temp\~PST9532.tmp Object is locked skipped
C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ike\ntuser.dat Object is locked skipped
C:\Documents and Settings\Ike\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Inetpub\catalog.wci\00000002.ps1 Object is locked skipped
C:\Inetpub\catalog.wci\00000002.ps2 Object is locked skipped
C:\Inetpub\catalog.wci\00010002.ci Object is locked skipped
C:\Inetpub\catalog.wci\cicat.fid Object is locked skipped
C:\Inetpub\catalog.wci\cicat.hsh Object is locked skipped
C:\Inetpub\catalog.wci\CiCL0001.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiP10000.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiP20000.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiPT0000.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiSL0001.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiSP0000.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiST0000.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiVP0000.000 Object is locked skipped
C:\Inetpub\catalog.wci\INDEX.000 Object is locked skipped
C:\Inetpub\catalog.wci\propstor.bk1 Object is locked skipped
C:\Inetpub\catalog.wci\propstor.bk2 Object is locked skipped
C:\Program Files\DAP\History\Ike\_lasthist.dat Object is locked skipped
C:\Program Files\DAP\Log\DAP_REPORT.LOG Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\00000002.ps1 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\00000002.ps2 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\00010002.ci Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\cicat.fid Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\cicat.hsh Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiCL0001.000 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiP10000.000 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiP20000.000 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiPT0000.000 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiSL0001.000 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiSP0000.000 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiST0000.000 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiVP0000.000 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\INDEX.000 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\propstor.bk1 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\propstor.bk2 Object is locked skipped
C:\Program Files\SBC Self Support Tool\SmartBridge\AlertFilter.log Object is locked skipped
C:\Program Files\SBC Self Support Tool\SmartBridge\log\httpclient.log Object is locked skipped
C:\Program Files\SBC Self Support Tool\SmartBridge\SmartBridge.log Object is locked skipped
C:\Program Files\Softwin\BitDefender8\Quarantine\artAD9.tmp Infected: Trojan-Proxy.Win32.Xorpix.al skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010002.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP256\A0044493.exe Infected: Trojan-Downloader.Win32.PurityScan.be skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP257\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\AUSTIN.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\blautils.exe Infected: Trojan.Win32.Crypt.t skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\ODiag.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\OSession.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\ld.exe Infected: Trojan.Win32.Crypt.t skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\tmp00007a1a\tmp00000000 Object is locked skipped
C:\WINDOWS\Temp\ZLT07997.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT0799b.TMP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
iaustin
2007-07-22, 07:00
I ran cleanmgr as yo suggested now I'm re-running BD. The scan will take a couple of hours so I'll post the result in the morning.

Thanks again for all your help.

I'm hoping giving you a heads up on the length of th BD scan will allow you to better manage you time.

This forum is a BIG help.

Ike
pskelley
2007-07-22, 14:42
Thanks for returning your scan results and your feedback, I apologize:sad: I should have waited until we finished with Kaspersky to have you run your resident antivirus. Please do not post that scan result, I have no need to see it.

Let's see what Kaspersky has to say:
KASPERSKY ONLINE SCANNER REPORT Tuesday, July 31, 2007 1:12:57 AM
Number of viruses found: 4
Number of infected objects: 7 / 0

If you wish to scan any item before you delete it here are free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/


C:\Documents and Settings\Ike\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/hold/07 Jul 2005 12:08 from PayPal:New Security Requirements.html Infected: Trojan-Spy.HTML.Paylap.ev skipped
C:\Documents and Settings\Ike\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/hold/05 Jul 2005 09:27 from PayPal:New Security Requirements.html Infected: Trojan-Spy.HTML.Paylap.ev skipped
C:\Documents and Settings\Ike\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Mail MS Mail: infected - 2 skipped
I don't use Outlook, I will highlite in red what I think is the infected file. You may scan first before you delete if you wish. Kasperky may see something as infected when it is not, which is the reason for the scanner, but this is VERY rare.

C:\Program Files\Softwin\BitDefender8\Quarantine\artAD9.tmp Infected: Trojan-Proxy.Win32.Xorpix.al skipped
Delete that file out of BD quarantine, it can not hard you there but other scanners will see and report it.

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP256\A0044493.exe Infected: Trojan-Downloader.Win32.PurityScan.be skipped
(System Restore, we will clean these before we finish)

C:\WINDOWS\SYSTEM32\blautils.exe Infected: Trojan.Win32.Crypt.t skipped
a problem, Google does not indentify it, a random named trojan of some kind, delete it.

Once finished, run Kaspersky again, it should only show the one (1) System Restore item.

Thanks
iaustin
2007-07-23, 12:37
Here are the results from the latest kap scan.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 01, 2007 7:21:06 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 23/07/2007
Kaspersky Anti-Virus database records: 344008
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 138419
Number of viruses found: 4
Number of infected objects: 8 / 0
Number of suspicious objects: 0
Duration of the scan process: 03:52:31

Infected Object Name / Virus Name / Last Action
C:\!KillBox\artAD9.tmp Infected: Trojan-Proxy.Win32.Xorpix.al skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\17a12d29c13dbb569611eae07eb1bb10_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e42d374a1b9d31a1d8a801f93ff801f3_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped
C:\Documents and Settings\Ike\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ike\Local Settings\Application Data\ApplicationHistory\NotifyAlert.exe.83a8f8c0.ini.inuse Object is locked skipped
C:\Documents and Settings\Ike\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/hold/07 Jul 2005 12:08 from PayPal:New Security Requirements.html Infected: Trojan-Spy.HTML.Paylap.ev skipped
C:\Documents and Settings\Ike\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/hold/05 Jul 2005 09:27 from PayPal:New Security Requirements.html Infected: Trojan-Spy.HTML.Paylap.ev skipped
C:\Documents and Settings\Ike\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Mail MS Mail: infected - 2 skipped
C:\Documents and Settings\Ike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ike\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Ike\Local Settings\Temp\Perflib_Perfdata_cd8.dat Object is locked skipped
C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ike\ntuser.dat Object is locked skipped
C:\Documents and Settings\Ike\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Inetpub\catalog.wci\00000002.ps1 Object is locked skipped
C:\Inetpub\catalog.wci\00000002.ps2 Object is locked skipped
C:\Inetpub\catalog.wci\00010002.ci Object is locked skipped
C:\Inetpub\catalog.wci\cicat.fid Object is locked skipped
C:\Inetpub\catalog.wci\cicat.hsh Object is locked skipped
C:\Inetpub\catalog.wci\CiCL0001.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiP10000.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiP20000.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiPT0000.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiSL0001.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiSP0000.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiST0000.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiVP0000.000 Object is locked skipped
C:\Inetpub\catalog.wci\INDEX.000 Object is locked skipped
C:\Inetpub\catalog.wci\propstor.bk1 Object is locked skipped
C:\Inetpub\catalog.wci\propstor.bk2 Object is locked skipped
C:\Program Files\DAP\History\Ike\_lasthist.dat Object is locked skipped
C:\Program Files\DAP\Log\DAP_REPORT.LOG Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\00000002.ps1 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\00000002.ps2 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\00010002.ci Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\cicat.fid Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\cicat.hsh Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiCL0001.000 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiP10000.000 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiP20000.000 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiPT0000.000 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiSL0001.000 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiSP0000.000 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiST0000.000 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiVP0000.000 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\INDEX.000 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\propstor.bk1 Object is locked skipped
C:\Program Files\Dell\Support\UI\Search\catalog.wci\propstor.bk2 Object is locked skipped
C:\Program Files\SBC Self Support Tool\SmartBridge\AlertFilter.log Object is locked skipped
C:\Program Files\SBC Self Support Tool\SmartBridge\log\httpclient.log Object is locked skipped
C:\Program Files\SBC Self Support Tool\SmartBridge\SmartBridge.log Object is locked skipped
C:\Program Files\Softwin\BitDefender8\Quarantine\artAD9.tmp Infected: Trojan-Proxy.Win32.Xorpix.al skipped
C:\RECYCLER\S-1-5-21-3164941679-1693736371-1378865824-1006\Dc339.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP256\A0044493.exe Infected: Trojan-Downloader.Win32.PurityScan.be skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP258\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\AUSTIN.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\ODiag.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\OSession.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\ld.exe Infected: Trojan.Win32.Crypt.t skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\tmp00007acd\tmp00000000 Object is locked skipped
C:\WINDOWS\Temp\ZLT077ca.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT07a9c.TMP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
pskelley
2007-07-23, 13:27
Appears you have not followed directions for removing the bad stuff I posted after the first Kaspersky run. A new one is Killbox backups you must have downloaded and you also have one in your recycle bin now. Empty the recycle bin. The one in BitDefend quarantine is still there. I will post them again and would appreciate it if you will take the time to delete what I ask.

C:\!KillBox\ <<< Delete this folder

I am not sure which files are infected, you should know, it's on your computer. Possibly the html files?
C:\Documents and Settings\Ike\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/hold/07 Jul 2005 12:08 from PayPal:New Security Requirements.html Infected: Trojan-Spy.HTML.Paylap.ev skipped
C:\Documents and Settings\Ike\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/hold/05 Jul 2005 09:27 from PayPal:New Security Requirements.html Infected: Trojan-Spy.HTML.Paylap.ev skipped
C:\Documents and Settings\Ike\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Mail MS Mail: infected - 2 skipped

Open the quarantine folder and delete the contects.
C:\Program Files\Softwin\BitDefender8\Quarantine\artAD9.tmp Infected: Trojan-Proxy.Win32.Xorpix.al skipped

empty your recycle bin
C:\RECYCLER\S-1-5-21-3164941679-1693736371-1378865824-1006\Dc339.exe Infected: Trojan.Win32.Crypt.t skipped

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP256\A0044493.exe Infected: Trojan-Downloader.Win32.PurityScan.be skipped
Follow these instructions:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx


Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
iaustin
2007-07-24, 05:32
Sorry about that. The virus seems to be gone so something we did was right.

I couldn't remove the C:\Program Files\Softwin\BitDefender8\Quarantine\artAD9.tmp file even is safe mode - In safe mode the file does not appear.

Unless you have a suggestion to remove that particular file, all seems well. I traced it down and removed it from the registry but, it still exists and is viewable in explorer.



Thanks again for all the help.


Ike
iaustin
2007-07-24, 05:40
I may have jumped the gun. I was reviewing our dialog and ran across other files you suggest I remove. See below...

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP256\A0044493.exe Infected: Trojan-Downloader.Win32.PurityScan.be skipped
(System Restore, we will clean these before we finish)
pskelley
2007-07-24, 13:32
I would say there is no good reason for a trojan to remain on your computer in the BitDefender quarantine folder. Short of uninstalling BD, I suggest you contact: http://www.bitdefender.com/site/view/partner-benefits.html
for instructions.

If you followed the directions to clean System Restore in this link:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

The item you mention in your post #14 can no longer exist.

Thanks
iaustin
2007-07-26, 04:31
I'll contact BD about removing the Q file. Thanks again. We can consider this issue resolved.
pskelley
2007-07-31, 17:24
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks...pskelley