
Thread: win32.downloader (possibly)

  1. #11
    Member (Join Date: Jun 2013; Posts: 31)

    frst, ckscanner and mgadiag logs

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 06-03-2014
    Ran by severin at 2014-03-07 13:41:16 Run:1
    Running from C:\Documents and Settings\severin\Desktop
    Boot Mode: Normal

    ==============================================

    Content of fixlist:
    *****************
    start
    C:\Documents and Settings\severin\My Documents\windows xp service pack 3 setup.exe
    Reboot:
    end

    *****************

    C:\Documents and Settings\severin\My Documents\windows xp service pack 3 setup.exe => Moved successfully.


    The system needed a reboot.

    ==== End of Fixlog ====

    CKScanner 2.4 - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.RP.11.AQNACZ
    ----- EOF -----

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Genuine
    Validation Code: 0
    Cached Validation Code: N/A
    Windows Product Key: *****-*****-xxxx-xxxx-xxxx
    Windows Product Key Hash: PU76jsiLPzTlYR2WZajTz8kIpWM=
    Windows Product ID: 55277-OEM-2162343-84733
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 5.1.2600.2.00010300.3.0.hom
    ID: {58161C3A-D15F-40CB-B164-1ADF0309C975}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.7.69.2
    Signed By: Microsoft
    Product Name: N/A
    Architecture: N/A
    Build lab: N/A
    TTS Error: N/A
    Validation Diagnostic: 025D1FF3-230-1
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A
    Version: N/A

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Project Professional 2007 - 100 Genuine
    Microsoft Office Home and Student 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE; Win32)
    Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{58161C3A-D15F-40CB-B164-1ADF0309C975}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.3.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-28GX3</PKey><PID>55277-OEM-2162343-84733</PID><PIDType>3</PIDType><SID>S-1-5-21-1844237615-1957994488-682003330</SID><SYSTEM><Manufacturer>DIXONSXP</Manufacturer><Model>DIXONSXP</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="2"/><Date>20060316000000.000000+000</Date></BIOS><HWID>6EEA3C5F0184C06C</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-003B-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Project Professional 2007</Name><Ver>12</Ver><Val>7564465DF09A586</Val><Hash>cSrIbQ0wa/18+rZMTIzL6VoYkNo=</Hash><Pid>89403-707-3154825-63260</Pid><PidType>14</PidType></Product><Product GUID="{91120000-002F-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Home and Student 2007</Name><Ver>12</Ver><Val>14357225E6D5720</Val><Hash>98wA5p/RqnV5CgMNq8KJAKPrnq4=</Hash><Pid>81602-912-2012691-68001</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="3A" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

    Licensing Data-->
    N/A

    Windows Activation Technologies-->
    N/A

    HWID Data-->
    N/A

    OEM Activation 1.0 Data-->
    BIOS string matches: yes
    Marker string from BIOS: 1005A:Dixons Stores Group
    Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

    OEM Activation 2.0 Data-->
    N/A

  2. #12
    Juliet, Security Expert-emeritus (Join Date: Feb 2007; Location: Deep South; Posts: 4,084)

    Looks good.

    How is it behaving today?
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  3. #13
    Member (Join Date: Jun 2013; Posts: 31)

    hi

    Looking good now. I think moving that infected file has helped, as I think the hard disk has finally stopped thrashing periodically. A few posts ago I did a Spybot scan again and got 16 entries, and the hard disk still seemed to be thrashing every so often; most, I think, were browser cache, and those two that I mentioned in the first post are still there. I think I can put the others down to the fact that I didn't block tracking cookies in Spybot. Shall I do another Spybot scan?

  4. #14
    Juliet, Security Expert-emeritus (Join Date: Feb 2007; Location: Deep South; Posts: 4,084)

    You can allow it to do another scan; if you can, give me a name or a file path so I can examine it.

  5. #15
    Member (Join Date: Jun 2013; Posts: 31)

    Hi there again Juliet

    Right, done another 2 scans. The 1st came up with 14 entries, which were browser cache, cookies and a few other bits and pieces that I cannot recall. On the 2nd scan, I am once again left with the same two entries: 1, drivers installation paths, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources (is not), threat: low (green), category: tracks, rule #: 1E4E2003
    2, browser: cache (1), Internet Explorer (User) (severin), threat: low (green, slightly lower than above), category: browser, rule #: 49804B54

    I notice that the hard disk does not seem to be thrashing at the moment, but when I run spybot it does seem to every so often. I would expect this from an intensive scan, so is it right? I also notice the browser cache has gone again and the program list from the start menu has disappeared again, not during, but after spybot has run. Is this also right? I have had no further reports of virtual memory running out.

    Cheers

  6. #16
    Juliet, Security Expert-emeritus (Join Date: Feb 2007; Location: Deep South; Posts: 4,084)

    I really can't say.
    It might be that you have it set to the highest security levels; maybe changing some of these recording events would be less alarming?

    Are you ready to remove tools and quarantine folders and review a few preventive tips?
    Last edited by Juliet; 2014-03-09 at 04:13. Reason: typo

  7. #17
    Member (Join Date: Jun 2013; Posts: 31)

    hi

    sure am

  8. #18
    Juliet, Security Expert-emeritus (Join Date: Feb 2007; Location: Deep South; Posts: 4,084)

    Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select Copy.
    Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

    Run FRST/FRST64 and press the Fix button just once and wait.
    No need to post the log this time.
    start
    DeleteQuarantine:
    end
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    1. Download Delfix from here
    2. Ensure Remove disinfection tools is ticked
      Also tick:
      • Create registry backup
      • Purge system restore


    3. Click Run


    Any other remaining tools and folders can simply be deleted.



    You're good to go, good job!

    Please take the time to read over a few of my preventive tips.

    Computer Security
    http://malwareremoval.com/forum/view...557960#p557960
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Be prepared for CryptoLocker:

    Cryptolocker Ransomware: What You Need To Know

    CryptoLocker Ransomware Information Guide and FAQ

    To help protect your computer in the future I recommend that you get the following free programmes:

    CryptoPrevent: install this programme to lock down and prevent crypto ransomware.



    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.


    Firefox 3
    The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 3 adds powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
    *NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

    AdblockPlus
    • AdblockPlus, Surf the web without annoying ads!
    • Blocks banners, pop-ups and video ads - even on Facebook and YouTube
    • Protects your online privacy
    • Two-click installation, It's free!
    • click the icon that corresponds to your browser and download.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    WOT Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.
    • Green should be good to go
    • Yellow for caution
    • Red to stop




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    How to prevent Malware: Created by Miekiemoes


    WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
    See this article (http://www.forbes.com/sites/eliseack...-disable-java/
    and this article (http://www.nbcnews.com/technology/te...late-1B7938755

    I would recommend that you completely uninstall Java unless you need it to run an important software.
    In that instance I would recommend that you disable Java in your browsers until you need it for that software, and then enable it. (See How to disable Java in your web browser (http://www.geekstogo.com/2600/how-to...r-web-browser/) and How to unplug Java from the browser (http://krebsonsecurity.com/how-to-un...m-the-browser/).)


    Avoid P2P

    P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well.

    Please read these short reports on the dangers of peer-2-peer programs and file sharing.

    *********************************************
    Please read the following safe computing articles..

    Secure My Computer: A Layered Approach


    Free Antivirus-AntiSpyware-Firewall Software

    Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  9. #19
    Juliet, Security Expert-emeritus (Join Date: Feb 2007; Location: Deep South; Posts: 4,084)

    Glad we could help.

    Since this issue appears resolved ... this Topic is closed.
