Yes used Mozilla and got to 56% 34 plus infections over 10 hrs scanning...then freeze
Going to try again today
OK...
If it still doesn't work...
Please click HERE to download Kaspersky Virus Removal Tool.
- Double click on the file you just downloaded and let it install.
- It will install to your desktop (be patient; it may take a while).
- Accept license agreement and click "Start" button.
- Click on Settings button
- In Scan scope leave pre-checked items as they are and also checkmark My Computer
- In Actions checkmark Select action: (disinfect; delete if disinfection fails) instead of preselected Prompt on detection
- Click on Automatic Scan tab and then click on Start scanning button.
- Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
- When the scan is done NO log will be produced.
- Click on Report button then on Automatic Scan report tab.
- Right click anywhere within right pane, click Select All then right click again and click Copy.
- This will copy the items that it found to the clipboard. You can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
- You can save this on the desktop.
- Post the contents of the document in your next reply.
Ok no go with last try.
Starting kaspersky...
Still with me?
Yes
..and?
Was having problems with Internet connection...just finished download
Status: Deleted (events: 15)
3/27/2013 9:11:35 PM Deleted Trojan program Trojan.Win32.Pasmu.aaw C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{1477CE23-C4BF-41DB-A9F7-B1EB4130D906} High
3/27/2013 9:11:35 PM Deleted Trojan program Trojan.Win32.Pasmu.aaw C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{1477CE23-C4BF-41DB-A9F7-B1EB4130D906}//UPX High
3/27/2013 9:11:35 PM Deleted Trojan program Trojan.Win32.Pasmu.aaw C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{1477CE23-C4BF-41DB-A9F7-B1EB4130D906}//UPX//PE_Patch.EPProt High
3/27/2013 9:12:16 PM Deleted Trojan program Trojan.Win32.Jorik.Fraud.vb C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{368BE4A0-6498-4D07-9D21-47784D5EA5C1} High
3/27/2013 9:12:25 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{3C4EBC09-D45A-4A20-AED1-4B75A42EC22B} High
3/27/2013 9:14:20 PM Deleted Trojan program Trojan-Dropper.Win32.TDSS.aoea C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{583BD2FB-0FDB-4CFA-8286-6D35F3402750} High
3/27/2013 9:14:36 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{9E688B75-DB09-4ABC-B1FF-C667B677763E} High
3/27/2013 9:15:03 PM Deleted Trojan program Trojan-Dropper.Win32.TDSS.aodz C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{E5310FAE-E2F3-4EB0-90D6-71A6A402C862} High
3/27/2013 9:15:22 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{FB862A6A-8060-44F1-A6F0-1E4493F29466} High
3/29/2013 2:04:48 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Windows.old\Users\admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\2cc07e61-19dc7938 High
3/29/2013 2:04:53 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Windows.old\Users\admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\2cc07e61-43da3eb8 High
3/29/2013 2:04:58 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Windows.old\Users\admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\2cc07e61-4b0bb30b High
3/29/2013 2:05:03 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Windows.old\Users\admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\2cc07e61-6bdd2693 High
3/29/2013 2:05:10 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Windows.old\Users\admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\2cc07e61-76fb94f9 High
3/29/2013 2:05:37 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Windows.old\Users\admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\2cc07e61-77e68de9 High
Status: Quarantined (events: 11)
3/27/2013 9:11:42 PM Quarantined Trojan program HEUR:Trojan.Win32.Generic C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{0C23A1DB-8A68-4AAE-9C79-BEEC98958A96} High
3/27/2013 9:11:51 PM Quarantined Trojan program HEUR:Trojan.Win32.Generic C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{1EFD6F9B-5EC6-4511-8884-F8925E5CB315} High
3/27/2013 9:11:59 PM Quarantined Trojan program HEUR:Trojan.Win32.Generic C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{23CE8304-ECF6-41B4-8CC9-61B04E66E0FF} High
3/27/2013 9:12:08 PM Quarantined Trojan program HEUR:Trojan.Win32.Generic C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{330B9D5C-6329-43D4-8EA7-AEA8C100772E} High
3/27/2013 9:12:34 PM Quarantined Trojan program HEUR:Trojan.Win32.Generic C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{4D3061BA-400A-4ADD-A253-F7D58E280962} High
3/27/2013 9:12:44 PM Quarantined Trojan program HEUR:Trojan.Win32.Generic C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{4FF77CEB-ABD2-417E-A888-6316CE1C5A86} High
3/27/2013 9:14:12 PM Quarantined Trojan program HEUR:Trojan.Win32.Generic C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{53B52F67-28D9-4882-ACCA-CACE7CF832D1} High
3/27/2013 9:14:29 PM Quarantined Trojan program HEUR:Trojan.Win32.Generic C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{670233BC-A180-4BAD-81FB-D475FEFEC98E} High
3/27/2013 9:14:53 PM Quarantined Trojan program HEUR:Trojan.Win32.Generic C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{A4692D94-D5C3-470A-BC86-2EDFDF9822B3} High
3/29/2013 4:26:49 PM Quarantined Trojan program HEUR:Exploit.Script.Generic C:\Windows.old\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YPWL23B6\showthread[1].htm High
3/29/2013 5:50:06 PM Quarantined Trojan program HEUR:Exploit.Script.Generic C:\Windows.old\Windows\System32\config\systemprofile\AppData\Local\Temporary Internet Files\Content.IE5\YPWL23B6\showthread[1].htm High
Status: Clean (events: 2)
3/29/2013 6:33:14 PM Clean Trojan program HEUR:Trojan.Win32.Generic C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{A3A8FA29-0C5F-427D-A2B7-804218C5710A} High
3/29/2013 6:33:14 PM Clean Trojan program HEUR:Trojan.Win32.Generic C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{A3A8FA29-0C5F-427D-A2B7-804218C5710A}//UPX High
Status: Disinfected (events: 3)
3/27/2013 9:14:37 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.bh C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{A89A1112-2194-4210-91EA-AA5DD56A223E} High
3/27/2013 9:14:37 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.bj C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{A89A1112-2194-4210-91EA-AA5DD56A223E}/FactoryService/DefClass.class High
3/27/2013 9:14:37 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.bh C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data\{A89A1112-2194-4210-91EA-AA5DD56A223E}/MessageStack/TemplateMessage.class High
Status: Absent (events: 1)
3/29/2013 7:26:25 PM Not found Trojan program HEUR:Exploit.Script.Generic C:\Windows.old\Windows\System32\config\systemprofile\AppData\Local\Temporary Internet Files\Content.IE5\YPWL23B6\showthread[1].htm High
Very good :)
All those items have been already quarantined by Comodo.
Update Adobe Reader
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions (if present).
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader (3.5 MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.
===============================
Your computer is clean
1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point, using the following OTL script:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following:
Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Post resulting log.
2. Now we'll remove all the tools we used during our cleaning process.
Clean up with OTL:
- Double-click OTL.exe to start the program.
- Close all other programs apart from OTL as this step will require a reboot
- On the OTL main screen, press the CLEANUP button
- Say Yes to the prompt and then allow the program to reboot your computer.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
3. Make sure Windows Updates are current.
4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!
5. Check if your browser plugins are up to date.
Firefox - https://www.mozilla.org/en-US/plugincheck/
other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)
6. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.
7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.
8. Run Temporary File Cleaner (TFC) weekly.
9. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.
10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.
11. (Windows XP only) Run defrag at your convenience.
12. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.
13. Read:
How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tuto...r-safe-online/
14. Please let me know how your computer is doing.
After I finished up with OTL and completed Mal-Bytes (found 1 threat and removed)...my pc completed a restart...and then I got a blue screen with a bunch of text that did not make sense...So I powered down.
Now I am getting "Windows is not a valid copy" on the desktop.
Am I still infected?
Does it say "not valid" or "not genuine"?
"Not genuine"
1) Click the Start button
2) Type: CMD.exe in the start search field
3) Right-Click on CMD.exe and select Run as Administrator
4) Type: net stop sppsvc (it may ask you if you are sure, select yes)
5) Type: cd %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform
6) Type: rename tokens.dat tokens.bar
7) Type: cd %windir%\system32
8) Type: net start sppsvc
9) Type: slui.exe
After a couple of seconds the Windows Activation dialog will appear. You will likely be asked to re-enter your product key and/or re-activate.
Either the key from the COA sticker or the key obtained from Belarc Advisor should work.
Going to download/use BelArc now.
Still the same. Any other suggestions?