Hi slinkykatt,
Welcome to Tech Support Forum!
I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.
OK, let’s do this first.
Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".
Then please exit HijackThis.
NEXT:
Please enable viewing of hidden files as follows:
- Go to My Computer, and click on the "Tools" menu.
- Click "Folder options".
- Select the "View" tab.
- Make sure "Show hidden files and folders" is selected.
- Make sure "Hide extensions for known file types" is unchecked.
- Make sure "Hide protected operating system files (recommended)" is unchecked.
CAUTION: You will see many folders and files which you may not recognize. Most of these folders and files are LEGITIMATE. Please do NOT delete anything you deem suspicious unless you are specifically instructed to do so. To do otherwise may irreparably damage your system.
NEXT:
Using Windows Explorer, please navigate to and delete the following FILES (if they exist):
c:\windows\system32\MSWINF32.DLL
C:\WINDOWS\SYSTEM32\MI1.EXE
NEXT:
Let's run some cleanup and diagnostic scans to make sure we're not leaving anything behind.
Please download CCleaner (freeware) and save it to your desktop:
- Run the CCleaner installer.
- During the installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
- Once installed, run CCleaner and click the Windows tab.
- Select the following:
- Check everything under the Internet Explorer section.
- Check everything under the Windows Explorer section.
- Check everything under the System section.
- Check ONLY Old Prefetch data under the Advanced section.
- Then, click the Applications tab:
- UNCHECK everything there.
- Next, click the Options button, then click the Advanced button:
- UNCHECK: "Only delete files in Windows Temp folders older than 48 hours".
- Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.
CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.
NEXT:
Please do an online scan with Kaspersky Online Scanner:
- Click on Kaspersky Online Scanner.
- You will be prompted to install an ActiveX component from Kaspersky, click Yes.
- The program will launch and then begin downloading the latest definition files.
- Once the files have been downloaded click on Next.
- Now click on Scan Settings.
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database: Extended
- Scan Options: Scan Archives, Scan Mail Bases
- Click OK.
- Now under select a target to scan:
- This program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save Report As button.
- In the File name: field, type kavscan.
- In the Save as type: field, select Text file (*.txt).
- Save the file to your desktop.
- Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.
NEXT:
Please download ComboScan by Deckard and save it to your desktop:
- Close all applications and windows (including this one).
- Double-click on comboscan.exe to run it, and follow the prompts.
- When the scan is complete, a text file will open – ComboScan.txt.
- Copy (Ctrl + A then Ctrl + C) and paste (Ctrl + V) the contents of ComboScan.txt in your next reply.
- A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
- Please attach Supplementary.txt to your post.
Note: Some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.
NEXT:
Please REBOOT your computer normally into Windows and post these logs in your next reply:
- The log from the Kaspersky scan.
- The logs from ComboScan.
Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
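The following is an added example, not part of the original post or of HijackThis itself: a small Python triage that flags the two entry shapes the post asks to fix, an R0/R1 value with nothing after `=` and an O2 BHO listed as `(no file)`. Apart from the two entries quoted in the post, the sample log lines and the `triage` function name are constructed for illustration.

```python
import re

# Constructed sample in HijackThis log-line format. Only the empty R0 entry
# and the "(no file)" BHO come from the post; the rest are made up for contrast.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.com/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
"""

# R0/R1 lines: "<id> - <registry key>,<value name> = <data>"
REG_RE = re.compile(r"^(R[01]) - (.+?),(.+?) =\s*(.*)$")
# O2 lines: "O2 - BHO: <name> - {CLSID} - <file>"
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")


def triage(log_text):
    """Return (entry_id, detail, reason) for entries that reference nothing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REG_RE.match(line)
        if m:
            # Registry value present in the log but with no data after "=".
            if not m.group(4):
                findings.append(
                    (m.group(1), f"{m.group(2)},{m.group(3)}", "empty value"))
            continue
        m = BHO_RE.match(line)
        if m and m.group(3).strip().lower() == "(no file)":
            # BHO CLSID is registered but its file is missing.
            findings.append(("O2", m.group(2), "BHO registered with no file"))
    return findings


if __name__ == "__main__":
    for entry_id, detail, reason in triage(SAMPLE_LOG):
        print(f"{entry_id}: {detail} ({reason})")
```
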