How to make sure I won't reinfect from my backups



Post by shelschneider on 18th January 2010, 7:58 pm

I previously posted here because I had been infected with multiple viruses and trojans. I have wiped everything, formatted and reinstalled Windows XP.

I'm wary of restoring my backups. Is there a safe way to check my external drive for the viruses and trojans before I restore? The backups are saved as zip files.

If it matters, I am now running a dual boot system with Windows XP and Ubuntu Linux. I can access the external drive from Linux.

Thanks for any help you can give.

shelschneider (Novice; Posts: 17; Joined: 2009-05-18; OS: XP)
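The original question (how to check zip backups on the external drive from the Ubuntu side before restoring them) is never answered directly in the thread. The following is an added example, not code from the thread or from any tool it mentions: it inspects each archive without extracting it, flags members that deserve a second look (executables, double extensions such as photo.jpg.exe, autorun.inf, and entries that would escape the extraction directory), records a SHA-256 per flagged member so it can be looked up on a multi-engine scanner without restoring it, and hands the whole tree to clamscan if ClamAV is installed. The mount point ROOT and the sample archive are assumptions made for the example.

```python
"""Triage zip backups on a mounted external drive before restoring them.

Added example; not code from the thread or from any tool named in it.
Assumed: the external drive is mounted on the Ubuntu side at ROOT (change
it to match your mount point) and, optionally, ClamAV is installed so that
`clamscan` is on PATH.
"""
import hashlib
import os
import shutil
import subprocess
import tempfile
import zipfile

ROOT = "/media/backup"  # assumption: where the external drive is mounted

# Member types worth a second look in a backup taken from an infected box.
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
             ".vbs", ".js", ".hta", ".dll", ".sys"}
RISKY_NAMES = {"autorun.inf"}


def classify_member(name):
    """Return why a zip member is risky, or None if it looks benign."""
    parts = name.replace("\\", "/").split("/")
    base = parts[-1].lower()
    if base in RISKY_NAMES:
        return "autorun file"
    stem, ext = os.path.splitext(base)
    if ext in RISKY_EXT:
        # photo.jpg.exe: an executable hiding behind a document extension
        if os.path.splitext(stem)[1]:
            return "executable with double extension"
        return "executable"
    if name.startswith("/") or ".." in parts:
        return "path traversal on extract"
    return None


def triage_zip(path):
    """Inspect one archive without extracting it.

    Returns a list of (member, reason, sha256) tuples; the hash lets you
    look the member up on a multi-engine scanner without restoring it.
    """
    findings = []
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_member(info.filename)
            if reason is None:
                continue
            with zf.open(info) as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            findings.append((info.filename, reason, digest))
    return findings


def walk_backups(root):
    """Map every .zip under root to its findings; corrupt zips are flagged too."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(".zip"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                report[path] = triage_zip(path)
            except zipfile.BadZipFile:
                report[path] = [(fn, "not a valid zip archive", "")]
    return report


def clamscan_command(root):
    """clamscan invocation that descends into archives and reports only hits."""
    return ["clamscan", "-r", "--infected", "--scan-archive=yes", root]


def run_clamscan(root):
    """Run clamscan if installed; return its exit code, or None if it is absent."""
    if shutil.which("clamscan") is None:
        return None
    return subprocess.call(clamscan_command(root))


def build_sample_zip(directory=None):
    """Constructed test data: one benign file plus three members that should be flagged."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "Drive_D_backup.zip")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("Documents/notes.txt", "grocery list\n")
        zf.writestr("Downloads/photo.jpg.exe", b"MZ" + b"\x00" * 64)  # fake PE stub
        zf.writestr("autorun.inf", "[autorun]\nopen=photo.jpg.exe\n")
        zf.writestr("../evil.txt", "would land outside the extract dir\n")
    return path


if __name__ == "__main__":
    for archive, findings in sorted(walk_backups(ROOT).items()):
        for member, reason, digest in findings:
            print(f"{archive}: {member} [{reason}] sha256={digest}")
    code = run_clamscan(ROOT)
    print("clamscan not installed" if code is None else f"clamscan exit code {code}")
```

Two caveats a practitioner would want: the extension check only catches the obvious cases, so treat a clean triage as a reason to still scan, not as a verdict; and clamscan stops descending into archives past its size limits (`--max-filesize` and `--max-scansize`), so a very large backup zip, like the one that stalled the online scan later in this thread, may need those raised or the archive extracted to a scratch directory and scanned there.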

Re: How to make sure I won't reinfect from my backups

Post by Dr Jay on 19th January 2010, 10:17 am

Hello.

Please visit this webpage for instructions for downloading and running ComboFix:


Post the log from ComboFix when you've accomplished that.


Dr. Jay (DJ)


Dr Jay (Head Administrator; Posts: 13743; Joined: 2009-09-06; OS: Windows 10 Home & Pro; Protection: Bitdefender Total Security)

Re: How to make sure I won't reinfect from my backups

Post by shelschneider on 20th January 2010, 11:46 pm

DragonMaster Jay wrote:
> Hello.
>
> Please visit this webpage for instructions for downloading and running ComboFix:
>
> Post the log from ComboFix when you've accomplished that.

I did this with my external drive plugged in. I'm not sure if it accessed that drive or not. I assume it did, but I don't know.

Anyway, here is the log:

ComboFix 10-01-18.03 - Michelle Schneider 01/20/2010 18:20:58.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.479.266 [GMT -5:00]

Running from: c:\documents and settings\Michelle Schneider\Desktop\ComboFix.exe

.



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.



Infected copy of c:\windows\system32\qmgr.dll was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\qmgr.dll



.

((((((((((((((((((((((((( Files Created from 2009-12-20 to 2010-01-20 )))))))))))))))))))))))))))))))

.



2010-01-21 03:32 . 2010-01-21 03:32 0 ----a-w- c:\windows\nsreg.dat

2010-01-21 03:32 . 2010-01-21 03:32 -------- d-----w- c:\documents and settings\Michelle Schneider\Local Settings\Application Data\Mozilla

2010-01-20 22:43 . 2010-01-20 22:43 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-20 22:43 . 2010-01-20 22:43 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0

2010-01-20 22:43 . 2010-01-20 22:43 -------- d-----w- c:\program files\Common Files\InstallShield

2010-01-20 22:43 . 2010-01-13 15:30 4199784 ----a-w- c:\windows\system32\cdintf400.dll

2010-01-20 22:43 . 2010-01-13 15:27 26472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\Hab\Custom\billmind.exe

2010-01-20 22:43 . 2010-01-13 15:27 26472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\Deluxe\Custom\billmind.exe

2010-01-20 22:43 . 2010-01-13 15:27 26472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\RPM\Custom\billmind.exe

2010-01-20 22:43 . 2010-01-13 15:27 26472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\Premier\Custom\billmind.exe

2010-01-20 22:43 . 2010-01-20 22:43 -------- d-----w- c:\program files\Common Files\Intuit

2010-01-20 22:42 . 2010-01-20 22:43 -------- d-----w- c:\program files\Quicken

2010-01-20 22:42 . 2010-01-20 22:42 -------- d-----w- c:\documents and settings\Michelle Schneider\Application Data\Intuit

2010-01-20 22:38 . 2010-01-20 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit

2010-01-19 21:26 . 2010-01-19 21:26 -------- d-----w- c:\documents and settings\Michelle Schneider\Application Data\Malwarebytes

2010-01-19 21:26 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-19 21:26 . 2010-01-19 21:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-19 21:26 . 2010-01-19 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-01-19 21:26 . 2009-12-30 19:54 18520 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-19 21:24 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-01-19 21:24 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-01-19 21:24 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-01-19 21:24 . 2010-01-19 21:24 -------- d-----w- c:\program files\Avira

2010-01-19 21:24 . 2010-01-19 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-01-19 21:10 . 2001-08-17 19:03 21760 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

2010-01-19 16:46 . 2010-01-19 16:46 -------- d-----w- c:\documents and settings\Michelle Schneider\Application Data\HP

2010-01-19 16:45 . 2010-01-19 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\HP

2010-01-19 16:44 . 2010-01-19 16:45 -------- d-----w- c:\program files\Common Files\HP

2010-01-19 16:43 . 2010-01-19 16:43 -------- d-----w- c:\program files\Hewlett-Packard

2010-01-19 16:43 . 2010-01-19 16:43 -------- d-----w- c:\program files\Common Files\Hewlett-Packard

2010-01-19 16:42 . 2006-04-12 10:04 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys

2010-01-19 16:42 . 2006-04-12 10:04 49664 ----a-r- c:\windows\system32\drivers\HPZid412.sys

2010-01-19 16:42 . 2006-01-03 17:12 77824 ----a-r- c:\windows\system32\HPZIDS01.dll

2010-01-19 16:41 . 2006-04-10 19:03 48128 ----a-w- c:\windows\system32\hpzll054.dll

2010-01-19 16:41 . 2006-04-10 19:02 74240 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp054.dll

2010-01-19 16:41 . 2001-08-17 18:53 13824 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2010-01-19 16:41 . 2001-08-17 18:53 13824 ----a-w- c:\windows\system32\drivers\usbscan.sys

2010-01-19 16:41 . 2006-03-04 02:03 282680 ----a-w- c:\windows\system32\HPZidr12.dll

2010-01-19 16:41 . 2006-03-04 02:03 65536 ----a-w- c:\windows\system32\HPZinw12.exe

2010-01-19 16:41 . 2006-03-04 02:03 69632 ----a-w- c:\windows\system32\HPZipm12.exe

2010-01-19 16:41 . 2006-03-04 02:02 204800 ----a-w- c:\windows\system32\HPZipr12.dll

2010-01-19 16:41 . 2006-03-04 02:02 94208 ----a-w- c:\windows\system32\HPZipt12.dll

2010-01-19 16:41 . 2006-03-04 02:02 57344 ----a-w- c:\windows\system32\HPZisn12.dll

2010-01-19 16:41 . 1998-10-29 21:45 306688 ----a-w- c:\windows\IsUninst.exe

2010-01-19 16:40 . 2010-01-19 16:45 -------- d-----w- c:\program files\HP

2010-01-19 16:38 . 2010-01-19 16:46 117681 ----a-w- c:\windows\hpoins11.dat

2010-01-19 16:38 . 2010-01-19 16:38 12720 ----a-w- c:\documents and settings\Michelle Schneider\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-01-19 16:37 . 2010-01-19 16:37 -------- d-s---w- c:\windows\system32\Microsoft

2010-01-19 16:36 . 2001-08-18 03:24 50944 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys

2010-01-19 16:36 . 2001-08-18 03:24 50944 ----a-w- c:\windows\system32\drivers\i8042prt.sys

2010-01-19 16:36 . 2001-08-17 18:47 22016 -c--a-w- c:\windows\system32\dllcache\mouclass.sys

2010-01-19 16:36 . 2001-08-17 18:47 22016 ----a-w- c:\windows\system32\drivers\mouclass.sys

2010-01-19 16:36 . 2008-12-20 00:08 27784 ----a-w- c:\windows\system32\drivers\point32.sys

2010-01-19 16:36 . 2010-01-19 16:36 -------- dc----w- c:\windows\system32\DRVSTORE

2010-01-19 16:36 . 2010-01-19 16:36 -------- d-----w- c:\program files\Microsoft IntelliPoint

2010-01-19 16:34 . 2010-01-19 16:34 -------- d-----w- c:\program files\MSXML 6.0

2010-01-19 16:32 . 2001-08-17 19:00 24832 -c--a-w- c:\windows\system32\dllcache\usbprint.sys

2010-01-19 16:32 . 2001-08-17 19:00 24832 ----a-w- c:\windows\system32\drivers\usbprint.sys



.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-18 17:28 . 2010-01-18 17:28 -------- d-----w- c:\program files\microsoft frontpage

2010-01-18 17:27 . 2010-01-18 17:27 70691 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat

2010-01-18 17:25 . 2010-01-18 17:25 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2010-01-13 15:29 . 2010-01-13 15:29 1721784 ----a-w- c:\windows\system32\inetclnt.dll

2010-01-13 15:26 . 2010-01-13 15:26 91 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\Pnf\Pas\reg.bat

.



(((((((((((((((((((((((((((((                                    )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-01-20 23:16 . 2010-01-20 23:16 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2010-01-18 17:30 . 2010-01-21 03:27 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2010-01-18 17:30 . 2010-01-20 23:12 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2010-01-18 17:30 . 2010-01-21 03:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2010-01-20 23:16 . 2010-01-20 23:12 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2010-01-18 17:30 . 2010-01-21 03:27 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2001-08-02 1077277]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]



c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]



R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [1/19/2010 4:24 PM 22360]

R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [1/19/2010 4:24 PM 45416]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/19/2010 4:24 PM 108289]

.

Contents of the 'Scheduled Tasks' folder



2010-01-19 c:\windows\Tasks\WebReg Deskjet F300 series.job

- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-02-19 10:09]

.

.

------- Supplementary Scan -------

.

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

FF - ProfilePath - c:\documents and settings\Michelle Schneider\Application Data\Mozilla\Firefox\Profiles\ieuy1xdg.default\

.



**************************************************************************



catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer

Rootkit scan 2010-01-20 18:25

Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0



**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------



- - - - - - - > 'winlogon.exe'(500)

c:\windows\system32\ODBC32.dll



- - - - - - - > 'lsass.exe'(556)

c:\windows\System32\dssenh.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

c:\program files\Microsoft IntelliPoint\dpupdchk.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

.

**************************************************************************

.

Completion time: 2010-01-20 18:26:19 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-20 23:26



Pre-Run: 38,217,207,808 bytes free

Post-Run: 38,193,963,008 bytes free



- - End Of File - - 35CC25F067CC327F59D2A61809239CE0


Re: How to make sure I won't reinfect from my backups

Post by Dr Jay on 21st January 2010, 12:48 am

Please download Malwarebytes Anti-Malware.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Re: How to make sure I won't reinfect from my backups

Post by shelschneider on 21st January 2010, 4:24 am

Here is my Malwarebytes log.

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600
Internet Explorer 6.0.2600.0000

1/21/2010 4:25:42 AM
mbam-log-2010-01-21 (04-25-42).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 161431
Time elapsed: 2 hour(s), 54 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{A8D34CA1-F794-485D-83C0-3E734C9C45B2}\RP6\A0000247.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A8D34CA1-F794-485D-83C0-3E734C9C45B2}\RP6\A0000301.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A8D34CA1-F794-485D-83C0-3E734C9C45B2}\RP6\A0000388.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A8D34CA1-F794-485D-83C0-3E734C9C45B2}\RP6\A0000458.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A8D34CA1-F794-485D-83C0-3E734C9C45B2}\RP6\A0000608.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A8D34CA1-F794-485D-83C0-3E734C9C45B2}\RP6\A0000759.sys (Malware.Trace) -> Quarantined and deleted successfully.
F:\Drive_D_backup\____Downloads___\FlashMute_2.exe (Adware.BetterInternet) -> Quarantined and deleted successfully.



Last edited by shelschneider on 21st January 2010, 4:31 am; edited 1 time in total (Reason for editing : I edited my reply because I saved the log too early and posted the contents of the wrong log. This is the log after the files were quarantined.)


Re: How to make sure I won't reinfect from my backups

Post by Dr Jay on 21st January 2010, 11:20 pm

Please download the latest version of Kaspersky GetSystemInfo (GSI) and save it to your Desktop.
Please close all other applications running on your system.

Please double-click GetSystemInfo.exe to open it.

Click the Settings button.

Set it to Maximum.

IMPORTANT! Then please click Customize, choose the Driver / Ports tab and uncheck Scan Ports.

Click Create Report to run it.

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to the GSI Parser site and click the Submit button.

Please copy and paste the url of the GSI Parser report (not the log) in your next reply.



Re: How to make sure I won't reinfect from my backups

Post by shelschneider on 22nd January 2010, 4:38 am

I hope this is the url you need. I didn't see anything that said "report". This is the summary page that came up after I clicked submit.



Re: How to make sure I won't reinfect from my backups

Post by Dr Jay on 22nd January 2010, 6:24 pm


  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:


    • C:\WINDOWS\system32\ntkrnlpa.exe


  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste it in your next reply.

==

Please run the ActiveScan online scan.

  • Click the big green Scan now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Once the scan is completed, please hit the notepad icon next to the text Export to:
  • Save it to a convenient location such as your Desktop
  • Post the contents of the ActiveScan.txt in your next reply



Re: How to make sure I won't reinfect from my backups

Post by shelschneider on 24th January 2010, 2:51 am

VirSCAN.org Scanned Report :

Scanned time : 2010/01/23 10:28:33 (CST)

Scanner results: Scanners did not find malware!

File Name : ntkrnlpa.exe

File Size : 1896704 byte

File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit

MD5 : 46e2e3dcf54b819cfb2ebfe48a22b5c9

SHA1 : 80a258f3a25e1660016cdd0dbe304494edc03100




Scanner      Engine Ver          Sig Ver               Sig Date    Time  Scan result
a-squared    4.5.0.8             20100123040135        2010-01-23  5.42  -
AhnLab V3    2010.01.22.03       2010.01.22            2010-01-22  1.45  -
AntiVir      8.2.1.150           7.10.3.62             2010-01-22  0.19  -
Antiy        2.0.18              20100122.3738848      2010-01-22  0.02  -
Arcavir      2009                201001221858          2010-01-22  0.67  -
Authentium   5.1.1               201001221746          2010-01-22  3.68  -
AVAST!       4.7.4               100122-0              2010-01-22  0.12  -
AVG          8.5.720             271.1.1/2639          2010-01-23  0.30  -
BitDefender  7.81008.4896038     7.30010               2010-01-23  4.27  -
CA (VET)     35.1.0              7253                  2010-01-21  5.72  -
ClamAV       0.95.2              10326                 2010-01-23  0.33  -
Comodo       3.13.579            3409                  2010-01-22  0.91  -
CP Secure    1.3.0.5             2010.01.22            2010-01-22  0.51  -
Dr.Web       4.44.0.9170         0004.00.00            0004-00-00  9.08  -
F-Prot       4.4.4.56            20100122              2010-01-22  3.56  -
F-Secure     7.02.73807          2010.01.22.15         2010-01-22  0.20  -
Fortinet     11.406-             11.406                2010-01-22  0.22  -
GData        19.10090/19.694     20100123              2010-01-23  5.92  -
ViRobot      20100122            2010.01.22            2010-01-22  0.43  -
Ikarus       T3.1.01.80          2010.01.22.75020      2010-01-22  6.74  -
JiangMin     13.0.900            2010.01.22            2010-01-22  5.59  -
Kaspersky    5.5.10              2010.01.22            2010-01-22  0.07  -
KingSoft     2009.2.5.15         2010.1.22.22          2010-01-22  0.62  -
McAfee       5.3.00              5869                  2010-01-22  3.48  -
Microsoft    1.5405              2010.01.23            2010-01-23  6.92  -
Norman       6.01.09             6.01.00               2010-01-16  4.00  -
Panda        9.05.01             2010.01.21            2010-01-21  0.62  -
Trend Micro  9.120-1004          6.796.09              2010-01-22  0.07  -
Quick Heal   10.00               2010.01.21            2010-01-21  2.08  -
Rising       20.0                22.31.04.04           2010-01-22  1.04  -
Sophos       3.03.0              4.49                  2010-01-23  3.21  -
Sunbelt      3.9.2392.2          5631                  2010-01-21  2.43  -
Symantec     1.3.0.24            20100112.005          2010-01-12  0.00  -
nProtect     20100122.01         6971919               2010-01-22  7.48  -
The Hacker   6.5.0.9             v00159                2010-01-22  1.06  -
VBA32        3.12.12.1           20100121.1001         2010-01-21  2.95  -
VirusBuster  4.5.11.10           10.119.17/1987830     2010-01-23  6.50  -

ActiveScan.txt

I tried 3 times to scan with my removable drive plugged in. It took over 4 hours each time, but never completed. It kept getting stuck on one backup file. I unplugged the removable drive and the scan completed. The result is below.


;***********************************************************************************************************************************************************************************

ANALYSIS: 2010-01-24 02:41:07

PROTECTIONS: 0

MALWARE: 4

SUSPECTS: 0

;***********************************************************************************************************************************************************************************

PROTECTIONS

Description Version Active Updated

;===================================================================================================================================================================================

;===================================================================================================================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===================================================================================================================================================================================

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\michelle schneider\cookies\michelle schneider@atdmt[1].txt

00167753 Cookie/Statcounter TrackingCookie No 0 Yes No c:\documents and settings\michelle schneider\cookies\michelle schneider@statcounter[2].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\documents and settings\michelle schneider\cookies\michelle schneider@questionmarket[2].txt

05898765 Trj/Nabload.DPS Virus/Trojan No 0 No No c:\documents and settings\michelle schneider\desktop\combofix.exe[32788r22fwjfw\catchme.cfxxe]

05898765 Trj/Nabload.DPS Virus/Trojan No 0 No No c:\system volume information\_restore{a8d34ca1-f794-485d-83c0-3e734c9c45b2}\rp6\a0000288.exe[32788r22fwjfw\catchme.cfxxe]

05898765 Trj/Nabload.DPS Virus/Trojan No 0 No No c:\system volume information\_restore{a8d34ca1-f794-485d-83c0-3e734c9c45b2}\rp6\a0000511.exe[32788r22fwjfw\catchme.cfxxe]

05898765 Trj/Nabload.DPS Virus/Trojan No 0 Yes No c:\combofix\catchme.tmp

;===================================================================================================================================================================================

SUSPECTS

Sent Location

;===================================================================================================================================================================================

;===================================================================================================================================================================================

VULNERABILITIES

Id Severity Description

;===================================================================================================================================================================================

;===================================================================================================================================================================================



Re: How to make sure I won't reinfect from my backups

Post by Dr Jay on 24th January 2010, 4:02 am

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE

You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The system will do some calculation and then display a dialogue box with tabs.
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button click this
  • Accept the warning and select OK again; the program will close and you are done.


To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download TFC to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


==

Download Security Check by screen317.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Re: How to make sure I won't reinfect from my backups

Post by shelschneider on 24th January 2010, 11:31 pm

Results of screen317's Security Check version 0.99.1

Windows XP

Out of date service pack!!

``````````````````````````````

Antivirus/Firewall Check:


Windows Security Center service is not running! This report may not be accurate!

Avira AntiVir Personal - Free Antivirus

Avira updated!

``````````````````````````````

Anti-malware/Other Utilities Check:


Adobe Flash Player 10

``````````````````````````````

Process Check:

objlist.exe by Laurent


Avira Antivir avgnt.exe

Avira Antivir avguard.exe

``````````````````````````````

DNS Vulnerability Check:


Unknown. This method cannot test your vulnerability to DNS cache poisoning.



`````````End of Log```````````


Re: How to make sure I won't reinfect from my backups

Post by Dr Jay on 25th January 2010, 2:37 am

Please install Service Pack 1a for Windows XP.

Please upgrade to Windows XP Service Pack 2. It is probably the most important security update ever released for Windows.
Please download it from Microsoft.
Without this service pack, I can almost guarantee that you will get infected again. Service packs are service releases for the Windows operating system. While all service packs are important, Service Pack 2 is especially essential because of the many “holes” that are fixed by its installation.

==

Please upgrade to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides, you may not have. It is now available for download.

==

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Firewall

  • [You must be registered and logged in to see this link.]: the free version is just as good as the premium. I have linked you to the free version.
  • [You must be registered and logged in to see this link.]: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40%. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  • [You must be registered and logged in to see this link.]: free and excellent firewall.


AntiSpyware

  • [You must be registered and logged in to see this link.]
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found [You must be registered and logged in to see this link.].
  • [You must be registered and logged in to see this link.].
    Spybot - Search & Destroy is a spyware and adware removal program. It also has real-time protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot.)


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money, and some malware actually claims to be a security program. If you get a popup for a security program that you did not install yourself, do NOT click on it, and ask for help immediately. It is very important to run an antivirus and a firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure about an anti-spyware program you are considering, you can find out whether it is a rogue here:
[You must be registered and logged in to see this link.]

Securing your computer

  • [You must be registered and logged in to see this link.] - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • [You must be registered and logged in to see this link.] replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:


See [You must be registered and logged in to see this link.] for more info about malware and prevention.

Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?


Dr. Jay (DJ)


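The HOSTS-file recommendation in the post above works because Windows consults that file before DNS, so a name mapped to 127.0.0.1 (or 0.0.0.0) never leaves the machine. The same mechanism cuts both ways: malware of that era routinely rewrote HOSTS to point antivirus and Windows Update hostnames at an attacker address, so a HOSTS file is worth auditing in both directions before trusting it. The script below is an added example, not code from the post or from any of the tools it links. It parses a HOSTS file, separates names sink-holed to loopback from names mapped to a routable address, and reports the latter for review. The sample file embedded in it is constructed for the example (reserved .example names and a TEST-NET address); the mount path in the usage comment assumes the XP partition is mounted under Ubuntu and is only a guess at where it would sit.

```python
"""Audit a HOSTS file offline: list the hostnames it sink-holes to the
loopback/unspecified address (the blocklist behaviour the post describes)
and flag any hostname it points at a routable address instead."""
import ipaddress
import sys
from typing import Dict, List, Tuple

# Constructed sample for this example (not a real file): the stock
# localhost lines, a few blocklist-style entries, and two lines that send
# update hostnames to a remote address, which is what a hijacked HOSTS
# file looks like. Hostnames use reserved .example names.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries added by a blocklist HOSTS file
127.0.0.1  ads.example.com
127.0.0.1  banner.example.org    # trailing comment
0.0.0.0    tracker.example.net
# entries no blocklist would add: routable address for update hosts
198.51.100.23  updates.antivirus.example
198.51.100.23  windowsupdate.example download.windowsupdate.example
"""

Entry = Tuple[str, List[str]]


def parse_hosts(text: str) -> List[Entry]:
    """Return (address, [hostnames]) per data line; comments and blanks are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # malformed line, maps nothing
        entries.append((fields[0], [h.lower() for h in fields[1:]]))
    return entries


def classify(entries: List[Entry]) -> Dict[str, list]:
    """Split entries into sink-holed names, routable overrides and unparsable addresses."""
    result: Dict[str, list] = {"blocked": [], "overrides": [], "invalid": []}
    for addr, hosts in entries:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            result["invalid"].append((addr, hosts))
            continue
        sinkhole = ip.is_loopback or ip.is_unspecified   # 127.0.0.1, ::1, 0.0.0.0
        for host in hosts:
            if host == "localhost" and sinkhole:
                continue                       # the stock entry, not a block rule
            if sinkhole:
                result["blocked"].append(host)
            else:
                # A routable address here overrides DNS for that name; on a
                # home machine treat it as a hijack until proven otherwise.
                result["overrides"].append((host, addr))
    return result


def audit(text: str) -> Tuple[bool, Dict[str, list]]:
    """True when the file only sink-holes names; False when it needs review."""
    report = classify(parse_hosts(text))
    clean = not report["overrides"] and not report["invalid"]
    return clean, report


if __name__ == "__main__":
    # Assumed usage from the Ubuntu side of the dual boot, XP partition mounted:
    #   python3 hosts_audit.py /mnt/xp/WINDOWS/system32/drivers/etc/hosts
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE_HOSTS
    ok, rep = audit(data)
    print(f"sink-holed names: {len(rep['blocked'])}")
    for host, addr in rep["overrides"]:
        print(f"REVIEW: {host} -> {addr}")
    for addr, hosts in rep["invalid"]:
        print(f"UNPARSABLE: {addr} {' '.join(hosts)}")
    print("verdict:", "clean" if ok else "needs review")
```

Run without arguments it audits the embedded sample and reports the two routable entries for review; point it at the real file to audit a freshly restored XP installation. A blocklist HOSTS file installed deliberately should produce only "blocked" names; any "override" line is either something you added on purpose or a reason to keep the reinstall offline until it is explained.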

Re: How to make sure I won't reinfect from my backups

Post by shelschneider on 25th January 2010, 2:42 am

Thank you. I had upgraded to Service Pack 2 and had a firewall before I had to reinstall. My install disks didn't have Service Pack 2 or a firewall. I will make sure to update right away. Thank you for all your help and for the links you've suggested.


Re: How to make sure I won't reinfect from my backups

Post by Dr Jay on 25th January 2010, 2:49 am

You're welcome!


Dr. Jay (DJ)


