multiple malware and viruses need advice

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mbini, Oct 4, 2004.

  1. mbini

    mbini Private E-2

    On my Win 2000 laptop I managed to run multiple scans and found uncleanable viruses and malware

    A2 scanner
    C:\WINNT\system32\cab\copy\back32.exe not-a-virus:RiskWare.Tool.HideWindows
    C:\WINNT\system32\cab\copy\ntcnd.exe not-a virus:RiskWare.Tool.HideWindows
    C:\WINNT\system32\cab\ntcnd.exe not-a-virus:RiskWare.Tool.HideWindows
    C:\WINNT\system32\LIBPARSE.EXE not-a-virus:RiskWare.Tool.PrcView.3621
    C:\WINNT\system32\NBNG.exe not-a-virus:RiskWare.mIRC.6.03
    C:\WINNT\system32\libmodll.exe not-a-virus:RiskWare.Tool.PrcView.3621
    C:\WINNT\preInsln.exe Spyware.Win32.BiSpy.o

    Bitdefender scan
    Memory ok
    Master Boot Record 80 ok (Windows 95 B20 - Windows 98)
    Partition Boot 1 (primary) (active) ok (Windows NT 2000 FAT32)
    Partition Boot 2 ok (Windows 98 FAT32)
    Boot Sector of Drive A: ok (Read Error)
    C:\WINNT\system32\o suspect: Backdoor.BotGet.FtpB.Gen
    C:\WINNT\system32\o copied
    C:\WINNT\system32\cab\copy\back32.exe infected: Virtool.HiddenRun.B
    C:\WINNT\system32\cab\copy\back32.exe unable to disinfect
    C:\WINNT\system32\cab\copy\ntcnd.exe infected: Virtool.HiddenRun.B
    C:\WINNT\system32\cab\copy\ntcnd.exe unable to disinfect
    C:\WINNT\system32\cab\copy\svhost.exe infected: Virtool.Xscan.A
    C:\WINNT\system32\cab\copy\svhost.exe unable to disinfect
    C:\WINNT\system32\cab\dat\easy_user.dic infected: Trojan.RemoteData.Cfg
    C:\WINNT\system32\cab\dat\easy_user.dic unable to disinfect
    C:\WINNT\system32\cab\dat\nt_pass.dic infected: Trojan.RemoteData.Cfg
    C:\WINNT\system32\cab\dat\nt_pass.dic unable to disinfect
    C:\WINNT\system32\cab\plugin\010-port.xpn infected: Virtool.Xscan.Plugin
    C:\WINNT\system32\cab\plugin\010-port.xpn unable to disinfect
    C:\WINNT\system32\cab\plugin\020-netbios.xpn infected: Virtool.Xscan.Plugin
    C:\WINNT\system32\cab\plugin\020-netbios.xpn unable to disinfect
    C:\WINNT\system32\cab\plugin\030-rpc.xpn infected: Virtool.Xscan.Plugin
    C:\WINNT\system32\cab\plugin\030-rpc.xpn unable to disinfect
    C:\WINNT\system32\cab\plugin\090-ntpass.xpn infected: Virtool.Xscan.Plugin
    C:\WINNT\system32\cab\plugin\090-ntpass.xpn unable to disinfect
    C:\WINNT\system32\cab\ntcnd.exe infected: Virtool.HiddenRun.B
    C:\WINNT\system32\cab\ntcnd.exe unable to disinfect
    C:\WINNT\system32\cab\svhost.exe infected: Virtool.Xscan.A
    C:\WINNT\system32\cab\svhost.exe unable to disinfect
    C:\WINNT\system32\LIBPARSE.EXE=>(Upx) infected: Application.PrcView.A
    C:\WINNT\system32\LIBPARSE.EXE=>(Upx) unable to disinfect
    C:\WINNT\system32\dmsis.exe=>(CAB Sfx o)=>e.BAT infected: BAT.Noshare.N
    C:\WINNT\system32\dmsis.exe=>(CAB Sfx o)=>l.EXE=>(Upx) infected: Application.PrcView.A
    C:\WINNT\system32\dmsis.exe=>(CAB Sfx o)=>qerq.her infected: IRC-Worm.Randon.T
    C:\WINNT\system32\dmsis.exe=>(CAB Sfx o)=>r.BAT infected: BAT.Passer.A
    C:\WINNT\system32\dmsis.exe=>(CAB Sfx o)=>t.exe=>(Upx) infected: Trojan.HideWindows.A
    C:\WINNT\system32\Microsoft\dmsis.exe=>(CAB Sfx o)=>e.BAT infected: BAT.Noshare.N
    C:\WINNT\system32\Microsoft\dmsis.exe=>(CAB Sfx o)=>l.EXE=>(Upx) infected: Application.PrcView.A
    C:\WINNT\system32\Microsoft\dmsis.exe=>(CAB Sfx o)=>qerq.her infected: IRC-Worm.Randon.T
    C:\WINNT\system32\Microsoft\dmsis.exe=>(CAB Sfx o)=>r.BAT infected: BAT.Passer.A
    C:\WINNT\system32\Microsoft\dmsis.exe=>(CAB Sfx o)=>t.exe=>(Upx) infected: Trojan.HideWindows.A
    C:\WINNT\system32\libmodll.exe=>(Upx) infected: Application.PrcView.A
    C:\WINNT\system32\libmodll.exe=>(Upx) unable to disinfect
    C:\WINNT\Installer\41d1a8.msi=>(Embedded CAB)=>F324_SCAN86.EXE.23611738_B786_4229_BA5E_8655EF44B621 infected: One_Half.3570
    C:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx\OldEngine\SCAN86.sav infected: One_Half.3570
    C:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx\OldEngine\SCAN86.sa

    RAV scan
    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\WINNT\system32\rundll33.exe->(ZipSfx)->explore.exe->(UPXW) - Trojan:Win32/Glitch -> Infected
    C:\WINNT\system32\rundll33.exe->(ZipSfx)->iiscached.dll - Backdoor:IRC/Minion* -> Infected
    C:\WINNT\system32\dmsis.exe->(CABSfx)->e.BAT - Trojan:BAT/Noshare.N* -> Infected
    C:\WINNT\system32\dmsis.exe->(CABSfx)->qerq.her - IRC/Generic* -> Suspicious
    C:\WINNT\system32\dmsis.exe->(CABSfx)->t.exe - Tool:HideWindows -> Infected
    C:\WINNT\system32\NWIZ.IN_ - BAT/Cah* -> Infected
    C:\WINNT\system32\NWIZ.INI - BAT/Cah* -> Infected
    C:\WINNT\system32\cab\ntcnd.exe - Virtool:Win32/HiddenRun.B -> Infected
    C:\WINNT\system32\cab\copy\back32.exe - Virtool:Win32/HiddenRun.B -> Infected
    C:\WINNT\system32\cab\copy\ntcnd.exe - Virtool:Win32/HiddenRun.B -> Infected
    C:\WINNT\system32\Microsoft\dmsis.exe->(CABSfx)->e.BAT - Trojan:BAT/Noshare.N* -> Infected
    C:\WINNT\system32\Microsoft\dmsis.exe->(CABSfx)->qerq.her - IRC/Generic* -> Suspicious
    C:\WINNT\system32\Microsoft\dmsis.exe->(CABSfx)->t.exe - Tool:HideWindows -> Infected

    Scanned
    ============================
    Objects: 32866
    Directories: 2517
    Archives: 1159
    Size(Kb): 626528
    Infected files: 11

    Found
    ============================
    Viruses found: 6
    Suspicious files: 2
    Disinfected files: 0
    Mail files: 88

    I can't figure out how to get rid of them, as those scans could not automatically disinfect them.
    A2 scanner would allow me to delete the files. Is it okay to delete those files?
    Please advise.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Delete those files with A2.

    Also you should please follow all the steps in this Sticky thread < READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal >

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.
     
  3. mbini

    mbini Private E-2

    Followed all the steps
    Cleaned a2 detected infected files. Still has malware from

    RAV scan
    C:\WINNT\system32\rundll33.exe->(ZipSfx)->explore.exe->(UPXW) - Trojan:Win32/Glitch -> Infected
    C:\WINNT\system32\rundll33.exe->(ZipSfx)->iiscached.dll - Backdoor:IRC/Minion* -> Infected
    C:\WINNT\system32\dmsis.exe->(CABSfx)->e.BAT - Trojan:BAT/Noshare.N* -> Infected
    C:\WINNT\system32\dmsis.exe->(CABSfx)->qerq.her - IRC/Generic* -> Suspicious
    C:\WINNT\system32\dmsis.exe->(CABSfx)->t.exe - Tool:HideWindows -> Infected
    C:\WINNT\system32\NWIZ.IN_ - BAT/Cah* -> Infected
    C:\WINNT\system32\NWIZ.INI - BAT/Cah* -> Infected
    C:\WINNT\system32\Microsoft\dmsis.exe->(CABSfx)->e.BAT - Trojan:BAT/Noshare.N* -> Infected
    C:\WINNT\system32\Microsoft\dmsis.exe->(CABSfx)->qerq.her - IRC/Generic* -> Suspicious
    C:\WINNT\system32\Microsoft\dmsis.exe->(CABSfx)->t.exe - Tool:HideWindows -> Infected

    and by Bitdefender scan
    C:\WINNT\system32\spool\drivers\w32x86\3\EB5ST000.DAT=>(CAB Sfx o)=>\LPT_t\Ebplpt.dll: bad crc
    C:\WINNT\system32\spool\drivers\w32x86\EB5ST000.DAT=>(CAB Sfx o)=>\LPT_t\Ebplpt.dll: bad crc
    C:\WINNT\system32\o: suspect Backdoor.BotGet.FtpB.Gen
    C:\WINNT\system32\o: disinfection failed
    C:\WINNT\system32\cab\copy\svhost.exe: infected with Virtool.Xscan.A
    C:\WINNT\system32\cab\copy\svhost.exe: disinfection failed
    C:\WINNT\system32\cab\dat\easy_user.dic: infected with Trojan.RemoteData.Cfg
    C:\WINNT\system32\cab\dat\easy_user.dic: disinfection failed
    C:\WINNT\system32\cab\dat\nt_pass.dic: infected with Trojan.RemoteData.Cfg
    C:\WINNT\system32\cab\dat\nt_pass.dic: disinfection failed
    C:\WINNT\system32\cab\plugin\010-port.xpn: infected with Virtool.Xscan.Plugin
    C:\WINNT\system32\cab\plugin\010-port.xpn: disinfection failed
    C:\WINNT\system32\cab\plugin\020-netbios.xpn: infected with Virtool.Xscan.Plugin
    C:\WINNT\system32\cab\plugin\020-netbios.xpn: disinfection failed
    C:\WINNT\system32\cab\plugin\030-rpc.xpn: infected with Virtool.Xscan.Plugin
    C:\WINNT\system32\cab\plugin\030-rpc.xpn: disinfection failed
    C:\WINNT\system32\cab\plugin\090-ntpass.xpn: infected with Virtool.Xscan.Plugin
    C:\WINNT\system32\cab\plugin\090-ntpass.xpn: disinfection failed
    C:\WINNT\system32\cab\svhost.exe: infected with Virtool.Xscan.A
    C:\WINNT\system32\cab\svhost.exe: disinfection failed
    C:\WINNT\system32\dmsis.exe=>(CAB Sfx o)=>e.BAT: infected with BAT.Noshare.N
    C:\WINNT\system32\dmsis.exe=>(CAB Sfx o)=>e.BAT: disinfection failed
    C:\WINNT\system32\dmsis.exe=>(CAB Sfx o)=>l.EXE=>(Upx): infected with Application.PrcView.A
    C:\WINNT\system32\dmsis.exe=>(CAB Sfx o)=>l.EXE=>(Upx): disinfection failed
    C:\WINNT\system32\dmsis.exe=>(CAB Sfx o)=>qerq.her: infected with IRC-Worm.Randon.T
    C:\WINNT\system32\dmsis.exe=>(CAB Sfx o)=>qerq.her: disinfection failed
    C:\WINNT\system32\dmsis.exe=>(CAB Sfx o)=>r.BAT: infected with BAT.Passer.A
    C:\WINNT\system32\dmsis.exe=>(CAB Sfx o)=>r.BAT: disinfection failed
    C:\WINNT\system32\dmsis.exe=>(CAB Sfx o)=>t.exe=>(Upx): infected with Trojan.HideWindows.A
    C:\WINNT\system32\dmsis.exe=>(CAB Sfx o)=>t.exe=>(Upx): disinfection failed
    C:\WINNT\system32\Microsoft\dmsis.exe=>(CAB Sfx o)=>e.BAT: infected with BAT.Noshare.N
    C:\WINNT\system32\Microsoft\dmsis.exe=>(CAB Sfx o)=>e.BAT: disinfection failed
    C:\WINNT\system32\Microsoft\dmsis.exe=>(CAB Sfx o)=>l.EXE=>(Upx): infected with Application.PrcView.A
    C:\WINNT\system32\Microsoft\dmsis.exe=>(CAB Sfx o)=>l.EXE=>(Upx): disinfection failed
    C:\WINNT\system32\Microsoft\dmsis.exe=>(CAB Sfx o)=>qerq.her: infected with IRC-Worm.Randon.T
    C:\WINNT\system32\Microsoft\dmsis.exe=>(CAB Sfx o)=>qerq.her: disinfection failed
    C:\WINNT\system32\Microsoft\dmsis.exe=>(CAB Sfx o)=>r.BAT: infected with BAT.Passer.A
    C:\WINNT\system32\Microsoft\dmsis.exe=>(CAB Sfx o)=>r.BAT: disinfection failed
    C:\WINNT\system32\Microsoft\dmsis.exe=>(CAB Sfx o)=>t.exe=>(Upx): infected with Trojan.HideWindows.A
    C:\WINNT\system32\Microsoft\dmsis.exe=>(CAB Sfx o)=>t.exe=>(Upx): disinfection failed
    C:\WINNT\Installer\41d1a8.msi=>(Embedded CAB)=>F324_SCAN86.EXE.23611738_B786_4229_BA5E_8655EF44B621: infected with One_Half.3570
    C:\WINNT\Installer\41d1a8.msi=>(Embedded CAB)=>F324_SCAN86.EXE.23611738_B786_4229_BA5E_8655EF44B621: disinfection failed
    C:\WINNT\avxoscan\Suspicious\o: suspect Backdoor.BotGet.FtpB.Gen
    C:\WINNT\avxoscan\Suspicious\o: disinfection failed
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DelfinProject3.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DelfinProject3.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\nCase.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\nCase.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>RELATED.HTM: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ShopNav.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ShopNav.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDEProjector.zip=>mskin/mskin.bmp: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDEProjector.zip=>mskin/config3.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDEProjector.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PromulGate.zip=>patchme.exe: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PromulGate.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ShopNav1.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ShopNav1.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDEProjector1.zip=>bdeverify.exe: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDEProjector1.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DelfinProject4.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DelfinProject4.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCA.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCA.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDEProjector2.zip=>bdesecureinstall.exe: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDEProjector2.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DelfinProject5.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DelfinProject5.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexList.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexList.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDEProjector3.zip=>bdesecureinstall.cab: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDEProjector3.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DownloadWare.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DownloadWare.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDEProjector4.zip=>bdeverify.dll: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDEProjector4.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit1.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit1.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDEProjector5.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDEProjector5.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\GoldenPalaceCasino.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\GoldenPalaceCasino.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDEProjector6.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDEProjector6.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WurldMedia.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WurldMedia.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WurldMedia1.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WurldMedia1.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDHelper.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDHelper.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDHelper1.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDHelper1.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DelfinProject.zip=>remove_tools.html: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DelfinProject.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit5.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit5.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit6.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit6.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DelfinProject1.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DelfinProject1.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit7.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit7.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DelfinProject2.zip=>sbRecovery.reg: password protected
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DelfinProject2.zip=>sbRecovery.ini: password protected
    C:\Documents and Settings\Manoj\Local Settings\Temporary Internet Files\Content.IE5\KLIN0DI3\dotnetfx_a86fd901dfe693e5d9465b4f89715da[1].exe=>(CAB Sfx r)=>InstMsiW.exe: bad crc
    C:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx\OldEngine\SCAN86.sav: infected with One_Half.3570
    C:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx\OldEngine\SCAN86.sav: disinfection failed
    C:\Program Files\Java\j2re1.4.0\lib\ext\localedata.jar=>sun/text/resources/thai_dict: bad crc
    C:\Program Files\Java\j2re1.4.0\lib\rt.jar=>javax/swing/tree/DefaultMutableTreeNode$PreorderEnumeration.class: bad crc
    C:\Program Files\Java\j2re1.4.0\lib\jaws.jar=>sunw/demo/classfile/UTF8Constant.class: bad crc
    C:\Program Files\Java\j2re1.4.0\lib\charsets.jar=>sun/io/CharToByteTIS620.class: bad crc
    C:\Program Files\Java\j2re1.4.0_03\lib\ext\localedata.jar=>sun/text/resources/thai_dict: bad crc
    C:\Program Files\Java\j2re1.4.0_03\lib\rt.jar=>javax/swing/tree/DefaultMutableTreeNode$PreorderEnumeration.class: bad crc
    C:\Program Files\Java\j2re1.4.0_03\lib\jaws.jar=>sunw/demo/classfile/UTF8Constant.class: bad crc
    C:\Program Files\Java\j2re1.4.0_03\lib\charsets.jar=>sun/io/CharToByteTIS620.class: bad crc
    C:\Program Files\Java Web Start\javaws.jar=>build.id: bad crc

    Do I have to manually remove all these files? I guess the Ad-Aware and Spybot files are already quarantined. But what about the rest of them? Please advise.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should only pay attention to the lines with infections and ignore the other stuff. You could dump all the stuff in your SpyBot recovery folder too. Yes, some may require manual deletion, but you never really indicated that you followed my directions earlier. That could help, especially if you can run the scans in safe mode.

    This is what I said earlier:

    "Also you should please follow all the steps in this Sticky thread < READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal > "
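
Added example, not part of the original thread: a small Python triage of the Bitdefender-style lines posted above. It keeps only the detection lines, drops the "password protected" and "bad crc" noise, and groups findings by the file on disk, assuming the text before the first `=>` is that file and the rest is a member inside it. The function names are illustrative, and the sample lines are copied from the log in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the Bitdefender log in this thread.
SAMPLE_LOG = r"""
C:\WINNT\system32\spool\drivers\w32x86\EB5ST000.DAT=>(CAB Sfx o)=>\LPT_t\Ebplpt.dll: bad crc
C:\WINNT\system32\o: suspect Backdoor.BotGet.FtpB.Gen
C:\WINNT\system32\o: disinfection failed
C:\WINNT\system32\cab\svhost.exe: infected with Virtool.Xscan.A
C:\WINNT\system32\cab\svhost.exe: disinfection failed
C:\WINNT\system32\dmsis.exe=>(CAB Sfx o)=>e.BAT: infected with BAT.Noshare.N
C:\WINNT\system32\dmsis.exe=>(CAB Sfx o)=>e.BAT: disinfection failed
C:\WINNT\system32\dmsis.exe=>(CAB Sfx o)=>t.exe=>(Upx): infected with Trojan.HideWindows.A
C:\WINNT\system32\dmsis.exe=>(CAB Sfx o)=>t.exe=>(Upx): disinfection failed
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>main.bmp: password protected
C:\Program Files\Java Web Start\javaws.jar=>build.id: bad crc
"""

# Status strings that report a detection, as they appear in the posted log.
DETECTION = re.compile(r"^(?:infected with|suspect)\s+(?P<name>\S+)$")
# Status strings that only say the scanner could not look inside an archive member.
NOISE = {"password protected", "bad crc"}


def parse_line(line):
    """Return (file_on_disk, inner_member_path, status), or None for a non-log line."""
    target, sep, status = line.strip().rpartition(": ")
    if not sep:
        return None
    layers = target.split("=>")
    # layers[0] is the file on disk; later layers are unpacked containers and members.
    return layers[0], "=>".join(layers[1:]), status


def triage(log_text):
    """Group detections by on-disk file; count noise lines; collect unknown statuses."""
    detections = defaultdict(set)
    failed = set()
    ignored = 0
    unknown = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        disk_file, _member, status = parsed
        match = DETECTION.match(status)
        if match:
            detections[disk_file].add(match.group("name"))
        elif status == "disinfection failed":
            failed.add(disk_file)
        elif status in NOISE:
            ignored += 1
        else:
            unknown.append(raw.strip())  # never drop a status we do not recognise
    report = {
        disk_file: {
            "detections": sorted(names),
            "disinfection_failed": disk_file in failed,
        }
        for disk_file, names in detections.items()
    }
    return report, ignored, unknown


if __name__ == "__main__":
    report, ignored, unknown = triage(SAMPLE_LOG)
    for disk_file, info in sorted(report.items()):
        flag = "NOT CLEANED" if info["disinfection_failed"] else "cleaned"
        print(f"{disk_file}  [{flag}]  {', '.join(info['detections'])}")
    print(f"ignored {ignored} noise lines, {len(unknown)} unrecognised")
```

Several archive-member detections collapse onto a single on-disk file such as `dmsis.exe`, which is why the list of files needing manual attention is much shorter than the raw log.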
     
  5. mbini

    mbini Private E-2

    I followed all your steps, except my DSL does not work in safe mode with networking. I can't do online scans in safe mode. How do I make it work?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just run the Symantec and TrendMicro scans in normal boot mode. And run everything else in safe mode as indicated in the tutorial.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  8. ElaineJohnson

    ElaineJohnson Private E-2

    I have a difficult time finding out where to POST the question as a new member. Hopefully, someone will read this and tell me what to do.

    I had a similar problem with a different virus and Backdoor.BotGet.FtpB.Gen. Bitdefender found it, but could not clean it.

    Searching for help. Found your answer to another member. Followed your direction below:

    "< READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal > "

    Created more problems. Now, I cannot turn RPC back on to automatic. There is no active option for me to click on. By the way, there was no active option for STOP, but disabled, which I did.

    Cleaned with everything, but I still cannot install AVG7. Now, I cannot even run Bitdefender.

    What a mess! Can anybody help?
     
