Jacked again...

Discussion in 'Malware Help (A Specialist Will Reply)' started by SWario, Nov 25, 2005.

  1. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The WinPFind log shows nothing of concern. You may be right; the spyware appears to be gone. You may need to reinstall some drivers.

    I want to take a look for RootKits first.

    Download
    - RootkitRevealer

    Run RootkitRevealer from an account with Administrator privileges, and make sure all unnecessary applications and browsers are closed before running this application.

    Post the log after the above has been completed.
     
  2. SWario

    SWario Sergeant

    Here's the RootKitRevealer log.
     

  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    That looks OK.

    Looks like you may need to reinstall some drivers. It is quite possible that one or more drivers were corrupted by the infection. It happens from time to time.
     
  4. SWario

    SWario Sergeant

    Actually, I found out that I was just configuring my IP incorrectly (typed the wrong IP by a single digit). :eek: So as long as all the logs are clean, I'd say that my infection is gone now. Wouldn't you?
     
  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Yes, your system appears to be clean.
     
  6. SWario

    SWario Sergeant

    I guess now would be the time to go through the "Protecting yourself from malware" thread then.
     
  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Yes, there is some really good stuff in there.
     
  8. SWario

    SWario Sergeant

    Hmm, I still have one minor problem. It seems that any time I click on something within a program that would make an IE window pop up, the program hangs, and I have to end the program forcefully (this has happened with CWShredder, CCleaner, and the Bitdefender Online Scanner). I'm not quite sure why this is, any insight?
     
  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You may need to check settings. You also may need to reinstall some programs. It is possible that the viruses corrupted some things that aren't shown in the logs. You could also run sfc /scannow by using Run in the Start Menu; this will replace any bad or missing Windows files with known good ones. You will need your Windows CD for this, and you may need to run Windows Update after SFC is done.
     
  10. SWario

    SWario Sergeant

    Okay, I've been running through the "READ ME" again to do some re-cleaning. I just finished running the online virus scanners, and they picked up quite a bit of stuff. I've attached the log from Kaspersky.

    Trend Micro's Scanner found:
    • TROJ DROPPER.UA @ C:\!KillBox\msupdate32.dll
     

  11. SWario

    SWario Sergeant

    Oh, also, I have not been able to run the Panda Online scanner. It always hangs when I get to the last button (when it's supposed to download the ActiveX for it), and eventually gives me a "Page cannot be displayed" error. Just thought I'd mention it.
     
  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    None of this showed before. What did you do differently this time?

    Empty your Norton Quarantined Items. That will remove everything associated with this file:
    C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\286338A2.zip

    Manually delete the following using Windows Explorer in Safe Mode:
    C:\!KillBox\msupdate32.dll
    C:\Documents and Settings\Ryan Foster\Application Data\tizupd.bin
    D:\My Documents\Downloads\scd-qm21.exe

    In Outlook Express locate the following emails and delete them, then empty your deleted items folder:
    From "eBay" <security-center-@ebay.ca>

    Anything associated with RealVNC is not a virus, but can be exploited.

    Mirc is not a virus but can be exploited.

    Sysreset is used with Mirc.
     
  13. SWario

    SWario Sergeant

    I haven't been able to run the online scans since my first post about these problems, so that may be why we never noticed these things. Other than that, I never really did anything differently (besides running those scans). I deleted all the items you suggested, and there are no immediate problems right now. I'll continue running scans to see if anything has eluded our cleansing.

    I use RealVNC for its intended purpose, as well as Sysreset (a variant of mIRC).
     
  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The ActiveX control on the PandaScan sometimes hangs; it may take several attempts to get it to install. Panda is really good at finding things but won't remove them.
     
  15. SWario

    SWario Sergeant

    Alright, this is the same computer, with no serious issues, just a routine cleaning. However, I have had some installations and uninstallations hang on me frequently (most notably, ones involving my network adapters - a Cisco VPN client, and also Hamachi).

    The Panda ActiveScan, once again, would not run, but I will attach the BitDefender and HJT logs. I uninstalled the VPN Client before I exited Safe Mode (following the READ ME procedures) and have not tried installing/uninstalling Hamachi since I originally had trouble with it. I had toyed with the idea of going through my registry and deleting all of the network adapter entries that were no longer in use, but I wasn't sure if that would affect anything (though I don't think it would, seeing as there are some entries in there of network adapter names that I changed things to, and the adapters themselves don't exist anymore), so I figured that it might be wise to seek a second opinion on that.
     

  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You posted the BitDefender summary, I need the log. The summary only shows what, not where.

    Are these 2 lines correct?

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

    O17 - HKLM\System\CCS\Services\Tcpip\..\{103C6159-6CC7-4CDB-A013-973BE539A171}: NameServer = 128.118.25.3,130.203.1.4
     
  17. SWario

    SWario Sergeant

    Sorry about the BitDefender log, I thought that I had saved it correctly. I believe it pointed to C:\WINDOWS\i386p as a virus (perhaps a specific file, but I cannot remember). Would you like me to rerun the BitDefender scan?

    The first line from the HJT log, I am not sure about. The second line is correct: since I'm using a dormitory connection at school, the IP settings are manually configured, and those are the DNS settings. What exactly does the first line mean, anyways?
     
  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The R1 line means you are connected through a proxy server, which may be correct since you are connecting through a campus system.

    Yes, I need the BitDefender log itself. It found an infection and I need to know where it found it and what it did.
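The R1 ProxyServer and O17 NameServer lines questioned in the posts above are the two HijackThis entries that decide where a machine's web traffic and name lookups actually go, which is why a helper checks them against what the owner says they should be. The following script is an added example, not part of the original thread or of HijackThis itself: it parses HJT R1/O17 lines, treats the two campus resolvers the poster confirmed as the only expected DNS servers, assumes no proxy should be configured at all, and flags anything else. The first two sample lines reproduce the ones quoted in the thread; the third O17 line (its GUID and the 203.0.113.9 address) is constructed here to show what an unexpected resolver looks like.

```python
"""Audit HijackThis R1 (ProxyServer) and O17 (NameServer) lines against the
settings the machine's owner expects.  Added example; not from the thread."""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample log lines.  Lines 1 and 2 copy the thread's HJT entries;
# line 3 is invented (made-up interface GUID, documentation address) to show a
# resolver that does not match the owner's configuration.
SAMPLE_HJT_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{103C6159-6CC7-4CDB-A013-973BE539A171}: NameServer = 128.118.25.3,130.203.1.4",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-1111-2222-3333-444444444444}: NameServer = 203.0.113.9",
]

# Assumption: the two resolvers the poster confirmed are the only DNS servers
# expected on this machine, and no proxy is expected at all.
EXPECTED_DNS: Set[str] = {"128.118.25.3", "130.203.1.4"}
EXPECTED_PROXIES: Set[str] = set()

R1_RE = re.compile(r"^R1 - (?P<key>[^,]+),(?P<name>\w+) = (?P<data>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<data>.*)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # proxy-malformed | proxy-unexpected | dns-invalid | dns-unexpected
    key: str     # registry key the HJT line points at
    value: str   # offending host:port or IP address


def parse_proxy_server(data: str) -> List[Tuple[str, str, Optional[int]]]:
    """Split a ProxyServer value into (scheme, host, port) tuples.

    The value is either 'host:port' or 'http=host:port;https=host:port;...'.
    A missing or non-numeric port is returned as None.
    """
    entries = []
    for entry in filter(None, data.split(";")):
        scheme, _, hostport = entry.rpartition("=")
        if ":" in hostport:
            host, port_s = hostport.rsplit(":", 1)
        else:
            host, port_s = hostport, ""
        port = int(port_s) if port_s.isdigit() else None
        entries.append((scheme or "*", host, port))
    return entries


def audit_hjt_lines(lines: Iterable[str],
                    expected_dns: Set[str] = EXPECTED_DNS,
                    expected_proxies: Set[str] = EXPECTED_PROXIES) -> List[Finding]:
    """Return one Finding per proxy or resolver that is malformed or unexpected."""
    findings: List[Finding] = []
    for line in lines:
        m = R1_RE.match(line)
        if m and m["name"] == "ProxyServer":
            for _scheme, host, port in parse_proxy_server(m["data"]):
                target = f"{host}:{'' if port is None else port}"
                # ':0' style entries have no host and port 0: not a working proxy,
                # but worth a manual look because software left them behind.
                if not host or not port:
                    findings.append(Finding("proxy-malformed", m["key"], target))
                elif target not in expected_proxies:
                    findings.append(Finding("proxy-unexpected", m["key"], target))
            continue
        m = O17_RE.match(line)
        if m:
            for server in filter(None, re.split(r"[,\s]+", m["data"])):
                try:
                    ip_address(server)
                except ValueError:
                    findings.append(Finding("dns-invalid", m["key"], server))
                    continue
                if server not in expected_dns:
                    findings.append(Finding("dns-unexpected", m["key"], server))
    return findings


if __name__ == "__main__":
    for f in audit_hjt_lines(SAMPLE_HJT_LINES):
        print(f"{f.kind:16} {f.value:20} {f.key}")
```

Run against the sample lines it reports the `:0` proxy entry as malformed and 203.0.113.9 as an unexpected resolver, while the two confirmed campus servers pass silently. Swap `EXPECTED_DNS` for whatever the owner of the machine can vouch for; an O17 resolver that nobody can account for is the classic sign of a DNS hijack and should be treated as hostile until explained.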
     
  19. SWario

    SWario Sergeant

    I reran BitDefender, but it crashed right as it completed. :eek:

    In any case, I recall clearly that it returned the statements "Disinfect failed" and "Deleted" after the one instance was detected. I also recall that the rough location was "C:\WINDOWS\i386p"; whether it pointed to a folder or a specific file, however, I cannot remember.

    In any event, what is your take on cleaning the "network adapters" entries out of the registry? I like to think of myself as a fairly advanced PC user, but I generally assume that the people here are wiser than I am in certain things (the people who are authorized to answer questions in this forum, anyhow).
     
  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    What is in the Windows\i386p?
     
  21. SWario

    SWario Sergeant

    Oddly enough, I checked, and that folder doesn't exist. So I ran a search for all files and folders containing "i386". It came up with several entries throughout the WINDOWS folder, and two other specific directories. I reran BitDefender on the entire C:\WINDOWS folder, and on the directories containing a subdirectory named "i386" (subfolders were included in the scan, so EVERYTHING in the WINDOWS folder was scanned). The scan turned up clean, and I am attaching the log to this post.

    I think BitDefender deleted it with the initial scan, so we probably don't have to worry about it anymore. That being said, do you have anything to say about my aforementioned registry tinkering? Or is that a question for a different section of the MG forums (like Software)?
     

  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Any time you 'tinker' around in the registry, it can be dangerous. Back up your registry before deleting or modifying keys. It should be safe to remove old entries under "Network Adapters," as they are no longer present.
     
  23. SWario

    SWario Sergeant

    Mm, alright, then I suppose backing it up would be good, and then I can clear out the unnecessary entries in that folder.

    Thanks for the help!
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are referring to the i386 folder, you should not be touching it. It is a valid folder. It is where backups of your installed OS are placed. Sometimes it is c:\windows\i386 and sometimes it is just c:\i386. I have even seen it other places.

    If you saw something at some point that said i386p it may have been the below

    %windir%\system32\drivers\i386p.sys which is SpamTool.Win32.Mailbot.k
     
