Questions about malware

Welcome to Major Geeks!

No not really! There is no way to tell what may have been stolen. However you need to first determine if you even have to worry about any of this by determining if you have any malware infections.

Not 100%, but look at your firewall logs and any other logs from tools you have installed to see if they have captured any information. Most firewalls have logs and most will normally popup notices about strange activities and so will any good antispyware or antivirus program.

No! If you have malware (yet to be determined) you have to determine what the malware is and what it is capable of doing; however that does not mean that it actually did steal any information. On the otherhand, just because you don't notice any problems, it does not mean that you have no malware or that it did not stall anything.

You need to run the READ & RUN ME sticky thread procedure to determine if you have any malware problems.

 

Never heard of it but everyone calls things different names. Well actually let me amend this, I have heard of this. I believe it is this: http://www.symantec.com/security_response/writeup.jsp?docid=2006-031513-4219-99&tabid=1

It is something that you or someone else installed.

You will not be able to find out that information by looking at your PC. If you have no malware (are you really sure) then the only thing you can do is the below if you are worried about security of what may have been stolen.

http://www.dslreports.com/faq/10451

 

If you want to know if you have malware, the READ & RUN ME FIRST Before Asking for Support sticky thread procedure must be followed and then the below logs (from the procedure) must be attached.

• CounterSpy - only for Windows XP, 2K, & NT users
• AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
• Bitdefender - from step 6
• Panda Scan - from step 6
• runkeys.txt - the log from GetRunKey.bat
• newfiles.txt - the log from ShowNew.bat
• HijackThis

 

That procedure will tell what remains which is really most important at this time.

If you want to attach the old logs from things you have already run, you can do that too and I will then see what they already may have removed.

 

Part of your ComboFix log shows the below:
C:\WINDOWS\system32\CRDE2003.dll
C:\WINDOWS\system32\ILRawRead.dll
C:\WINDOWS\system32\ISP2003.dll

These files may or may not be part of the Spectre item. If you look at the Symantec link you will see the Spectre installs them but puts them into its own folder in C:\Progam Files. Thus while these could be problems, they could also be used by some other program that uses the libraries. They may have functions with in them that are used by any program that does screen snapshots. Do you have anything installed like that. You can even see a couple of these are used in software like the below:

http://www.compulink-support.com/technotes/wantwain.htm

Other places they are used are in PDF Readers or conversion programs. Even Optical Character Recognition (scanners). Do you have a scanner? For example search the below file and you will see two of the above file names mentioned:

http://www.library.okstate.edu/access/ils/illiad/OCLCILLiadVersion7.pdf



I have no idea what the other two files ComboFix removed are:
C:\WINDOWS\system32\MRARM.dll
C:\WINDOWS\system32\MRCE2.dll

 

The odds are very high that these are not problems. You can right click on the files and select Properties, Version and take a look at who they belong to (assuming the files give you a version tab) but since they appear to be common DLLs use by a variety of programs that still does not tell you anything.

Since you do not have the Spectre software installed on your PC and the folders for it do not show, I still stand by my assertion that these are not problems.

In message # 3 you said:

If by this you mean that ComboFix removed them, then you will at some point find that some aspect of your scanner or Adobe software no longer works. That will answer your question as to whether the files are used by you. The other way is to reinstall your software and if the files show up again then you know where they came from (that is assuming they are really gone right now).

 

As I stated earlier they could be use for valid purposes and that is what they were. Whoever told you that you had Spectre was wrong.

You need to reinstall your Camera software or just move those files out of ComboFix's quarantine back to their original folders. That is assumig you need it.

 

Since you never follow my instructions from step # 6, I cannot say that you do not have any malware at all. I can just say that based on whaty you posted, you did not have any. And in addition you do not and did not have Spectre. You are worrying about nothing. Whatever told you you had Spectre was a false positive.

If you want to confirm this for yourself then do what I stated in my previous message and reinstall all of your camera software. You will more than likely see the files reappear in the system32 folder.

 

Not really, but you could check the file and folder dates in c:\Program Files to see what is new. That however assumes that this is where you installed everything.

 

You are overly paranoid for no reason at all. As I said before there are many processes/files that can be used for valid as well as malware purposes. You installed the software that put these files on your PC, if you don't trust them or are going to continue to be worried about them then uninstall the software and delete the those files if they are left behind. Then do not use the this software anymore.

 

You have infected file in other user accounts. You ran the scans on TONY.TONY-SBWG4ZNZOA but the user account named tony has some malware in its temp folder. Delete all files in the below folder:
C:\Documents and Settings\tony\Local Settings\Temp

Also delete this folder: C:\Program Files\Norton SystemWorks

Now uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
C:\Documents and Settings\All Users.WINDOWS\Application Data\Sunbelt Software
C:\Program Files\Sunbelt Software

Uninstall the below software:
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Mozilla Firefox (1.5.0.12)
SpywareBlaster v3.4 <-- this is more than 2 years out of date.
Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

Make sure you reboot after uninstalling the above!

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Then install the current version of FireFox from: Mozilla Firefox

Also install the current version of SpywareBlaster from: SpyWare Blaster


Now attach a new log from ShowNew.

 

Your log is clean!

I cannot answer that unless you tell me exactly what is being found and where it is finding it. All I can suggest is that you remove quarantines and backups from the tools (which the below steps should do) and see what happens.


If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you run Avenger, you can delete all files related to Avenger now.
7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
9. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

Since you did not have any infections to begin with, the answer is no.

 

You need to post in the Software Forum. These are not malware issues.