Virus in System Restore

I've attached logs from Bitdefender and Kaspersky - I have a question on System Restore as well.

My External hard drive for some reason has hidden files containing System Restore files on it all of a sudden, whereas to my knowledge they weren't there to begin with.

My C Drive's SR might be infected but I would also like to find out how I can clean my External Hard Drive and other removable devices properly.

Many thanks!

 

Hi BFLeigh,

Run the BitDefender online scan again as you did the first time, only this time after you click on I agree, choose the highlighted text which allows you to choose which drives will be scanned. Have it scan your external drives and then follow the instructions for posting the log just like you did the first time. Attach that log here.

Antivirus programs don't get rid of infected restore points. The only way to get rid of them is to reset system restore. We ask that you not reset system restore until we are sure if all the malware has been removed from your system.

After you run the BitDefender scan on your external drives, it would be helpful if you could go to the READ & RUN ME FIRST and click on the link at the bottom of the page which applies to your operating system. In the page which opens up, please download and run Combofix and install and run the MGTools according to the instructions for each of these. Then attach the logs from these with your next post.

abri

 

MGTools and Combofix are attached. I will attached a new Bitdefender log later (it takes in excess of 3 hours).

 

Hi BFLeigh,

Hopefully if you set BitDefender to scan only your external drives, it won't take as long to run the scans.

This folder looks like it could be something of yours: C:\Program Files\Leigh Did you make the folder yourself? Why is it under Program Files? What kind of files does it contain? The reason I'm curious about it is because it was put on your computer close to the time that C:\WINDOWS\system32\gpprefcl.dll was installed, which is a file that there doesn't seem to be a lot of information about except that it's new. If it has anything to do with whatever you put in the Leigh folder, it would be nice to know what program it's associated with. Even then, it will only be a guess, because the two appeared on your computer about a half hour apart.

And finally, the last of my questions for now. What is in the following folder dated 18 Jan 2008? (Don't open any files!) It's a folder and it will be under WINDOWS and the tale part of the file may contain charaters. There should be a folder with that date and with that ending.

C:\WINDOWS\~CUA


And now, just to update your java:

1) Go to add/remove programs and uninstall the below:

Java(TM) 6 Update 3

2) Reboot after uninstalling the above.

3) Install the current version of Sun Java from: Sun Java Runtime Environment

How is your computer running aside from the restore points being infected?

abri

 

Okay, the Bitdefender scan came up clean.

The Leigh folder is a folder I use (FAQ's, Games, Media) it's been there for a very long time. I don't know the history to that .dll file though.

The ~CUA folder contains:

EniCommon

enismp

Prox

All .dll files. I don't know anything about this folder/these files.

I'm currently performing the Java update.

All in all, the PC is working fine. As I originally said, I am not sure if the System Restore on the Hard Drive was infected or not as well. The Bitdefender scan however says it is clean.

 

Hi BFLeigh,

I think the ~CUA folder has to do with your USB. I don't know why it has a name like that, but don't delete it.

Please rename the following file and see how your computer runs after that. If you have problems with any of your programs, you can rename it back to the original.

C:\WINDOWS\system32\gpprefcl.dll ------> gpprefcl.dll.zzz

You may want to go back to the XP Cleaning Instructions and run one of the antispyware programs listed there as Kaspersky did find one adware which it didn't remove. Other than that your computer is clean and when you are ready, you can run the final cleanup instructions which I'll post for you in the box belowlease do the final cleanup instructions in the box:

abri

 

I have renamed that file and so far no issues.....

I have ran into a problem with MBAM or whatever it's called - it won't run now and I can't seem to uninstall it.

I will run the other programs shortly and post their logs. SuperAntispyware came up with nothing though.

 

Hi BFLeigh,

Did you try uninstalling MalwareBytes from your add/remove programs? Is so, try reinstalling it over the old version. If it says there's already one installed, do you want to install it anyway, just say yes. Then see if the uninstaller in add/remove programs will work.

abri

 

OK I reinstalled it and it worked fine. Spybot and Malwarebytes found nothing either.

Shall I re-scan with Combofix/MGtools/an online scanner?

 

Hi BFLeigh,

I'm still curious about this one file: C:\WINDOWS\system32\gpprefcl.dll

Could you look for it in Windows Explorer and tell me what time stamp is on it?

You don't need to run the other scans, because I don't expect they'll turn up anything new in the way of malware.

Thanks.
abri

 

Its properties are as follows:

Created: 2008-03-12, 13:10

Modified: 2008-03-12, 13:10

Accessed: 2008-03-12, 13:10

 

Hi BFLeigh,

It seems to be a Microsoft file. Nothing to worry about in any case.

Your logs are clean. Be sure to read the How to protect yourself from malware page. There are some good software tips in there.

abri

 

Thanks abri,

I can re-set my system restore now do you think?

 

Hi BFLeigh!
Yes, do reset system restore. That will give you a known point to go back to and get rid of anything left over in your old restore points. Refer to the instructions in the "final instructions box" if you need to.
abri