CastleCops, Internet Crime Fighters

[IN PROGRESS] New Log (can't get rid of backdoor.sdbot.gen trojan)
Kash3 (Private; joined Jan 17, 2008; 45 posts) posted Mon Apr 21, 2008 12:11 pm:

Hi there,

SuperAntiSpyware, Panda Scan & HJT logs attached (SAS and HJT make up the Word document).

What's the verdict?

Thanks.




Attachments:
SUPERAntiSpyware & HJTHIS.doc (37 KB, downloaded 19 times)
Panda log.txt (4.07 KB, downloaded 28 times)

Kash3 (Private; joined Jan 17, 2008; 45 posts) posted Mon Apr 21, 2008 12:40 pm:

I forgot to mention on the previous post, I downloaded CC and ran a scan.

I was surprised to see so much rubbish on the system (almost 1Gb). I didn't know what half the things the scan identified were, but it's all cleaned up now.

PCBruiser (SRT Team Lead, Forums Admin; joined May 11, 2005; 11714 posts) posted Mon Apr 21, 2008 1:39 pm:

Hi,

The Panda scan is clean, and once again, I cannot open the doc file with the password you sent. Could you simply post them in the open for me. If you need to remove your name from some lines, just edit it out. You can do a full search and replace to do that in one step.


_________________
Don't read? Can't learn!
Kash3 (Private; joined Jan 17, 2008; 45 posts) posted Mon Apr 21, 2008 2:04 pm:

Re-attached - clear.

By the way, although the Panda scan identified 4 items, were these false positives or are they some sort of file extension etc?

Thanks.




Attachment:
SUPERAntiSpyware & HJTHIS.doc (37 KB, downloaded 19 times)

Kash3 (Private; joined Jan 17, 2008; 45 posts) posted Mon Apr 21, 2008 2:51 pm:

Hi,

I've taken a full system scan with BitDefender. It identified 2 viruses, which are listed below. How can I remove these items safely from my system (BitDefender couldn't quarantine / delete them as they are in an archive)?

BitDefender Log File !!!!!
Product : BitDefender Total Security 2008
Version : BitDefender UIScanner v.11
Log date : 15:45:06 21/04/2008
Log path : C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\deep_scan\1208789106_1_02.xml

Scan Paths:
Path0000: C:\
Path0001: D:\

Scan Options:
Scan for viruses : Yes
Scan for adware : Yes
Scan for spyware : Yes
Scan for applications : Yes
Scan for dialers : Yes
Scan for rootkits : Yes

Target selection options:
Scan registry keys : Yes
Scan cookies : Yes
Scan boot sectors : Yes
Scan memory processes : Yes
Scan archives : Yes
Scan runtime packers : Yes
Scan emails : Yes
Scan all files : Yes
Heuristic Scan : Yes
Scanned extensions :
Excluded extensions :

Target Processing
Default action for infected objects : Disinfect
Default action for suspicious objects : None
Default action for hidden objects : None

Scan engines summary
Number of virus signatures : 1168829
Archive plugins : 41
Email plugins : 6
Scan plugins : 12
Archive plugins : 41
System plugins : 4
Unpack plugins : 7

Overall scan summary
Scanned items : 192701
Infected items : 2
Suspicious items : 0
Resolved items : 0
Individual viruses found : 1
Scanned directories : 4025
Scanned boot sectors : 5
Scanned archives : 5612
Input-output errors : 126
Scan time : 00:00:47:13
Files per second : 67

Scanned processes summary
Scanned : 52
Infected : 0

Scanned registry keys summary
Scanned : 358
Infected : 0

Scanned cookies summary
Scanned : 0
Infected : 0

Remaining issues:
Object Name | Threat Name | Final Status
C:\System Volume Information\_restore{E2C7BCB7-2948-4E38-AEAB-0C5FDDA561FB}\RP609\A0275250.exe=](RAR Sfx o)=]327882R2FWJFW\NirCmdC.cfexe | Spyware.Tool.Nircmd.A | Delete Failed (file was in an archive)
C:\System Volume Information\_restore{E2C7BCB7-2948-4E38-AEAB-0C5FDDA561FB}\RP609\A0275253.exe=](RAR Sfx o)=]327882R2FWJFW\NirCmdC.cfexe | Spyware.Tool.Nircmd.A | Delete Failed (file was in an archive)

Resolved issues:
Object Name | Threat Name | Final Status

Objects that were not scanned:
Object Name | Reason | Final Status

PCBruiser (SRT Team Lead, Forums Admin; joined May 11, 2005; 11714 posts) posted Mon Apr 21, 2008 6:02 pm:

Hi,

Panda. Two of those items are false positives and programs used by me to help clean your system. Both nircmd and pskill can be identified as undesirable because in the wrong context they can really do mischief. As to the other two, they are in your Restore Points. One thing we will do at the end is to clear all your restore points and create a new one - voila, all gone. The same comment applies to what BitDefender found, which are the same two in Restore Points that Panda saw. So, you need do nothing about them now.

The rest of your logs, except for one or two HJT items, are clean. Are you still experiencing the freezes? Can you attribute any particular action to the freezes? If not, I think we will need to test your RAM to see if that's the cause. Freezes and unexplained reboots without BSODs are often caused by failing RAM.


Kash3 (Private; joined Jan 17, 2008; 45 posts) posted Mon Apr 21, 2008 6:40 pm:

Hi,

No freezes today but I'm watching over this just in case.

It might be a good idea to check the RAM anyway to rule out the possibility. What would I need to do?

What comes next with regards to HJT?

Must say that with the help you're providing, it's opened my eyes to the various ways of cleaning up one's system and tracking potential problems.

Thanks.

PCBruiser (SRT Team Lead, Forums Admin; joined May 11, 2005; 11714 posts) posted Mon Apr 21, 2008 9:08 pm:

Hi,

Run HijackThis again, but this time choose Do a system scan only, that is the second option from the top in the HijackThis What would you like to do choices. After HijackThis completes the system scan, check the box immediately to the left of the following item(s):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/


Please be very careful, do NOT check any other boxes.

Next, click on Fix checked on the bottom left side of the HijackThis screen.

Next, reboot.

Testing memory. Go to http://www.memtest.org and download either the bootable CD or bootable floppy image of Memtest. If you download the floppy version, one of the items in the zip file formats and makes a bootable floppy for you. If you download the CD iso version, you will need to do an "image" burn. To burn an .iso file, you need to use something like Nero, and do an image burn. If you do a regular burn the CD won't work. Alternatively, you can grab a free .iso burner here:

http://isorecorder.alexfeinman.com/isorecorder.htm

Watch the versions, v1 is for doing the burn on an XP SP1 system, v2 for XP SP2. After you download the file, right click on it, and choose Install from the context menu. That will install the .iso burner. You may need to reboot.

After that, navigate to the .iso file, right click on it and there will be a new context menu item called something like "Copy file to CD". Use that, and it will correctly burn the .iso file for you.

Then boot from the bootable disk you just created. Run memtest for 8 hours or so unless you start to get errors. If you get errors, there is a problem with your RAM and you can exit out of memtest. Next, if you have errors and more than one stick of RAM, rerun Memtest one stick at a time. That will find which one is bad.


Kash3 (Private; joined Jan 17, 2008; 45 posts) posted Thu Apr 24, 2008 2:44 pm:

Hi,

I’ve done everything with regard to HJT. That worked fine.

I downloaded memtest: Memtest86+ V2.01 (21/02/2008), "Download - Pre-Compiled Bootable ISO (.zip)".

And the .ISO burner: ISORecorder V2 - for Windows XP SP2 and Windows 2003 (including 64-bit OS). Installed this and navigated to ISO Recorder.
Right clicked and had the option of “Copy Image to CD”.

This is what I get
Source Image file:
C:\Program Files\Alex Feinman\ISO Recorder.iso

Recorder
E: Blank Writable Non Usable (cannot use this media). Not sure why all disks are DVD+R RW. I tried different disks but kept getting the same message.

I’ve checked to see whether I downloaded the correct files (of Memtest and the ISO burner). As far as I’m aware I have. Anyway, 3 attempts made but the system crashed 3 times. No bootable CD created.

Am I doing something wrong? Is there any other way to check the memory?

Thanks.

PCBruiser (SRT Team Lead, Forums Admin; joined May 11, 2005; 11714 posts) posted Thu Apr 24, 2008 6:12 pm:

LOL, did you click on the memtest iso or did you click on the installer for the iso program? Your source was wrong. Go to the memtest iso file, and right click on that one. Choose Copy to CD (and they mean CD, not DVD). That's what you want to burn.

That burner does not burn to DVD stock, it only burns to CDs as far as I know. You should be able to erase the DVD RWs that you burned, so I don't think you have lost any of them.


Kash3 (Private; joined Jan 17, 2008; 45 posts) posted Thu Apr 24, 2008 6:38 pm:

Ahhh damn. I only have DVD RW (stacks of them).

Are there any alternative methods to test the memory?

Thanks.

PCBruiser (SRT Team Lead, Forums Admin; joined May 11, 2005; 11714 posts) posted Thu Apr 24, 2008 7:01 pm:

Do you have a floppy? There is a floppy version of memtest, and also one for a USB flash stick if you have one. If not, you might want to grab one, they are very cheap these days and are useful to have. You can probably get a 1GB one for $15 or less, particularly on sale if you don't have one.


Kash3 (Private; joined Jan 17, 2008; 45 posts) posted Thu Apr 24, 2008 7:31 pm:

No, unfortunately I don't have any floppies; in fact I can't remember the last time I used one. With regard to the USB flash stick, I don't have one of these either but can buy one. I wish things were as cheap in the UK as they are in the USA. It's scandalous over here.

Anyway, I'll try and get some CDs and/or a flash stick this weekend.

I'll go through the steps again when I have the particulars and let you know the results.

Thanks.

Kash3 (Private; joined Jan 17, 2008; 45 posts) posted Fri Apr 25, 2008 7:40 pm:

Hi,

Sorry about this,

A few things. I was running my weekly scans, in this case Aluria. It picked up something called Mirar. Tried to delete it but it wouldn't go away, as Spysweeper kept flashing up with (from what I can remember) "AW-nuclues" is trying to change your internet browser. Anyway, I switched SS off and was then able to quarantine Mirar.

I followed the registry key for the AW Nuclues to this:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

Here I found a large number of entries, including 007guard, adult links and a load more. I'm concerned about this. Is this the area where security s/w (such as SS, Aluria and Malwarebytes etc) keeps lists of items that should be blocked, or have I come across something other than that - malicious?


Secondly for
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

I found the following entries:

Value Name
Autodetect
IntranetName
ProxyByPass
UNCAsIntranet

All with REG_DWORD against the entry.

The Value Data for all of them was 0.

Are these entries malicious?

Last thing is that I found the following entry in my Run Box (Start, Run) http://www.myfreepaysite.com/auth.wmv

I don't know how it got into the Run box or even what this site is; it looks suspicious so I haven't clicked on it. Thing is, no matter how I try to delete the entry, it doesn't go away. Would you say that this is some sort of virus?

I was thinking that all the rubbish had been cleaned from my system and now I find all this...

What do you think?

Thanks.

PCBruiser (SRT Team Lead, Forums Admin; joined May 11, 2005; 11714 posts) posted Fri Apr 25, 2008 10:15 pm:

Hi,

1. Yes, that's where IE keeps sites that are trusted and restricted. You can actually see what is trusted and restricted, without opening the registry, by opening IE, go to Tools, then Internet Options, and click on the Security tab. You will see Trusted and Restricted sites. You should have few or none under Trusted sites, and that long list will be in Restricted sites.

2. Those entries are not malicious. "REG_DWORD" simply tells you the kind of data the key holds, and 0 is the data.

3. That is very strange about you seeing that item in your Run box. Please post a fresh HJT log for me to take a look at. Then download and unzip the small file I have attached to this post. Inside is a very tiny file called run.reg. Double click on it, you will get a warning, permit the merge, and then reboot. That will force clear your Run box history. Let's see if that comes back after we do that.




Attachment:
run.zip (222 Bytes, downloaded 15 times)


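A read-only PowerShell audit of the two registry areas the reply above discusses (the ZoneMap site-to-zone list from item 1 and the Run-box history from item 3), added here as an example; it is not from the thread or from any tool mentioned in it. It assumes PowerShell is available on the machine; the zone numbers and the RunMRU layout are the standard Windows ones, while the function names are mine.

```powershell
# Added example, not from the thread. Read-only: nothing in the registry is changed.
# Zone numbers used under Internet Settings\ZoneMap\Domains (Microsoft-documented):
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';    4 = 'Restricted sites' }

function Get-ZoneMapAudit {
    # HKCU holds the per-user list; HKLM is consulted when site-to-zone assignment
    # is enforced machine-wide (Security_HKLM_only / Group Policy).
    param([string[]]$Hives = @('HKCU', 'HKLM'))
    foreach ($hive in $Hives) {
        $base = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
        if (-not (Test-Path $base)) { continue }
        # Each domain is a key, subdomains are nested keys ('example.com\www'),
        # and each value maps a scheme ('*', 'http', 'https') to a zone number.
        Get-ChildItem -Path $base -Recurse | ForEach-Object {
            $key   = $_
            $parts = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8) -split '\\'
            [array]::Reverse($parts)                   # rebuild www.example.com
            $hostName = $parts -join '.'
            foreach ($scheme in $key.GetValueNames()) {
                $zone = $key.GetValue($scheme)
                $known = ($null -ne $zone) -and $ZoneNames.ContainsKey($zone)
                [pscustomobject]@{
                    Hive     = $hive
                    Host     = $hostName
                    Scheme   = if ($scheme) { $scheme } else { '(Default)' }
                    Zone     = $zone
                    ZoneName = if ($known) { $ZoneNames[$zone] } else { 'unknown' }
                    # Intranet and Trusted run with more privilege than Internet,
                    # so every entry there should have a known reason.
                    Elevated = ($zone -eq 1 -or $zone -eq 2)
                }
            }
        }
    }
}

function Get-RunBoxHistory {
    # Start > Run history lives in Explorer\RunMRU: values a, b, c ... hold the
    # typed commands (with a trailing '\1' marker); MRUList gives the order.
    $path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $path)) { return }
    $mru = Get-ItemProperty -Path $path
    if (-not $mru.MRUList) { return }
    foreach ($slot in $mru.MRUList.ToCharArray()) {
        $entry = $mru.PSObject.Properties[[string]$slot].Value
        [pscustomobject]@{ Slot = [string]$slot; Command = ($entry -replace '\\1$', '') }
    }
}

# A long Restricted-sites list (zone 4) is what anti-spyware "immunization" tools
# such as SpywareBlaster write; the Elevated rows are the ones worth a second look.
Get-ZoneMapAudit | Sort-Object Zone, Host | Format-Table -AutoSize
Get-ZoneMapAudit | Where-Object { $_.Elevated }
Get-RunBoxHistory
```

Running Get-RunBoxHistory before and after merging the attached run.reg shows whether the odd Run-box entry was only MRU history or is being re-created by something still on the system.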
Page 3 of 5