LandzDown Forum

Hi, Nash.  I don't know where they are coming from unless it is your son downloading files with the P2P programs.  I'm going to ask for another pair (or two) of eyes to take a look.  It could also be that something has been staring me in the face and I just haven't seen it. 

Hi Corrine, I dont know if your site was down yesterday but I could not get on at all, I tried the F-secure, it downloaded the online files, and when I wanted it to scan the system, it crashed, and my browser went down with it, so i tried again, and this time it worked on a shorter scan mode, i reported it to F-secure. Here is the log  :

Scanning Report
Saturday, January 10, 2009 00:46:30 - 11:23:02
Computer name: nash
Scanning type: Scan system for malware, rootkits
Target: C:\ G:\


--------------------------------------------------------------------------------

Result: 8 malware found
Client-IRC.Win32.mIRC (spyware)
System
TrackingCookie.Revsci (spyware)
System
TrackingCookie.Webtrends (spyware)
System
TrackingCookie.Xiti (spyware)
System
TrackingCookie.Zanox (spyware)
System
Trojan.Win32.Agent.bewa (virus)
C:\QOOBOX\QUARANTINE\C\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\IPDLL.DLL.VIR (Renamed & Submitted)
W32/Packed_FSG.D (virus)
C:\DOWNLOADS\SPYWARE DOCTOR 5.1.0.273 WITH ANTIVIRUS\KEYGEN\KEYGEN.EXE (Submitted)
mIRC/Gen_COM (virus)
C:\EXCURSION9.5\SYSTEM\REMOTES\EXS011.MRC (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 135048
System: 4599
Not scanned: 31
Actions:
Disinfected: 0
Renamed: 1
Deleted: 0
None: 7
Submitted: 3
Files not scanned:
C:\WINDOWS\TEMP\PERFLIB_PERFDATA_60C.DAT
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG
C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB
C:\QOOBOX\QUARANTINE\C\WINDOWS\NIRCMD.EXE.VIR.VIR
C:\DOCUMENTS AND SETTINGS\NORMAN\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\NORMAN\NTUSER.DAT.LOG
C:\DOCUMENTS AND SETTINGS\NORMAN\LOCAL SETTINGS\TEMP\JET3B08.TMP
C:\DOCUMENTS AND SETTINGS\NORMAN\LOCAL SETTINGS\TEMP\~DF772D.TMP
C:\DOCUMENTS AND SETTINGS\NORMAN\LOCAL SETTINGS\TEMP\~DF773F.TMP
C:\DOCUMENTS AND SETTINGS\NORMAN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\NORMAN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG
C:\DOCUMENTS AND SETTINGS\NORMAN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\CARDSPACE\CARDSPACE.DB
C:\DOCUMENTS AND SETTINGS\NORMAN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\CARDSPACE\CARDSPACE.DB.SHADOW
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT.LOG
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT.LOG
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.40.0
F-Secure Hydra: 2.8.8110, 2009-01-09
F-Secure AVP: 7.0.171, 2009-01-09
F-Secure Pegasus: 1.20.0, 2008-11-17
F-Secure Blacklight: 0.0.0
Scanning options:
Scan all files
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

Nash,

Put the above post to one side for a minute, I have just discovered that McAfee have updated their Avert Stinger tool and this version covers the infections I suspect that you are seeing. Stinger is easier to use than the Sophos tool as it can be run in the GUI. Download the tool from:
 
http://vil.nai.com/vil/stinger/

and save it to your desktop. Reboot the machine to "Safe Mode", disable system restore (details of how to do this are on the McAfee page) and run Stinger. Once it has run restart in Normal mode and let us know the results. See FAQ #2 on the McAfee page for details of how to save the logfile.

Well, dang it!  Just so you know, you're not alone, Nash.  I'm a bit tied up with some real life issues right now but the staff is consulting in the background.

Hi Eric and Corrine, the situation at the moment is , I can get on the web, but every now and then it locks and i have to reconnect, I can go to web pages from emails as well now. Avira has not found anything just lately, but then I have not been on much (a pets demise ).
I am keeping an eye on my web browsing and have Webroot running all the time scanning incoming and out going IPs also which ports are in use, so hopefully it is getting much better, thanks to you and the Landzdown Forum So i will keep monitering and if anything happens you will be the first to know, Thank you very much.

Hi, Nash. 

Please do the following to implement cleanup procedures an also to reset System Restore points:

Click Start > Run  and copy/paste the following bolded text into the Run box and click OK:  ComboFix /u



Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal.

Because your son appears to be using P2P software, a strong word of caution: 

P2P programs form a direct conduit on to your computer. They have always been a target of malware writers and are increasingly so of late. P2P security measures are easily circumvented and if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program. Use of P2P programs can result in Identity Theft.

Having a firewall, anti-virus and anti-malware software are not enough.  You also need to stay current with security updates.  If you don't have your computer set to automatically install the Microsoft Security Updates, please check for updates now.  For additional information, see my blog post Understanding Microsoft Updates

To check if your system is missing security updates or has insecure applications installed, visit http://secunia.com/software_inspector/ .  The Secunia Software Inspector runs through your browser with no installation or download required and does the following:

• Detects insecure versions of applications installed
• Verifies that all Microsoft patches are applied
• Assists you in updating your system and applications

Install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software: http://www.javacoolsoftware.com/spywareblaster.html

My favorite security software is WinPatrol which includes the features described at http://www.winpatrol.com/features.html

Please let me know if you have any questions.

Hi Corrine, I use the p2p to watch football (soccer) on the pc, the program is myp2p and i only go on it once a week if possible, the other program i use is packet news on Mirc, which i think could be the one that has a virus, as when i open it i get popups in the back ground and the pc tells me something is downloading behind the main screen. I have been on packet news for the last 4 years and it has always been clean.
I tried The Secunia Software Inspector but it stopped working, something about java applets, which I know that my Java is up to date, so maybe could be a problem there??
Apart from that everything seems to be working great, i ran Avira all night scanning and did not find anything, also Microsoft Malicious Software Removal Tool scanned and found nothing, but will put it on scan over night just in case.

Hi Corrine and Eric, have had probs with my server, my telephone line had a fault on it and my provider service help is based in India, so a few language problems for a start, also they said no problem with line for weeks, but i knew there was and now they have rectified it at long last.
So far No major problems ( touch wood), a few trojans have tried to get through but my defences are up and they are being kept at bay, also being very careful about what i download of the net as well.
Eric  my team is Chelsea, but we all have a cross to bare,