HELP!

The date is not correct because my friend didn't set his PC date to the correct date… but those are the viruses discovered these few days…
I finally ran a boot-time scan and found some trojans… with System Restore off… then I scanned his PC after logon with avast several times and found some adware on the 1st scan, then I found nothing on the 3rd and 4th scans… does that mean it's safe? I already installed a firewall on his PC (Sunbelt) and it blocks something, I don't know what it is… it just blocks it from accessing the internet… what can I do for the following steps? :o

You haven't disabled System Restore as Tech suggested before that last scan; that is what puts _restore points in C:\System Volume Information. This is because files (infected or otherwise) in system folders that are deleted have a restore point created so they can be restored if you made a mistake.

If, as you say, you have disabled System Restore, you should reboot; this will clear ALL _restore points. Once you have disabled System Restore, reboot, scan your PC again and, if clear, enable System Restore. However, in your case it is probably best to leave it off for the time being, as I doubt you are completely clear yet.

Having done a boot-time scan, you should repeat the scans with the anti-rootkit tools and then with AVG-AS, SuperAntiSpyware, Spyware Terminator (these from safe mode) and finally avast.

Oh… that scan was run before the System Restore…

The files I scanned after System Restore I will post later.

Sorry…

I mean, found after System Restore…

Disabling System Restore will delete the infected restore points left behind and avoid reinfection.
If you restore an infected point, your system will be infected again.
I suggest you follow the previous points 1, 2, 3…
http://forum.avast.com/index.php?topic=28630.msg234219#msg234219

Did you reboot after disabling System Restore? That is essential to clear the _restore points.

Yeah… I did the boot-time scan after disabling System Restore…

After that I scanned with CounterSpy and found a backdoor and I removed it… and some cookies… what are cookies? I also scanned with AVG Anti-Rootkit and found nothing… I think… the trojan that kept coming is already gone… I scanned his computer several times with avast and Dr.Web and found nothing… and now all the problem left is that there is something accessing the internet… and it is blocked by the firewall… I wonder what it is…
:wink:

Cookies generally are nothing to worry about, or are a low-level issue, as in theory they can track activity. They are used by web sites to basically store user information, like last visit, preferred settings, etc.

If it is blocked by the firewall, then what is the file name being blocked (check the firewall logs)?

When you find the file name, do a Windows search for it to find the location, and also a Google search on the file name.

Ooo… then I can take no action on the cookies… but the backdoor??? I heard that backdoors can steal private information, right?? How do I do a Windows search?? I'm not really good with computers… sorry…

I didn't say take no action, simply that they are generally classed as low risk; there are some who set their browser to delete all cookies on shutdown. The choice of when to delete cookies has to be with the user.

A Windows search: use the search icon in Windows Explorer, or the Windows Start button, then Search.

I assume, by the fact you are trying to find a file, that you have found out what it was trying to get out; this was also asking you to tell us what it was (and we can then help too)?

I haven't a clue if you have a backdoor or not; the fact that your firewall is blocking an attempt to get out might point to not having a backdoor, or that particular file isn't a backdoor. The whole idea of a backdoor is to bypass your firewall.

Thanks… I will give you the file name that is blocked by the firewall later… sorry for bothering you…

You're welcome, it isn't a bother.

The condition is getting bad… take a look at this…

/3/2007 2:38:21 PM SYSTEM 1684 Sign of “Win32:Small-FCC [Trj]” has been found in “C:\WINDOWS\system32\msccrt.dll[Petite]” file.
6/3/2007 2:38:21 PM SYSTEM 1684 Sign of “Win32:Small-FCC [Trj]” has been found in “C:\WINDOWS\system32\msccrt.dll[Petite]” file.
6/3/2007 2:58:20 PM SYSTEM 1804 Sign of “Win32:Cinmus-D [Adw]” has been found in “C:\WINDOWS\System32\winlib .dll” file.
6/3/2007 2:58:20 PM SYSTEM 1804 Sign of “Win32:Cinmus-D [Adw]” has been found in “C:\WINDOWS\system32\winlib .dll” file.
6/3/2007 2:59:51 PM SYSTEM 1804 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4T6789MV\7[1].exe” file.
6/3/2007 2:59:51 PM SYSTEM 1804 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\system32\7.exe” file.
6/3/2007 2:59:51 PM SYSTEM 1804 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\system32\7.exe” file.
6/3/2007 3:05:21 PM SYSTEM 1584 Sign of “Win32:Cinmus-D [Adw]” has been found in “C:\WINDOWS\System32\winlib .dll” file.
6/3/2007 3:05:22 PM SYSTEM 1584 Sign of “Win32:Cinmus-D [Adw]” has been found in “C:\WINDOWS\system32\winlib .dll” file.
6/3/2007 3:06:21 PM SYSTEM 1584 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\system32\7.exe” file.
6/3/2007 3:06:23 PM SYSTEM 1584 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\system32\7.exe” file.
6/3/2007 3:06:36 PM SYSTEM 1584 Sign of “Win32:Small-EKC [Trj]” has been found in “C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4T6789MV\10[1].exe[NsPack]” file.
6/3/2007 3:06:36 PM SYSTEM 1584 Sign of “Win32:Small-EKC [Trj]” has been found in “C:\WINDOWS\system32\10.exe[NsPack]” file.
6/3/2007 3:06:36 PM SYSTEM 1584 Sign of “Win32:Small-EKC [Trj]” has been found in “C:\WINDOWS\system32\10.exe[NsPack]” file.
6/3/2007 3:06:38 PM SYSTEM 1584 Sign of “Win32:Delf-EJU [Trj]” has been found in “C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4DA30LU7\11[1].exe[UPX]” file.
6/3/2007 3:06:38 PM SYSTEM 1584 Sign of “Win32:Delf-EJU [Trj]” has been found in “C:\WINDOWS\system32\11.exe[UPX]” file.
6/3/2007 3:06:38 PM SYSTEM 1584 Sign of “Win32:Delf-EJU [Trj]” has been found in “C:\WINDOWS\system32\11.exe[UPX]” file.
6/3/2007 3:07:04 PM SYSTEM 1584 Sign of “Win32:Lmir-MM [Trj]” has been found in “C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S1AR0TYN\qwetop[1].exe” file.
6/3/2007 3:07:04 PM SYSTEM 1584 Sign of “Win32:Lmir-MM [Trj]” has been found in “C:\WINDOWS\system32\qwetop.exe” file.
6/3/2007 3:07:04 PM SYSTEM 1584 Sign of “Win32:Lmir-MM [Trj]” has been found in “C:\WINDOWS\system32\qwetop.exe” file.
6/3/2007 3:40:24 PM Personal 5028 Sign of “Win32:Delf-EJU [Trj]” has been found in “C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4DA30LU7\11[1].exe[UPX]” file.
6/3/2007 3:40:32 PM Personal 5028 Sign of “Win32:Small-EKC [Trj]” has been found in “C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4T6789MV\10[1].exe[NsPack]” file.
6/3/2007 3:40:35 PM Personal 5028 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4T6789MV\7[1].exe” file.
6/3/2007 3:40:38 PM Personal 5028 Sign of “Win32:Lmir-MM [Trj]” has been found in “C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S1AR0TYN\qwetop[1].exe” file.
6/3/2007 3:48:44 PM Personal 5028 Sign of “Win32:Small-FCC [Trj]” has been found in “C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP1\A0000016.dll[Petite]” file.
6/3/2007 3:49:00 PM Personal 5028 Sign of “Win32:Small-FCC [Trj]” has been found in “C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP1\A0001039.dll[Petite]” file.
6/3/2007 3:49:20 PM Personal 5028 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP1\A0002036.exe” file.
6/3/2007 3:51:48 PM Personal 5028 Sign of “Win32:Small-EKC [Trj]” has been found in “C:\WINDOWS\system32\10.exe[NsPack]” file.
6/3/2007 3:52:02 PM Personal 5028 Sign of “Win32:Delf-EJU [Trj]” has been found in “C:\WINDOWS\system32\11.exe[UPX]” file.
6/3/2007 3:55:00 PM Personal 5028 Sign of “Win32:Lmir-MM [Trj]” has been found in “C:\WINDOWS\system32\qwetop.exe” file.
6/3/2007 4:36:11 PM SYSTEM 1596 Sign of “Win32:Cinmus-D [Adw]” has been found in “C:\WINDOWS\System32\winlib .dll” file.
6/3/2007 4:36:12 PM SYSTEM 1596 Sign of “Win32:Cinmus-D [Adw]” has been found in “C:\WINDOWS\system32\winlib .dll” file.
6/3/2007 4:38:02 PM SYSTEM 1596 Sign of “Win32:Lmir-MM [Trj]” has been found in “C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4T6789MV\qwetop[1].exe” file.
6/3/2007 4:38:02 PM SYSTEM 1596 Sign of “Win32:Lmir-MM [Trj]” has been found in “C:\WINDOWS\system32\qwetop.exe” file.
6/3/2007 4:38:02 PM SYSTEM 1596 Sign of “Win32:Lmir-MM [Trj]” has been found in “C:\WINDOWS\system32\qwetop.exe” file.
6/3/2007 4:38:42 PM SYSTEM 1596 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S1AR0TYN\7[1].exe” file.
6/3/2007 4:39:42 PM SYSTEM 1596 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\system32\7.exe” file.
6/3/2007 4:40:32 PM SYSTEM 1596 Sign of “Win32:Small-EKC [Trj]” has been found in “C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4T6789MV\10[1].exe[NsPack]” file.
6/3/2007 4:42:06 PM SYSTEM 1596 Sign of “Win32:Small-EKC [Trj]” has been found in “C:\WINDOWS\system32\10.exe[NsPack]” file.
6/3/2007 4:42:19 PM SYSTEM 1596 Sign of “Win32:Delf-EJU [Trj]” has been found in “C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4T6789MV\11[1].exe[UPX]” file.
6/3/2007 4:42:19 PM SYSTEM 1596 Sign of “Win32:Delf-EJU [Trj]” has been found in “C:\WINDOWS\system32\11.exe[UPX]” file.
6/3/2007 4:42:19 PM SYSTEM 1596 Sign of “Win32:Delf-EJU [Trj]” has been found in “C:\WINDOWS\system32\11.exe[UPX]” file.
6/3/2007 4:45:41 PM SYSTEM 1832 Sign of “Win32:Cinmus-D [Adw]” has been found in “C:\WINDOWS\System32\winlib .dll” file.
6/3/2007 4:45:41 PM SYSTEM 1832 Sign of “Win32:Cinmus-D [Adw]” has been found in “C:\WINDOWS\system32\winlib .dll” file.
6/3/2007 4:47:12 PM SYSTEM 1832 Sign of “Win32:Lmir-MM [Trj]” has been found in “C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4T6789MV\qwetop[1].exe” file.
6/3/2007 4:47:12 PM SYSTEM 1832 Sign of “Win32:Lmir-MM [Trj]” has been found in “C:\WINDOWS\system32\qwetop.exe” file.
6/3/2007 4:47:12 PM SYSTEM 1832 Sign of “Win32:Lmir-MM [Trj]” has been found in “C:\WINDOWS\system32\qwetop.exe” file.
6/3/2007 4:48:01 PM SYSTEM 1832 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4T6789MV\7[1].exe” file.

The firewall I installed has been disabled.
I don't know why…

What have I done…???

Help…
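As an added example (not code from this thread, from avast or from any of the tools named in it), the following Python script parses a constructed copy of a few of the log lines above and pulls out the two things the earlier replies keep pointing at: the same signature appearing once in the IE download cache and again as a dropped copy in system32 (the download-then-drop pattern of a dropper), and copies still sitting under a _restore point, which is exactly why the advice was to disable System Restore and reboot before scanning. The log line layout, the bracketed packer suffix (e.g. `[UPX]`) and the folder classification are assumptions taken from the lines as posted; the sample lines are trimmed copies, not a new log.

```python
import re

# Constructed sample: lines copied in the format of the avast log posted
# above (same detections and paths, trimmed to one or two per family).
# This is illustrative data for the parser, not a fresh log.
SAMPLE_LOG = r"""
6/3/2007 2:38:21 PM SYSTEM 1684 Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll[Petite]" file.
6/3/2007 2:59:51 PM SYSTEM 1804 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4T6789MV\7[1].exe" file.
6/3/2007 2:59:51 PM SYSTEM 1804 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\system32\7.exe" file.
6/3/2007 3:06:38 PM SYSTEM 1584 Sign of "Win32:Delf-EJU [Trj]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4DA30LU7\11[1].exe[UPX]" file.
6/3/2007 3:06:38 PM SYSTEM 1584 Sign of "Win32:Delf-EJU [Trj]" has been found in "C:\WINDOWS\system32\11.exe[UPX]" file.
6/3/2007 3:48:44 PM Personal 5028 Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP1\A0000016.dll[Petite]" file.
6/3/2007 4:36:11 PM SYSTEM 1596 Sign of "Win32:Cinmus-D [Adw]" has been found in "C:\WINDOWS\System32\winlib .dll" file.
"""

# One avast log line: date, time, task name, PID, signature, path (assumed
# layout). Quotes may be straight or typographic depending on how the log
# was pasted, so both are accepted.
LINE_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\d+:\d+:\d+ [AP]M) (?P<task>\S+) (?P<pid>\d+) '
    r'Sign of [“"](?P<sig>[^”"]+)[”"] has been found in [“"](?P<path>[^”"]+)[”"] file\.$'
)
# avast appends the packer it unpacked in brackets after the extension,
# e.g. 11.exe[UPX]. IE cache names like 7[1].exe put the bracket before
# the extension, so this pattern does not touch them.
PACKER_RE = re.compile(r'^(?P<path>.*\.\w+)\[(?P<packer>\w+)\]$')


def classify(path):
    """Which of the three locations that matter for this thread a path is in."""
    low = path.lower()
    if "\\_restore{" in low or "\\system volume information\\" in low:
        return "restore_point"   # survives until System Restore is cleared
    if "\\temporary internet files\\" in low:
        return "ie_cache"        # the downloaded copy
    if "\\windows\\system32\\" in low:
        return "system32"        # the copy the dropper wrote into the system
    return "other"


def parse_log(text):
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or truncated lines rather than guess
        path, packer = m.group("path"), None
        pm = PACKER_RE.match(path)
        if pm:
            path, packer = pm.group("path"), pm.group("packer")
        events.append({
            "time": f'{m.group("date")} {m.group("time")}',
            "task": m.group("task"),
            "sig": m.group("sig"),
            "path": path,
            "file": path.rsplit("\\", 1)[-1],
            "packer": packer,
            "location": classify(path),
        })
    return events


def cache_name_to_dropped_name(name):
    """IE stores a download called 7.exe as 7[1].exe; strip the [n]."""
    return re.sub(r'\[\d+\](?=\.\w+$)', '', name)


def summarize(text):
    """Per signature: files seen per location, cache/system32 name pairs
    (download-then-drop), and whether a copy still sits in a restore point."""
    by_sig = {}
    for ev in parse_log(text):
        locs = by_sig.setdefault(ev["sig"], {})
        locs.setdefault(ev["location"], set()).add(ev["file"])
    report = {}
    for sig, locs in by_sig.items():
        cache = locs.get("ie_cache", set())
        sys32 = {f.lower() for f in locs.get("system32", set())}
        pairs = sorted(
            (c, cache_name_to_dropped_name(c))
            for c in cache
            if cache_name_to_dropped_name(c).lower() in sys32
        )
        report[sig] = {
            "locations": {k: sorted(v) for k, v in locs.items()},
            "dropped_pairs": pairs,
            "dropper_pair": bool(pairs),
            "in_restore_point": "restore_point" in locs,
        }
    return report


if __name__ == "__main__":
    for sig, info in summarize(SAMPLE_LOG).items():
        flags = []
        if info["dropper_pair"]:
            flags.append("downloaded and dropped into system32")
        if info["in_restore_point"]:
            flags.append("still present in a restore point")
        print(f'{sig}: {", ".join(flags) or "single location"}')
```

Run against the full log the poster pasted, the `in_restore_point` flag on Win32:Small-FCC and Win32:Trojan-gen is the quickest way to confirm that System Restore had not in fact been cleared, and the `dropped_pairs` entries (7[1].exe to 7.exe, 10[1].exe to 10.exe, 11[1].exe to 11.exe, qwetop[1].exe to qwetop.exe) are the dropper behaviour the next reply names.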

You have the Delf dropper trojan.

Download ComboFix from Here or Here to your Desktop.

- Double-click combofix.exe and follow the prompts.
- When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

How can I identify the trojan you mentioned??

Win32:Delf-EJU
as reported by avast.

If you download and run ComboFix, we can start removing it.

OK… thanks…

Can ComboFix remove other trojans?

Yes, it will also target Virtumonde, WareOut, plus others.