forka Posted November 27, 2008
Hi, I just got SAS and ran my first scan because I knew I was infected. My previous AntiSpyware couldn't get rid of it, but SAS detected a bunch of stuff and I quarantined all of it. However, some of my apps won't start now, or there'd be a warning saying that the registry was not found in the expected state or something. The registry was in fact disabled by something (not sure if it was by SAS or by the malware), but I have enabled it after the clean-up. Still having issues though. I'm wondering if there's anyone in the support team or otherwise that can review my log and tell me if some of the files that were quarantined are benign. For example "System32.exe" got quarantined, though to me it sounds like a legit file... I'm on Vista. Thanks
siliconman01 Posted November 27, 2008
I feel sure that if you post your SAS scan log and specifically state what issues you are having, you will get support from SAS and also forum users. BTW, System32.exe is malicious. http://www.bleepingcomputer.com/startups/system32.exe-1.html
forka Posted November 27, 2008
Thank you for the response. I just wasn't sure if this was the right place to post logs. Here it is below. I simply want to verify if this is all bad stuff I can remove permanently or some of it got there by mistake. I can't run QuickBooks right now. And I get a warning when launching Illustrator CS3 that the registry was not found in the expected state, but at least the app seems to run. This may very well have to do with something else. But since I just did this clean-up and started having issues, I figured something might have interfered.
++++++++++++++++++
SUPERAntiSpyware Scan Log
https://www.superantispyware.com
Generated 11/26/2008 at 00:58 AM
Application Version : 4.22.1014
Core Rules Database Version : 3653
Trace Rules Database Version: 1635
Scan type : Complete Scan
Total Scan Time : 01:13:03
Memory items scanned : 309
Memory threats detected : 1
Registry items scanned : 5851
Registry threats detected : 11
File items scanned : 53624
File threats detected : 20

Trojan.Dropper/Gen
C:\USERS\ANNA\APPDATA\LOCAL\TEMP\WINLOGGN.EXE
C:\USERS\ANNA\APPDATA\LOCAL\TEMP\WINLOGGN.EXE [xsjfn83jkemfofght]
C:\USERS\ANNA\APPDATA\LOCAL\TEMP\WINLOGGN.EXE [xsjfn83jkemfofght]
C:\USERS\ANNA\APPDATA\LOCAL\TEMP\WINLOGGN.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D5BF49A2-94F1-42BD-F434-3604812C807D}
HKCR\CLSID\{D5BF49A2-94F1-42BD-F434-3604812C807D}
HKCR\CLSID\{D5BF49A2-94F1-42BD-F434-3604812C807D}
HKCR\CLSID\{D5BF49A2-94F1-42BD-F434-3604812C807D}#ThreadingModel
HKCR\CLSID\{D5BF49A2-94F1-42BD-F434-3604812C807D}\InProcServer32
HKCR\CLSID\{D5BF49A2-94F1-42BD-F434-3604812C807D}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSWOW64\JHSRF832JBNEFE.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{D5BF49A2-94F1-42BD-F434-3604812C807D}
HKU\S-1-5-21-1117240473-2580913285-1194660769-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D5BF49A2-94F1-42BD-F434-3604812C807D}
C:\USERS\ANNA\APPDATA\LOCAL\TEMP\LOW\3301011664.EXE
C:\USERS\ANNA\APPDATA\LOCAL\TEMP\LOW\3330700048.EXE
C:\USERS\ANNA\APPDATA\LOCAL\TEMP\UPDATER.EXE
C:\Windows\Prefetch\3330700048.EXE-D66E40A2.pf
C:\Windows\Prefetch\UPDATER.EXE-1072ACC9.pf

Trojan.Csrssc/Systemc-B [Jnskdfmf9eldfd]
C:\USERS\ANNA\APPDATA\LOCAL\TEMP\CSRSSC.EXE
C:\USERS\ANNA\APPDATA\LOCAL\TEMP\CSRSSC.EXE
C:\USERS\ANNA\APPDATA\LOCAL\TEMP\LOW\CSRSSC.EXE
C:\Windows\Prefetch\CSRSSC.EXE-A5EE2DF3.pf
C:\Windows\Prefetch\CSRSSC.EXE-D1572C55.pf

Trojan.DNSChanger-Codec
C:\Users\anna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\homeview
C:\Users\anna\Start Menu\Programs\homeview

Trojan.SystemDriver
C:\COMBOFIX\CREG.DAT

Trojan.Dropper/Gen-Stub
C:\USERS\ANNA\APPDATA\LOCAL\TEMP\CODEC.EXE
C:\USERS\ANNA\APPDATA\LOCAL\TEMP\IS162815.EXE

Trojan.Zlob/Media-Codec
C:\USERS\ANNA\APPDATA\LOCAL\TEMP\MEDIACODEC.EXE

Trojan.BotNet/Dropper
C:\USERS\ANNA\APPDATA\LOCAL\TEMP\TMP51A9.TMP

Trojan.Unclassified/GadCom
C:\USERS\ANNA\APPDATA\ROAMING\GADCOM\GADCOM.EXE

Trojan.System32
C:\WINDOWS\SYSTEM32.EXE
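As an added example (not part of this thread), a small Python triage script that reads a log in the layout forka posted, groups each detection under its threat family and separates registry keys from binaries dropped in user-writable directories; the sample excerpt is constructed from a few of the paths in the log above.

```python
import re

# Constructed excerpt in the layout of the SUPERAntiSpyware log posted above:
# a threat family on its own line, then the files and registry keys it matched.
SAMPLE_LOG = """SUPERAntiSpyware Scan Log
Registry threats detected : 11
File threats detected : 20

Trojan.Dropper/Gen
C:\\USERS\\ANNA\\APPDATA\\LOCAL\\TEMP\\WINLOGGN.EXE
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{D5BF49A2-94F1-42BD-F434-3604812C807D}
C:\\WINDOWS\\SYSWOW64\\JHSRF832JBNEFE.DLL

Trojan.System32
C:\\WINDOWS\\SYSTEM32.EXE
"""

FAMILY_RE = re.compile(r"^[A-Za-z]+\.[^\\:]+$")                    # e.g. Trojan.Dropper/Gen
DETECTION_RE = re.compile(r"^(?:[A-Za-z]:\\|HK(?:LM|CU|CR|U)\\)")  # file path or registry key
# Directories no normal Windows component runs from; a hit here is a dropped binary.
USER_WRITABLE = ("\\APPDATA\\LOCAL\\TEMP\\", "\\APPDATA\\ROAMING\\")

def parse_sas_log(text):
    # Returns (counters, families): summary counts and threat name -> list of detections.
    counters, families, current = {}, {}, "(no family header)"
    for line in map(str.strip, text.splitlines()):
        if not line:
            continue
        if "threats detected :" in line:            # e.g. "File threats detected : 20"
            key, _, val = line.partition(":")
            counters[key.strip()] = int(val)
        elif DETECTION_RE.match(line):
            families.setdefault(current, []).append(line)
        elif FAMILY_RE.match(line):
            current = line
            families.setdefault(current, [])
    return counters, families

def triage(families):
    # Buckets detections: registry keys, binaries in user-writable dirs, everything else.
    report = {"registry": [], "user_writable": [], "system_dirs": []}
    for family, items in families.items():
        for item in items:
            upper = item.upper()
            if upper.startswith("HK"):
                report["registry"].append((family, item))
            elif any(d in upper for d in USER_WRITABLE):
                report["user_writable"].append((family, item))
            else:
                report["system_dirs"].append((family, item))
    return report
```

Items landing in the "system_dirs" bucket (here the SYSWOW64 DLL and C:\WINDOWS\SYSTEM32.EXE, a file masquerading as a system directory name) are the ones worth a second look before deciding whether a quarantine was a false positive.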
siliconman01 Posted November 27, 2008
I do not see anything in your SAS scan log that is incorrectly fixed by SAS. All the quarantined items appear to be legitimate removals. Have you rebooted your computer following these removals to see if that corrects the QuickBooks issue?
forka Posted November 27, 2008
Thanks for reviewing the log and confirming it. I did do a reboot and even reinstalled the program a couple of times, but it simply refuses to behave as it did. It would start loading and crash just as the splash screen comes on. Unfortunately I don't get any helpful errors either, just the standard "program stopped working". I know the program worked just before I got the virus (I had used it on the morning of that day). So I'm thinking either the virus or SAS changed something that was important to it. Incidentally Windows also had to install updates the same night, so lots of factors came in at once. I tried uninstalling those updates, but it didn't make a difference. I imagine this will be hard to track now. I've tried various searches on Google and people do report similar issues with those programs, but in completely different scenarios that don't necessarily involve malware. Anyhow, I wanted to rule out the quarantined items, which I did now. So I'll have to dig into something to resolve the crashing. cheers
siliconman01 Posted November 27, 2008
Have you considered a System Restore using a restore point just prior to when you became infected? That might set things back to normal for you.
forka Posted November 27, 2008
I actually did, but a little too late it seems. When I went into it there were only 7 restore points, which were all after the fact. When I tried uninstalling the new Windows updates and installing them again, it created new restore points for each, overwriting everything prior. I guess I didn't have enough disk space to keep more. Unless there is a way to retrieve earlier points?
Lagerx Posted November 27, 2008
http://www.softpedia.com/get/Security/S ... Tool.shtml
Try to repair the registry and so on with this tool.
forka Posted November 27, 2008
Hey, thanks. I ran that software. Seems it helped with the Illustrator registry warning, but no change for QuickBooks.
Lagerx Posted November 27, 2008
I'm not sure if it helps, but download CCleaner from www.ccleaner.com. Install it (be careful when installing) and then run it. Go to Registry and scan for errors. Now, when the scan is done, save a backup (it will ask for it) and fix the registry. After reboot, try to run QB again.
forka Posted November 27, 2008
Still no go. In the "Event Viewer" this is the error that appears:
______________
Faulting application qbw32.exe, version 17.0.4001.1077, time stamp 0x4746a34b, faulting module MSVCR80.dll, version 8.0.50727.1434, time stamp 0x4757746d, exception code 0xc000000d, fault offset 0x00047780, process id 0x13d4, application start time 0x01c950c2d1884cd0.
______________
I tried to do a search on it but found no clear solutions...