Thread: something awful

  1. #51
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Try this scan and post back with the results. F-Secure

  2. #52
    It seems ok in that regard, I really can't tell if there's anything overt going on. Kaspersky gets a warning periodically saying "network attack Intrusion.Win.MSSQL.worm.Helkern", but then says it might be a false proxy or something or other like that. It only shows up as 'detected' and doesn't prompt for any kind of action.

    I work swing shifts and unfortunately have to go to work now, I get off at nine mountain but I'll be here as soon as I get home...

    Phillip

  3. #53
    Kaspersky gets a warning periodically saying "network attack Intrusion.Win.MSSQL.worm.Helkern", but then says it might be a false proxy or something or other like that. It only shows up as 'detected' and doesn't prompt for any kind of action.
    Thought you were going to do away with Kaspersky because of its cost since this was a free trial? At least that is what you said in Post #20.

    Now here is the information concerning your alert and use of Zone Alarm too from Kaspersky as stated in the Kaspersky Forum

    It's probably a bot attack - just hitting all IPs within a certain range on port 1434 (Slammer worm). The log is saying that it's blocked basically so there is nothing you can do. Check again to make sure you are stealth from ZA free and that's about it. When using a 3rd party firewall like ZA you should disable the IDS (network protection) of KAV. Correct way to disable IDS:

    1) Click 'Settings' tab
    2) Click 'Configure Real-Time Protection'
    3) Click 'Network' tab
    4) Uncheck 'Enable real-time protection against network attacks'

  4. #54
    Cool, thanks for the info. I was gonna drop the Kaspersky when I do my reinstall (once I'm free and clean).

  5. #55
    when I do my reinstall (once i'm free and clean).
    Can I ask you again, if you end up free and clean why you will NEED to do a reinstall? I just am really curious as to why you feel this will be necessary. IF you feel it is necessary then don't go through all this clean up, just do a reformat and reinstall OF ALL DRIVES and all will be clean, without attempting all this cleaning.

  6. #56
    Here is the latest scan, sorry it took so long. I got the BSOD a few times, from Kaspersky. I just uninstalled it, ran the scan, and now I'm going to install avir.

    Scanning Report
    Tuesday, December 02, 2008 22:23:11 - 22:37:05

    Computer name: WATER909
    Scanning type: Scan system for malware, rootkits
    Target: C:\ E:\ F:\ H:\
    Result: 0 malware found
    Statistics
    Scanned:

    * Files: 16787
    * System: 2239
    * Not scanned: 6

    Actions:

    * Disinfected: 0
    * Renamed: 0
    * Deleted: 0
    * None: 0
    * Submitted: 0

    Files not scanned:

    * C:\PAGEFILE.SYS
    * C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
    * C:\WINDOWS\SYSTEM32\CONFIG\SAM
    * C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
    * C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
    * C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

    Options
    Scanning engines:

    * F-Secure USS: 2.40.0
    * F-Secure Hydra: 2.8.8110, 2008-12-03
    * F-Secure AVP: 7.0.171, 2008-12-02
    * F-Secure Pegasus: 1.20.0, 2008-10-25
    * F-Secure Blacklight: 2.4.1093

    Scanning options:

    * Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
    * Use Advanced heuristics

  7. #57
    Originally posted by jholland1964:
    Can I ask you again, if you end up free and clean why you will NEED to do a reinstall? I just am really curious as to why you feel this will be necessary. IF you feel it is necessary then don't go through all this clean up, just do a reformat and reinstall OF ALL DRIVES and all will be clean, without attempting all this cleaning.
    I can't wipe all of my hard drives because they are full of data, all of my computer files from over the years. Even if I were to back up that data somewhere else and wipe the drives, it could still reinfect me (if it's indeed infected).

    I want to do a clean install because
    a) this one is already a fresh install (from a few days before I came here seeking help)
    b) this install is funky from all the poking around I've done (mostly before I came here seeking help)
    c) creating a new nlite install is very easy

    Whether I keep this installation or reinstall Windows, I still need to make sure all of my data is clean.

  8. #58
    It seems to be running ok. It was getting a bit choked up, but uninstalling Kaspersky seems to have helped. It's very intrusive with pop ups from all different parts of your system, I might have blocked some internet pop ups due to recent extreme malware paranoia. I've been running scans here and there (MBAM, Kaspersky, updating SpywareBlaster, SUPERAntiSpyware) and nothing is found.

  9. #59
    Thanks for the clarification, Phil. Kaspersky, while basically a good program, does tend to "inform" quite often, which is one reason I didn't care for it several years ago when I tried it out. It is good to be informed but this program takes it a bit far at times I believe and yes, at times it can slow a system down.

    Now whether you finally decide to reinstall or not there are some things you must do regardless. In order to stay clean and to be clean for sure, to prevent re-installing malware etc, you will still need to perform the scans/cleaning on ALL the storage/media that you used prior to that first reinstallation because now we know for certain the computer WAS infected then and probably reinfected after the reinstall. You know there was some prior infection there at some time, you stated that in your very first post in this thread, and the Dr. Web-Curit found two items in system restore and also the Trojan-Hacktool.Tool.Prockill on "C" drive. The combofix logs showed the suspicious files in "C" drive and the jotti scans identified them and you cleaned them out with combofix. So there IS a chance that when you did the back ups you also backed up these infections to the storage media you used...disks you burned, the other hard drives maybe, whatever. So all of these items will have to be scanned and cleaned BEFORE they are reinstalled to re-create "clean" media regardless of the decision you make, otherwise you will end up with the very same infections that started all of this.
    You will also probably need to reinstall all of your applications; also, you will need those disks too. If you have programs you downloaded from the web, I personally would not reinstall those from the backups, I would download new copies to be safe.
    There are also some helpful steps you can take after a reinstall, OR just sticking with the clean system as it is now, different ways of configuring certain Windows services: disabling services that pose security risks, disabling services that are unnecessary to help keep the system clean, running fast, so you might want to create a new post in Operating Systems to discuss these steps.
    Judy

  10. #60
    Ok, here is what I have:
    It seems that infections were cleaned on each of the scans they were found in or during the steps taken afterwards.

    Every drive has been getting scanned each time I have run scanners that allow it, I even scanned my latest nlite cd multiple times.

    I also deleted every single file I've recently downloaded (mainly just XP components and drivers) and scoured my computer for any unnecessary program backups (installers). (all of this when we first started)

    Are there any more scans out there, or are the ones run so far sufficient? If so, then I'd say I'm clean
