We were blacklisted by CBL late last week. We scanned our machines with Stinger as suggested by their website and found nothing.

We requested relisting. Over the weekend the IP was blacklisted again.

After emailing CBL, they sent us a link to SecCheck.

A trojan virus was found on one of the workstations as indicated here...

http://sc.mynetwatchman.com/seccheck/SubmissionStatus.jsp?submissionID=b9edad74f1f3a98db6b8ecf036b674b2

Before cleaning the infected machine, are there recommendations as to the best program or method to use to ensure it is fixed properly. We have been relisted twice now and do not want to risk a more serious ban.

Thanks in advance for your prompt response.

Hi happyandhealthy,

Your workstation computer has a rootkit which is a program that can hide itself and other components from the OS and scanners. You may have thought it was clean but most likely the infection was hidden and still present.

I would suggest that this workstation not be used to download games or used for surfing the internet if it is a business computer. Many infections gain entry with help from the user. Make sure your machine is fully patched and that an updated antivirus and firewall is installed.

Please print out and perform the following directions. Then post back the logs that I have requested.

Please download ATF Cleaner by Atribune.

This program is for Windows 2K, XP, and Vista

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Uncheck any items that you do not want removed such as stored cookies
• Click the Empty Selected button.

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
• NOTE: If you would like to keep your saved passwords, please click
• No at the prompt.

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.

• Restart your computer
  
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
  
• Select the first option, to run Windows in Safe Mode, then press Enter.
  
• Choose your usual account.
  
• Locate the the folowing files and delete them. If you have any problems, try to rename them and then try to delete. them.
  • C:\info.exe
  • C:\32C.tmp
  • C:\WINDOWS\system32\7_exception.nls
  
  
• Open the extracted SDFix folder and double click RunThis.bat to start the script.
  
• Type Y to begin the cleanup process.
  
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  
• Press any Key and it will restart the PC.
  
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  
• Finally paste the contents of the Report.txt back in your next reply.

• Double-click SUPERAntiSpyware.exe and use the default settings for installation.
• An icon will be created on your desktop. Right-click that icon and select "Run as Administrator" to launch the SAS program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
• Under "Configuration and Preferences", click the Preferences button.
• Click the Scanning Control tab.
• Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen.
• Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan.
• Click "Next" to start the scan. Please be patient while it scans your computer.
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes".
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

_________________
Negster22 - MS MVP - Consumer Security 2006-2008