[Resolved] Need to get rid of Virtumonde and Win32.TDSS.rtk.


139 replies to this topic

#91 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)
Posted 17 March 2009 - 04:52 PM

newbe17, Kaspersky takes forever and is finicky but I think it's the best online scanner. Your scan will probably take at least 2 hours. Best bet is to start the scan before going to bed and then check it in the morning. If Kaspersky has a problem with your Java, it will just refuse to even try to run. If it started running, your Java should be OK. As far as it's worth, we've gotten everything I can see. The point in running it is to get what we haven't seen some other way. Avast and Mbam have taken care of everything they're going to. Looking back, it appears you are on dial-up? If tying up the phone line for hours is a hardship, we can take the risk that we got it all and move on with some closeout procedures.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014


#92 Neo (Silver Member, Guests, 374 posts)
Posted 17 March 2009 - 05:19 PM

Tomk, The Windows hosts file that mbam keeps finding and is not able to fully delete still hangnails me. I did a boot time scan with avast and, like you said, it came up clean; it's done all it's going to do. I don't recall ever uploading the c host file for an analysis. Have we done that yet? newbe17
Best Wishes,
Neo


#93 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)
Posted 17 March 2009 - 05:23 PM

newbe17, We haven't. Can you find it? If you can, go ahead and send it to Jotti per earlier instructions.

#94 Neo (Silver Member, Guests, 374 posts)
Posted 17 March 2009 - 06:02 PM

Tomk, there are 4 files in the folder C:\WINDOWS\hosts. I scanned each one separately; they all came back clean, except at the bottom of the page it showed different results, and that confused me. Either way, can I reach in, grab C:\WINDOWS\hosts and delete it from my pc and end all this? Seems to me like the best thing to do. newbe17


#95 Neo (Silver Member, Guests, 374 posts)
Posted 17 March 2009 - 06:13 PM

Tomk, I guess it's time to move on. Windows still won't boot up properly, but I can live with that. newbe17


#96 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)
Posted 17 March 2009 - 07:06 PM

newbe17, You can delete that file. I let your boot issue slip my mind. Give me a little time to work on it. If I can't come up with a solution by tomorrow, we will do a little closeout housekeeping and then send you over to the Tech Team.

#97 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)
Posted 17 March 2009 - 10:57 PM

newbe17,

Lets try to fix that by editing the Boot.ini file.

  • Right-click My Computer, and then click Properties.
  • On the Advanced tab, click Settings under Startup and Recovery.
  • Under System Startup, click Edit.

  • Make sure under Default operating system: it says Microsoft Windows XP Home Edition.
  • Select OK.

#98 Neo (Silver Member, Guests, 374 posts)
Posted 18 March 2009 - 10:36 AM

Tomk, Good morning :) I did as you asked; the running system is "Microsoft Windows XP Home Edition"/nonexecute=option/ Is it supposed to read like that? While browsing that box I noticed the edit button and clicked on it just to see what was inside, and I copied this:

[boot loader]
timeout=0
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

This computer still lags very badly. While you and I were at work on it a couple of days ago I was only able to download a small version of the Java platform; I could never get the version you told me to download. I spent all day yesterday and all night last night trying to get the version you told me to get. Finally, at about 7:30 this a.m. the download was completed. I went to install it, and it said it was not a valid Windows 32 application, which, if my understanding is correct, would mean that I simply didn't get a good download. newbe17
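As an added example (not code from this thread or from any of the tools mentioned in it), here is a small Python parser for a boot.ini like the one pasted above. It performs the check Tomk asked for in the previous post: the default in [boot loader] must name an entry in [operating systems], and that entry's label and switches are reported. The sample boot.ini is constructed from the pasted contents; the function names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: newbe17's pasted boot.ini, one directive per line.
SAMPLE_BOOT_INI = """[boot loader]
timeout=0
default=multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\\CMDCONS\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""


def parse_boot_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INI-style boot.ini into {section: {key: value}}.
    In [operating systems] the ARC path (or file path) is the key."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # new section header
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # stray text outside a section
        key, value = line.split("=", 1)   # split only on the first '='
        sections[current][key.strip()] = value.strip()
    return sections


def split_os_entry(value: str) -> Tuple[str, List[str]]:
    """'"Label" /a /b' -> ('Label', ['/a', '/b']); no quotes -> no switches."""
    m = re.match(r'"([^"]*)"\s*(.*)$', value)
    if not m:
        return value, []
    return m.group(1), m.group(2).split()


def list_entries(text: str) -> List[Tuple[str, str, List[str]]]:
    """All [operating systems] entries as (path, label, switches)."""
    ini = parse_boot_ini(text)
    return [(path,) + split_os_entry(val)
            for path, val in ini.get("operating systems", {}).items()]


def check_default_entry(text: str) -> dict:
    """Does [boot loader] default point at a real [operating systems] entry?
    Returns the resolved label and switches so a reviewer can eyeball them."""
    ini = parse_boot_ini(text)
    default = ini.get("boot loader", {}).get("default")
    entries = ini.get("operating systems", {})
    if default is None or default not in entries:
        return {"ok": False, "default": default, "label": None, "switches": []}
    label, switches = split_os_entry(entries[default])
    return {"ok": True, "default": default, "label": label, "switches": switches}


if __name__ == "__main__":
    print(check_default_entry(SAMPLE_BOOT_INI))
```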


#99 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)
Posted 18 March 2009 - 12:38 PM

newbe17,

That looks correct to me.

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, click Open and then click UPLOAD.


#100 Neo (Silver Member, Guests, 374 posts)
Posted 18 March 2009 - 05:50 PM

Tomk, Here are the files you requested, ty.

I fully updated my windows with the exception of the malicious virus removal tool. That seemed useless to me and even a bit silly because we aren't ever supposed to run more than one virus scanner on the same computer. newbe17

#101 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)
Posted 18 March 2009 - 06:38 PM

newbe17,

The malicious virus removal tool will not interfere with your anti-virus and is not worthless. Please update it.

However, I think it's time to send you over to the Tech Team and see if they can help you with your boot problem. We have exceeded my usefulness.

I suggest you post a question in the Windows Forum. Please provide a link there to this thread so that they will have access to your logs and they can see what you did here.

Log looks good :D


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • Note the space between the X and the U, it needs to be there.
The above procedure will:
  • Implement some cleanup procedures.
  • Reset System Restore.

Please re-enable any security that was disabled.

Download ToolsCleaner2 to your desktop and run it ( by de A.Rothstein & Dj Quiou )
  • Click the Pt. Restauration button and press OK to the prompts.
  • Click the Corbeille button and press OK to the prompt.
  • Click the Fichiers temp button and press OK to the prompt.
  • Click the Recherche button and let it run ( it may look like it freezes but let it continue )
  • Once it is done click the Suppression button and let it remove anything it finds.
  • Close the program


The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware"
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved. :thumbup:

#102 Neo (Silver Member, Guests, 374 posts)
Posted 18 March 2009 - 08:13 PM

Tomk, I understand all that you have noted above. I don't know how to thank you enough for all the time and effort you put into helping me, except to give back to someone else what was so freely given to me. Strange as it may sound, I'm going to miss working with you - fond memories of a bad situation ;) It is good to know that in this world we live in today there are still some really good people, Tom, and you are one of them. May you continue to let God bless you and guide your path. Thank you :) newbe17

P.S. I have the malicious tool downloaded but I did not install it, and now I can't find it to install it, lol. Could you please tell me where it is?


#103 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)
Posted 18 March 2009 - 09:58 PM

newbe17, It installs itself just like a windows update. Shouldn't be anything for you to do. You are very welcome. Glad to help. If you do join the classroom, I'll watch for you. Good Luck and be Well. :thumbup:

#104 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)
Posted 18 March 2009 - 10:38 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

#105 Neo (Silver Member, Guests, 374 posts)
Posted 19 March 2009 - 11:57 PM

Tomk, I'm baaaack :smack: Need to get rid of Virtumonde and Win32.TDSS.rtk. but I've done the preventive steps in the "preventing malware" article you supplied and have Online Armor installed and running. When I rebooted after installing the Online Armor firewall, Spybot Search and Destroy ran a boot scan all by itself :unsure: It found only 1 infection, the Virtumonde, and for the second time this evening, said it had fixed the problem. So, here I sit :wacko: newbe17