[Resolved] jdstart.exe showed up, now there are problems


  • This topic is locked
16 replies to this topic

#1 GBS

    Authentic Member

  • 36 posts

Posted 06 November 2009 - 11:17 AM

Thanks in advance. This has always been an endlessly fantastic resource!

Not sure what I did because I'm usually careful and very virus-free. I think a trial version of some audio software was the culprit.

Regardless, my browser will steer away from common help sites, (like this one!) and I get warnings and odd errors from XP, as well as from Zone Alarm (which notified me of this "jdstart.exe" file--which I did NOT allow to access the trusted zone). Computer will not hibernate.

AVG hasn't caught anything yet, but I'm currently scanning.

I disabled Zone Alarm and AVG by exiting both from the tray before running DDS.

Here's the info:

ROOTREPEAL

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/06 12:00
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8302000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xB9D02000 Size: 81920 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c69fc0

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c66c80

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c81170

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c6a580

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c7e900

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c7eb10

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c82b10

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c6a670

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c67210

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c819f0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c817a0

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c7e280

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c81f10

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c81f90

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c67070

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c80180

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c7ff40

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c826f0

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c82150

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c69be0

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c82540

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c6a190

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c67440

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c814e0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c7f200

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8c7f080

==EOF==


DDS

DDS (Ver_09-06-26.01) - NTFSx86
Run by Shrews at 11:56:21.34 on Fri 11/06/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2038.1247 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Internet\xampp\apache\bin\httpd.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
D:\Internet\xampp\apache\bin\httpd.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
D:\Internet\xampp\mysql\bin\mysqld.exe
D:\System\Norton\Agent\VProSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wuauclt.exe
D:\System\Norton\Agent\GhostTray.exe
D:\Internet\skype\MorEmoticons\MorEmoticons.exe
C:\Documents and Settings\Shrews\Local Settings\Temp\JDstart.exe
D:\Internet\Mozilla_Firefox\firefox.exe
D:\Internet\avg\avgwdsvc.exe
D:\Internet\avg\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Shrews\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0071211
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0071211
uSearch Bar =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\internet\avg\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7CE67716-5803-4FB7-B344-0C7A17F93B5D} - No File
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - d:\text\acrobat_6_prof\acrobat\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\text\acrobat_6_prof\acrobat\AcroIEFavClient.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\text\acrobat_6_prof\acrobat\AcroIEFavClient.dll
uRun: [MorEmoticons] d:\internet\skype\moremoticons\MorEmoticons.exe /Minimize
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [<NO NAME>]
mRun: [AVG8_TRAY] d:\internet\avg\avgtray.exe
mRun: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "c:\program files\mediafour\macdrive 7\MacDrive.exe"
mRun: [MDGetStarted.exe] "c:\program files\mediafour\macdrive 7\MDGetStarted.exe" /auto
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Norton Ghost 10.0] "d:\system\norton\agent\GhostTray.exe"
mRun: [ZoneAlarm Client] "d:\internet\zonealarm\zonealarm\zlclient.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x092f -f video -m logitech -d 11.70.1193.0
StartupFolder: c:\docume~1\shrews\startm~1\programs\startup\window~1.lnk - c:\documents and settings\shrews\local settings\temp\JDstart.exe
IE: Download all with Free Download Manager - file://d:\internet\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://d:\internet\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://d:\internet\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://d:\internet\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - d:\micros~1\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\micros~1\office11\REFIEBAR.DLL
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\internet\avg\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: fccaBQJC - fccaBQJC.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {7CE67716-5803-4FB7-B344-0C7A17F93B5D} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shrews\applic~1\mozilla\firefox\profiles\ma0zn774.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.newperspectivefilms.org
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - component: d:\internet\avg\firefox\components\avgssff.dll
FF - component: d:\internet\free download manager\firefox\extension\components\vmsfdmff.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: d:\internet\mozilla_firefox\plugins\NPZoneSB.dll
FF - plugin: d:\players\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\players\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\players\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\players\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\players\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\players\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\players\quicktime\plugins\npqtplugin7.dll
FF - HiddenExtension: Java Console: No Registry Reference - d:\internet\mozilla_firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2007-9-5 277888]
R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.sys [2007-2-28 19072]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-28 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-28 27784]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-10-20 353672]
R2 Apache2.2;Apache2.2;d:\internet\xampp\apache\bin\httpd.exe [2008-12-9 24636]
R2 avg8wd;AVG8 WatchDog;d:\internet\avg\avgwdsvc.exe [2009-8-17 297752]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-13 198256]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-13 165488]
R2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\drivers\datunidr.sys [2007-8-23 5376]
R2 MacDriveService;MacDriveService;c:\program files\mediafour\macdrive 7\MacDriveService.exe [2007-5-1 143360]
S2 LicCtrlService;LicCtrl Service;rundll32.exe c:\windows\mmfs.dll,service --> rundll32.exe c:\windows\mmfs.dll,Service [?]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 .paros08;.paros08; [x]
S3 aawservice;Lavasoft Ad-Aware Service;d:\internet\adaware\aawservice.exe [2008-5-12 611664]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-13 79472]
S3 gupdate1c93d85b83e6994;Google Update Service (gupdate1c93d85b83e6994);c:\program files\google\update\GoogleUpdate.exe [2008-11-3 133104]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-4-19 99200]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2009-3-7 29824]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2009-3-7 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2009-3-7 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2009-3-7 59776]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2009-5-9 822424]

=============== Created Last 30 ================

2009-11-06 11:05 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-11-06 11:05 <DIR> --d----- c:\program files\Skype
2009-11-05 23:08 <DIR> --d----- c:\program files\Skype(2)
2009-11-05 22:44 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-11-04 12:39 <DIR> a-d----- C:\gamma

==================== Find3M ====================

2009-11-02 22:37 175,104 a------- c:\windows\system32\RemoteControl.dll
2009-08-17 12:30 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-01-19 19:16 57,344 a------- c:\docume~1\shrews\applic~1\GDIPFONTCACHEV1.DAT
2008-03-23 21:51 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-05-03 04:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 05:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2007-12-17 07:43 27,648 ---sh--- c:\windows\system32\Smab0.dll

============= FINISH: 11:57:59.22 ===============

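The DDS report above is read by eye in this thread (a process launched from the user's Temp folder, a Startup-folder shortcut pointing at the same file, hidden+system DLLs in system32). As an added example that is not the forum's own tooling, the Python script below applies those same checks mechanically to a DDS-style log. The section-header, attribute-string and path layouts it parses are assumptions modelled on the report in this post, and the sample lines it runs on are constructed (shortened copies of lines in that report), not a full log.

```python
"""Triage helper for DDS-style logs (added example, not the forum's tool).

Splits a DDS report into its '=== name ===' sections and applies three
rules an analyst normally applies by eye: anything launched from a Temp
folder, autorun entries whose target file is missing ('No File'), and
files under system32 carrying both the system and hidden attributes.
"""
import re

# Layout assumptions about DDS output, modelled on the report above.
SECTION_HEADER = re.compile(r"^=+\s*(?P<name>[^=].*?)\s*=+$")
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)
FILE_LINE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+|<DIR>)\s+"
    r"(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$",
    re.IGNORECASE,
)

# Constructed sample: a handful of lines in the layout of the DDS report
# posted above (not a complete log).
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Documents and Settings\Shrews\Local Settings\Temp\JDstart.exe

============== Pseudo HJT Report ===============

BHO: {7CE67716-5803-4FB7-B344-0C7A17F93B5D} - No File
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\shrews\startm~1\programs\startup\window~1.lnk - c:\documents and settings\shrews\local settings\temp\JDstart.exe
Notify: avgrsstarter - avgrsstx.dll

==================== Find3M ====================

2009-08-17 12:30 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-11-05 22:44 56 a---h--- c:\windows\system32\ezsidmv.dat
2006-05-03 04:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-12-17 07:43 27,648 ---sh--- c:\windows\system32\Smab0.dll
"""


def split_sections(text):
    """Map each '=== name ===' header to the non-empty lines under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_HEADER.match(line)
        if header:
            current = header.group("name")
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def is_hidden_system_in_system32(line):
    """True for a file line whose attribute string has 's' and 'h' and whose path is under system32."""
    m = FILE_LINE.match(line)
    if not m:
        return False
    attrs = m.group("attrs").lower()
    return "s" in attrs and "h" in attrs and "system32" in m.group("path").lower()


def triage(text):
    """Return (rule, line) findings for an analyst to review by hand."""
    findings = []
    sections = split_sections(text)
    for line in sections.get("Running Processes", []):
        if TEMP_PATH.search(line):
            findings.append(("process running from a Temp folder", line))
    for line in sections.get("Pseudo HJT Report", []):
        if TEMP_PATH.search(line):
            findings.append(("autorun target in a Temp folder", line))
        if line.endswith("- No File"):
            findings.append(("autorun entry whose file is missing", line))
    for name in ("Created Last 30", "Find3M"):
        for line in sections.get(name, []):
            if is_hidden_system_in_system32(line):
                findings.append(("hidden+system file in system32", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

The rules are deliberately conservative: they surface lines for a human to judge rather than declare anything malicious, since a Temp-folder process can be a legitimate installer and a hidden system DLL can belong to a vendor tool. Run it against a full DDS log by reading the file into `triage()`.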


#2 oldman960

    Forum God

  • Classroom Teacher
  • 14,755 posts

Posted 09 November 2009 - 12:38 AM

Hi, welcome to the forum.


To make cleaning this machine easier
  • Please do not uninstall/install any programs unless asked to
    It is more difficult when files/programs are appearing in/disappearing from the logs.
  • Please do not run any scans other than those requested
  • Please follow all instructions in the order posted
  • All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word Wrap if it is checked.
  • Do not attach any logs/reports, etc. unless specifically requested to do so.
  • If you have problems with or do not understand the instructions, please ask before continuing.
  • Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

which notified me of this "jdstart.exe" file--which I did NOT allow to access the trusted zone

Good, keep it blocked.

Please read through these instructions to familiarize yourself with what to expect when this tool runs


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.

Thanks

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Threads will be closed if no response after 5 days.

#3 GBS

    Authentic Member

  • 36 posts

Posted 09 November 2009 - 01:44 PM

Hi. Thanks for your help! The logs I posted in my original post were per the "Welcome New Members" section. I apologize if I misunderstood the directions. That said, ComboFix.exe results in the following error: ...\Desktop\ComboFix.exe is not a valid Win32 application. Please advise. Thanks again! -- GBS

#4 oldman960

    Forum God

  • Classroom Teacher
  • 14,755 posts

Posted 09 November 2009 - 01:57 PM

Hi

No, you did it correctly; the logs give me a starting point.

Try this instead.

Delete the copy of ComboFix from your desktop and download a new one with these instructions.

Please read through the instructions to familiarize yourself with what to expect when the tool runs.

It is vitally important that ComboFix is renamed before it even starts to download


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    -Tools->Options->Main tab
    -Set to "Always ask me where to Save the files".
  • During the download, before you save it to your desktop, rename Combofix to jgh.com

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

  • Double click on ComboFix.exe (renamed to jgh.com) & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with
  • combofix log
How is the computer?

Thanks


#5 GBS

    Authentic Member

  • 36 posts

Posted 09 November 2009 - 02:44 PM

I wasn't sure whether to attach or post the log. Instinct says post...so here it is: (The "problems" have been intermittent and small, so it'll take a few hours to see if they pop back up)

ComboFix 09-11-08.03 - Shrews 11/09/2009 15:16.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2038.1480 [GMT -5:00]
Running from: c:\documents and settings\Shrews\Desktop\jgh.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\AutoRun.inf
c:\windows\system32\lsprst7.dll
c:\windows\system32\ssprs.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :P
.
((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))
.
2009-11-09 20:12 . 2003-12-20 01:48 89184 ----a-w- c:\windows\system32\drivers\imagedrv.sys
2009-11-09 20:12 . 2007-05-09 02:22 277784 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-11-06 16:44 . 2009-11-06 16:44 -------- d-----w- c:\program files\ERUNT
2009-11-06 16:13 . 2009-10-21 12:51 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-11-06 16:05 . 2009-11-06 16:05 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-06 16:05 . 2009-11-06 16:05 -------- d-----w- c:\program files\Common Files\Skype
2009-11-06 16:05 . 2009-11-06 16:05 -------- d-----w- c:\program files\Skype
2009-11-06 04:08 . 2009-11-06 16:04 -------- d-----w- c:\program files\Skype(2)
2009-11-06 03:44 . 2009-11-06 03:44 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-04 17:39 . 2009-11-04 17:39 -------- d---a-w- C:\gamma
2009-11-03 03:22 . 2009-11-06 18:51 53760 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\zlib.dll
2009-11-03 03:22 . 2009-11-06 18:51 442880 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\sound\SystemMP3SoundPlugin.dll
2009-11-03 03:22 . 2009-11-06 18:51 1605632 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\sound\VorbisOGGSoundPlugin.dll
2009-11-03 03:22 . 2009-11-06 18:51 5440760 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\PamelaPCR.exe
2009-11-03 03:22 . 2009-11-06 18:51 1496064 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\lng.dll
2009-11-03 03:22 . 2009-11-06 18:51 630272 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\CrashRpt.dll
2009-11-03 03:22 . 2009-11-06 18:51 489984 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\dbghelp.dll
2009-11-03 03:22 . 2009-11-06 18:51 1138688 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\libeay32.dll
2009-10-17 12:52 . 2009-10-17 12:52 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-08 03:23 . 2009-01-05 15:00 3964619 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-11-08 01:12 . 2008-10-21 02:55 -------- d-----w- c:\documents and settings\Shrews\Application Data\Skype
2009-11-07 01:01 . 2009-11-07 04:36 2147840 ----a-w- c:\windows\Internet Logs\xDB1D.tmp
2009-11-06 21:06 . 2008-10-21 02:55 -------- d-----w- c:\documents and settings\Shrews\Application Data\skypePM
2009-11-06 16:05 . 2008-03-24 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-11-06 06:26 . 2009-06-03 23:41 -------- d-----w- c:\documents and settings\Shrews\Application Data\Pamela
2009-11-03 04:39 . 2008-10-21 02:55 -------- d-----w- c:\documents and settings\Shrews\Application Data\uTorrent
2009-11-03 03:44 . 2009-11-03 03:46 2143232 ----a-w- c:\windows\Internet Logs\xDB1C.tmp
2009-11-03 03:37 . 2009-06-03 23:40 175104 ----a-w- c:\windows\system32\RemoteControl.dll
2009-09-24 18:16 . 2008-10-15 19:29 -------- d-----w- c:\program files\FriendBlasterPro
2009-09-24 15:22 . 2008-05-28 05:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-24 15:20 . 2009-09-24 15:22 2097152 ----a-w- c:\windows\Internet Logs\xDB1B.tmp
2009-09-24 15:20 . 2009-09-24 15:22 2678784 ----a-w- c:\windows\Internet Logs\xDB1A.tmp
2009-09-08 22:10 . 2009-09-08 22:10 1025 ----a-w- c:\windows\system32\clauth2.dll
2009-09-08 22:10 . 2009-09-08 22:10 1025 ----a-w- c:\windows\system32\clauth1.dll
2009-09-08 22:10 . 2009-09-08 22:10 1025 ----a-w- c:\windows\system32\sysprs7.dll
2009-09-08 21:28 . 2008-10-21 02:06 99360 ----a-w- c:\documents and settings\Shrews\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 17:15 . 2009-08-22 17:16 2673664 ----a-w- c:\windows\Internet Logs\xDB18.tmp
2009-08-22 17:15 . 2009-08-22 17:16 2074112 ----a-w- c:\windows\Internet Logs\xDB19.tmp
2009-08-18 04:56 . 2009-08-18 04:56 2723328 ----a-w- c:\windows\Internet Logs\xDB16.tmp
2009-08-18 04:56 . 2009-08-18 04:56 2069504 ----a-w- c:\windows\Internet Logs\xDB17.tmp
2009-08-17 17:30 . 2008-05-28 05:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-17 17:30 . 2008-05-28 05:26 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-17 17:30 . 2008-05-28 05:26 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2008-04-17 05:41 . 2008-04-17 05:38 24 --sh--w- c:\windows\SDA93FE72.tmp
2006-05-03 09:06 . 2008-06-28 20:08 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2008-06-28 20:08 31232 --sh--r- c:\windows\system32\msfDX.dll
2007-12-17 12:43 . 2008-06-28 20:08 27648 --sh--w- c:\windows\system32\Smab0.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 138008]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-05-09 1392640]
"AVG8_TRAY"="d:\internet\avg\avgtray.exe" [2009-11-03 2028312]
"{B179023B-6238-4499-8F26-CD73E9D90E0A}"="c:\program files\Mediafour\MacDrive 7\MacDrive.exe" [2007-07-12 179288]
"MDGetStarted.exe"="c:\program files\Mediafour\MacDrive 7\MDGetStarted.exe" [2007-06-13 139264]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Norton Ghost 10.0"="d:\system\Norton\Agent\GhostTray.exe" [2005-09-09 1537648]
"ZoneAlarm Client"="d:\internet\ZoneAlarm\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-06-06 405504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2008-02-01 439568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-17 17:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Shrews^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Shrews\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"d:\\Internet\\avg\\avgupd.exe"=
"d:\\Internet\\utorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [9/5/2007 3:01 PM 277888]
R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.sys [2/28/2007 11:15 AM 19072]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/28/2008 12:26 AM 335240]
R2 Apache2.2;Apache2.2;d:\internet\xampp\apache\bin\httpd.exe [12/9/2008 6:10 PM 24636]
R2 avg8wd;AVG8 WatchDog;d:\internet\avg\avgwdsvc.exe [8/17/2009 12:29 PM 297752]
R2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\drivers\datunidr.sys [8/23/2007 7:29 PM 5376]
R2 MacDriveService;MacDriveService;c:\program files\Mediafour\MacDrive 7\MacDriveService.exe [5/1/2007 2:55 PM 143360]
S2 LicCtrlService;LicCtrl Service;rundll32.exe c:\windows\mmfs.dll,Service --> rundll32.exe c:\windows\mmfs.dll,Service [?]
S3 .paros08;.paros08; [x]
S3 gupdate1c93d85b83e6994;Google Update Service (gupdate1c93d85b83e6994);c:\program files\Google\Update\GoogleUpdate.exe [11/3/2008 2:26 AM 133104]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [4/19/2007 12:09 PM 99200]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [3/7/2009 6:35 PM 29824]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [3/7/2009 6:35 PM 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [3/7/2009 6:35 PM 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [3/7/2009 6:35 PM 59776]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder 2009-11-09 c:\windows\Tasks\GoogleUpdateTaskMachine.job - c:\program files\Google\Update\GoogleUpdate.exe [2008-11-03 07:26] . . ------- Supplementary Scan ------- . uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0071211 IE: Download all with Free Download Manager - file://d:\internet\Free Download Manager\dlall.htm IE: Download selected with Free Download Manager - file://d:\internet\Free Download Manager\dlselected.htm IE: Download video with Free Download Manager - file://d:\internet\Free Download Manager\dlfvideo.htm IE: Download with Free Download Manager - file://d:\internet\Free Download Manager\dllink.htm IE: E&xport to Microsoft Excel - d:\micros~1\OFFICE11\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Shrews\Application Data\Mozilla\Firefox\Profiles\ma0zn774.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.newperspectivefilms.org FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll FF - component: d:\internet\avg\Firefox\components\avgssff.dll FF - component: d:\internet\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll FF - plugin: d:\internet\Mozilla_Firefox\plugins\NPZoneSB.dll FF - plugin: d:\players\quicktime\Plugins\npqtplugin.dll FF - plugin: d:\players\quicktime\Plugins\npqtplugin2.dll FF - plugin: d:\players\quicktime\Plugins\npqtplugin3.dll FF - plugin: d:\players\quicktime\Plugins\npqtplugin4.dll FF - plugin: d:\players\quicktime\Plugins\npqtplugin5.dll FF - plugin: d:\players\quicktime\Plugins\npqtplugin6.dll FF - plugin: d:\players\quicktime\Plugins\npqtplugin7.dll . - - - - ORPHANS REMOVED - - - - ShellIconOverlayIdentifiers-MacDrive Volume Icons - (no file) Notify-fccaBQJC - fccaBQJC.dll ************************************************************************** scanning hidden processes ... scanning hidden autostart entries ... 
scanning hidden files ... scan completed successfully hidden files: ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version] "Version"=hex:07,4a,74,5f,2f,65,dd,6d,63,27,54,5f,a2,52,1b,6f,cc,f0,99,a5,ff, 22,38,3e,cb,b2,b2,06,f9,5d,e9,d3,3b,18,af,fe,b7,ed,fe,e4,50,a5,e9,cf,b1,0d,\ [HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version] "Version"=hex:07,4a,74,5f,2f,65,dd,6d,63,27,54,5f,a2,52,1b,6f,cc,f0,99,a5,ff, 22,38,3e,cb,b2,b2,06,f9,5d,e9,d3,3b,18,af,fe,b7,ed,fe,e4,50,a5,e9,cf,b1,0d,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(992) c:\windows\System32\BCMLogon.dll . Completion time: 2009-11-09 15:27 ComboFix-quarantined-files.txt 2009-11-09 20:26 Pre-Run: 3,128,320,000 bytes free Post-Run: 3,150,401,536 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect - - End Of File - - 06D0099484CEF250AD2CE1F462028799

#6 GBS
Authentic Member, 36 posts

Posted 09 November 2009 - 02:46 PM

Quick note: The computer will hibernate, so that's definitely a start!!

#7 oldman960
Forum God, Classroom Teacher, 14,755 posts

Posted 09 November 2009 - 06:19 PM

Hi GBS,

Well that does seem like progress.

I see some Symantec (Norton) still installed. Is this a program that you no longer use?

Download and save to your desktop Malwarebytes Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please post back with the MBAM log and an answer regarding Norton.

Thanks

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Threads will be closed if no response after 5 days.

#8 GBS
Authentic Member, 36 posts

Posted 09 November 2009 - 06:49 PM

The Norton in question is probably Ghost, which I used for backup at one time. I haven't used it in a while, but have not uninstalled it since I plan to do another round of backup soon.

MBAM said "No infections found"; here is the log:

Malwarebytes' Anti-Malware 1.41
Database version: 3137
Windows 5.1.2600 Service Pack 2

11/9/2009 7:45:22 PM
mbam-log-2009-11-09 (19-45-22).txt

Scan type: Quick Scan
Objects scanned: 109660
Time elapsed: 5 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 oldman960
Forum God, Classroom Teacher, 14,755 posts

Posted 09 November 2009 - 07:56 PM

Hi GBS,

I saw Ghost, but also saw these

LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)



Your java is out of date
If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content.
  • Select the platform (Windows, in your case), multi language.
  • Accept the license agreement, click continue.
You do not have to install the Java Web Start ActiveX Control
  • Scroll down and click on Windows Offline Installation,
  • Save the file jre-6u17-windows-i586-p.exe to your desktop;
Do not select Run . Do not install it yet.

When the download is complete, close your browser.

Open Control Panel > Add/Remove Programs and uninstall

Java™ 6 Update 7

Do not uninstall Java TM 6 Update 17 if found! :yeah:

Reboot your computer.

  • Double-click on the saved file ( jre-6u17-windows-i586-p.exe) to install the update.
  • Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

Next, clear the java cache

To clear the Java Plug-in cache:
  • Click Start > Control Panel.
  • Double-click the Java icon in the control panel.
  • On the General tab, Click Settings under Temporary Internet Files.
  • On the Temporary Files Settings screen, Click Delete Files.
  • check all boxes
  • Click OK

One more scan to check our work.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions.
  • You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Change the Files of type to Text file (.txt)
  • Set the Save In to Desktop
  • click the Save button.
  • Please post this log in your next reply.

Please post back with
  • Kaspersky log
  • new DDS log, just the DDS.txt this time.
Any problems?

Thanks


#10 GBS
Authentic Member, 36 posts

Posted 09 November 2009 - 08:25 PM

LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)

I am unaware of what these could be. Unless they are part of Ghost, I would say that they are leftovers from software that was installed when I bought the laptop. To my knowledge, I have never used them.


Scroll down to "Java Runtime Environment (JRE) 6 Update 16

The site only lists Update 17, but I assume this is correct, as Update 17 is indicated in your suggested file name, however...


Save the file jre-6u17-windows-i586-p.exe to your desktop

The file name given on the Java site for offline install is actually jre-6u17-windows-i586.exe (no "-p")

I will go ahead and download the Update 17 as indicated in bold type above, but I will not run it until I receive confirmation that it is the correct Update.

Thanks!

GBS


#11 oldman960
Forum God, Classroom Teacher, 14,755 posts

Posted 09 November 2009 - 11:36 PM

Hi GBS,

Looks like I missed one when I edited the canned to reflect the newer version. I would say Sun has also changed their naming scheme. You have the right one. Go ahead and install it.

Thanks


#12 GBS
Authentic Member, 36 posts

Posted 10 November 2009 - 07:31 AM

Hi,

So everything went well. However, Kaspersky was taking a long time so I went to bed while it was running. When I woke up, my browser was closed and the computer was on Standby (as an effect of the power-saving scheme). Is the log stored locally, or will I need to run it again?

Also, the Symantec in question looks like it was installed w/ Ghost, but I still don't use it.

Thanks a lot!
GBS

#13 GBS
Authentic Member, 36 posts

Posted 10 November 2009 - 02:14 PM

I went ahead and re-ran Kaspersky.

Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, November 10, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, November 10, 2009 11:57:53
Records in database: 3187525
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
Y:\

Scan statistics:
Objects scanned: 178353
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 05:04:33


File name / Threat / Threats count
C:\Documents and Settings\Shrews\Desktop\viry\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.y 1
D:\outlook\data\archive2.pst Infected: Email-Worm.VBS.Gedza 1

Selected area has been scanned.

DDS log:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Shrews at 15:06:51.62 on Tue 11/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2038.827 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
D:\Internet\xampp\apache\bin\httpd.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
D:\Internet\java\bin\jqs.exe
D:\Internet\xampp\apache\bin\httpd.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
D:\Internet\xampp\mysql\bin\mysqld.exe
D:\System\Norton\Agent\VProSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\System\Norton\Agent\GhostTray.exe
D:\Internet\java\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Internet\Mozilla_Firefox\firefox.exe
D:\Internet\java\bin\java.exe
C:\Program Files\Skype\Phone\Skype.exe
D:\Internet\PandoraFox\SProxy\SProxy.exe
D:\Internet\PandoraFox\firefox.exe
D:\Internet\avg\avgrsx.exe
D:\Internet\avg\avgwdsvc.exe
D:\Internet\avg\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
D:\Microsoft Office\OFFICE11\OUTLOOK.EXE
D:\System\nero\Nero\nero.exe
C:\Documents and Settings\Shrews\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0071211
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\internet\avg\avgssie.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - d:\text\acrobat_6_prof\acrobat\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\internet\java\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\internet\java\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\text\acrobat_6_prof\acrobat\AcroIEFavClient.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [AVG8_TRAY] d:\internet\avg\avgtray.exe
mRun: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "c:\program files\mediafour\macdrive 7\MacDrive.exe"
mRun: [MDGetStarted.exe] "c:\program files\mediafour\macdrive 7\MDGetStarted.exe" /auto
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Norton Ghost 10.0] "d:\system\norton\agent\GhostTray.exe"
mRun: [ZoneAlarm Client] "d:\internet\zonealarm\zonealarm\zlclient.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "d:\internet\java\bin\jusched.exe"
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x092f -f video -m logitech -d 11.70.1193.0
IE: Download all with Free Download Manager - file://d:\internet\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://d:\internet\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://d:\internet\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://d:\internet\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - d:\micros~1\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\micros~1\office11\REFIEBAR.DLL
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\internet\avg\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shrews\applic~1\mozilla\firefox\profiles\ma0zn774.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.newperspectivefilms.org
FF - component: c:\program files\google\google gears\firefox\lib\ff30\gears.dll
FF - component: d:\internet\avg\firefox\components\avgssff.dll
FF - component: d:\internet\free download manager\firefox\extension\components\vmsfdmff.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: d:\internet\java\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\internet\java\bin\new_plugin\npjp2.dll
FF - plugin: d:\internet\mozilla_firefox\plugins\NPZoneSB.dll
FF - plugin: d:\players\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\players\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\players\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\players\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\players\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\players\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\players\quicktime\plugins\npqtplugin7.dll
FF - HiddenExtension: Java Console: No Registry Reference - d:\internet\mozilla_firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2007-9-5 277888]
R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.sys [2007-2-28 19072]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-28 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-28 27784]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-10-20 353672]
R2 Apache2.2;Apache2.2;d:\internet\xampp\apache\bin\httpd.exe [2008-12-9 24636]
R2 avg8wd;AVG8 WatchDog;d:\internet\avg\avgwdsvc.exe [2009-8-17 297752]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-13 198256]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-13 165488]
R2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\drivers\datunidr.sys [2007-8-23 5376]
R2 MacDriveService;MacDriveService;c:\program files\mediafour\macdrive 7\MacDriveService.exe [2007-5-1 143360]
R3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2009-5-9 822424]
S2 gupdate1c93d85b83e6994;Google Update Service (gupdate1c93d85b83e6994);c:\program files\google\update\GoogleUpdate.exe [2008-11-3 133104]
S2 LicCtrlService;LicCtrl Service;rundll32.exe c:\windows\mmfs.dll,service --> rundll32.exe c:\windows\mmfs.dll,Service [?]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 .paros08;.paros08; [x]
S3 aawservice;Lavasoft Ad-Aware Service;d:\internet\adaware\aawservice.exe [2008-5-12 611664]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-13 79472]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-4-19 99200]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2009-3-7 29824]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2009-3-7 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2009-3-7 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2009-3-7 59776]

=============== Created Last 30 ================

2009-11-10 13:10 3,250 a------- c:\windows\system32\wbem\Outlook_01ca62310c54c1e2.mof
2009-11-10 03:03 <DIR> --d----- c:\windows\ServicePackFiles
2009-11-09 22:29 283,648 -------- c:\windows\system32\dllcache\pdh.dll
2009-11-09 22:29 399,360 -------- c:\windows\system32\dllcache\rpcss.dll
2009-11-09 22:29 60,416 -------- c:\windows\system32\dllcache\colbact.dll
2009-11-09 22:29 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-11-09 22:29 473,088 -------- c:\windows\system32\dllcache\fastprox.dll
2009-11-09 22:29 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-11-09 22:29 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-11-09 22:29 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-11-09 22:29 616,960 -------- c:\windows\system32\dllcache\advapi32.dll
2009-11-09 22:29 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-11-09 22:28 153,088 -------- c:\windows\system32\dllcache\triedit.dll
2009-11-09 22:27 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-11-09 22:21 655,872 -------- c:\windows\system32\dllcache\mstscax.dll
2009-11-09 22:20 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-11-09 21:43 411,368 a------- c:\windows\system32\deploytk.dll
2009-11-09 21:43 73,728 a------- c:\windows\system32\javacpl.cpl
2009-11-09 19:37 <DIR> --d----- c:\docume~1\shrews\applic~1\Malwarebytes
2009-11-09 19:37 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-09 19:37 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-11-09 19:37 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-11-09 19:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-09 15:12 89,184 a------- c:\windows\system32\drivers\imagedrv.sys
2009-11-09 15:12 277,784 a------- c:\windows\system32\drivers\iaStor.sys
2009-11-09 15:07 267,264 a------- c:\windows\PEV.exe
2009-11-09 15:07 161,792 a------- c:\windows\SWREG.exe
2009-11-09 15:07 98,816 a------- c:\windows\sed.exe
2009-11-09 15:07 77,312 a------- c:\windows\MBR.exe
2009-11-06 11:05 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-11-06 11:05 <DIR> --d----- c:\program files\Skype
2009-11-05 23:08 <DIR> --d----- c:\program files\Skype(2)
2009-11-05 22:44 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-11-04 12:39 <DIR> a-d----- C:\gamma

==================== Find3M ====================

2009-11-02 22:37 175,104 a------- c:\windows\system32\RemoteControl.dll
2009-09-11 09:33 133,632 a------- c:\windows\system32\msv1_0.dll
2009-09-11 09:33 133,632 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 15:45 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-04 15:45 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 05:28 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 05:28 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 00:18 634,648 -------- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 00:18 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 03:16 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 03:16 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-08-17 12:30 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-13 10:16 512,000 a------- c:\windows\system32\dllcache\jscript.dll
2009-01-19 19:16 57,344 a------- c:\docume~1\shrews\applic~1\GDIPFONTCACHEV1.DAT
2008-03-23 21:51 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-05-03 04:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 05:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2007-12-17 07:43 27,648 ---sh--- c:\windows\system32\Smab0.dll

============= FINISH: 15:07:39.43 ===============

I see Kaspersky found some problems. Let me know the next move. Thanks!
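The DDS log above lists every service and driver in one fixed shape (`state name;display;image [date size]`), and the interesting rows are the ones whose bracket is not a date and size: `.paros08 [x]` and the two `[?]` entries. Reading those by eye across a long log is error-prone, so the following is an added triage script (not part of the original post, not a DDS or What the Tech tool) that parses lines in that shape and flags the ones a helper would look at first. It assumes, from how the log reads, that `[x]` means the image file was not found and `[?]` means DDS could not verify the image (both assumptions about DDS notation), and the sample lines are constructed to match the posted log rather than copied from a live machine.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in DDS "SERVICES / DRIVERS" shape (illustrative, not a live capture).
SAMPLE_DDS_LINES = r"""
R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2007-9-5 277888]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-10-20 353672]
R2 Apache2.2;Apache2.2;d:\internet\xampp\apache\bin\httpd.exe [2008-12-9 24636]
S2 LicCtrlService;LicCtrl Service;rundll32.exe c:\windows\mmfs.dll,service --> rundll32.exe c:\windows\mmfs.dll,Service [?]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 .paros08;.paros08; [x]
"""

# state (R0..R3 running, S0..S4 stopped), service name, display name, image/command,
# then the trailing bracket: "date size", "?" or "x".
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<tag>[^\]]*)\]\s*$"
)


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    path: str
    tag: str
    date: Optional[str] = None
    size: Optional[int] = None
    findings: List[str] = field(default_factory=list)


def parse_tag(tag: str) -> Tuple[Optional[str], Optional[int]]:
    """Split '2007-9-5 277888' into (date, size); '?' and 'x' carry neither."""
    parts = tag.split()
    if len(parts) == 2 and parts[1].isdigit():
        return parts[0], int(parts[1])
    return None, None


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Parse every line that matches the DDS service/driver shape; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, size = parse_tag(m.group("tag"))
        entries.append(ServiceEntry(date=date, size=size, **m.groupdict()))
    return entries


def triage(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Attach a finding to each entry worth a second look and return only those."""
    for e in entries:
        if e.tag == "x":
            # Assumption: [x] = image file missing, i.e. an orphaned service entry.
            e.findings.append("image file missing: orphaned service entry")
        elif e.tag == "?":
            # Assumption: [?] = DDS could not verify the image (command line with
            # arguments), so the file has to be checked by hand.
            e.findings.append("image not verified by DDS: inspect the file manually")
        if "rundll32" in e.path.lower():
            # The real code is the DLL handed to rundll32, not rundll32.exe itself.
            e.findings.append("runs through rundll32: the DLL is what to examine")
    return [e for e in entries if e.findings]


def report(text: str) -> str:
    """One line per flagged entry, for pasting back into a thread like this one."""
    lines = []
    for e in triage(parse_dds_services(text)):
        lines.append(f"{e.state} {e.name}: {e.path or '(no image)'} -> {'; '.join(e.findings)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DDS_LINES))
```

Run it on a DDS.txt by reading the file into `report()`; lines outside the services section simply fail the regex and are ignored, so the whole log can be fed in unchanged.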

#14 oldman960
Forum God, Classroom Teacher, 14,755 posts

Posted 10 November 2009 - 07:22 PM

Hi GBS,

Nothing serious in the Kaspersky scan. One file is already quarantined and will be removed as part of the tools' cleanup. The other is an e-mail. We can't use a tool as it might corrupt the account. I can't tell you the name of the e-mail, but it is located in D:\outlook\data\archive2. I suggest you remove any old e-mails; e-mails with attachments are the usual culprit.

If no other problems, we can clean up our tools.

From your desktop, please delete
  • any notepads/logs that we created
  • RootRepeal.exe
  • DDS.scr

Next

Click the Start button, click Run. Copy and paste the following line into the run box and click OK
Combofix /uninstall


I suggest you keep MBAM. Keep it updated and use it regularly.


Updates and upgrades

You have an older version of Adobe Reader. You can download the current version HERE

You may want to consider Foxit Reader instead. It may be a bit lighter on resources.

Visit their support forum
Foxit Forum

In either case you should uninstall Adobe Reader 8.1.3 first. Be sure to move any PDF documents to another folder first though.


Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. With the addition of MBAM you have them all.

You should also use Spyware Blaster to help immunize your computer.

- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

OR

A guide to understanding and using the hosts file.

Learn how your Hosts file can protect you and how you can protect it.
Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
HOSTS

Please read the info on disabling the DNS Client before installing a custom hosts file.


-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
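The steps above are set by hand in the Internet Options dialog. The script below is an added example, not part of oldman960's post, that audits the same Internet-zone settings from the registry so you can confirm the changes took effect (and optionally re-apply them with -Fix). It assumes the per-user zone key path and the numeric action IDs from the documented Internet Settings zone layout (0 = Enable, 1 = Prompt, 3 = Disable); those IDs are not stated in the post.

```powershell
# Added example (not from the original post): audit the Internet-zone
# settings the steps above change, reading them straight from the registry.
# Assumptions: the per-user zone key path and the numeric action IDs below
# come from the documented Internet Settings zone layout, not from the post.
# Action values: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # Zone 3 = Internet

$Recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 }  # Prompt
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 }  # Disable
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }  # Disable
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Want = 1 }  # Prompt
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 }  # Prompt
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Want = 1 }  # Prompt
)

$ActionName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-InternetZoneAudit {
    [CmdletBinding()]
    param([switch]$Fix)   # -Fix writes the recommended value wherever it differs

    if (-not (Test-Path $ZoneKey)) { throw "Zone key not found: $ZoneKey" }
    $props = Get-ItemProperty -Path $ZoneKey

    foreach ($s in $Recommended) {
        $current = $props.($s.Id)          # $null if the value has never been written
        $ok = ($current -eq $s.Want)
        if (-not $ok -and $Fix) {
            Set-ItemProperty -Path $ZoneKey -Name $s.Id -Value $s.Want -Type DWord
            $current = $s.Want
            $ok = $true
        }
        # Translate the raw action number into the label shown in the dialog
        if ($null -eq $current) { $label = '(not set)' }
        else {
            $label = $ActionName[[int]$current]
            if (-not $label) { $label = "raw value $current" }
        }
        [pscustomobject]@{
            Setting     = $s.Name
            ValueId     = $s.Id
            Current     = $label
            Recommended = $ActionName[$s.Want]
            Compliant   = $ok
        }
    }
}

# Report only; add -Fix to apply the recommended values for the current user.
Get-InternetZoneAudit | Format-Table -AutoSize
```

Run it once after finishing the dialog steps: every row should show Compliant = True. A value that reads "(not set)" means the zone is still using the built-in default for that setting, which is not necessarily the recommended one, so treat it as non-compliant until the dialog (or -Fix) has written it.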


- Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis


- Ensure that Automatic Update is turned on so you get all the latest patches.
Click start, control panel, click Security Center.


- Keep your antivirus program updated, as well as any other security programs you have.


-Check this site out to check for out of date programs
Secunia Personal Software Inspector (PSI) 1.0


-More tips and programs can be found HERE


- You may also want to read this article By Tony Klein
http://www.freedomli...pic.php?t=22879

We will keep this thread open for a couple of days. Please post back if you have any problems or questions. Please post back when you have finished so this thread can be marked "Resolved".

Take care :adios:

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Threads will be closed if no response after 5 days.

#15 GBS

GBS

    Authentic Member

  • Authentic Member
  • 36 posts

Posted 11 November 2009 - 10:56 PM

I can't thank you enough for your time in correcting my machine and for your suggestions for added performance. I deleted the Outlook archive folder and created a new one. Kaspersky found no problems with the new file. The computer is running great. Thanks a lot! GBS
