Skip to main content

kevinf80_1d0ac6

1.1K Posts

September 19th, 2010 04:00

 

Hi marylocke,

I'm kevinf80 and I will be helping with any issues you may have. Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.
Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.

* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE

** If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. That includes BitTorrent uTorrent etc. and similar programs.

Please proceed as follows :-

Step 1

Download and scan with CCleaner

1. Starting with v 1.27.26 (This version no. will differ), CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK " Only delete files in Windows Temp folder older than 24 hours"
3. Then select the items you wish to clean up.

In the Windows Tab:

  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.



In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.


4. Click the " Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click " OK" and it will scan and clean your system.
7. Click " exit" when done.

Step 2

user posted image Please download Malwarebytes Anti-Malware and save it to your desktop.
Alernative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.


Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 3

We need to see some additional information about what is happening in your machine. 
Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.   
  • When done, DDS will open two (2) logs         1. DDS.txt
             2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.user posted image
     
  • Instead of attaching, please copy/past both logs into your next reply.
  • Close the program window, and delete the program from your desktop.

Please note:  You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet. 
Information on A/V control HERE

Step 4

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

What i`d like in your reply :-

  • Log from Malwarebytes
  • Both logs from DDS
  • Log from Security Checks


Kevin

 

marylocke

8 Posts

September 19th, 2010 07:00

Hi Kevin,

Thanks for your instructions. The requested logs are below.

Kind regards - Mary

 

MALWAREBYTES:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4650

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943

19/09/2010 10:38:31 PM
mbam-log-2010-09-19 (22-38-31).txt

Scan type: Quick scan
Objects scanned: 162178
Time elapsed: 10 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

DDS.TXT:


DDS (Ver_09-09-29.01) - NTFSx86 
Run by Mary at 22:41:31.92 on Sun 19/09/2010
Internet Explorer: 8.0.6001.18943
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.61.1033.18.2037.635 [GMT 10:00]

AV: Symantec AntiVirus *On-access scanning enabled* (Updated)   {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec AntiVirus *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Mary.Mary-PC\Downloads\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.smh.com.au/
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au&ibd=3070822
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ ]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~2\VPTray.exe
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{7f0c4457-8e64-491b-8d7b-991504365d1e}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: kaseyasp.dll
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://webmail.risk.sungard.com/iNotes6W.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SEH: Internet Shortcut: {fbf23b40-e3f0-101b-8488-00aa003e56f8} - c:\windows\system32\ieframe.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-18 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-11 67656]
R2 KACLRTCH48056390693591;Kaseya Agent;c:\program files\kaseya\agent\AgentMon.exe [2008-7-8 806912]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-8-23 179712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-9-13 102448]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [2008-7-8 13824]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-9-19 38224]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-17 21504]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-8-22 30192]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-11-28 122008]
S3 usb2vcom;USB to Serial Bridge Controller;c:\windows\system32\drivers\usb2vcom.sys [2007-9-21 28928]

=============== Created Last 30 ================

2010-09-19 22:25 

 --d----- c:\users\mary~1.mar\appdata\roaming\Malwarebytes
2010-09-19 22:25 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-19 22:25 20,952 a------- c:\windows\system32\drivers\mbam.sys
2010-09-19 22:25   --d----- c:\programdata\Malwarebytes
2010-09-19 22:25   --d----- c:\progra~2\Malwarebytes
2010-09-19 22:25   --d----- c:\program files\Malwarebytes' Anti-Malware
2010-09-19 21:15   --d----- c:\program files\CCleaner
2010-09-06 21:28   --d----- c:\windows\system32\catroot2(1384)
2010-09-05 23:05   --d----- C:\_OTM
2010-09-05 09:09   --d----- C:\867e58437be2a386f20e1faceee160
2010-09-05 09:03 292,840 a------- c:\windows\system32\drivers\aueywyol.sys
2010-08-29 16:37 292,840 a------- c:\windows\system32\drivers\vdzpzltx.sys
2010-08-29 13:08   --d----- c:\windows\system32\MpEngineStore
2010-08-29 11:01   --d----- c:\users\mary~1.mar\appdata\roaming\SUPERAntiSpyware.com
2010-08-29 11:01   --d----- c:\programdata\SUPERAntiSpyware.com
2010-08-29 11:01   --d----- c:\progra~2\SUPERAntiSpyware.com
2010-08-29 11:00   --d----- c:\program files\SUPERAntiSpyware
2010-08-25 22:12   --d----- c:\program files\Eraser

==================== Find3M  ====================

2010-06-26 16:05 916,480 a------- c:\windows\system32\wininet.dll
2010-06-26 16:02 109,056 a------- c:\windows\system32\iesysprep.dll
2010-06-26 16:02 71,680 a------- c:\windows\system32\iesetup.dll
2010-06-26 14:25 133,632 a------- c:\windows\system32\ieUnatt.exe
2010-06-21 23:37 2,037,760 a------- c:\windows\system32\win32k.sys
2010-05-20 22:13 143,360 a------- c:\windows\inf\infstrng.dat
2010-05-20 22:13 143,360 a------- c:\windows\inf\infstor.dat
2010-05-20 22:13 51,200 a------- c:\windows\inf\infpub.dat
2010-01-23 22:05 665,600 a------- c:\windows\inf\drvindex.dat
2008-12-10 21:24 174 a--sh--- c:\program files\desktop.ini
2006-11-02 22:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 22:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 22:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 22:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-11-07 10:50 245,760 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-04-13 10:22 16,384 a--sh--- c:\windows\system32\%appdata%\microsoft\windows\ietldcache\index.dat
2010-03-24 07:48 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012010032420100325\index.dat
2010-04-13 10:22 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012010041320100414\index.dat
2010-04-13 10:22 16,384 a--sh--- c:\windows\system32\config\systemprofile\desktop\%appdata%\microsoft\windows\iecompatcache\index.dat
2010-04-13 10:22 16,384 a--sh--- c:\windows\system32\config\systemprofile\desktop\%appdata%\microsoft\windows\ietldcache\index.dat
2010-04-13 10:22 65,536 a--sh--- c:\windows\system32\config\systemprofile\desktop\%appdata%\microsoft\windows\privacie\index.dat
2010-04-13 08:02 16,384 a--sh--- c:\windows\system32\config\systemprofile\documents\%appdata%\microsoft\windows\ietldcache\index.dat
2007-08-23 06:03 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 22:45:20.91 ===============

(DDS) ATTACH.TXT:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 22/08/2007 10:10:35 PM
System Uptime: 19/09/2010 2:17:02 PM (8 hours ago)

Motherboard: Dell Inc. |  | 0DT492
Processor: Intel(R) Core(TM)2 Duo CPU     T5450  @ 1.66GHz | Microprocessor | 1667/166mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 136 GiB total, 79.184 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 3.141 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP555: 19/08/2010 9:53:51 AM - Scheduled Checkpoint
RP556: 20/08/2010 10:24:24 AM - Scheduled Checkpoint
RP557: 21/08/2010 10:58:24 AM - Scheduled Checkpoint
RP558: 24/08/2010 9:44:26 AM - Scheduled Checkpoint
RP577: 5/09/2010 9:38:15 AM - Scheduled Checkpoint

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 2 (SP2)
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.3
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AutoUpdate
Avi2Dvd 0.4.5 beta
AviSynth 2.5
Bonjour
Broadcom Management Programs
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
CCleaner
Conexant HDA D330 MDC V.92 Modem
Dell Network Assistant
Dell Support Center
Dell System Customization Wizard
Dell Touchpad
DellSupport
Digital Line Detect
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
DVD Shrink 3.2
E2 Sales 472
Eraser 6.0.7.1893
Google Desktop
Google Toolbar for Internet Explorer
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Huge Pine USB to UART Driver 
iTunes
Java(TM) 6 Update 17
Java(TM) SE Runtime Environment 6
Kaseya Agent (mary-pc.10.ljh-manly - spoc.itsupportdesk.com.au)
LiveUpdate 3.2 (Symantec Corporation)
Malwarebytes' Anti-Malware
MediaDirect
Micrografx Picture Publisher 7
Microsoft .NET Framework 3.5 SP1
Microsoft FrontPage 2000
Microsoft Image Composer 1.5
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Modem Diagnostic Tool
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetWaiting
OGA Notifier 2.0.0048.0
OutlookAddinSetup
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
RuppLynx 6.2
Security Update for 2007 Microsoft Office System (KB2277947)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB980376)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2251419)
Sonic Activation Module
Spelling Dictionaries Support For Adobe Reader 8
SUPERAntiSpyware
Symantec AntiVirus
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb2279264)
URL Assistant
User's Guides
VNC Enterprise Edition E4.4.3
Xvid 1.1.3 final uninstall

==== Event Viewer Messages From Past Week ========

19/09/2010 2:40:57 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error:  An instance of the service is already running.
19/09/2010 2:19:03 PM, Error: Service Control Manager [7034]  - The SQL Server VSS Writer service terminated unexpectedly.  It has done this 1 time(s).
18/09/2010 9:57:29 AM, Error: Service Control Manager [7022]  - The KtmRm for Distributed Transaction Coordinator service hung on starting.
16/09/2010 10:43:57 AM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Remote Access Connection Manager service, but this action failed with the following error:  An instance of the service is already running.
14/09/2010 8:41:27 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
14/09/2010 8:39:01 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  eeCtrl
13/09/2010 6:09:03 PM, Error: Service Control Manager [7022]  - The Windows Update service hung on starting.

==== End Of File ===========================

SECURITY CHECKS (checkup.txt):

 Results of screen317's Security Check version 0.99.5 
 Windows Vista Service Pack 2 (UAC is disabled!)
 Internet Explorer 8 
``````````````````````````````
Antivirus/Firewall Check:
 Windows Firewall Enabled! 
 Symantec AntiVirus    
 Antivirus up to date! 
```````````````````````````````
Anti-malware/Other Utilities Check:
 Ad-Aware
 Malwarebytes' Anti-Malware   
 CCleaner    
 Java(TM) 6 Update 17 
 Java(TM) SE Runtime Environment 6
 Out of date Java installed!
 Adobe Flash Player  
Adobe Reader 8.1.3
Out of date Adobe Reader installed!
````````````````````````````````
Process Check: 
objlist.exe by Laurent
 Norton ccSvcHst.exe
 Ad-Aware AAWService.exe
 Ad-Aware AAWTray.exe is disabled!
 Symantec AntiVirus DefWatch.exe  
 Symantec AntiVirus Rtvscan.exe  
 Symantec AntiVirus VPTray.exe  
````````````````````````````````
DNS Vulnerability Check:
 GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

 

kevinf80_1d0ac6

1.1K Posts

September 19th, 2010 07:00

Hiya marylocke,

Proceed as follows please :-

Step 1

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

Combofix

Don`t forget Combofix must be saved to your desktop. <--Very important

Ensure you have disabled your Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable realtime protection available at the following link :-

Disable realtime protection

Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)


Step 2

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content From between the dotted lines into the main textfield:
    --------------------------------------------------------

    :Dir
    C:\_OTM

    --------------------------------------------------------
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Post the logs from Combofix and System Look in next reply please.

Kevin

marylocke

8 Posts

September 19th, 2010 08:00

Hi Kevin,

OK, here are the logs you requested:

COMBOFIX:

ComboFix 10-09-17.04 - Mary 20/09/2010   0:18.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.61.1033.18.2037.779 [GMT 10:00]
Running from: c:\users\Mary.Mary-PC\Desktop\ComboFix.exe
AV: Symantec AntiVirus *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Symantec AntiVirus *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\volmgrx.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
(((((((((((((((((((((((((   Files Created from 2010-08-19 to 2010-09-19  )))))))))))))))))))))))))))))))
.

2010-09-19 14:25 . 2010-09-19 14:26 -------- d-----w- c:\users\Mary.Mary-PC\AppData\Local\temp
2010-09-19 14:25 . 2010-09-19 14:25 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2010-09-19 14:25 . 2010-09-19 14:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-19 12:25 . 2010-09-19 12:25 -------- d-----w- c:\users\Mary.Mary-PC\AppData\Roaming\Malwarebytes
2010-09-19 12:25 . 2010-04-29 05:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-19 12:25 . 2010-09-19 12:25 -------- d-----w- c:\programdata\Malwarebytes
2010-09-19 12:25 . 2010-04-29 05:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-19 12:25 . 2010-09-19 12:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-19 11:15 . 2010-09-19 11:15 -------- d-----w- c:\program files\CCleaner
2010-09-06 11:28 . 2010-09-06 11:32 -------- d-----w- c:\windows\system32\catroot2(1384)
2010-09-05 13:05 . 2010-09-05 13:05 -------- d-----w- C:\_OTM
2010-09-04 23:09 . 2010-09-14 02:00 -------- d-----w- C:\867e58437be2a386f20e1faceee160
2010-09-04 23:03 . 2010-09-04 23:03 292840 ----a-w- c:\windows\system32\drivers\aueywyol.sys
2010-08-29 06:37 . 2010-08-29 06:37 292840 ----a-w- c:\windows\system32\drivers\vdzpzltx.sys
2010-08-29 03:08 . 2010-09-05 10:33 -------- d-----w- c:\windows\system32\MpEngineStore
2010-08-29 01:04 . 2010-09-04 13:26 63488 ----a-w- c:\users\Mary.Mary-PC\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-29 01:04 . 2010-08-29 01:04 52224 ----a-w- c:\users\Mary.Mary-PC\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-29 01:04 . 2010-09-04 13:26 117760 ----a-w- c:\users\Mary.Mary-PC\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-29 01:01 . 2010-08-29 01:01 -------- d-----w- c:\users\Mary.Mary-PC\AppData\Roaming\SUPERAntiSpyware.com
2010-08-29 01:01 . 2010-08-29 01:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-08-29 01:00 . 2010-08-29 01:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-25 12:44 . 2010-08-25 12:44 -------- d-----w- c:\users\Mary.Mary-PC\AppData\Local\Eraser 6
2010-08-25 12:12 . 2010-08-25 12:12 -------- d-----w- c:\program files\Eraser
2010-08-25 10:05 . 2010-08-25 10:05 680 ----a-w- c:\users\Mary.Mary-PC\AppData\Local\d3d9caps.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-14 02:00 . 2007-08-22 12:26 -------- d-----w- c:\programdata\Microsoft Help
2010-09-14 02:00 . 2007-09-04 13:40 -------- d-----w- c:\program files\Microsoft Image Composer
2010-09-14 02:00 . 2007-09-03 13:25 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-09-14 02:00 . 2007-08-22 12:33 -------- d-----w- c:\program files\Google
2010-09-14 02:00 . 2007-08-22 12:28 -------- d-----w- c:\program files\Microsoft Works
2010-06-26 06:05 . 2010-08-16 23:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-16 23:16 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-08-16 23:16 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-08-16 23:16 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2007-08-22 20:03 . 2007-08-22 19:59 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-10 1233920]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2006-11-11 446976]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-05-21 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-21 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-21 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-21 133912]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-06 149280]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-30 30192]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2006-11-17 17920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 107112]
"vptray"="c:\progra~1\SYMANT~2\VPTray.exe" [2006-11-27 134808]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-06-25 405504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Eraser"="c:\progra~1\Eraser\Eraser.exe" [2010-04-09 979344]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-8-22 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-8-22 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-763004562-733847127-3944764089-1003]
"EnableNotificationsRef"=dword:00000002

R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-30 30192]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-11-27 122008]
R3 usb2vcom;USB to Serial Bridge Controller;c:\windows\system32\Drivers\usb2vcom.sys [2005-09-02 28928]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 KACLRTCH48056390693591;Kaseya Agent;c:\program files\Kaseya\Agent\AgentMon.exe [2010-04-06 806912]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-05-21 179712]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-06-17 102448]
S3 KAPFA;KAPFA;c:\windows\system32\drivers\KAPFA.SYS [2010-02-25 13824]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ    wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ    WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.smh.com.au/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: kaseyasp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-20 00:26
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-763004562-733847127-3944764089-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4AF73A92-7418-F607-0CC2-65EA1A3ECF64}*]
"jakandigjcijdjiobmai"=hex:64,62,67,62,67,64,6f,6a,61,67,6a,6b,68,65,69,62,63,
   68,6b,69,69,6e,63,6f,69,6b,62,65,6f,69,69,68,63,6f,6a,6d,6a,63,6e,6a,00,fe
"hajamfodneeobhaj"=hex:61,62,62,63,65,62,64,6f,6a,64,64,6b,6e,70,64,64,64,62,
   6b,66,63,6f,61,6a,6b,6a,61,66,63,6f,6d,6f,62,6a,00,04

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-09-20  00:29:00
ComboFix-quarantined-files.txt  2010-09-19 14:28

Pre-Run: 84,903,649,280 bytes free
Post-Run: 84,883,566,592 bytes free

- - End Of File - - D19C61726A9DEACDD33D1B167A6B1921

SYSTEM LOOK:

SystemLook 04.09.10 by jpshortstuff
Log created at 00:35 on 20/09/2010 by Mary
Administrator - Elevation successful

========== Dir ==========

C:\_OTM - Parameters: "(none)"

---Files---
None found.

---Folders---
MovedFiles d------ [13:05 05/09/2010]

-= EOF =-

kevinf80_1d0ac6

1.1K Posts

September 19th, 2010 10:00

Hiya marylocke,

Please proceed as follows :-

Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text the dotted lines below into it:

-----------------------------------------------------------------

KillAll::
File::
c:\windows\system32\drivers\vdzpzltx.sys
c:\windows\system32\drivers\aueywyol.sys
Folder::
C:\867e58437be2a386f20e1faceee160
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 0 (0x0)
RegNull::
[HKEY_USERS\S-1-5-21-763004562-733847127-3944764089-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4AF73A92-7418-F607-0CC2-65EA1A3ECF64}*]
RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

-----------------------------------------------------------------

Save this as CFScript.txt, in the same location as ComboFix.exe
user posted image


user posted image


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

Run an online virus scan with Kaspersky from HERE. This scan is very thorough and may take several hours to run, please allow it to complete.
1. At the main page. Press on " Accept". After reading the contents.
2. At the next window Select  Update. Allow the Database to update.
Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the Database has finished, under the Scan icon Select My Computer to start the scan.
4. Select Scan Report.
5. If any threats were found they will appear in the report
6. Select "Save error report as"
Then in the file name just type in kaspersky
Under "save as type" select text .txt
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.

The following animation may help.

Kaspersky Gif

Post logs from Combofix and Kaspersky in your reply, also give update on system. Any issues?

Kevin

































































marylocke

8 Posts

September 20th, 2010 15:00

Hi Kevin,

Looks like your magic has worked. I can now run a windows update, and I have - so far - not seen any of those fake virus warnings.

Logs below:

ComboFix 10-09-17.04 - Mary 20/09/2010  23:24:34.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.61.1033.18.2037.947 [GMT 10:00]
Running from: c:\users\Mary.Mary-PC\Desktop\ComboFix.exe
Command switches used :: c:\users\Mary.Mary-PC\Desktop\CFScript.txt
AV: Symantec AntiVirus *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Symantec AntiVirus *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
 * Created a new restore point

FILE ::
"c:\windows\system32\drivers\aueywyol.sys"
"c:\windows\system32\drivers\vdzpzltx.sys"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\867e58437be2a386f20e1faceee160
c:\867e58437be2a386f20e1faceee160\mrt.exe
c:\867e58437be2a386f20e1faceee160\mrtstub.exe
c:\windows\system32\drivers\aueywyol.sys
c:\windows\system32\drivers\vdzpzltx.sys

.
(((((((((((((((((((((((((   Files Created from 2010-08-20 to 2010-09-20  )))))))))))))))))))))))))))))))
.

2010-09-20 13:30 . 2010-09-20 13:35 -------- d-----w- c:\users\Mary.Mary-PC\AppData\Local\temp
2010-09-20 13:30 . 2010-09-20 13:30 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2010-09-20 13:30 . 2010-09-20 13:30 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-20 13:30 . 2010-09-20 13:30 -------- d-----w- c:\users\Mary(7)\AppData\Local\temp
2010-09-20 13:30 . 2010-09-20 13:30 -------- d-----w- c:\users\Mary(6)\AppData\Local\temp
2010-09-20 13:30 . 2010-09-20 13:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-20 13:30 . 2010-09-20 13:30 -------- d-----w- c:\users\Mary\AppData\Local\temp
2010-09-19 12:25 . 2010-09-19 12:25 -------- d-----w- c:\users\Mary.Mary-PC\AppData\Roaming\Malwarebytes
2010-09-19 12:25 . 2010-04-29 05:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-19 12:25 . 2010-09-19 12:25 -------- d-----w- c:\programdata\Malwarebytes
2010-09-19 12:25 . 2010-04-29 05:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-19 12:25 . 2010-09-19 12:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-19 11:15 . 2010-09-19 11:15 -------- d-----w- c:\program files\CCleaner
2010-09-06 11:28 . 2010-09-06 11:32 -------- d-----w- c:\windows\system32\catroot2(1384)
2010-09-05 13:05 . 2010-09-05 13:05 -------- d-----w- C:\_OTM
2010-08-29 03:08 . 2010-09-05 10:33 -------- d-----w- c:\windows\system32\MpEngineStore
2010-08-29 01:04 . 2010-09-04 13:26 63488 ----a-w- c:\users\Mary.Mary-PC\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-29 01:04 . 2010-08-29 01:04 52224 ----a-w- c:\users\Mary.Mary-PC\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-29 01:04 . 2010-09-04 13:26 117760 ----a-w- c:\users\Mary.Mary-PC\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-29 01:01 . 2010-08-29 01:01 -------- d-----w- c:\users\Mary.Mary-PC\AppData\Roaming\SUPERAntiSpyware.com
2010-08-29 01:01 . 2010-08-29 01:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-08-29 01:00 . 2010-08-29 01:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-25 12:44 . 2010-08-25 12:44 -------- d-----w- c:\users\Mary.Mary-PC\AppData\Local\Eraser 6
2010-08-25 12:12 . 2010-08-25 12:12 -------- d-----w- c:\program files\Eraser
2010-08-25 10:05 . 2010-08-25 10:05 680 ----a-w- c:\users\Mary.Mary-PC\AppData\Local\d3d9caps.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-14 02:00 . 2007-08-22 12:26 -------- d-----w- c:\programdata\Microsoft Help
2010-09-14 02:00 . 2007-09-04 13:40 -------- d-----w- c:\program files\Microsoft Image Composer
2010-09-14 02:00 . 2007-09-03 13:25 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-09-14 02:00 . 2007-08-22 12:33 -------- d-----w- c:\program files\Google
2010-09-14 02:00 . 2007-08-22 12:28 -------- d-----w- c:\program files\Microsoft Works
2010-06-26 06:05 . 2010-08-16 23:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-16 23:16 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-08-16 23:16 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-08-16 23:16 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2007-08-22 20:03 . 2007-08-22 19:59 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-10 1233920]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2006-11-11 446976]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-05-21 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-21 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-21 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-21 133912]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-06 149280]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-30 30192]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2006-11-17 17920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 107112]
"vptray"="c:\progra~1\SYMANT~2\VPTray.exe" [2006-11-27 134808]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-06-25 405504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Eraser"="c:\progra~1\Eraser\Eraser.exe" [2010-04-09 979344]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-8-22 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-8-22 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-763004562-733847127-3944764089-1003]
"EnableNotificationsRef"=dword:00000002

R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-30 30192]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-11-27 122008]
R3 usb2vcom;USB to Serial Bridge Controller;c:\windows\system32\Drivers\usb2vcom.sys [2005-09-02 28928]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 KACLRTCH48056390693591;Kaseya Agent;c:\program files\Kaseya\Agent\AgentMon.exe [2010-04-06 806912]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-05-21 179712]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-06-17 102448]
S3 KAPFA;KAPFA;c:\windows\system32\drivers\KAPFA.SYS [2010-02-25 13824]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ    wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ    WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.smh.com.au/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: kaseyasp.dll
.

**************************************************************************
scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files:

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\system32\STacSV.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Symantec AntiVirus\VPTray.exe
c:\program files\Eraser\Eraser.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Dell\QuickSet\quickset.exe
c:\windows\ehome\ehmsas.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
.
**************************************************************************
.
Completion time: 2010-09-20  23:40:51 - machine was rebooted
ComboFix-quarantined-files.txt  2010-09-20 13:40
ComboFix2.txt  2010-09-19 14:29

Pre-Run: 84,670,377,984 bytes free
Post-Run: 84,366,934,016 bytes free

- - End Of File - - 77F905A34DA4F1C6E3D4FAC259517408

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
 Tuesday, September 21, 2010
 Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
 Kaspersky Online Scanner version: 7.0.26.13
 Last database update: Monday, September 20, 2010 05:49:11
 Records in database: 4226980
--------------------------------------------------------------------------------

Scan settings:
 scan using the following database: extended
 Scan archives: yes
 Scan e-mail databases: yes

Scan area - My Computer:
 C:\
 D:\
 E:\

Scan statistics:
 Objects scanned: 131957
 Threats found: 16
 Infected objects found: 62
 Suspicious objects found: 1
 Scan duration: 02:43:49


File name / Threat / Threats count
C:\E2Sales\PAXVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C440000.VBN Infected: Virus.Win32.TDSS.b 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA80000.VBN Infected: Trojan-Downloader.Java.Agent.gr 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA80000.VBN Infected: Trojan-Downloader.Java.Agent.gs 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA80000.VBN Infected: Trojan-Downloader.Java.Agent.gt 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA80001.VBN Infected: Virus.Win32.TDSS.b 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CE80000\4CE9936A.VBN Infected: Trojan.Win32.Oficla.ln 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF00000.VBN Infected: Virus.Win32.TDSS.b 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15DC0000.VBN Infected: Trojan.Win32.Inject.aowv 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00000.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00000.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00000.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00001.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00001.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00001.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00002.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00002.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00002.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00003.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00003.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00003.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00004.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00004.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00004.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00005.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00005.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00005.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C440000.VBN Infected: Virus.Win32.TDSS.b 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA80000.VBN Infected: Trojan-Downloader.Java.Agent.gr 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA80000.VBN Infected: Trojan-Downloader.Java.Agent.gs 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA80000.VBN Infected: Trojan-Downloader.Java.Agent.gt 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA80001.VBN Infected: Virus.Win32.TDSS.b 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CE80000\4CE9936A.VBN Infected: Trojan.Win32.Oficla.ln 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF00000.VBN Infected: Virus.Win32.TDSS.b 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15DC0000.VBN Infected: Trojan.Win32.Inject.aowv 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00000.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00000.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00000.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00001.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00001.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00001.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00002.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00002.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00002.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00003.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00003.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00003.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00004.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00004.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00004.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00005.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00005.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16E00005.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\archive2.pst Infected: Trojan.Win32.FraudPack.gen 1
C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\archive2.pst Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\archive2.pst Infected: Exploit.HTML.Iframe.FileDownload.bz 1
C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\outlook2.ost Infected: Trojan-Downloader.JS.Pegel.bt 2
C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\outlook2.ost Infected: Trojan-Downloader.JS.Agent.foz 4
C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\outlook2.ost Infected: Packed.Win32.Krap.x 1

Selected area has been scanned.

kevinf80_1d0ac6

1.1K Posts

September 20th, 2010 16:00

Hiya marylocke,

Good to hear that your system is starting to respond the way it should. Still a bit of work to do before we can clean up and set you free. Kaspersky has identified numerous entries, fortunately most of these are already quaratined and therefore safe. The remaining entries we have to deal with as follows :-

Please download OTM by OldTimer.
Alternative Mirror
Save it to your desktop.
Double click OTM.exe to start the tool.

  • Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    -------------------------------------------------------------------

    :Files
    C:\E2Sales\PAXVNC.exe
    C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\archive2.pst
    C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\outlook2.ost

    :Commands
    [EmptyFlash]
    [EmptyTemp]
    [Purity]
    [Reboot]


    ---------------------------------------------------------------------
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM


Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Post the log from OTM and letme know of any remaining issues in your reply,

Kevin.

marylocke

8 Posts

September 20th, 2010 22:00

Hi Kevin,

Before I do this, I just wanted to check with you that OTM isn't going to delete or otherwise corrupt the files in question. I am confident this isn't going to happen for the Outlook files; but E2Sales is an application I need for my work so just wanted to double-check, especially as the Kaspersky log says 'not-a-virus'.

Cheers - Mary

kevinf80_1d0ac6

1.1K Posts

September 21st, 2010 02:00

Hiya mary,

The term not a virus does not mean it aint malicious, Kaspersky has flagged that executible PAXVNC.exe as malicious. That is the reason I like to use Kaspersky online scan, it only identifies and does not kill. Likewise with OTM, any file/folder in the list is moved to the C:\_OTM folder, if it is subsequently found to be needed and in fact harmless we can move it back.
Likewise with the other two entries, the full archive will be moved, is that a problem for you? Please bear in mind when we clean up at the end the OTM folder will be deleted Leave OTM for now.

We need to upload a file to Jotti

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

C:\E2Sales\PAXVNC.exe

3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.

Upload a File to Virustotal
Please visit Virustotal

  • Click the Browse... button
  • Navigate to the file C:\E2Sales\PAXVNC.exe
  • Click the Open button
  • Click the Send button
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the results back here please.


Lets see what report we get back from those two and take it from there. Regarding the other two entries:

C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\archive2.pst
C:\Users\Mary.Mary-PC\AppData\Local\Microsoft\Outlook\outlook2.ost

Can you navigate to each one in turn, right click it, do you have the option to scan with your AV and Malwarebytes. If so do each in turn and see what results you get.

Post back with the results from Jotti and VirusTotal. Also results from Outlook archives.

Kevin.

marylocke

8 Posts

September 21st, 2010 05:00

Hi Kevin,

The Jotti results all have 'Found Nothing', except for Kaspersky, which says "not-a-virus:RemoteAdmin.Win32.WinVNC-based.c":

2010-09-21  Found nothing
2010-09-21  Found nothing
2010-09-21  Found nothing
2010-09-21  Found nothing
2010-09-20  Found nothing
2010-09-21  not-a-virus:RemoteAdmin.Win32.WinVNC-based.c
2010-09-21  Found nothing
2010-09-21  Found nothing
2010-09-21  Found nothing
2010-09-20  Found nothing
2010-09-21  Found nothing
2010-09-21  Found nothing
2010-09-21  Found nothing
2010-09-21  Found nothing
2010-09-21  Found nothing
2010-09-20  Found nothing
2010-09-20  Found nothing
2010-09-20  Found nothing
2010-09-21  Found nothing

The Virus Total result is as follows: 

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
PAXVNC.exe
Submission date:
2010-09-21 11:00:39 (UTC)
Current status:
queued queued analysing finished
Result:
4/ 43 (9.3%)
VT Community

not reviewed
 Safety score: - 
Print results
Antivirus Version Last Update Result
AhnLab-V3 2010.09.21.01 2010.09.21 -
AntiVir 8.2.4.58 2010.09.21 -
Antiy-AVL 2.0.3.7 2010.09.21 RemoteAdmin/Win32.WinVNC-based.gen
Authentium 5.2.0.5 2010.09.21 -
Avast 4.8.1351.0 2010.09.21 -
Avast5 5.0.594.0 2010.09.21 -
AVG 9.0.0.851 2010.09.21 -
BitDefender 7.2 2010.09.21 -
CAT-QuickHeal 11.00 2010.09.21 -
ClamAV 0.96.2.0-git 2010.09.21 -
Comodo 6152 2010.09.21 -
DrWeb 5.0.2.03300 2010.09.21 -
Emsisoft 5.0.0.37 2010.09.21 -
eSafe 7.0.17.0 2010.09.20 -
eTrust-Vet 36.1.7868 2010.09.21 -
F-Prot 4.6.2.117 2010.09.20 -
F-Secure 9.0.15370.0 2010.09.21 -
Fortinet 4.1.143.0 2010.09.21 -
GData 21 2010.09.21 -
Ikarus T3.1.1.88.0 2010.09.21 -
Jiangmin 13.0.900 2010.09.21 -
K7AntiVirus 9.63.2561 2010.09.20 -
Kaspersky 7.0.0.125 2010.09.21 not-a-virus:RemoteAdmin.Win32.WinVNC-based.c
McAfee 5.400.0.1158 2010.09.21 RemAdm-VNC
McAfee-GW-Edition 2010.1C 2010.09.21 RemAdm-VNC
Microsoft 1.6201 2010.09.21 -
NOD32 5466 2010.09.21 -
Norman 6.06.06 2010.09.21 -
nProtect 2010-09-21.02 2010.09.21 -
Panda 10.0.2.7 2010.09.20 -
PCTools 7.0.3.5 2010.09.21 -
Prevx 3.0 2010.09.21 -
Rising 22.66.00.07 2010.09.21 -
Sophos 4.57.0 2010.09.21 -
Sunbelt 6904 2010.09.21 -
SUPERAntiSpyware 4.40.0.1006 2010.09.21 -
Symantec 20101.1.1.7 2010.09.21 -
TheHacker 6.7.0.0.025 2010.09.20 -
TrendMicro 9.120.0.1004 2010.09.21 -
TrendMicro-HouseCall 9.120.0.1004 2010.09.21 -
VBA32 3.12.14.0 2010.09.20 -
ViRobot 2010.9.8.4031 2010.09.21 -
VirusBuster 12.65.16.0 2010.09.20 -
Additional information
Show all
MD5   : 1f8311369f855793944aabd4a0e53e55
SHA1  : 59aa10e039f2fb1b4bc39ab6906a018ef2b124b5
SHA256: 8bca73b61506f38fbcd96605a8296b0115f8dc89ddcd411fcfc11b86ef9e37c8
ssdeep: 6144:cRgym92YGB+40vPLGPA2t658tv60seaqBRqNGsJEY:06fu+40vPUvnBamqQ4D
File size : 230130 bytes
First seen: 2010-09-21 09:58:01
Last seen : 2010-09-21 11:00:39
TrID:
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
sigcheck:
publisher....: UltraVnc
copyright....: Copyright (C) UltraVnc
product......: UltraVncSC
description..: UltraVnc Self-Extract Setup
original name: UltraVncSC
internal name: UltraVncSC
file version.: 4, 10, 0, 1
comments.....:
signers......: -
signing date.: -
verified.....: Unsigned
PEiD: Armadillo v1.71
packers (F-Prot): UPX, 7Z
packers (Kaspersky): UPX
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1215F
timedatestamp....: 0x41EAA425 (Sun Jan 16 17:28:05 2005)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x12F4E, 0x13000, 6.42, c91ec8f2d7d6f1e35416df5fe732278b
.rdata, 0x14000, 0x39F0, 0x3A00, 4.33, 861bb8b297f369ef773dc6c7b125b37f
.data, 0x18000, 0x9F0, 0x600, 3.84, 53b3b978572819498207ab8228dc2ea8
.rsrc, 0x19000, 0xCBC, 0xE00, 3.23, 50f449b68df478f383134021eb761e62

[[ 5 import(s) ]]
COMCTL32.dll: -
KERNEL32.dll: DeleteCriticalSection, InitializeCriticalSection, CloseHandle, WaitForMultipleObjects, SetEvent, CreateThread, WaitForSingleObject, ResetEvent, VirtualAlloc, VirtualFree, MultiByteToWideChar, WideCharToMultiByte, GetLastError, CompareStringW, CompareStringA, AreFileApisANSI, GetModuleFileNameA, GetModuleFileNameW, LocalFree, FormatMessageA, FormatMessageW, GetWindowsDirectoryA, SetFileAttributesA, SetFileAttributesW, RemoveDirectoryA, RemoveDirectoryW, CreateDirectoryA, CreateDirectoryW, DeleteFileA, DeleteFileW, GetShortPathNameA, lstrlenA, GetFullPathNameA, GetFullPathNameW, GetCurrentDirectoryA, SetCurrentDirectoryA, GetTempPathA, GetTempFileNameA, FindClose, FindFirstFileA, FindFirstFileW, SetLastError, FindNextFileA, CreateFileA, CreateFileW, GetFileSize, SetFilePointer, ReadFile, SetFileTime, WriteFile, SetEndOfFile, CreateEventA, LeaveCriticalSection, EnterCriticalSection, Sleep, CreateProcessA, GetCommandLineW, GetModuleHandleA, GetStartupInfoA
USER32.dll: DestroyWindow, PostMessageA, ShowWindow, MessageBoxA, KillTimer, EndDialog, SendMessageA, GetDlgItem, SetTimer, MessageBoxW, SetWindowTextW, SetWindowTextA, LoadStringW, LoadStringA, CharPrevA, DialogBoxParamA, SetWindowLongA, GetWindowLongA
OLEAUT32.dll: -, -
MSVCRT.dll: _controlfp, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, _onexit, __dllonexit, _except_handler3, __1type_info@@UAE@XZ, memcpy, free, malloc, memmove, _purecall, memcmp, _CxxThrowException, __CxxFrameHandler, __2@YAPAXI@Z, __3@YAXPAX@Z

 

VT Community

 

0
This file has never been reviewed by any VT Community member. Be the first one to comment on it!
VirusTotal Team

As for those Outlook files

Both archive2.pst and outlook2.ost show no results from my Anti-virus scan, and the following from Malwarebytes (identical report for each file):

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4650

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943

21/09/2010 9:11:56 PM
mbam-log-2010-09-21 (21-11-56).txt

Scan type: Quick scan
Objects scanned: 1
Time elapsed: 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

kevinf80_1d0ac6

1.1K Posts

September 21st, 2010 08:00

Hiya Mary,

There are times when security programs will flag perfectly good applications as malicious because of how they work. These are classed as fasle positives or FP for short. If you are quite happy to accept those flagged entries then that is fine by me.

Proceed as follows please :-

Step 1

Remove Combofix now that we're done with it
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")user posted image
  • Please follow the prompts to uninstall Combofix.
  • You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

The above procedure will delete the following:
  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


Step 2

  • Download OTC by OldTimer and save it to your desktop. Alternative mirror
  • Double click user posted image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big user posted image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • Any tools left on the Desktop can be safely removed by deleting.


Step 3

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to "JDK 6 Update 21 (JDK or JRE).
  • Click the Download JRE button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Control Panel, double-click on Uninstall a Program and remove all older versions of Java. But not JRE - 6 update 10 and above These are removed automatically with the new installer.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Uninstall button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version.

If using Windows Vista or Windows 7 and the installer refuses to launch due to insufficient user permissions, then Right Click and Run As Administrator.
If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Note:
The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Programs > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


Step 4

Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack.

Please go to the link below to update.

Adobe Reader Untick the Free McAfee® Security Scan Plus (optional) unless you want it.

Step 5

Download and scan with CCleaner

1. Starting with v 1.27.26 (This version no. will differ), CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK " Only delete files in Windows Temp folder older than 24 hours"
3. Then select the items you wish to clean up.

In the Windows Tab:

  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.



In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.


4. Click the " Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click " OK" and it will scan and clean your system.
7. Click " exit" when done.

Post back and let me know if all went OK, especially the Combofix uninstall. Also letme know if you have any remaining issues.

Kevin.

marylocke

8 Posts

September 22nd, 2010 05:00

Hi Kevin,

All good. Uninstalled ComboxFix fine (took me a few tries before I paid attention to the need for that space before "/"!)

All other steps completed successfully. CCleaner is a neat app!

Thanks a lot for all your help. My computer and I are eternally grateful to you!

Mary

 

kevinf80_1d0ac6

1.1K Posts

September 22nd, 2010 05:00

Hiya Mary,

Good to hear all went well with the clean up,

Here are some tips to reduce the potential for malware infection in the future; I strongly recommend that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.

Make proper use of your antivirus and firewall

Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure you're system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

You will have several programs installed, these maybe outdated and vulnerable to exploits also. To be certain, please run the free online scan by Secunia, available Here Before clicking the Start scan button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing.... user posted image
...when the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.


Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:

Firefox,

Opera, and

Chrome.

All of these are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial HERE which will help you to make IE MUCH safer.

These browser add-ons will help to make your browser safer:

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

Available for Firefox and Internet Explorer.

Green to go,
Yellow for caution, and
Red to stop.


Available for Firefox only. NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

These are just a couple of the most popular add-ons, if you're interested in more, take a look at THIS article.

Here a couple of links by two security experts that will give some excellent tips and advice.
So how did I get infected in the first place by Tony Klein
How to prevent Malware by Miekiemoes
Finally this link HERE will give a comprehensive upto date list of free Security programs. To include - Antivirus, Antispyware, Firewall, Antimalware, Online scanners and rescue CD`s.

Please reply so I know you have read this, its been a pleasure to work with you.
Take care,

Kevin

marylocke

8 Posts

September 22nd, 2010 06:00

Thanks Kevin. I will take your tips and recommendations on board.

Cheers,

Mary

kevinf80_1d0ac6

1.1K Posts

September 22nd, 2010 07:00

Since this issue appears to be resolved  the topic has been closed. Glad we could help.:emotion-21: 

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

The fixes and advice in this thread are for this System only. Do not apply the instructions from this thread to your own System. Please start a new thread describing your issue and someone will be along to assist you.

Was this post helpful?

View All

No Events found!

Top