Post #1, Dec 28 2008, 12:20 PM
New Member, Group: Members, Posts: 11, Joined: 1-April 07, Member No.: 121,384
DDS (Version 1.1.0) - NTFSx86
Run by Andrea at 12:04:52.63 on Sun 12/28/2008
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.3069.1964 [GMT -5:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated)
FW: BitDefender Firewall *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\svchost.exe -k Cognizance
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxcrcoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\ID Vault\IDVault.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Windows\system32\wuauclt.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Andrea\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uWindow Title = My Internet Explorer
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: GuardId.MSIEBrowser.BHO: {5b0a01d2-b8a0-4e56-9e6b-cba0ef4b4eb5} - mscoree.dll
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~1\tools\iesdsg.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: TBSB01478 Class: {ac002f1a-6c85-477b-8d1f-f17b72be7c34} - c:\program files\registered coupons toolbar\registered_coupons.dll
BHO: {b56a7d7d-6927-48c8-a975-17df180c71ac} - PCTools Browser Monitor
BHO: CBHO Object: {cba74cda-df78-4ad9-954e-3b15d0a993de} - c:\program files\corestreet\spoofstick\SpoofStickBHO.dll
BHO: VeriSoft Access Manager: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\bioscrypt\verisoft\bin\ItIEAddIn.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: SpoofStick: {4d46ed77-1429-4cf6-8f63-c84b5d710baf} - c:\program files\corestreet\spoofstick\SpoofStick.dll
TB: Registered Coupons: {84a6aea7-c34b-4246-9a00-05ad7a36bf00} - c:\program files\registered coupons toolbar\registered_coupons.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: {A057A204-BACC-4D26-CEC4-75A487FD6484} - No File
uRun: [Aim6]
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [CognizanceTS] rundll32.exe c:\progra~1\bioscr~1\verisoft\bin\ASTSVCC.dll,RegisterModule
mRun: [EzPrint] "c:\program files\lexmark 2400 series\ezprint.exe"
mRun: [LXCRCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCRtime.dll,_RunDLLEntry@16
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\idvaul~1.lnk - c:\program files\id vault\IDVault.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {84A6AEA7-C34B-4246-9A00-05AD7A36BF00} - {84A6AEA7-C34B-4246-9A00-05AD7A36BF00} - c:\program files\registered coupons toolbar\registered_coupons.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
AppInit_DLLs: APSHook.dll
LSA: Notification Packages = scecli ASWLNPkg

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-21 28544]
R2 {22D78859-9CE9-4b77-BF18-AC83E81A9263};{22D78859-9CE9-4b77-BF18-AC83E81A9263};\??\c:\program files\hp\quickplay\000.fcl [2007-5-23 13560]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2008-5-19 21504]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2008-5-19 21504]
R2 BDVEDISK;BDVEDISK;\??\c:\program files\bitdefender\bitdefender 2009\BDVEDISK.sys [2008-7-2 82440]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2007-9-16 600912]
R2 TG850P26;TG850P26;\??\c:\windows\system32\drivers\JAG57A1M.sys [2008-3-29 28384]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-10-27 24652]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-8-12 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-8-14 104328]
R3 Ma730Pt;MA730 Bluetooth VCOM Driver;c:\windows\system32\drivers\Ma730Pt.sys [2008-3-29 103680]
R3 Ma730VaA;MA730 Bluetooth Advanced Audio;c:\windows\system32\drivers\Ma730VaA.sys [2008-3-29 21851]
R3 Ma730Vad;MA730 Bluetooth Audio;c:\windows\system32\drivers\Ma730Vad.sys [2008-3-29 50522]
R3 SMCSTUB;SMCSTUB;c:\windows\system32\drivers\smcstub.sys [2007-8-25 55680]
S3 Arrakis3;BitDefender Arrakis Server;"c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe" [2008-7-17 118784]
S3 Ma730c;MA730 Bluetooth Core Driver;c:\windows\system32\drivers\MA730C.sys [2008-3-29 157024]
S3 mtsftkey;mtsftkey;c:\windows\system32\drivers\mtsftkey.sys [2007-8-25 60032]

=============== Created Last 30 ================

2008-12-24 14:09 481,443,533 a------- c:\windows\MEMORY.DMP
2008-12-21 16:35 <DIR> --d----- c:\program files\a-squared HiJackFree
2008-12-21 16:25 <DIR> --d----- c:\program files\Secunia
2008-12-21 09:21 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2008-12-21 09:21 <DIR> --d----- c:\program files\Panda Security
2008-12-12 21:30 2,048 a------- c:\windows\system32\tzres.dll
2008-12-12 21:17 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-12-12 21:17 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-12-12 21:17 296,960 a------- c:\windows\system32\gdi32.dll
2008-12-12 21:16 2,927,104 a------- c:\windows\explorer.exe
2008-12-12 21:16 827,392 a------- c:\windows\system32\wininet.dll
2008-12-12 21:15 2,868,736 a------- c:\windows\system32\mf.dll
2008-12-12 21:15 996,352 a------- c:\windows\system32\WMNetMgr.dll
2008-12-12 21:15 94,720 a------- c:\windows\system32\logagent.exe
2008-12-09 21:56 479 a------- c:\windows\system32\BDUpdateV1.xml
2008-11-30 12:07 <DIR> --d----- c:\programdata\acccore
2008-11-30 12:07 <DIR> --d----- c:\progra~2\acccore

==================== Find3M ====================

2008-11-18 20:50 192,512 a------- c:\windows\system32\txmlutil.dll
2008-11-18 20:50 104,328 a------- c:\windows\system32\drivers\bdfndisf.sys
2008-11-18 20:48 111,112 a------- c:\windows\system32\drivers\bdfm.sys
2008-11-18 20:48 230,920 a------- c:\windows\system32\drivers\bdfsfltr.sys
2008-11-16 20:14 2,928,600 a------- c:\users\andrea\ccsetup211.exe
2008-10-31 22:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-10-31 22:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-10-31 22:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-10-31 22:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-10-31 22:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-21 22:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-21 00:25 1,645,568 a------- c:\windows\system32\connect.dll
2008-10-16 15:56 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-10-16 15:55 83,456 a------- c:\windows\system32\wudriver.dll
2008-10-16 14:08 162,064 a------- c:\windows\system32\wuwebv.dll
2008-10-16 13:56 31,232 a------- c:\windows\system32\wuapp.exe
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-18 19:11 143,360 a------- c:\windows\inf\infstrng.dat
2008-09-18 19:11 86,016 a------- c:\windows\inf\infstor.dat
2008-09-18 19:11 86,016 a------- c:\windows\inf\infpub.dat
2008-09-18 18:50 1,220,944 a------- c:\users\andrea\BitDefender_Uninstall_Tool.exe
2008-09-18 18:49 57,248,608 a------- c:\users\andrea\bitdefender_internetsecurity_2009_32b.exe
2008-06-18 18:25 1,505,160 a------- c:\users\andrea\install_easyshare.exe
2008-06-10 18:07 665,600 a------- c:\windows\inf\drvindex.dat
2008-05-19 13:02 174 a--sh--- c:\program files\desktop.ini
2008-05-18 10:15 76,342 a------- c:\users\andrea\appdata\roaming\nvModes.dat
2008-03-30 16:25 8 a------- c:\users\andrea\appdata\roaming\usb.dat.bin
2008-03-22 17:42 5,386,264 a------- c:\users\andrea\Plug-In.exe
2008-03-22 10:14 17,646,136 a------- c:\users\andrea\sdsetup.exe
2008-03-10 19:38 20,714,240 a------- c:\users\andrea\Verizon Music Essentials.exe
2008-02-29 23:08 530,528 a------- c:\users\andrea\yahoo_installer.exe
2008-02-25 20:54 12,273,400 a------- c:\users\andrea\IDVaultFull.exe
2008-02-24 14:44 9,723,880 a------- c:\users\andrea\spybotsd152.exe
2008-02-07 20:53 11,679,762 a------- c:\users\andrea\bitpim-1.0.5-setup.exe
2008-01-18 19:58 228,852,088 a------- c:\users\andrea\office2007sp1-kb936982-fullfile-en-us.exe
2007-12-22 11:15 399,816 a------- c:\users\andrea\driveralert-setup-0004.exe
2007-11-17 16:18 2,725,528 a------- c:\users\andrea\ccsetup202.exe
2007-11-17 15:26 1,454,080 a------- c:\users\andrea\Kodak Easyshare.exe
2007-10-28 13:49 12,810,390 a------- c:\users\andrea\tweakvi-basic-sfx.exe
2007-10-20 11:40 388,915 a------- c:\users\andrea\dustbuster.zip
2007-10-14 18:50 827,024 a------- c:\users\andrea\PhotoGreetingCards.exe
2007-09-21 16:18 174,952 a------- c:\users\andrea\spoofstick-ie.exe
2007-09-16 19:14 482,408 a------- c:\users\andrea\ccsetup141_slim.exe
2007-09-14 19:21 423,736 a------- c:\users\andrea\avgarkt-setup-1.1.0.42.exe
2007-09-02 20:56 2,437,120 a------- c:\users\andrea\ZenMicroP4S_PCFW_L16_2_21_02.exe
2007-09-02 14:24 956,344 a------- c:\users\andrea\SaveAsPDFandXPS.exe
2007-09-02 14:23 163,712 a------- c:\users\andrea\pfbackup.exe
2007-08-31 16:59 308,888 a------- c:\users\andrea\Install_AIM.exe
2007-08-31 14:01 38,990,192 a------- c:\users\andrea\bitdefender_internetsecurity_2008_32b.exe
2007-08-31 12:32 439,296 a------- c:\users\andrea\GoToAssist_phone__317_en.exe
2007-04-18 18:04 9,393,768 a------- c:\users\andrea\winzip111.exe
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 12:06:33.29 ===============
Post #2, Jan 4 2009, 07:43 AM
Bleep Bleep!, Group: Admin, Posts: 31,601, Joined: 24-January 04, From: USA, Member No.: 3
Download GMER Rootkit Scanner from here.
Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When following the instructions please install the Windows XP Recovery Console if you are using XP.

After running ComboFix, please post the ComboFix log as well as the ark.txt log from your earlier Gmer run.
Post #3, Jan 4 2009, 12:02 PM
New Member, Group: Members, Posts: 11, Joined: 1-April 07, Member No.: 121,384
Thank you so much for helping me with this issue. I ran Gmer.exe as requested but I have a few questions about the next step. I have Vista running on my computer. The only disk I received with my laptop was a System Recovery DVD. Is that the DVD I should put in to boot from? Also, once I finally get into the Recovery environment I'm not sure from the instructions how to get to the Combofix icon that is saved on my desktop to run the program. There were instructions detailing the use with XP but not for Vista. Thanks!
Post #4, Jan 7 2009, 03:09 PM
Bleep Bleep!, Group: Admin, Posts: 31,601, Joined: 24-January 04, From: USA, Member No.: 3
For Vista you can skip the Recovery Console info. Just download and run ComboFix.
Post #5, Jan 8 2009, 09:59 AM
New Member, Group: Members, Posts: 11, Joined: 1-April 07, Member No.: 121,384
Attached are the Gmer and Combofix logs requested. Two other things I wanted to add:
- I found the names of the two issues that came up when I ran AdAware. Not sure if it is moot at this point but I thought I would let you know: Win32 Trojan.Dnschanger and Win32.Trojan.Starter.
- After running Combofix, I got a dialog box with the following error message regarding Bit Defender: C\:Program Files\BitDefender\BitDefender2009\BitDefenderInnerFire\midas32-v1_7\leaktests.m32. Any idea of what that might mean and is it related to the problems you are checking on?

Thanks, andee39
Post #6, Jan 8 2009, 05:16 PM
Bleep Bleep!, Group: Admin, Posts: 31,601, Joined: 24-January 04, From: USA, Member No.: 3
What displayed that message?
* Open notepad - don't use any other text editor than notepad or the script will fail. Copy/paste the text in the quote box below into notepad:

QUOTE
DDS::
TB: {A057A204-BACC-4D26-CEC4-75A487FD6484} - No File
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}

Suspect::[3]
c:\windows\System32\drivers\JAG57A1M.sys

Save this as the txt file CFScript. Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
Post #7, Jan 10 2009, 07:41 PM
New Member, Group: Members, Posts: 11, Joined: 1-April 07, Member No.: 121,384
The error message appeared after I ran Combofix. Now whenever I turn on my computer I get a series of boxes with that same message followed by "is either not designed to run on Windows or it contains an error. Try installing the program again using original install media or contact system administrator or software vendor for support." Each of the boxes shows this same error message but has a different program listed in the upper outer portion of the box. It says userinit.exe-Bad Image, then when I click OK another box opens that shows mpnotify.exe-Bad Image and on and on for several more boxes that close after I click on OK. The other programs mentioned are asghost.exe, launcher.exe and explorer.exe. Once I click OK through the series of boxes I come to my desktop.
I ran the follow-up Combofix as you requested. I've attached the log but there were some issues along the way. After completing Stage 50, the following message came on the screen, "C:\Windows\system32\is not recognized as an internal or external command, operable program or batch file." Thinking about the previous instructions about not clicking anywhere while the program was running, I let it sit for 15 minutes but nothing happened. Assuming the program had stopped running, I hit enter and the program finally continued and then another message,"C:\Windows\System32 CF 10696.exe will be added to the registry." (BitDefender dialog box popped up at this point, asking if I wanted to allow - I clicked yes) The program then continued saying that it was almost done, then preparing the log. An additional message said "SED: can't read temp0D: no such file or directory." Once the log appeared on the screen a dialog box opened that read Combofix had to send a malware report for further research and to make sure I was connected to the Internet. I clicked on ok and came to another box that said to copy and paste the following text into a box and press send to send to Bleeping Computer, C:\Qoobox\Quarantine\(3)-submit_2009-01-10@18.40.zip. I clicked on send several times but it didn't appear that it sent it. I waited about 10 minutes to see if the box automatically closed but when it didn't I clicked on the X and came back to the screen with the log open. My apologies if I included unnecessary information but I wanted to make sure to include everything that happened in case it was pertinent to my problems. Thanks!
Post #8, Jan 13 2009, 02:32 PM
Bleep Bleep!, Group: Admin, Posts: 31,601, Joined: 24-January 04, From: USA, Member No.: 3
Those errors, though not common, are not abnormal and can be ignored.
* Open notepad - don't use any other text editor than notepad or the script will fail. Copy/paste the text in the quote box below into notepad:

QUOTE
File::
c:\windows\System32\drivers\JAG57A1M.sys

Driver::
TG850P26

Save this as the txt file CFScript. Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
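The two CFScripts in posts #6 and #8 both come from reading the DDS log for entries that point at nothing: a toolbar CLSID marked "No File", an IE extension whose two CLSIDs map to no DLL, and a driver whose file name (JAG57A1M.sys) has nothing in common with its service name (TG850P26). The following Python script is an added example that is not part of this thread and not code from the DDS or ComboFix tools; it applies that same reasoning mechanically. The sample lines are copied from the log posted above, while the `Finding` type, the function names and the name-mismatch heuristic are my own assumptions. A flag means "a human should look at this", not "remove it".

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections posted earlier in this thread.
SAMPLE_DDS = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: {A057A204-BACC-4D26-CEC4-75A487FD6484} - No File
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-21 28544]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2008-5-19 21504]
R2 TG850P26;TG850P26;\??\c:\windows\system32\drivers\JAG57A1M.sys [2008-3-29 28384]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-8-14 104328]
"""


@dataclass
class Finding:
    kind: str   # "no_file", "no_path" or "name_mismatch" (my own labels)
    line: str   # the DDS line that triggered it
    note: str   # why it deserves a human look


# Any "drive:\" sequence counts as a file path on the line.
PATH_RE = re.compile(r"[a-z]:\\", re.I)
# "R2 Name;Display Name;path [date size]" lines from SERVICES / DRIVERS.
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[")


def check_hjt_entry(line: str):
    """Flag TB:/BHO:/IE: entries that are registered but point at nothing."""
    head = line.split(":", 1)[0]
    if head not in ("TB", "BHO", "IE"):
        return None
    if line.endswith("- No File"):
        return Finding("no_file", line,
                       f"{head} entry is still registered but its DLL is gone")
    if head == "IE" and not PATH_RE.search(line):
        return Finding("no_path", line,
                       "IE extension maps two CLSIDs to no file on disk")
    return None


def check_driver_entry(line: str):
    """Flag drivers whose file name shares nothing with the service name.

    Heuristic only: a vendor driver normally carries its own name in the
    service or display name, so a file under an unrelated name stands out.
    """
    m = DRIVER_RE.match(line)
    if not m:
        return None
    _state, svc, display, path = m.groups()
    seg = path.strip('"').rsplit("\\", 1)[-1]      # last path component
    dot = re.match(r"([^.]+)\.", seg)               # drop ".sys", ".exe -k ..."
    stem = (dot.group(1) if dot else seg).lower()
    if stem == "svchost":                           # hosted service: no file to compare
        return None
    names = f"{svc} {display}".lower()
    if stem in names or any(tok in stem for tok in names.split()):
        return None
    return Finding("name_mismatch", line,
                   f"service {svc} loads {seg}, which shares no name with it")


def triage(dds_text: str):
    """Run both checks over every line and return findings in log order."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        hit = check_hjt_entry(line) or check_driver_entry(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.kind}] {f.note}\n    {f.line}")
```

On the sample above the script flags exactly the three entries the helper put into the CFScripts and leaves the Lexmark, Spybot, Panda and BitDefender entries alone. The driver check is deliberately conservative: entries hosted in svchost.exe are skipped because the host name says nothing about the service, and any match between the file stem and a word of the service or display name is accepted as a vendor name.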
Post #9, Jan 13 2009, 09:28 PM
New Member, Group: Members, Posts: 11, Joined: 1-April 07, Member No.: 121,384
The first time I attempted to run Combofix it got to the point where the report was being generated and then Windows shut down unexpectedly and I had to start the program over again. I'm not sure if these issues are related.
Thanks!
Post #10, Jan 14 2009, 06:52 PM
Bleep Bleep!, Group: Admin, Posts: 31,601, Joined: 24-January 04, From: USA, Member No.: 3
Looks good. How does the computer feel?
Post #11, Jan 16 2009, 12:45 PM
New Member, Group: Members, Posts: 11, Joined: 1-April 07, Member No.: 121,384
Outside of my recent blue screen issue (I believe it is a card related issue - someone in Microsoft groups is looking at some minidump files for me) the computer seems to be running on the slow side. It takes awhile for boot up and intermittently is slow to open programs and web pages. I do want to ask you about the virus/trojan that Adaware found - do you think BitDefender should have blocked or at least found it in scans? I'm getting to the end of my yearly subscription and I'm thinking of changing. Not sure if that is something you can comment on. Thanks!
Post #12, Jan 16 2009, 12:56 PM
Bleep Bleep!, Group: Admin, Posts: 31,601, Joined: 24-January 04, From: USA, Member No.: 3
The reality is that if malware is brand new, no antimalware software is going to get it. Malware first needs to be diagnosed and added to the anti-malware software's definitions. So, yes, stuff can slip through. BitDefender is a decent product and I do not see anything wrong with it.

I personally use Avast free. At this point, should we close this topic, as I do not think it is malware related?
Post #13, Jan 17 2009, 02:44 PM
New Member, Group: Members, Posts: 11, Joined: 1-April 07, Member No.: 121,384
One last thing before you close the topic - could you tell me what you found? Was there stuff left behind or in addition to what AdAware found?
Post #14, Jan 17 2009, 09:43 PM
Bleep Bleep!, Group: Admin, Posts: 31,601, Joined: 24-January 04, From: USA, Member No.: 3
Pretty much remnants of what may have been found previously. Nothing that was actively hurting your machine.
Now that you're clean:

Disable and Enable System Restore. If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point. You can find instructions on how to disable and re-enable System Restore here for your particular Windows version: Managing Windows Millennium System Restore or Windows XP System Restore Guide or Windows Vista System Restore Guide. Re-enable System Restore with instructions from the tutorial above.

Next, this process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1: Delete Temp Files
To clean out your temp files, click on Start and then Run, and type %temp% and press the OK button. This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

I am closing this topic. Please message a moderator if you need it reopened.

Glad I was able to help, and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems!

Do not forget to tell your friends about us!
Post #15, Jan 17 2009, 11:26 PM
New Member, Group: Members, Posts: 11, Joined: 1-April 07, Member No.: 121,384
Thanks very much for your help. I didn't realize that you helped people with other computer type problems. I'll remember that the next time I have an issue with my computer.