BleepingComputer.com: continual same page popping

Hello Casey,

This time the process worked no problem... here is the log.

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\IMNNQ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\IMNNQ NetQ Web Server deleted successfully.
Starting removal of ActiveX control {33564D57-9980-0010-8000-00AA00389B71}
C:\WINDOWS\Downloaded Program Files\wmv9dmo.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33564D57-9980-0010-8000-00AA00389B71}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{33564D57-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-9980-0010-8000-00AA00389B71}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {9F1C11AA-197B-4942-BA54-47A8489BB47F}
C:\WINDOWS\Downloaded Program Files\iuctl.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9F1C11AA-197B-4942-BA54-47A8489BB47F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F1C11AA-197B-4942-BA54-47A8489BB47F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9F1C11AA-197B-4942-BA54-47A8489BB47F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F1C11AA-197B-4942-BA54-47A8489BB47F}\ not found.
File Animation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab not found.
Starting removal of ActiveX control DirectAnimation Java Classes
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\DirectAnimation Java Classes\ not found.
File oft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fz moved successfully.
C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fzr moved successfully.
C:\Documents and Settings\All Users\Application Data\P1kAlMiG2Kb7Fz moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D282699C deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: dgratton
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: fneeser
->Temp folder emptied: 206582079 bytes
->Temporary Internet Files folder emptied: 431107729 bytes
->Java cache emptied: 21406793 bytes
->Flash cache emptied: 25727 bytes

User: fneeser2
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: techsupport2
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: u0040774
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: u0083445
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 202479 bytes

User: U3900484
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: U3900489
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: u3900493
->Temp folder emptied: 137367 bytes
->Temporary Internet Files folder emptied: 59051542 bytes
->Java cache emptied: 46766211 bytes
->Flash cache emptied: 10657 bytes

User: U3900571
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 3357726 bytes
%systemroot%\System32 .tmp files removed: 4227217 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16867 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 36785 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 737.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.27.0 log created on 09122011_083117

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Glad to hear it - how is the PC?

Please update and then run a full scan with MalwareByte's AntiMalware and then post me the log.

I'd like us to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
  
• Click the button.
  
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
    
  • Double click on the icon on your desktop.
  
  
• Check
  
• Click the button.
  
• Accept any security warnings from your browser.
  
• Check
  
• Push the Start button.
  
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  
• When the scan completes, push
  
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  
• Push the button.
  
• Push

Casey

Hi Casey,

The pc is very quick and responsive now.

The eset scanner took several hours, but in the end it found nothing. The MBAM scan also found nothing. Here is the MBAM log.

Thanks for all your work...

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7699

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/12/2011 12:24:49 PM
mbam-log-2011-09-12 (12-24-49).txt

Scan type: Full scan (C:\|)
Objects scanned: 454974
Time elapsed: 1 hour(s), 16 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Great, could you try running DDS for me now? You may need to download a fesh copy. If it runs, please post me the log and attach the attach.txt

Casey

Hi,

I can't run DDS unless I first change the file associations, except I don't know what to change them to. Currently when I run it I get an IBM editor coming up. I don't mind changing them, since I no longer use that IBM tool, but I would need instructions.

Thanks.

Hi,

No need we'll change the file extension on DDS.

Please set Windows to show file extensions (details here). Then rename DDS.scr to DDS.com and see if it'll run.

Casey

Hi Casey,
This time it worked and here is the log. I'm also attaching attach.txt.

It appears we're just about done, doesn't it? What a relief.

Just for interest sake, I got a program called IEHISTORY which shows a log of which web-sites I went to. My idea was to see which page I was at just before the malware appeared on Aug 18 at 09.45am. Unfortunately as soon as the malware appeared that day, I did a system restore, which wiped out the history of that day. I supppose in the end it doesn't matter, because it would have been a well-known and reputable site, since those are the only sites I go to, so I don't know how these malwares get transferred. Any thoughts?

Thanks.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by u3900493 at 13:24:24 on 2011-09-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.476 [GMT -4:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {82219614-CCD3-402E-9773-83F612795313}
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\PMService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\Explorer.EXE
C:\logonapp.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\trutil01.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\IBM\Client Access\Emulator\pcsws.exe
C:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\work\chess17\Arena\Arena.exe
C:\work\chess13\Fruit-2-3-1.exe
C:\Program Files\IBM\Client Access\Emulator\pcsws.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\wdsc\SYSTEM\EVFWLX40.EXE
C:\wdsc\SYSTEM\RXAPI.EXE
C:\wdsc\SYSTEM\EVFCTCPD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://inet/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [EPA_EZ_GPO_Tool] c:\windows\system32\EZ_GPO_Tool.exe
mRun: [trutil0] c:\windows\system32\trutil01.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realdo~1.lnk - c:\program files\real\realdownload\Realdownload.exe
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-system: HideLogonScripts = 0 (0x0)
mPolicies-system: RunLogonScriptSync = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1244727302390
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1307387712671
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://thomsonevents.webex.com/client/v_mywebex-t20/event/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 10.192.4.33 10.192.4.34
TCP: Interfaces\{03D78A6E-BA0A-4D9E-823F-56BAC841EB8E} : DhcpNameServer = 10.192.4.175 10.192.4.176
TCP: Interfaces\{74A45951-A9D8-4E1A-9754-E4185B93C646} : DhcpNameServer = 10.192.4.22 10.192.4.21
TCP: Interfaces\{76D83FDF-4F99-4A04-8C8A-505BF71FF675} : DhcpNameServer = 10.192.4.22 10.192.4.21
TCP: Interfaces\{98533199-A0CE-4C82-890F-21D5E16183CF} : DhcpNameServer = 10.192.4.33 10.192.4.34
TCP: Interfaces\{C94ECD3C-5B53-4B58-A6DE-26CBCB092B16} : DhcpNameServer = 10.192.4.33 10.192.4.34
TCP: Interfaces\{ED24CA21-2D08-4038-9653-09A511ED176C} : DhcpNameServer = 10.192.4.22 10.192.4.21
Name-Space Handler: ftp\RealDownload - {EBCDDA5E-2A68-11D3-8A43-0060083CFB9C} - c:\windows\system32\nzdd.dll
Name-Space Handler: http\RealDownload - {EBCDDA5E-2A68-11D3-8A43-0060083CFB9C} - c:\windows\system32\nzdd.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\u3900493\application data\mozilla\firefox\profiles\p3ftn96r.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: network.proxy.ftp - 10.192.4.61
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 10.192.4.61
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 10.192.4.61
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.ssl - 10.192.4.61
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\mozilla firefox\components\qfaservices.dll
.
============= SERVICES / DRIVERS ===============
.
R2 EPA_GPO_PMService;Energy Star™ EZ GPO Power Management Configuration Tool;c:\windows\system32\PMService.exe [2005-1-21 81920]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-1-21 52304]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXPFlt.sys [2008-12-2 249424]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2008-12-2 36432]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2009-6-5 2521880]
R3 xMrMINI;xMrMINI;c:\windows\system32\drivers\xMrMINI.sys [2009-4-27 247808]
R3 xVGAMINI;xVGAMINI;c:\windows\system32\drivers\xVGAMINI.sys [2009-4-27 253184]
R3 xVGAUSB;USB 2.0 VGA DEVICE-1;c:\windows\system32\drivers\xvgausb.sys [2009-4-27 34944]
S1 CCDevice;CCDevice; [x]
S2 netsvcs_0x2;œüKdXt$sˆQ`œHKc�`ülhk“œYï=x86 Family 15;c:\windows\system32\svchost.exe -k netsvcs [2002-8-29 14336]
S3 OnePointDomainAdminService;Domain Migration Administrator Agent;c:\program files\onepointdomainagent\dctagentservice.exe --> c:\program files\onepointdomainagent\DCTAgentService.exe [?]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2008-12-2 689416]
.
=============== File Associations ===============
.
.scr=ipffile
.
=============== Created Last 30 ================
.
2011-09-09 12:35:12 -------- d-----w- C:\_OTL
2011-09-08 13:02:22 98816 ----a-w- c:\windows\sed.exe
2011-09-08 13:02:22 518144 ----a-w- c:\windows\SWREG.exe
2011-09-08 13:02:22 256000 ----a-w- c:\windows\PEV.exe
2011-09-08 13:02:22 208896 ----a-w- c:\windows\MBR.exe
2011-08-31 19:27:41 388096 ----a-r- c:\documents and settings\u3900493\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-08-30 18:50:02 -------- d-----w- c:\program files\ESET
2011-08-29 18:34:50 -------- d-----w- c:\documents and settings\u3900493\application data\Malwarebytes
2011-08-29 18:34:41 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-29 18:34:40 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-08-29 18:34:33 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-29 18:34:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-18 13:55:06 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-08-18 13:55:06 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-08-29 19:44:33 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 13:25:29.10 ===============

Sorry for the delay in my reply!

Quote

Some reputable sites can become infected from time to time - so you can never be 100% safe.

I'm presuming the proxy settings listed in your logs are legitimate?

Uninstall Ad-aware 6 Personal

This is very outdated now and is serving no use. I recommend you uninstall it.

Update Adobe Reader

Your version of Adobe Reader is out-of-date. Older versions has vulnerabilities which are fixed in later releases. I strongly recommend that you update your version. The latest version can be downloaded from here: http://get.adobe.com/uk/reader/?promoid=BUIGO

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

• Microsoft: ‘Unprecedented Wave of Java Exploitation’
  
• Drive-by Trojan preying on out-of-date Java installations
  
• Ghosts of Java Haunt Users

Please follow these steps to remove older version Java components and update:

• Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  
• Look for "Java Platform, Standard Edition".
  
• Click the "Download JRE" button to the right.
  
• Read the License Agreement, and then check the box that says: "Accept License Agreement".
  
• From the list, select your OS and Platform (32-bit or 64-bit).
  
• If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  
• Close any programs you may have running - especially your web browser.

Go to > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.

• Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  
• Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  
• Repeat as many times as necessary to remove each Java versions.
  
• Reboot your computer once all Java components are removed.
  
• Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  
• If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  
• When the Java Setup - Welcome window opens, click the Install > button.
  
• If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  
• The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:

• Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  
• Click Ok and reboot your computer.

Casey

Casey_boy, on 15 September 2011 - 09:40 AM, said:

Hi,
I will follow your suggestions later today, but I just wanted to comment quickly.

I had already been wondering if it was a java thing thing that hit me, because I go to www.gameknot.com every day and they have a java applet that I use for chess games. This is probably confirmation of that.

My question is, since I'm still at the older version of java and still running that applet every day, what are the chances I've been re-infected? I could probably run those malware programs you had me run like gmer, tdsskiller etc in the same order you had me do them, and if I see anything like what we saw before, then I could run the same steps to dis-infect, without troubling you again. What do you think?

Thanks.

edit: btw, this link doesn't work
http://www.bleepingcomputer.com/forums/blog/676/entry-1747-microsoft-unprecedented-wave-of-java-exploitation/

This post has been edited by fredn: 15 September 2011 - 11:36 AM

Hi,

It could well be - out of date Java is an often exploited route. I wouldn't worry about re-running the scans, you'd have noticed if there was something still wrong.

Let me know how you get on.

Casey

Hi Casey,

I re-installed the latest version of Java and uninstalled Adaware and the older version of Adobe.

One odd thing that happened, I went to what I thought was a local radio station site. I mis-typed the address and suddenly found myself at a similar site to the one that I was seeing when all this malware stuff started. Probably it's just a case of someone appropriating a similar sounding site name, just thought I'd mention it.

Thanks for your assistance so far,
Fred

Hi Fred,

It could be a rogue website - or like you said just a similar looking one. I think that, unless you have any current symptoms, we can call this resolved.

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

We Need to Clean Up our Mess
Our work on your machine has left considerable leftovers on your box. Let's clean those up real quick:

• Reopen on your desktop.
  
• Click on
  
• You will be prompted to reboot your system. Please do so.

Below I have outlined a series of categories that outline how you can increase the security of your computer and help prevent reinfection. Please take the time to read through them and follow the advice given.

Keep Windows up-to-date
Microsoft continually releases security and stability updates for its supported operating systems and you should always apply these to help keep your PC secure.

• Windows XP users
  You should visit Windows Update to check for the latest updates to your system. The latest service pack (SP3) can be obtained directly from Microsoft here.

Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:

• If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  
  
  
• If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  
  
  
• If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  
  
  
• If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.
  
  There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  
  
  
• Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  
  
  
• Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  
  
  
• When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  
  
  
• Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  
  
  
• Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.
  
  
  
• DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.

Make Internet Explorer more secure

• From within Internet Explorer click on the Tools menu and then click on Options.
  
• Click once on the Security tab
  
• Click once on the Internet icon so it becomes highlighted.
  
• Click once on the Custom Level button.
  
• Change the Download signed ActiveX controls to Prompt
  
• Change the Download unsigned ActiveX controls to Disable
  
• Change the Initialize and script ActiveX controls not marked as safe to Disable
  
• Change the Installation of desktop items to Prompt
  
• Change the Launching programs and files in an IFRAME to Prompt
  
• Change the Navigate sub-frames across different domains to Prompt
  
• When all these settings have been made, click on the OK button.
  
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
  
• Next press the Apply button and then the OK to exit the Internet Properties page.

Regularly Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install SpywareBlaster

SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware


Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Casey

Hi Casey,
I ran your points 1 and 2 and studied the tips..... all very good and informative. One in particular I appreciate, the one about right-clicking the popup to see if you get a "add to favorites". That's a good one, didn't know that. I always either used the X or even task manager to kill the process, because I didn't trust responding, but now I know a way to check.

Thanks again for all your efforts. I'm going to keep this thread for myself so I know how to progress if something like this happens again. It's great to have a sequence to follow.

It's pretty cool to have a fast running pc again!

Regards,
Fred

No problem, I'm glad I could help

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

This post has been edited by Casey_boy: 21 September 2011 - 10:41 AM