
Possible Infection?


This topic is locked
18 replies to this topic

#1 Storm3 (Members, 17 posts)

Posted 20 February 2010 - 04:26 PM

Hello all,

I hope I'm posting this in the right area. I followed the "Preparation Guide", but for topic title it says to state the possible malware, etc. you might have but I'm not sure what I have. Hopefully, I did everything else right.

I have Windows XP and use a wireless router, but the computer giving me problems is my desktop PC, which is plugged directly into the router. I normally turn my computer off at night but a week ago, I left it on. When I got up and tried to check my email, Outlook gave me a Send/Receive error message. I then tried out Firefox, which gave me the classic "The Connection was Reset" message, as did IE. I just figured my ISP was on the fritz (as it sometimes goes out for a little while) and to try back later. An hour or so later, the same problems were present. I decided to try the internet on my laptop, which takes advantage of the wireless connection, and it connects fine (which is how I'm typing all this). Even my PS3, which uses the wireless connection, is connecting fine so I'm assuming there's a problem with the PC.

My virus protection is Trend Micro Internet Security, which I've scanned with but it doesn't detect anything. It does pop up that "Your Personal Firewall has shut down. Try restarting Trend Micro Internet Security to restore it. If that does not help, try restarting the computer. If these suggestions do not restore the Personal Firewall, please contact technical support." Well, none of that restored the firewall but I did look up how to restore it, thinking Trend may be causing the internet problem, and found out how to restore it. The firewall is apparently restored but when I try to "Update Now" on Trend, it just tells me "An error prevented your security software from contacting Trend Micro. Make sure the Internet connection works, and check your proxy settings." I also used a program that helped me in the past, Malwarebytes' Anti-Malware, but it didn't find anything either.

Next, I was wondering if the cable (since the wireless devices are working but the one actually connected to the router isn't) connecting the router to the PC went bad. However, when I go into "Control Panel", "Network Connections", and double click on "Local Area Connection 3", it tells me that "Status: Connected." The Duration and Speed are all listed and seem right too, so wouldn't this rule out a problem with the cable? I would appreciate any help and/or advice! Per the "Prep Guide", here's my DDS report:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 2:31:12.73 on Fri 02/19/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1538 [GMT -5:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
svchost.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - No File
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\26dbocp0.default\
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [2007-8-9 45056]
R1 SSHDRV64;SSHDRV64;c:\windows\system32\drivers\SSHDRV64.sys [2008-7-2 109568]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-5-17 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2010-2-19 492888]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-8-14 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-5-17 677128]
R3 BENDER;Pinnacle DV/AV Capture;c:\windows\system32\drivers\bender.sys [2006-11-21 203264]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-5-17 335376]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\drivers\ULILAN51.SYS [2007-8-9 28672]
S3 cpuz130;cpuz130;\??\c:\docume~1\owner\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 MOSUMAC;MosChip 7830 USB-Ethernet Driver;c:\windows\system32\drivers\MOSUMAC.SYS [2007-8-9 28800]
S3 PCD64X3;PCD64X3;\??\c:\docume~1\owner\locals~1\temp\pcd64x3.sys --> c:\docume~1\owner\locals~1\temp\PCD64X3.sys [?]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2008-1-14 223128]
S4 asurscsi;asurscsi;c:\program files\voyetra\audiosurgeon 5\asurscsi.exe [2002-10-2 208688]
S4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2008-2-2 2560]

=============== Created Last 30 ================


==================== Find3M ====================

2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 21:25:05 6435 ----a-w- c:\windows\system32\WORK.DAT
2009-12-31 16:58:07 92804 ----a-w- c:\windows\fonts\Strayhorn_MT.ttf
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-07-03 16:12:15 2633 --sha-w- c:\windows\system32\mmf.sys
2008-09-20 22:51:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092020080921\index.dat

============= FINISH: 2:31:56.75 ===============

#2 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 21 February 2010 - 07:35 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

m0le is a proud member of UNITE

#3 Storm3 (Topic Starter)

Posted 21 February 2010 - 08:15 PM

Just replying to the above post. Thanks for taking the time to help me with this, Mole. Just let me know what else you need me to do.

Once again, thanks for the time.

#4 m0le (Malware Response Team)

Posted 21 February 2010 - 09:00 PM

Hey,

There isn't really anything to look at on the logs you have provided. The PC could do with a clean-up and update but nothing else looks likely.

Please run these two programs just to double-check.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then an online scanner

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Thanks

m0le is a proud member of UNITE

#5 Storm3 (Topic Starter)

Posted 21 February 2010 - 09:29 PM

I actually already have Malwarebytes on my computer. I have fully scanned the computer twice already and both times came back with no viruses, etc. detected. Do you want me to scan it again and post the findings regardless? Also, I last updated Malwarebytes about a month ago, but since I cannot access the internet from the computer in question, I can't get the latest updates so maybe that's a problem with it. Remember, I am accessing the internet (wireless) through my laptop; the computer I'm having the issue with cannot access the internet at all. Won't load web pages, won't download email, etc. so I can't update Malwarebytes. EDIT: I just re-read the part where you can manually download the updates. I downloaded the mbam-rules.com from the link provided and installed it so I'll try to scan it again.

I've just downloaded the ESET test onto my laptop and will transfer it to the computer in question and try to scan it that way. I'll get back with that ASAP.

On another note, what do you mean that the PC could do with a good cleaning and updating? Do you mean drivers, etc. or actually getting better hard drives, etc.? And by cleaning do you mean defragging or something else? If you could give me some recommendations, I would appreciate it.

Edited by Storm3, 21 February 2010 - 09:36 PM.


#6 Storm3 (Topic Starter)

Posted 21 February 2010 - 09:39 PM

I just tried to install ESET Online Scanner on the PC in question, and it stops and states, "Can not get update. Is proxy configured?" and does nothing else. Once again, the main problem is that the computer in question can't access the internet so anything I do I have to be able to download onto my laptop and then transfer it to the computer in question. Thanks.

Edited by Storm3, 21 February 2010 - 09:43 PM.


#7 Storm3 (Topic Starter)

Posted 22 February 2010 - 03:17 AM

Per your last post, m0le, I used the link you provided and installed the updates for Malwarebytes' and scanned the PC again. This time, it found two instances of "Malware.Trace" files. I wanted to note that before I tried to delete them. Okay, I'm going to delete them now and then paste the report below:


Malwarebytes' Anti-Malware 1.44
Database version: 3740
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/22/2010 3:11:56 AM
mbam-log-2010-02-22 (03-11-56).txt

Scan type: Full Scan (C:\|)
Objects scanned: 209854
Time elapsed: 57 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\sysReserve.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WORK.DAT (Malware.Trace) -> Quarantined and deleted successfully.


#8 m0le (Malware Response Team)

Posted 22 February 2010 - 02:17 PM

A trace of Trace

If you suspect that the internet connection has been damaged through removal of malware - which looks possible now - I think we should attempt to reconnect your PC to the WWW.

We Need to Repair Your Internet Connection
  1. Please download WinsockXPFix from a working machine and copy it to a CD or flash media.
  2. Copy the file to the desktop on the non working machine.
  3. Double Click on on your desktop.
  4. Push the button.
  5. Allow your system to reboot.

Please let me know if your connection is restored in your next reply
m0le is a proud member of UNITE

#9 Storm3 (Topic Starter)

Posted 22 February 2010 - 03:11 PM

YES!

I do have internet connection now (I'm actually posting from the said computer). After deleting the malware.trace files with Malwarebytes' last night, I tried connecting but it didn't work. I restarted the computer and ran another scan overnight. When I woke up, the scan came back with no infections, and when I tried to connect this time, it connected. I guess Malwarebytes' just needed the latest updates so your link to find and download them via another computer was a lifesaver! If I had known you could download the updates through another computer beforehand, I probably wouldn't have had to waste your time. I'm not sure if I should do anything else but I do have some questions that I hope you would kindly answer:

1) What is malware.trace (as in what does it do)? I've tried to Google it but nothing definitive comes up.

2) After reviewing my reports above, you stated that "The PC could do with a clean-up and update but nothing else looks likely." What do you mean by clean-up and update? Do you mean clean-up by defragging and updating by updating drivers? Or do you mean something else? I try to keep the computer in as good of working order as I can so whatever I can do to clean it up and keep it updated I would like to do. If it doesn't take you too much time, I would really like to know what you meant by this.

Thanks for your time and help!

#10 m0le (Malware Response Team)

Posted 22 February 2010 - 04:53 PM

You didn't waste my time, Storm3.

QUOTE (Storm3 @ Feb 22 2010, 08:11 PM):
1) What is malware.trace (as in what does it do)? I've tried to Google it but nothing definitive comes up.


Malware.trace is just a name that MBAM has given malicious files that are peripheral files. You notice that none of these are .exe, they are data files or, in this case, initialization files.

QUOTE (Storm3 @ Feb 22 2010, 08:11 PM):
2) After reviewing my reports above, you stated that "The PC could do with a clean-up and update but nothing else looks likely." What do you mean by clean-up and update? Do you mean clean-up by defragging and updating by updating drivers? Or do you mean something else? I try to keep the computer in as good of working order as I can so whatever I can do to clean it up and keep it updated I would like to do. If it doesn't take you too much time, I would really like to know what you meant by this.


Don't panic, there are just a few things on the log that we can clear up and, in particular, I was referring to the jumble of Java versions on your PC. We can deal with Java now and the clean-up will follow after that.

Old versions of Java are big doors to malware. JavaRa removes them and updates your version to the most current.

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Please make sure you turn on the Java Automatic Update Feature

    Then you will not have to remember to update it when Java introduces a new version.
    Java is updated very frequently, and the old versions are malware magnets.

    Note: This feature is available only on Windows XP, 2003, 2000 (SP2 or higher) and set by default for these operating systems.


Now a quick scan with ESET

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Please also post a new DDS log so we can finish up.

m0le is a proud member of UNITE
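Both DDS logs in this thread carry a `uInternet Settings,ProxyServer = http=127.0.0.1:5555` entry, BHO/toolbar entries marked `No File`, and DPF entries for several different Java 6 updates (the "jumble of Java versions" referred to above). As an added example that is not part of the thread and not code from DDS, the following Python script parses a DDS "Pseudo HJT Report" section and reports those three things; the sample input is constructed from lines in the first log, and the dataclass and function names are the author's own.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example; not part of the thread and not DDS's own code.  It parses
the record types that appear in the logs above (uInternet Settings,
BHO:, TB:, DPF:) and reports three things a helper would check first:
a proxy pointing at the loopback address, add-on entries whose file is
missing ('No File'), and which Java runtime versions are still
registered through DPF entries.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input, modelled on lines from the first DDS log in the thread.
SAMPLE_HJT = """\
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - No File
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
# Sun's installer cab names carry the JRE version: jinstall-1_6_0_13-windows-i586.cab
JINSTALL_RE = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-", re.IGNORECASE)


@dataclass
class HjtFindings:
    proxy_server: Optional[str] = None
    proxy_override: Optional[str] = None
    loopback_proxies: List[str] = field(default_factory=list)
    missing_file_entries: List[str] = field(default_factory=list)
    java_versions: List[str] = field(default_factory=list)


def parse_proxy_server(value: str) -> List[Tuple[str, str, Optional[int]]]:
    """Split a ProxyServer value into (scheme, host, port) triples.

    DDS prints the registry value verbatim: 'http=127.0.0.1:5555' or
    'http=proxy:8080;https=proxy:8443'.  A part with no 'scheme=' prefix
    applies to every protocol and is reported with scheme '*'.
    """
    result = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, hostport = part.split("=", 1) if "=" in part else ("*", part)
        host, _, port = hostport.rpartition(":")
        if not host:                      # no port given at all
            host, port = hostport, ""
        port_num = int(port) if port.isdigit() else None
        result.append((scheme.lower(), host.strip("[]").lower(), port_num))
    return result


def triage_hjt(text: str) -> HjtFindings:
    """Walk the Pseudo HJT lines once and collect the findings described above."""
    found = HjtFindings()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("uInternet Settings,ProxyServer"):
            found.proxy_server = line.split("=", 1)[1].strip()
            for scheme, host, port in parse_proxy_server(found.proxy_server):
                if host in LOOPBACK_HOSTS:
                    found.loopback_proxies.append(f"{scheme}://{host}:{port}")
        elif line.startswith("uInternet Settings,ProxyOverride"):
            found.proxy_override = line.split("=", 1)[1].strip()
        elif line.startswith(("BHO:", "TB:")) and line.endswith("- No File"):
            found.missing_file_entries.append(line)
        elif line.startswith("DPF:"):
            match = JINSTALL_RE.search(line)
            if match:
                version = "{}.{}.{}_{}".format(*match.groups())
                if version not in found.java_versions:
                    found.java_versions.append(version)
    found.java_versions.sort()
    return found


def summarize(found: HjtFindings) -> List[str]:
    """One plain-language note per finding, in the order a helper would act on them."""
    notes = []
    if found.loopback_proxies:
        notes.append("Browser proxy is set to " + ", ".join(found.loopback_proxies)
                     + "; if no local proxy process is listening there, web pages, mail "
                       "and AV updates all fail with connection reset / proxy errors.")
    if found.missing_file_entries:
        notes.append(f"{len(found.missing_file_entries)} BHO/toolbar entries point to "
                     "files that no longer exist (orphaned registry entries).")
    if len(found.java_versions) > 1:
        notes.append("Several Java runtimes are registered (" + ", ".join(found.java_versions)
                     + "); keep only the newest, old versions are a common infection vector.")
    return notes


if __name__ == "__main__":
    for note in summarize(triage_hjt(SAMPLE_HJT)):
        print("-", note)
```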

#11 Storm3 (Topic Starter)

Posted 23 February 2010 - 02:03 AM

I've completed the three things you requested that I do (run ESET Scan, new DDS report and JavaRa). The first thing I did was the JavaRa stuff, but I did run into a problem with it. I noticed that Trend Micro was not being shown on the lower right toolbar. I opened it via the desktop shortcut, but it froze at the loading screen. I had to "ctrl, alt, del" it to get it off the screen; however, the emblem for Trend remained at the lower right toolbar and wouldn't let me close it. I decided that I'd just reinstall it after doing the Java stuff. I ran JavaRa and got rid of the old Java stuff, then went to search for updates, selected to update from the website as you told me to do, but when the browser loaded it went back to the "connection was reset"... couldn't access email, etc. just like it was doing. I figured that something must be wrong with Trend causing this problem so I uninstalled Trend and restarted the computer. When it rebooted, it connected to the internet fine. I'm telling you this so when you review my latest reports and don't see Trend listed on them, this is why.

My subscription runs out with Trend in April, and I've had my ups and downs with it. Would you recommend me reinstalling Trend or trying one of these free virus protection software like Avast (sp)? Is there one you would recommend over another? Anyway, you didn't tell me how you wanted the ESET report so I just zipped it up and attached it. UPDATE: It wouldn't let me upload zipped files so I just had to attach them.



DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 1:48:46.01 on Tue 02/23/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1532 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
svchost.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\26dbocp0.default\
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [2007-8-9 45056]
R1 SSHDRV64;SSHDRV64;c:\windows\system32\drivers\SSHDRV64.sys [2008-7-2 109568]
R3 BENDER;Pinnacle DV/AV Capture;c:\windows\system32\drivers\bender.sys [2006-11-21 203264]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\drivers\ULILAN51.SYS [2007-8-9 28672]
S3 cpuz130;cpuz130;\??\c:\docume~1\owner\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 MOSUMAC;MosChip 7830 USB-Ethernet Driver;c:\windows\system32\drivers\MOSUMAC.SYS [2007-8-9 28800]
S3 PCD64X3;PCD64X3;\??\c:\docume~1\owner\locals~1\temp\pcd64x3.sys --> c:\docume~1\owner\locals~1\temp\PCD64X3.sys [?]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2008-1-14 223128]
S4 asurscsi;asurscsi;c:\program files\voyetra\audiosurgeon 5\asurscsi.exe [2002-10-2 208688]
S4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2008-2-2 2560]

=============== Created Last 30 ================

2010-02-23 05:33:04 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-02-22 02:36:22 0 d-----w- c:\program files\ESET
2010-02-21 03:25:21 7302 ----a-w- c:\windows\system32\rrt_vf.wav
2010-02-21 03:25:21 7148 ----a-w- c:\windows\system32\rrt_tv.wav
2010-02-21 03:25:21 6282 ----a-w- c:\windows\system32\rrt_tn.wav
2010-02-21 03:25:21 16244 ----a-w- c:\windows\system32\rrt_is.wav

==================== Find3M ====================

2010-02-23 05:32:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:58:07 92804 ----a-w- c:\windows\fonts\Strayhorn_MT.ttf
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-07-03 16:12:15 2633 --sha-w- c:\windows\system32\mmf.sys
2008-09-20 22:51:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092020080921\index.dat

============= FINISH: 1:48:57.42 ===============







#12 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 23 February 2010 - 08:24 PM

Right, let's clear up the DDS log. I will give you some advice about other options than Trend later.

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

We need to execute an OTM script
  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the icon on your desktop.
  3. Paste the following code under the area. Do not include the word "Code".
    CODE
    :Files
    c:\documents and settings\owner\local settings\temp\PCD64X3.sys
    :Services
    PCD64X3
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "F0F8ECBE-D460-4B34-B007-56A92E8F84A7"=-
    [-HKEY_CLASSES_ROOT\CLSID\{F0F8ECBE-D460-4B34-B007-56A92E8F84A7}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "2318C2B1-4965-11D4-9B18-009027A5CD4F"=-
    [-HKEY_CLASSES_ROOT\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}]
    [-HKEY_CLASSES_ROOT\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}]
    :Commands
    [EmptyTemp]
    [Reboot]
  4. Push the large button.
  5. OTM may ask to reboot the machine. Please do so if asked.
  6. Copy/Paste the contents under the line here in your next reply.
  7. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post the OTM log.


Please also post a new DDS log so I can check we're good.
m0le is a proud member of UNITE

#13 Storm3
  • Topic Starter
  • Members
  • 17 posts

Posted 23 February 2010 - 11:30 PM

Per your instructions, below is the OTM report. Just for my own curiosity as I try to learn new things while doing stuff like this, what files were removed because of this procedure? Is this something that needs to be done every few months or just something you came up with based on my reports? Anyway, here you go:

All processes killed
========== FILES ==========
File/Folder c:\documents and settings\owner\local settings\temp\PCD64X3.sys not found.
========== SERVICES/DRIVERS ==========
Service PCD64X3 stopped successfully!
Service PCD64X3 deleted successfully!
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\F0F8ECBE-D460-4B34-B007-56A92E8F84A7 not found.
Registry key HKEY_CLASSES_ROOT\CLSID\{F0F8ECBE-D460-4B34-B007-56A92E8F84A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F0F8ECBE-D460-4B34-B007-56A92E8F84A7}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\2318C2B1-4965-11D4-9B18-009027A5CD4F not found.
Registry key HKEY_CLASSES_ROOT\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CLASSES_ROOT\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Denise
->Temp folder emptied: 74581 bytes
->Temporary Internet Files folder emptied: 12399183 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 104818511 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 5748615 bytes
->Temporary Internet Files folder emptied: 7161961 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 92325828 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162307 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2576447 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 500388 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 217.00 mb


OTM by OldTimer - Version 3.1.9.0 log created on 02232010_231505

Files moved on Reboot...
File move failed. C:\WINDOWS\SFE85A31E.tmp scheduled to be moved on reboot.

Registry entries deleted on Reboot...


And, for your reading pleasure, the newest DDS report:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 23:23:33.31 on Tue 02/23/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1579 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\26dbocp0.default\
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [2007-8-9 45056]
R1 SSHDRV64;SSHDRV64;c:\windows\system32\drivers\SSHDRV64.sys [2008-7-2 109568]
R3 BENDER;Pinnacle DV/AV Capture;c:\windows\system32\drivers\bender.sys [2006-11-21 203264]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\drivers\ULILAN51.SYS [2007-8-9 28672]
S3 cpuz130;cpuz130;\??\c:\docume~1\owner\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 MOSUMAC;MosChip 7830 USB-Ethernet Driver;c:\windows\system32\drivers\MOSUMAC.SYS [2007-8-9 28800]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2008-1-14 223128]
S4 asurscsi;asurscsi;c:\program files\voyetra\audiosurgeon 5\asurscsi.exe [2002-10-2 208688]
S4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2008-2-2 2560]

=============== Created Last 30 ================

2010-02-24 04:15:05 0 d-----w- C:\_OTM
2010-02-23 05:33:04 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-02-22 02:36:22 0 d-----w- c:\program files\ESET
2010-02-21 03:25:21 7302 ----a-w- c:\windows\system32\rrt_vf.wav
2010-02-21 03:25:21 7148 ----a-w- c:\windows\system32\rrt_tv.wav
2010-02-21 03:25:21 6282 ----a-w- c:\windows\system32\rrt_tn.wav
2010-02-21 03:25:21 16244 ----a-w- c:\windows\system32\rrt_is.wav

==================== Find3M ====================

2010-02-23 05:32:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:58:07 92804 ----a-w- c:\windows\fonts\Strayhorn_MT.ttf
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-07-03 16:12:15 2633 --sha-w- c:\windows\system32\mmf.sys
2008-09-20 22:51:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092020080921\index.dat

============= FINISH: 23:23:56.81 ===============




#14 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 24 February 2010 - 07:49 AM

My plan was to:

1) Stop and remove the bad driver that was loading
2) Remove remnants of the old Java version
3) Remove toolbar registry entries which are now just remnants of programs.

1 and 2 worked fine but, as often happens, the toolbars are still there. Don't worry, it doesn't matter at all.


The PC is now...

...clean. Good stuff!

Let's firstly do some housekeeping

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
------------------------------------------------------------------------------------------------------------------------------------------


Here's a list of ways you can avoid problems in the future:

Update your AntiVirus Software

It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15-day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


That's it, happy surfing!

Cheers,


m0le



m0le is a proud member of UNITE
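The three-part plan above maps onto concrete DDS findings: a driver service loading from a user temp folder, a Java ActiveX distribution unit (DPF) for a superseded update, and toolbar CLSIDs that point at no file; the same DDS output also lists a user-level proxy pointing at 127.0.0.1:5555, which a triage pass should surface for a person to verify. As an added example that is not part of this thread or of the DDS/OTM tools, the Python script below scans DDS-style lines for those four patterns; its sample input is copied from the DDS output posted above, and the severity labels and category names are the example's own.

```python
"""Triage helper for DDS-style log lines (added example, not from DDS or OTM).

Flags: a driver service whose image sits under a temp folder, Java 6 DPF
entries superseded by a newer update, BHO/toolbar registrations with no
backing file, and a user-level proxy that points at the local machine.
"""
import re

# Sample input: lines copied from the DDS output in this thread, plus a
# known-good driver line (AGPKX.SYS) so the filter has something to ignore.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [2007-8-9 45056]
S3 cpuz130;cpuz130;\??\c:\docume~1\owner\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 PCD64X3;PCD64X3;\??\c:\docume~1\owner\locals~1\temp\pcd64x3.sys --> c:\docume~1\owner\locals~1\temp\PCD64X3.sys [?]
"""

PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
NOFILE_RE = re.compile(r"^(?:BHO|TB):.*-\s*No File$")
# The 4th GUID group of Sun's CAFEEFAC-0016-0000-00XX CLSIDs is the Java 6
# update number (0007 -> 1.6.0_07, 0018 -> 1.6.0_18, as the DPF URLs show).
JAVA_DPF_RE = re.compile(r"^DPF: \{CAFEEFAC-0016-0000-(\d{4})-ABCDEFFEDCBA\}")
# DDS service line: "<start type> <name>;<display name>;<image path> [...]"
DRIVER_RE = re.compile(r"^([RS][0-4])\s+([^;]+);[^;]*;(.+)$")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def triage_dds(text):
    """Return (severity, category, detail) tuples for one DDS log body."""
    findings = []
    java_units = []  # (update number, line) for every Java 6 DPF entry seen
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            # Value looks like "http=127.0.0.1:5555" or "host:port;...". A
            # loopback proxy only works if some local process listens there.
            for entry in m.group(1).split(";"):
                hostport = entry.split("=", 1)[-1]
                if hostport.rsplit(":", 1)[0].lower() in LOOPBACK:
                    findings.append(("high", "local-proxy", hostport))
            continue
        if NOFILE_RE.match(line):
            findings.append(("low", "orphaned-com", line))
            continue
        m = JAVA_DPF_RE.match(line)
        if m:
            java_units.append((int(m.group(1)), line))
            continue
        m = DRIVER_RE.match(line)
        if m and "\\temp\\" in m.group(3).lower():
            # A kernel driver loading from a temp folder needs a human look:
            # the thread removed PCD64X3, while cpuz130 is CPU-Z's own driver.
            findings.append(("medium", "temp-driver", f"{m.group(2)} ({m.group(1)})"))
    if java_units:
        newest = max(update for update, _ in java_units)
        for update, _ in java_units:
            if update < newest:
                findings.append(("low", "stale-java-dpf", f"6u{update} superseded by 6u{newest}"))
    return findings


if __name__ == "__main__":
    for severity, category, detail in triage_dds(SAMPLE_LOG):
        print(f"[{severity:6}] {category:15} {detail}")
```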

#15 Storm3
  • Topic Starter
  • Members
  • 17 posts

Posted 24 February 2010 - 11:22 AM

Thanks, m0le. I really appreciate all the help!

One last thing, I read your notes on Spyware protection, but do you have any recommendations for my anti-virus software? My Trend Micro is about to expire so I'm trying to decide if I should renew it or look into one of the free anti-virus programs. Do you have any recommendations on this? Is there any particular anti-virus program that you prefer to use?

Regardless, once again, thanks for all the help!



