Paladin Antivirus: did I get it all?



#1 youngmomma

youngmomma


Posted 24 February 2010 - 04:09 AM

I started getting popups about antivirus, and because I was recently infected with the Total Security virus I was aware of what it was right away, but not fast enough to stop it from happening. I immediately went to this site and was able to find a topic on removal before the virus eventually blocked me from here and other sites with the name of the virus in it (I guess you guys are well known enough that these virus makers do not care for you :thumbsup:). I knew that this was yet another trick of the virus, so I tried browsing in safe mode on my browser, and same result, it wouldn't load the pages. I had read enough to know I needed to use the rkill program to stop it and tried to do so and was unsuccessful, so I finally got a website to load that said try this program tdsskiller, and it had to run in safe mode for it to work. Up until that point I was unable to even use safe mode without the virus popping up, and could not get Malwarebytes to run either (tried renaming and everything). So when I used tdsskiller in safe mode it worked and removed some stuff, enough to where I could browse the internet again. Something that bothers me is that when in safe mode, before I was able to use tdsskiller, I was trying to locate my startup programs and thought you got to it by going to the C drive and right clicking and going to Properties. Well, I am glad I thought that, because when I was looking around in there I saw that file sharing for my complete drive was enabled to be shared with F$, and I knew I did not enable this and it had to be the virus. When I rebooted before I got the TDSS to work it was enabled again. After the TDSS ran and rebooted I ran Malwarebytes successfully and removed some more stuff. Then I booted into regular mode and checked the C drive and it was no longer shared.
While in safe mode I also unchecked two things that were associated with the virus. I can't remember one name, but when I looked it up on Google it said it was a trojan, and the other one was something like Paladin something. So when I started back in normal mode I went there again and they were checked again, and so I used Windows Defender and removed them both, so they are gone now. I used ATF Cleaner to clear out temps and such, and then I ran a Windows Defender scan and it was clean, but then when I did a search for "pav", which is how some of the files from the virus started, I found some and am worried about it coming back. Is there a way to see if this was a backdoor trojan? I mean, I don't have money, so it wouldn't really do any damage if someone got my info, but it would bother me to think someone could get in my stuff. So would you please suggest what I can do to feel better about this? I wish I would have written down the name of that thing in startup, or looked at my history before I deleted it, because it said on that page it was very dangerous. Thank you ahead of time, and I will post the logs I have so far now.



Malwarebytes



Malwarebytes' Anti-Malware 1.44
Database version: 3782
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

2/24/2010 12:37:01 AM
mbam-log-2010-02-24 (00-37-01).txt

Scan type: Full Scan (F:\|)
Objects scanned: 192827
Time elapsed: 20 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
F:\RECYCLER\S-1-5-21-73586283-1343024091-1417001333-1003\Df7.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
F:\Documents and Settings\All Users\Application Data\mswintmp.dat (Malware.Trace) -> Quarantined and deleted successfully.
F:\Documents and Settings\All Users\Application Data\_VOIDkrl32mainweq.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
F:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
F:\Documents and Settings\Anyone\Local Settings\Temp\_VOIDeeea.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
F:\Documents and Settings\Anyone\Desktop\explorer.com (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.






TDSSKiller




00:06:55:859 1080 TDSS rootkit removing tool 2.2.6 Feb 21 2010 21:24:13
00:06:55:859 1080 ================================================================================
00:06:55:859 1080 SystemInfo:

00:06:55:859 1080 OS Version: 5.1.2600 ServicePack: 3.0
00:06:55:859 1080 Product type: Workstation
00:06:55:859 1080 ComputerName: BLACKDREAM
00:06:55:859 1080 UserName: Anyone
00:06:55:859 1080 Windows directory: F:\WINDOWS
00:06:55:859 1080 Processor architecture: Intel x86
00:06:55:859 1080 Number of processors: 1
00:06:55:859 1080 Page size: 0x1000
00:06:55:859 1080 Boot type: Safe boot with network
00:06:55:859 1080 ================================================================================
00:06:55:859 1080 UnloadDriverW: NtUnloadDriver error 2
00:06:55:859 1080 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
00:06:55:875 1080 Initialize success
00:06:55:875 1080
00:06:55:890 1080 Scanning Services ...
00:06:55:890 1080 wfopen_ex: Trying to open file F:\WINDOWS\system32\config\system
00:06:55:890 1080 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
00:06:55:890 1080 wfopen_ex: Trying to KLMD file open
00:06:55:890 1080 wfopen_ex: File opened ok (Flags 2)
00:06:55:890 1080 wfopen_ex: Trying to open file F:\WINDOWS\system32\config\software
00:06:55:890 1080 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
00:06:55:890 1080 wfopen_ex: Trying to KLMD file open
00:06:55:890 1080 wfopen_ex: File opened ok (Flags 2)
00:06:56:234 1080 GetAdvancedServicesInfo: Raw services enum returned 325 services
00:06:56:234 1080 ScanTDL2Services: Heur detect _VOIDd.sys
00:06:56:234 1080 RegNode HKLM\SYSTEM\ControlSet001\services\_VOIDd.sys infected by TDSS rootkit ... 00:06:56:234 1080 will be deleted on reboot
00:06:56:234 1080 DeleteTDL2Service: SafeBoot Minimal doesn't infected
00:06:56:234 1080 DeleteTDL2Service: SafeBoot Network doesn't infected
00:06:56:265 1080 DeleteTDL2Service: ControlSet ControlSet002 doesn't infected
00:06:56:265 1080 File F:\WINDOWS\system32\drivers\_VOIDudrwtmrdkt.sys infected by TDSS rootkit ... 00:06:56:265 1080 will be deleted on reboot
00:06:56:265 1080 DeleteTDL2Service: Module enum: Name: _VOIDd. Type: 1
00:06:56:265 1080 DeleteTDL2Service: Module clone ImagePath, skipping
00:06:56:265 1080 DeleteTDL2Service: Module enum: Name: _VOIDc. Type: 1
00:06:56:265 1080 File F:\WINDOWS\system32\_VOIDlwaoetqskd.dll infected by TDSS rootkit ... 00:06:56:265 1080 will be deleted on reboot
00:06:56:281 1080 DeleteTDL2Service: Module enum: Name: _VOIDsrcr. Type: 1
00:06:56:281 1080 File F:\WINDOWS\system32\_VOIDqqobiqxffm.dat infected by TDSS rootkit ... 00:06:56:281 1080 will be deleted on reboot
00:06:56:281 1080 DeleteTDL2Service: Module enum: Name: _voidserf. Type: 1
00:06:56:281 1080 File F:\WINDOWS\system32\_VOIDdnmtbbgkvp.dll infected by TDSS rootkit ... 00:06:56:281 1080 will be deleted on reboot
00:06:56:281 1080 DeleteTDL2Service: Module enum: Name: _voidbbr. Type: 1
00:06:56:281 1080 File F:\WINDOWS\system32\_VOIDpjirilreht.dll infected by TDSS rootkit ... 00:06:56:281 1080 will be deleted on reboot
00:06:56:281 1080 ScanTDL2Services: DeleteEvilService(_VOIDd.sys) success
00:06:56:281 1080 fclose_ex: Trying to close file F:\WINDOWS\system32\config\system
00:06:56:281 1080 fclose_ex: Trying to close file F:\WINDOWS\system32\config\software
00:06:56:281 1080
00:06:56:281 1080 Scanning Kernel memory ...
00:06:56:281 1080 Devices to scan: 2
00:06:56:281 1080
00:06:56:281 1080 Driver Name: Disk
00:06:56:296 1080 F:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
00:06:56:296 1080
00:06:56:296 1080 Driver Name: atapi
00:06:56:312 1080 F:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
00:06:56:312 1080 Reboot required for cure complete..
00:06:56:312 1080 Cure on reboot scheduled successfully
00:06:56:312 1080
00:06:56:312 1080 Completed
00:06:56:328 1080
00:06:56:328 1080 Results:
00:06:56:328 1080 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
00:06:56:328 1080 Registry objects infected / cured / cured on reboot: 1 / 0 / 1
00:06:56:328 1080 File objects infected / cured / cured on reboot: 5 / 0 / 5
00:06:56:390 1080
00:06:56:453 1080 KLMD(ARK) unloaded successfully

And I will again run Malwarebytes in normal boot now, because I know it is better to run it at full power, and I will repost then. In the meantime I am going to search your list of programs that run on startup and maybe I can spot the other name I couldn't remember so I can tell you. Thank you so much.

Sorry, I forgot I ran SUPERAntiSpyware as well; here is that log.



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/23/2010 at 11:26 PM

Application Version : 4.34.1000

Core Rules Database Version : 4583
Trace Rules Database Version: 2395

Scan type : Complete Scan
Total Scan Time : 00:25:21

Memory items scanned : 452
Memory threats detected : 0
Registry items scanned : 4853
Registry threats detected : 1
File items scanned : 30092
File threats detected : 0

Rogue.MalwareDefense
HKLM\Software\Malware Defense

Please help me, I am scared it is still on here. I tried running MBAM overnight and the computer shut down by itself, I don't know why. I found the name of that process that was running in the startup menu; it was listed in the Event Viewer. It was: eventcreatexp. Please help me, I want to make sure my computer is clean. Thank you.

Edited by youngmomma, 24 February 2010 - 12:35 PM.
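Logs of the two kinds posted above can be triaged mechanically. The following is an added Python example, not code from the thread or from either tool's vendor: it parses the Malwarebytes 1.44 and TDSSKiller 2.2.6 log layouts shown in this post, tallies detections by family, and cross-checks each log's summary counts against the items it actually lists; the embedded samples are constructed from lines in the post, trimmed to a few entries.

```python
import re
from collections import Counter

# Constructed samples in the layouts of the two logs posted above (a subset of the
# entries; the summary lines were written to agree with the listed items).
MBAM_SAMPLE = r"""
Windows 5.1.2600 Service Pack 3 (Safe Mode)

Registry Keys Infected: 2
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

Files Infected:
F:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
F:\Documents and Settings\Anyone\Desktop\explorer.com (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""
TDSS_SAMPLE = r"""
00:06:56:234 1080 RegNode HKLM\SYSTEM\ControlSet001\services\_VOIDd.sys infected by TDSS rootkit ... 00:06:56:234 1080 will be deleted on reboot
00:06:56:265 1080 File F:\WINDOWS\system32\drivers\_VOIDudrwtmrdkt.sys infected by TDSS rootkit ... 00:06:56:265 1080 will be deleted on reboot
00:06:56:265 1080 File F:\WINDOWS\system32\_VOIDlwaoetqskd.dll infected by TDSS rootkit ... 00:06:56:265 1080 will be deleted on reboot
00:06:56:312 1080 Reboot required for cure complete..
00:06:56:328 1080 Results:
00:06:56:328 1080 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
00:06:56:328 1080 Registry objects infected / cured / cured on reboot: 1 / 0 / 1
00:06:56:328 1080 File objects infected / cured / cured on reboot: 2 / 0 / 2
"""

MBAM_COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
MBAM_SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
MBAM_ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[\w.]+)\) -> (?P<action>.+?)\.?$")
TDSS_ITEM_RE = re.compile(r"^\S+ \d+ (?P<kind>File|RegNode) (?P<obj>.+?) infected by TDSS rootkit")
TDSS_RESULT_RE = re.compile(r"^\S+ \d+ (?P<kind>Memory|Registry|File) objects infected / cured"
                            r" / cured on reboot: (?P<inf>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)$")


def parse_mbam(text):
    # Summary counts ("<Section> Infected: N"), listed items per section, and
    # whether the header says the scan ran in Safe Mode.
    report = {"safe_mode": False, "counts": {}, "items": {}}
    section = None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("Windows ") and "(Safe Mode)" in line:
            report["safe_mode"] = True
        elif (m := MBAM_COUNT_RE.match(line)):
            report["counts"][m["section"]] = int(m["count"])
        elif (m := MBAM_SECTION_RE.match(line)):
            section = m["section"]
            report["items"].setdefault(section, [])
        elif section and (m := MBAM_ITEM_RE.match(line)):
            report["items"][section].append((m["obj"], m["family"], m["action"]))
    return report


def check_mbam(report):
    # Tally detections by family and flag what the listing alone does not show:
    # summary/list mismatches, rootkit components, and a Safe Mode scan.
    families = Counter(fam for items in report["items"].values() for _, fam, _ in items)
    issues = []
    for section, expected in report["counts"].items():
        found = len(report["items"].get(section, []))
        if found != expected:
            issues.append(f"{section}: summary says {expected}, log lists {found}")
    for fam in sorted(f for f in families if f.startswith("Rootkit.")):
        issues.append(f"{fam}: rootkit component found; a scan from inside the infected "
                      "system can be blinded, confirm with a rootkit-specific tool")
    if report["safe_mode"]:
        issues.append("scan ran in Safe Mode; repeat in normal mode so resident components are visible")
    return families, issues


def parse_tdsskiller(text):
    # Objects reported "infected by TDSS rootkit", the Results block as
    # kind -> (infected, cured, cured on reboot), and the reboot notice.
    report = {"items": [], "results": {}, "reboot_required": False}
    for line in (ln.strip() for ln in text.splitlines()):
        if (m := TDSS_ITEM_RE.match(line)):
            report["items"].append((m["kind"], m["obj"]))
        elif (m := TDSS_RESULT_RE.match(line)):
            report["results"][m["kind"]] = (int(m["inf"]), int(m["cured"]), int(m["reboot"]))
        elif "Reboot required" in line:
            report["reboot_required"] = True
    return report


def check_tdsskiller(report):
    # RegNode entries are counted under "Registry" in the Results block.
    listed = Counter("Registry" if kind == "RegNode" else kind for kind, _ in report["items"])
    issues = []
    for kind, (infected, _cured, on_reboot) in report["results"].items():
        if listed.get(kind, 0) != infected:
            issues.append(f"{kind}: summary says {infected} infected, log lists {listed.get(kind, 0)}")
        if on_reboot and not report["reboot_required"]:
            issues.append(f"{kind}: {on_reboot} cure(s) deferred to reboot but no reboot notice")
    pending = sum(r[2] for r in report["results"].values())
    if pending:
        issues.append(f"{pending} object(s) are only cured on reboot; verify with a post-reboot rescan")
    return issues
```

Point `parse_mbam` and `parse_tdsskiller` at the full saved log files to get the same family tally and consistency checks for a real scan.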




#2 boopme

boopme

    To Insanity and Beyond



Posted 24 February 2010 - 03:26 PM

Hello, yes, you will keep getting reinfected till we kill the root malware. We will need to use specialized and stronger tools. We need a DDS log.


You will need to download and run DDS, which will create a pseudo-HJT report as part of its log.
If for some reason you cannot perform a step, move on to the next.
Please follow this guide: go and do steps 6 thru 8 of the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help. Then go here: Virus, Trojan, Spyware, and Malware Removal Logs, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

I will close the other topic.

#3 youngmomma

youngmomma

Posted 24 February 2010 - 04:31 PM

Thank you very much, and here is the newest Malwarebytes log.

Malwarebytes' Anti-Malware 1.44
Database version: 3785
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/24/2010 3:29:02 PM
mbam-log-2010-02-24 (15-29-02).txt

Scan type: Full Scan (F:\|)
Objects scanned: 194174
Time elapsed: 28 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I will follow the steps above and repost in the appropriate forum with a title as soon as it is done. Thanks again.

I am not sure what this is; it just appeared on my desktop as a Notepad file:


#
# A fatal error has been detected by the Java Runtime Environment:
#
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x6d8f65a5, pid=3072, tid=5264
#
# JRE version: 6.0_17-b04
# Java VM: Java HotSpot(TM) Client VM (14.3-b01 mixed mode windows-x86 )
# Problematic frame:
# V [jvm.dll+0xf65a5]
#
# If you would like to submit a bug report, please visit:
# http://java.sun.com/webapps/bugreport/crash.jsp
#

--------------- T H R E A D ---------------

Current thread (0x293b5400): JavaThread "Thread-6" [_thread_in_vm, id=5264, stack(0x37be0000,0x37ce0000)]

siginfo: ExceptionCode=0xc0000005, reading address 0x00000000


Stack: [0x37be0000,0x37ce0000], sp=0x37cdf350, free space=1020k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
V [jvm.dll+0xf65a5]
C [Opera.dll+0x3bb24f]
j com.opera.CertificateHandler.acceptCertificateChain([[BLcom/opera/CertificateHandler$SyncObject;Lcom/opera/CPointer;Ljava/lang/String;)V+0
j com.opera.CertificateHandler.checkCertificates(Ljava/security/CodeSource;Lcom/opera/CPointer;)Z+149
j com.opera.AppletClassLoader.allPermissionsGranted(Ljava/security/CodeSource;)Z+18
j com.opera.AppletClassLoader.getPermissions(Ljava/security/CodeSource;)Ljava/security/PermissionCollection;+291
j java.security.SecureClassLoader.getProtectionDomain(Ljava/security/CodeSource;)Ljava/security/ProtectionDomain;+33
j java.security.SecureClassLoader.defineClass(Ljava/lang/String;[BIILjava/security/CodeSource;)Ljava/lang/Class;+24
j java.net.URLClassLoader.defineClass(Ljava/lang/String;Lsun/misc/Resource;)Ljava/lang/Class;+253
j java.net.URLClassLoader.access$000(Ljava/net/URLClassLoader;Ljava/lang/String;Lsun/misc/Resource;)Ljava/lang/Class;+3
j java.net.URLClassLoader$1.run()Ljava/lang/Object;+43
v ~StubRoutines::call_stub
V [jvm.dll+0xecf9c]
V [jvm.dll+0x1741d1]
V [jvm.dll+0xed01d]
V [jvm.dll+0x11c2bf]
C [java.dll+0x1061]
j java.net.URLClassLoader.findClass(Ljava/lang/String;)Ljava/lang/Class;+13
j com.opera.AppletClassLoader.findClass(Ljava/lang/String;)Ljava/lang/Class;+113
j java.lang.ClassLoader.loadClass(Ljava/lang/String;Z)Ljava/lang/Class;+43
j com.opera.AppletClassLoader.loadClass(Ljava/lang/String;Z)Ljava/lang/Class;+97
j java.lang.ClassLoader.loadClass(Ljava/lang/String;)Ljava/lang/Class;+3
j com.opera.AppletPanel.runLoaderThread()V+14
j com.opera.AppletPanel.run()V+13
j java.lang.Thread.run()V+11
v ~StubRoutines::call_stub
V [jvm.dll+0xecf9c]
V [jvm.dll+0x1741d1]
V [jvm.dll+0xed167]
V [jvm.dll+0xed1dd]
V [jvm.dll+0x116290]
V [jvm.dll+0x1d0414]
V [jvm.dll+0x173e4c]
C [MSVCR71.dll+0x9565]
C [kernel32.dll+0xb729]

Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
j com.opera.CertificateHandler.acceptCertificateChain([[BLcom/opera/CertificateHandler$SyncObject;Lcom/opera/CPointer;Ljava/lang/String;)V+0
j com.opera.CertificateHandler.checkCertificates(Ljava/security/CodeSource;Lcom/opera/CPointer;)Z+149
j com.opera.AppletClassLoader.allPermissionsGranted(Ljava/security/CodeSource;)Z+18
j com.opera.AppletClassLoader.getPermissions(Ljava/security/CodeSource;)Ljava/security/PermissionCollection;+291
j java.security.SecureClassLoader.getProtectionDomain(Ljava/security/CodeSource;)Ljava/security/ProtectionDomain;+33
j java.security.SecureClassLoader.defineClass(Ljava/lang/String;[BIILjava/security/CodeSource;)Ljava/lang/Class;+24
j java.net.URLClassLoader.defineClass(Ljava/lang/String;Lsun/misc/Resource;)Ljava/lang/Class;+253
j java.net.URLClassLoader.access$000(Ljava/net/URLClassLoader;Ljava/lang/String;Lsun/misc/Resource;)Ljava/lang/Class;+3
j java.net.URLClassLoader$1.run()Ljava/lang/Object;+43
v ~StubRoutines::call_stub
j java.security.AccessController.doPrivileged(Ljava/security/PrivilegedExceptionAction;Ljava/security/AccessControlContext;)Ljava/lang/Object;+0
j java.net.URLClassLoader.findClass(Ljava/lang/String;)Ljava/lang/Class;+13
j com.opera.AppletClassLoader.findClass(Ljava/lang/String;)Ljava/lang/Class;+113
j java.lang.ClassLoader.loadClass(Ljava/lang/String;Z)Ljava/lang/Class;+43
j com.opera.AppletClassLoader.loadClass(Ljava/lang/String;Z)Ljava/lang/Class;+97
j java.lang.ClassLoader.loadClass(Ljava/lang/String;)Ljava/lang/Class;+3
j com.opera.AppletPanel.runLoaderThread()V+14
j com.opera.AppletPanel.run()V+13
j java.lang.Thread.run()V+11
v ~StubRoutines::call_stub

--------------- P R O C E S S ---------------


VM state:not at safepoint (normal execution)

VM Mutex/Monitor currently owned by a thread: None



VM Arguments:
jvm_args: abort exit -Xbootclasspath/p:F:\Program Files\Opera\java\opera.jar;F:\Program Files\Opera\program\plugins;F:\Program Files\Mozilla Firefox\plugins;F:\Program Files\Opera\program\plugins\npds.zip;F:\Program Files\Java\jre6\lib\jaws.jar;F:\Program Files\Java\jre6\lib\plugin.jar -Djava.security.policy=F:\Program Files\Opera\java\opera.policy -Dbrowser.opera.classpath=F:\Program Files\Opera\java\opera.jar
java_command: <unknown>
Launcher Type: generic

Environment Variables:
CLASSPATH=.;F:\Program Files\Java\jre6\lib\ext\QTJava.zip
PATH=F:\WINDOWS\system32;F:\WINDOWS;F:\WINDOWS\System32\Wbem;F:\Program Files\ATI Technologies\ATI Control Panel;F:\Program Files\QuickTime\QTSystem\
USERNAME=Anyone
OS=Windows_NT
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel



--------------- S Y S T E M ---------------

OS: Windows XP Build 2600 Service Pack 3

CPU:total 1 (1 cores per cpu, 2 threads per core) family 15 model 3 stepping 4, cmov, cx8, fxsr, mmx, sse, sse2, sse3, ht

Memory: 4k page, physical 1046624k(95652k free), swap 1733476k(737068k free)

vm_info: Java HotSpot(TM) Client VM (14.3-b01) for windows-x86 JRE (1.6.0_17-b04), built on Oct 11 2009 00:52:06 by "java_re" with MS VC++ 7.1

time: Tue Feb 23 19:48:09 2010
elapsed time: 9 seconds

Edited by youngmomma, 24 February 2010 - 06:46 PM.


#4 Orange Blossom

Orange Blossom

    OBleepin Investigator



Posted 25 February 2010 - 05:27 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/298351/paladin-antivirus-leftovers-and-eventcreatexp/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:



