Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows Update Not Working/Google Redirects


  • This topic is locked This topic is locked
13 replies to this topic

#1 ajwgator

ajwgator

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lexington KY
  • Local time:08:47 AM

Posted 16 January 2011 - 03:35 AM

This is New Topic as directed by Orange Blossom's reply to my original post.

Thanks in advance for any help.

My System is as follows:

Microsoft Windows XP
Home Edition
Version 2002
Service Pack 3

Dell DIMENSION DIM2350
Intel Pentium 4 CPU 1.80GHz
1.79GHz 1.00 GB RAM


Windows Update no longer works from Start Menu or manually from Microsoft's website. From the start menu, when selecting Windows Update, it opens IE window but IE reports that "Internet Explorer cannot display the webpage" and has the "Diaognose Connection Problems" box. Typing the url to Mircosoft.com connects fine. Once on the Windows Update page it starts Checking to see if the computer has the latest version and then stops and reoports "X The website has encountered a problem and cannot display the page you are trying to view."

Connecting to internet using the Desktop IE icon works and navigates to other sites ok too but often getting a Windows box stating "Generic Host Process for Win 32 Service has encountered a problem and needs to close. Do you want to report this to Microsoft..etc." I have selected to report it many times and then IE will usually shut down. Typing a search phrase in the IE search box returns Google results to the page but when selecting any of the search results it ends in a redirect to some unrelated page. This does not happen if you type the url for Google in the address box and then do the search. All of these things happening seems to be some kind of virus infection that keeps coming back from somewhere in the software.

I am using AVG Free Edition 2011 antivirus. I have run the scans quite often and keep it running in the background. AVG still updates the database everyday. It has removed an identity theft threat a couple of times after doing its scans. It is also catching attempts and I move them to the vault. It has also detected Worm & Trojan Horse threats in the past ok and removed them. I also use MalwareBytes' Anti Malware program and it removed 4 threats.

The computer no longer seems to update automatically using Windows Update like it used to do. I am not sure how long that has not taken place. It has been a while since I have see the Update shield in the Sys Tray telling me that I had updates ready to install. I have a feeling that this may have started with the Windows SP3 but I don't know that to be a fact. I can only assume that I have some type of infection that can't be detected with the tools that I am using. Any thoughts, advice, and help is much apprecited.

After completing all requested steps, I am unable to post with the above listed computer. Once all information is assembled in the new topic box and the post new topic button is clicked, the IE displays "Internet Explorer cannot display the webpage" and has the "Diaognose Connection Problems" box. I am posting this with another computer.

The requested steps have been completed and the logs are posted and/or attached as per instructions.


DDS (Ver_10-12-12.02) - NTFSx86
Run by Susan at 1:25:19.43 on Sun 01/16/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.456 [GMT -5:00]

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxebcoms.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Lexmark Pro200-S500 Series\lxebmon.exe
C:\Program Files\Lexmark Pro200-S500 Series\ezprint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Susan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1258574460&rver=6.0.5285.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-us
uSearch Page =
uWindow Title = Windows Internet Explorer provided by Windstream
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
mSearchAssistant =
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - Lexmark Toolbar
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {83B28A74-640D-48F4-9F51-E80EED7CC7E0} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [lxebmon.exe] "c:\program files\lexmark pro200-s500 series\lxebmon.exe"
mRun: [EzPrint] "c:\program files\lexmark pro200-s500 series\ezprint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNDc2NjY5MjEyLVQxNy1VODUrMS1LVjMrNy1CQSsxLVhMKzEtRlA5KzYtQkFSOUcrMS1UQjkrMi1GTCs5LUYxME0rNS1RSVgxKzQtWDIwMTArMi1GMTBNMTBEKzE"&"prod=90"&"ver=10.0.1187
dRun: [wxkdjokw] c:\windows\temp\ctgvokryg\eilcsrruerb.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3E230861-5C87-11D3-A1C6-00105A1B41B8} - {83B28A74-640D-48F4-9F51-E80EED7CC7E0}
Trusted Zone: alltel.com\care
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} - hxxp://download.mcafee.com/molbin/Shared/MGBrwFld.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1094201179296
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.snapfish.com/SnapfishActivia.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - hxxp://www.sidestep.com/get/k42037/sb028.cab
DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - hxxps://www.ehansel.com/eHansel/ActiveX/arview2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37906.665775463
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} - hxxp://kohler1.view22.com/view22/V22RTE.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} - hxxps://care.alltel.com/lwp/static/installers/WebflowActiveXInstaller_3-0-0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/dj/qdiagh.cab?306
DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} - hxxps://care.alltel.com/lwp/static/installers/ALLTELControls.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://by1fd.bay1.hotmail.msn.com/activex/HMAtchmt.ocx
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
R2 lxeb_device;lxeb_device;c:\windows\system32\lxebcoms.exe -service --> c:\windows\system32\lxebcoms.exe -service [?]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2003-2-14 34712]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2009-11-18 632792]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
S2 lxebCATSCustConnectService;lxebCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxebserv.exe [2010-7-15 193192]
S2 Secunia Update Agent;Secunia Update Agent;"c:\program files\secunia\psi\sua.exe" --start-service --> c:\program files\secunia\psi\sua.exe [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-1-15 517448]

=============== Created Last 30 ================

2011-01-15 21:19:28 -------- d--h--w- C:\$AVG
2011-01-15 20:55:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2011-01-15 20:53:15 -------- d-----w- c:\windows\system32\drivers\AVG
2011-01-15 17:57:54 98816 ----a-w- c:\windows\sed.exe
2011-01-15 17:57:54 89088 ----a-w- c:\windows\MBR.exe
2011-01-15 17:57:54 256512 ----a-w- c:\windows\PEV.exe
2011-01-15 17:57:54 161792 ----a-w- c:\windows\SWREG.exe
2011-01-15 17:57:26 -------- d-s---w- C:\ComboFix
2011-01-15 12:30:52 -------- d-----w- c:\docume~1\susan\locals~1\applic~1\Real
2011-01-15 12:26:05 -------- d-----w- c:\docume~1\susan\locals~1\applic~1\Temp
2011-01-15 11:54:54 -------- d-----w- c:\docume~1\susan\locals~1\applic~1\Secunia PSI
2011-01-15 01:51:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\bPjJl08600
2011-01-14 21:37:59 -------- d--h--w- c:\program files\WindowsUpdate
2011-01-14 18:00:35 -------- d-----w- c:\docume~1\susan\applic~1\ElevatedDiagnostics
2011-01-12 16:25:18 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-01-12 16:25:18 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-03 17:54:20 -------- d-----w- c:\docume~1\susan\locals~1\applic~1\Oberon Media

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 23:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-06 23:05:00 1015812 ----a-w- c:\documents and settings\all users\SPL1.tmp
2010-11-06 20:41:25 1015812 ----a-w- c:\documents and settings\all users\SPLD6.tmp
2010-11-06 20:38:29 1015816 ----a-w- c:\documents and settings\all users\SPLCE.tmp
2010-11-06 20:35:38 1015816 ----a-w- c:\documents and settings\all users\SPLBE.tmp
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2008-12-01 16:40:25 12590710 ----a-w- c:\program files\weddingassistant_setup.exe
2008-06-27 12:12:25 5377834 ----a-w- c:\program files\WedOrg.exe
2007-11-04 18:41:01 35378168 ----a-w- c:\program files\Avery_Wizard_Holiday.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: IC35L060AVV207-0 rev.V22OA63A -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86F34555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f3a7b0]; MOV EAX, [0x86f3a82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86F71AB8]
3 CLASSPNP[0xF75E3FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000005b[0x86F51F18]
5 ACPI[0xF755A620] -> nt!IofCallDriver[0x804E37D5] -> [0x86F50D98]
\Driver\atapi[0x86F61030] -> IRP_MJ_CREATE -> 0x86F34555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskIC35L060AVV207-0________________________V22OA63A#5&3ae3be71&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86F3439B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 1:27:52.96 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:47 PM

Posted 17 January 2011 - 04:15 PM

Good evening. :)

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.
  • You will then need to extract the file(s) from the zipped folder.

  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish


  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Start scan and allow the tool to do just that.
  • One the scan has completed, if the tool has identified anything allow it to carry out it's default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.

  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which i'd like to see, will be located at the root of you hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)

So long, and thanks for all the fish.

 

 


#3 ajwgator

ajwgator
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lexington KY
  • Local time:08:47 AM

Posted 17 January 2011 - 09:31 PM

Noviciate I have downloaded the TDSSKiller program as you instructed and ran the scan. The scan did find an object and the TDSSKiller log is attached. I will be standing by for further instructions. Thanks AJ

P.S. I just now noticed that the Update Shield is now showing in the taskbar indicating that I have updates ready to install. This is progress! I will wait to hear back as far as if you want me to install them or not now. I thought it might be best to just stand still here until you say so.

Attached Files


Edited by ajwgator, 17 January 2011 - 09:36 PM.


#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:47 PM

Posted 18 January 2011 - 02:47 PM

Good evening. :)

Now's as good a time as any to find out whether all's well - crack on with the updates.

Once you've done that, and i'd like to know how it went, work through the rest and post accordingly:

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you UNCHECK the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

I'd also like a fresh DDS log as well.

So long, and thanks for all the fish.

 

 


#5 ajwgator

ajwgator
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lexington KY
  • Local time:08:47 AM

Posted 19 January 2011 - 12:49 AM

Good evening Noviciate

Windows Update went ahead and applied the updates on its own after I left last night sometime. When I returned this morning the update shield was no longer yellow but showed green. It was waiting for a restart of the computer to apply the updates. After I got your reply this evening, I went on and did the restart and all went just fine as far as shutting down and restarting.

I compelted the ESET Online Scan of my computer as per your instructions above. It did find two infected files close to end of the scan. The list of threats found are attached. I ran the DDS program again and those logs are also attached.

I will wait for further instructions. Thanks very much!

A J


DDS (Ver_10-12-12.02) - NTFSx86
Run by Susan at 0:22:28.70 on Wed 01/19/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.410 [GMT -5:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Lexmark Pro200-S500 Series\lxebmon.exe
C:\Program Files\Lexmark Pro200-S500 Series\ezprint.exe
C:\WINDOWS\system32\lxebcoms.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Documents and Settings\Susan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1258574460&rver=6.0.5285.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-us
uSearch Page =
uWindow Title = Windows Internet Explorer provided by Windstream
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
mSearchAssistant =
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - Lexmark Toolbar
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {83B28A74-640D-48F4-9F51-E80EED7CC7E0} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [lxebmon.exe] "c:\program files\lexmark pro200-s500 series\lxebmon.exe"
mRun: [EzPrint] "c:\program files\lexmark pro200-s500 series\ezprint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNDc2NjY5MjEyLVQxNy1VODUrMS1LVjMrNy1CQSsxLVhMKzEtRlA5KzYtQkFSOUcrMS1UQjkrMi1GTCs5LUYxME0rNS1RSVgxKzQtWDIwMTArMi1GMTBNMTBEKzE"&"prod=90"&"ver=10.0.1187
dRun: [wxkdjokw] c:\windows\temp\ctgvokryg\eilcsrruerb.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3E230861-5C87-11D3-A1C6-00105A1B41B8} - {83B28A74-640D-48F4-9F51-E80EED7CC7E0}
Trusted Zone: alltel.com\care
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} - hxxp://download.mcafee.com/molbin/Shared/MGBrwFld.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1094201179296
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.snapfish.com/SnapfishActivia.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - hxxp://www.sidestep.com/get/k42037/sb028.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - hxxps://www.ehansel.com/eHansel/ActiveX/arview2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37906.665775463
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} - hxxp://kohler1.view22.com/view22/V22RTE.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} - hxxps://care.alltel.com/lwp/static/installers/WebflowActiveXInstaller_3-0-0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/dj/qdiagh.cab?306
DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} - hxxps://care.alltel.com/lwp/static/installers/ALLTELControls.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://by1fd.bay1.hotmail.msn.com/activex/HMAtchmt.ocx
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
R2 lxeb_device;lxeb_device;c:\windows\system32\lxebcoms.exe -service --> c:\windows\system32\lxebcoms.exe -service [?]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2003-2-14 34712]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2009-11-18 632792]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S2 lxebCATSCustConnectService;lxebCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxebserv.exe [2010-7-15 193192]
S2 Secunia Update Agent;Secunia Update Agent;"c:\program files\secunia\psi\sua.exe" --start-service --> c:\program files\secunia\psi\sua.exe [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-1-15 517448]

=============== Created Last 30 ================

2011-01-19 03:43:41 -------- d-----w- c:\program files\ESET
2011-01-15 21:19:28 -------- d--h--w- C:\$AVG
2011-01-15 20:55:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2011-01-15 20:53:15 -------- d-----w- c:\windows\system32\drivers\AVG
2011-01-15 17:57:54 98816 ----a-w- c:\windows\sed.exe
2011-01-15 17:57:54 89088 ----a-w- c:\windows\MBR.exe
2011-01-15 17:57:54 256512 ----a-w- c:\windows\PEV.exe
2011-01-15 17:57:54 161792 ----a-w- c:\windows\SWREG.exe
2011-01-15 17:57:26 -------- d-s---w- C:\ComboFix
2011-01-15 12:30:52 -------- d-----w- c:\docume~1\susan\locals~1\applic~1\Real
2011-01-15 12:26:05 -------- d-----w- c:\docume~1\susan\locals~1\applic~1\Temp
2011-01-15 11:54:54 -------- d-----w- c:\docume~1\susan\locals~1\applic~1\Secunia PSI
2011-01-15 01:51:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\bPjJl08600
2011-01-14 21:37:59 -------- d--h--w- c:\program files\WindowsUpdate
2011-01-14 18:00:35 -------- d-----w- c:\docume~1\susan\applic~1\ElevatedDiagnostics
2011-01-12 16:25:18 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-01-12 16:25:18 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-03 17:54:20 -------- d-----w- c:\docume~1\susan\locals~1\applic~1\Oberon Media

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 23:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 23:05:00 1015812 ----a-w- c:\documents and settings\all users\SPL1.tmp
2010-11-06 20:41:25 1015812 ----a-w- c:\documents and settings\all users\SPLD6.tmp
2010-11-06 20:38:29 1015816 ----a-w- c:\documents and settings\all users\SPLCE.tmp
2010-11-06 20:35:38 1015816 ----a-w- c:\documents and settings\all users\SPLBE.tmp
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2008-12-01 16:40:25 12590710 ----a-w- c:\program files\weddingassistant_setup.exe
2008-06-27 12:12:25 5377834 ----a-w- c:\program files\WedOrg.exe
2007-11-04 18:41:01 35378168 ----a-w- c:\program files\Avery_Wizard_Holiday.exe

============= FINISH: 0:24:19.96 ===============

Attached Files


Edited by Noviciate, 19 January 2011 - 02:35 PM.
To add DDS log from attachment.


#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:47 PM

Posted 19 January 2011 - 02:53 PM

Good evening. :)

Please work through the following, in the order listed, and post accordingly:

Download TFC (Temporary File Cleaner) by OldTimer from here and save it to your Desktop.

  • You will need to close all open programs and save any work as TFC will require a reboot.
  • Double-click TFC.exe to run it. (Note: If you are using Vista, right-click the file and select Run As Administrator from the menu that appears).
  • Click the Start button to begin. Depending on how often you clean temp files, execution time could be anywhere from a few seconds to a minute or two - just sit back and enjoy the view.
  • Once it has finished it should reboot your PC all by itself. If it does not, please manually reboot.
  • Once rebooted your PC will run like a Cray supercomputer, or at least have less junk on the hard drive - OT's not a miracle worker you know!
  • Please note that this tool will empty the Recycle Bin as part of it's actions. If you have anything in there that you haven't finished with, move it first.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download JavaRa from here and save it to your Desktop.
You will need to extract the file(s):
Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


***Please close any instances of Internet Explorer before continuing!***
  • Double-click JavaRa.exe to begin.
  • Pick your preferred language from the drop-down menu and click Select.
  • Click on Remove Older Versions to remove older version of Java - obvious really, isn't it!
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location, just in case you have any problems with Java afterwards.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copy and paste the following into Notepad (Start > All Programs > Accessories > Notepad):

DDS::
dRun: [wxkdjokw] c:\windows\temp\ctgvokryg\eilcsrruerb.exe


Save it to your Desktop with the following filename: CFScript
Drag and drop CFScript.txt onto your copy of Combofix and let it do it's thing.
Let me have the log produced, as before, and a description of how the PC is behaving.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The first part will clean out any crud that happens to be filling up your Temp folders, the second removes old versions of Sun Java that you may have left on your system and the third tidies up a little slime that has been left by something at sometime.

So long, and thanks for all the fish.

 

 


#7 ajwgator

ajwgator
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lexington KY
  • Local time:08:47 AM

Posted 20 January 2011 - 12:27 AM

Good evening Noviciate,

I downloaded and ran TFC program and it completed just fine. The computer speed increased greatly!

The JavaRa was downloaded next, extracted all, and then ran. The logfile was created and I saved it per instructions.

I copied and created the CFScript.txt on my desktop. I had to download ComboFix from the the site. I dragged the CFScript file into ComboFix and it started up. It did not run too long because I still had AVG 2011 on my computer and it stated that I had to uninstall it. I uninstalled it and then started over again by dragging the CFScript file into ComboFix. This time in ran but there were two times that a notice came up about a java file not being able to run and would have to shut down (also asked if I wanted to report the problem to Microsoft, but in both cases I selected Do Not Report and that closed the notice). In each case Combofix continued to run and it completed as per the ComboFix guide. The ComboFix.txt log is below. In addition I will attach the JavaRa log even though you did not request it. I am doing this because of the two notices that came up during the running of ComboFix. Thanks again very much and I will await further instructions.

ComboFix 11-01-19.02 - Susan 01/19/2011 23:29:45.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.685 [GMT -5:00]
Running from: c:\documents and settings\Susan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Susan\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\program files\Shared
c:\windows\AutoRun.ini
c:\windows\Downloaded Program Files\x64
c:\windows\Downloaded Program Files\x64\racodec.ax
c:\windows\Downloaded Program Files\x86
c:\windows\Downloaded Program Files\x86\racodec.ax
c:\windows\system32\drivers\fad.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_FAD
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2010-12-20 to 2011-01-20 )))))))))))))))))))))))))))))))
.

2011-01-19 03:43 . 2011-01-19 03:43 -------- d-----w- c:\program files\ESET
2011-01-15 21:19 . 2011-01-15 21:19 -------- d-----w- C:\$AVG
2011-01-15 13:13 . 2011-01-15 13:13 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-01-15 12:30 . 2011-01-15 12:30 -------- d-----w- c:\documents and settings\Susan\Local Settings\Application Data\Real
2011-01-15 12:26 . 2011-01-15 12:36 -------- d-----w- c:\documents and settings\Susan\Local Settings\Application Data\Temp
2011-01-15 12:26 . 2011-01-15 12:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-01-15 11:54 . 2011-01-15 11:54 -------- d-----w- c:\documents and settings\Susan\Local Settings\Application Data\Secunia PSI
2011-01-15 01:51 . 2011-01-15 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\bPjJl08600
2011-01-15 00:53 . 2011-01-15 00:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-01-14 18:00 . 2011-01-14 18:00 -------- d-----w- c:\documents and settings\Susan\Application Data\ElevatedDiagnostics
2011-01-12 16:25 . 2011-01-12 16:25 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-12 03:41 . 2011-01-12 03:41 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-01-03 17:54 . 2011-01-03 17:54 -------- d-----w- c:\documents and settings\Susan\Local Settings\Application Data\Oberon Media

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2010-05-12 01:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-05-12 01:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-18 18:12 . 2002-08-29 11:00 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 23:53 . 2010-07-19 05:27 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 21:34 . 2007-05-19 04:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-09 14:52 . 2003-10-28 01:09 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 23:05 . 2010-11-06 23:04 1015812 ----a-w- c:\documents and settings\All Users\SPL1.tmp
2010-11-06 20:41 . 2010-11-06 20:41 1015812 ----a-w- c:\documents and settings\All Users\SPLD6.tmp
2010-11-06 20:38 . 2010-11-06 20:38 1015816 ----a-w- c:\documents and settings\All Users\SPLCE.tmp
2010-11-06 20:35 . 2010-11-06 20:35 1015816 ----a-w- c:\documents and settings\All Users\SPLBE.tmp
2010-11-06 00:26 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2002-08-29 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2002-08-29 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-09-13 18:56 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2002-08-29 11:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2002-08-29 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2002-08-29 11:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2008-12-01 16:40 . 2008-12-01 16:39 12590710 ----a-w- c:\program files\weddingassistant_setup.exe
2008-06-27 12:12 . 2008-06-27 12:12 5377834 ----a-w- c:\program files\WedOrg.exe
2007-11-04 18:41 . 2007-11-04 18:36 35378168 ----a-w- c:\program files\Avery_Wizard_Holiday.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 1468296]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"lxebmon.exe"="c:\program files\Lexmark Pro200-S500 Series\lxebmon.exe" [2010-05-05 770728]
"EzPrint"="c:\program files\Lexmark Pro200-S500 Series\ezprint.exe" [2009-10-01 139944]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-2-14 45056]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"c:\\WINDOWS\\SYSTEM32\\lxebcoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\scan\\scanman6.exe"=

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 10:32 PM 189736]
R2 lxeb_device;lxeb_device;c:\windows\system32\lxebcoms.exe -service --> c:\windows\system32\lxebcoms.exe -service [?]
R2 mrtRate;mrtRate;c:\windows\SYSTEM32\DRIVERS\MrtRate.sys [2/14/2003 2:10 PM 34712]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [11/18/2009 1:46 PM 632792]
S2 lxebCATSCustConnectService;lxebCATSCustConnectService;c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxebserv.exe [7/15/2010 2:20 PM 193192]
S2 Secunia Update Agent;Secunia Update Agent;"c:\program files\Secunia\PSI\sua.exe" --start-service --> c:\program files\Secunia\PSI\sua.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2011-01-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1258574460&rver=6.0.5285.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-us
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
Trusted Zone: alltel.com\care
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - hxxp://www.sidestep.com/get/k42037/sb028.cab
DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} - hxxps://care.alltel.com/lwp/static/installers/WebflowActiveXInstaller_3-0-0.cab
DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} - hxxps://care.alltel.com/lwp/static/installers/ALLTELControls.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-19 23:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MMTray = c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe?w???g?T??V??g?T??SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\TrayApp??????? ?w?????????????\?wp ?w???????w???g ??????????g?????CY????????g?T??2???????????<???? @???X???X???????????????????Y?????F?Q?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3000)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\System32\drivers\CDAC11BA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxebcoms.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\BCMSMMSG.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-01-19 23:50:54 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-20 04:50

Pre-Run: 14,394,023,936 bytes free
Post-Run: 14,260,887,552 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 24443CEF4B57E3CDAAAD9AA75E9094C4

Attached Files



#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:47 PM

Posted 21 January 2011 - 04:06 PM

Good evening. :)

Apologies about the AVG uninstall. It doesn't play nicely with CF, blocking some of it's actions, and I have a habit of forgetting that CF won't run with it present.
You can reinstall AVG or any other AV that takes your fancy, if you haven't already done so. I have some links to other free AVs if you fancy a change from AVG - ask if you want them.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your log doesn't appear to show a third-party software firewall installed - if you have one, and i've missed it, please ignore this.
If you are relying the firewall that comes with Service Pack 2, then you need to install one. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
If you are using a wireless router that comes with a NAT hardware firewall, this also doesn't monitor outgoing connections.

There are a few free firewalls available, of which the following are just three (all of which i've used at one time or another) :

Comodo Firewall Pro, available here.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

It is important to note that you should only have one firewall installed at a time, but you can download them all to your Desktop and install each in turn to see which one you prefer.

Understanding and Using Firewalls: http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your copy of Adobe Reader is out of date. You can get the latest version here, feel free to uncheck the McAfee download first, or you can update from within the program itself: Help > Check for Updates...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Go to Start > Run, enter the following into the textbox and click OK: ComboFix /Uninstall
This will uninstall Combofix and do a little housework besides.

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.
It's a little old, but still contains some good ideas.

So long, and thanks for all the fish.

 

 


#9 ajwgator

ajwgator
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lexington KY
  • Local time:08:47 AM

Posted 21 January 2011 - 04:50 PM

Hi Noviciate,

NP concerning the uninstall of AVG and no appoligy needed. Pretty much out or your control anyway. I did a reinstall of AVG after finishing the steps from your last post, but I am interested in your opinion of AVG and am interested in your links for others to consider.

It is apparent that Windows firewall isn't adequate and neither is my Linksys wireless router's hardware firewall. I will be sure and do my homework concerning firewalls with the link your provided. It looks as though I a bit more to learn.

I will upgrade the Adobe Reader; run as normal a few days; do a restore point named "Cleaned" for the future after I do the unstall of Combofix.

Question: Should I leave all of the others on my computer? ie: Defogger, DSS, TDSSKiller, TFC, gmer, JavaRa.... Just wondering...

I will reply back after a few days once I have done the uninstall of ComboFix and report how things are running.

Thanks greatly!

A J

#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:47 PM

Posted 21 January 2011 - 06:18 PM

I am interested in your opinion of AVG and am interested in your links for others to consider.

At one time AVG was the popular choice for free AVs, but it seems to have lost some of it's lustre for some reason. The other generally offered options are as follows:

avast! 4 Home Edition: Available here
AntiVir Personal Edition Classic : Available here
Microsoft Security Essentials: Available here

While i've had a dabble of all of them at one time or another, I currently use MSE on a Windows 7 64 bit laptop and it seems happy enough.
The cynical view is that AVs are not a 100% guarantee of PC cleanliness, so choose the one that best gives you a false sense of security and forget about it - it's sad, but probably more than a grain of truth there!

Should I leave all of the others on my computer? ie: Defogger, DSS, TDSSKiller, TFC, gmer, JavaRa.... Just wondering...

Run Defogger, if it disabled anything, to re-enable it and then it can go.
DDS probably won't be updated in the near future, but I would delete it and download a fresh copy should you need it again to ensure you have the latest version. Likewise GMER.
JavaRa shouldn't be necessary again as the latest versions of Java do their own tidying up and there shouldn't be anything left behind that needs attention after future updates.
TDSSKiller can go. If you did need it in the future you would definitely want to be sure you were up-to-date.
TFC is a handy tool to keep the dross from building up on your machine so i'd keep that and use it once a week.

If i've missed anything, please ask.

So long, and thanks for all the fish.

 

 


#11 ajwgator

ajwgator
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lexington KY
  • Local time:08:47 AM

Posted 25 January 2011 - 12:40 AM

Hi Noviciate,

Well all looks good and things have been running just fine. I am getting a notice every day that states the following: "jusched.exe has encountered a problem and needs to close" It asks do I want to report this to Microsoft, Send report - Do Not Send. Rsearching this file name comes up with it being an auto update program for Java. I am not sure if this is a problem or not but it looks as though Java is auto checking each day (sometimes more) to see if it has any new updates.

I installed Comodo Firewall after your last reply. I went to uninstall ComboFix tonight and ran into a number of issues. I am sure that it did not complete its uninstall process. Here are events that happened once I ran ComboFix /Uninstall:

1. Comodo Firewall interupted every command that ComboFix issued in the uninstall process.

2. ComboFix displayed an Operating System box stating it could only run on Windows 2000 & Windows XP.

3. ComboFix displayed that it detected AVG and I am sure that it stopped.

I assume that I will have to stop Comodo Firewall, install AVG again, and then do the uninstall. I did want to check with you first before I did that. Also would it be best for me to disconnect the connections to the home network and internet while I am preforming all this?

I will wait for your reply before continuing.

Thanks, A J

#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:47 PM

Posted 25 January 2011 - 02:48 PM

Good evening. :)

Sun Java does indeed check for updates, although I can't say how often that is. If it's not happy, the usual method is to uninstall and reinstall and see what effect that has - it's often a cure-all.

Rather than struggle with CF, download OTL by OldTimer from here and save it to your Desktop.

Run the file and click CleanUp near the top.

Also, if you have a copy of ComboFix on your Desktop, just delete it.

So long, and thanks for all the fish.

 

 


#13 ajwgator

ajwgator
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lexington KY
  • Local time:08:47 AM

Posted 26 January 2011 - 01:57 AM

Hi Noviciate

Looks as though all is still well. I had to disable Comodo Firewall to allow OTL to run uninterupted. It completed the cleanup and removed itself after the reboot. I deleted ComboFix.

My add/remove programs screen in the control panel was showing three Java items. I removed all of them there and then ran JavaRa once to remove old programs and then again to check for updates. It let me select from Sun's website and I downloaded and installed the lastest Java ver6 with update 23. It looks as thought that took care of the update error problem I reported above; just as you said it most likely would. I did a manual check for updates and it when out and checked then reported that I had the lastest update.

I am going to make a new Clean restore point now.

Thanks so much for all your help and assistance! Lifesaver for sure!

A J

P.S. I suppose you can mark this as cleaned, completed, and/or closed.

Edited by ajwgator, 26 January 2011 - 01:59 AM.


#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:47 PM

Posted 26 January 2011 - 02:56 PM

As this issue appears to have been resolved, Go Team Numpty, this thread is now closed.

So long, and thanks for all the fish.

 

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users