
Related infections on home networked PCs


This topic is locked
18 replies to this topic

#1 Steve23

  • Members
  • 89 posts
  • Gender:Male
  • Location:Rochester New York area
  • Local time:09:08 PM

Posted 21 September 2011 - 12:46 PM

Dear Bleeping Computer!

Dell Dimension 1100 (B110) desktop, WinXP Home 2002 SP3, Celeron @ 2.53GHz, 1.0GB RAM, running Symantec Endpoint Protection 11.0.6300.803.

Logs: DDS.txt appended. Attach.txt and ARK.log attached.

Frequently, the HDD grinds seemingly endlessly. PC is slow, even after I went through the basic steps in Slow Computer/browser? Check Here First; It May Not Be Malware. PC is networked via router with two other PCs that experienced Vundo and other hijack / redirect behavior. PC had a couple known viruses a few months ago, and I am sorry I was not paying good attention but I do not remember the names. One I read up on had the ability to detect what you typed into search fields and keep track of that. Also, upon closing Microsoft Word there is a pop-up window: "Changes have been made that affect the global template, Normal.dot. Do you want to save those changes?" This happens if I just open then close Microsoft Word.

My primary security concern is that I do internet banking on this PC. My next concern is the PCs re-infecting each other, especially since I just had one cleaned by BleepingComputer (THANKS to nasdaq! :thumbup2: )

Thanks to every potential helping BC member who reads this. Especially thank you to the person who picks this up for being willing to try helping. It's awesome that there are people like you. It makes up for the people who hijack PCs.

Steve

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Steve at 10:30:10 on 2011-09-21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.156 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
uDefault_Page_URL = hxxp://www.dell.com
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AdaptecDirectCD] c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Norton Ghost 15.0] "c:\program files\norton ghost\agent\VProTray.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141566989984
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E856B973-45FD-4559-8F82-EAB539144667} - hxxp://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
TCP: DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62
TCP: Interfaces\{496C50E8-FA4A-4F86-BCB7-AD47FF0E4E6E} : DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 192.168.2.3 DOWNSTAIRS
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-6-8 64512]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-6-4 108456]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-6-4 108456]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-5-25 2152152]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-1-18 94880]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-29 105592]
R3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\GenericMount.sys [2009-9-21 57840]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110920.002\NAVENG.SYS [2011-9-20 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110920.002\NAVEX15.SYS [2011-9-20 1576312]
R3 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2011-6-4 1839888]
R3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2009-9-21 1964528]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-5-18 136176]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-11-4 23888]
S3 GenericMount Helper Service;GenericMount Helper Service;c:\program files\norton ghost\shared\drivers\GenericMountHelper.exe [2009-9-21 1574408]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-5-18 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-5-25 15232]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-1-9 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-1-9 40552]
S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2004-8-10 5120]
.
=============== File Associations ===============
.
chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1
.
=============== Created Last 30 ================
.
2011-09-03 10:17:37 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-01 01:32:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-30 02:49:50 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
.
============= FINISH: 10:31:31.85 ===============

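The DDS "Pseudo HJT Report" above is what the helper reads when saying a log looks clean: one line per autorun, BHO, toolbar or Hosts entry. As an added example (not from this thread and not part of DDS), here is a small Python triage script that parses lines in that format and flags the entries a reviewer looks at twice: orphaned "No File" toolbar entries, Hosts lines beyond the stock localhost mapping, and modules loaded from outside the usual system locations. The sample lines are constructed (the "Updater" entry and its path are invented to show an out-of-place autorun), and the directory allowlist is an assumption about a stock XP layout.

```python
import re
from dataclasses import dataclass

# Constructed sample in the DDS "Pseudo HJT Report" line format (entry kind,
# colon, optional [name] or description, then the target). Most lines mirror
# entries from the log above; the "Updater" line and its path are invented.
SAMPLE_LOG = r"""
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [Updater] c:\documents and settings\user\application data\upd\svchost.exe
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
Hosts: 192.168.2.3 DOWNSTAIRS
"""

# Entry kinds handled here; DPF lines carry URLs rather than local paths.
ENTRY_RE = re.compile(r"^(?P<kind>uRun|mRun|BHO|TB|EB|DPF|Hosts):\s*(?P<rest>.+)$")
# A drive-letter path ending in a loadable module, optionally wrapped in quotes.
PATH_RE = re.compile(r'"?([a-zA-Z]:\\[^"]*?\.(?:exe|dll|sys|cpl|ocx))"?', re.IGNORECASE)
# Assumption: where a stock XP install keeps its own autoruns (8.3 short name included).
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Finding:
    kind: str
    entry: str
    reason: str


def parse_entries(text):
    """Return (kind, rest) pairs for every recognised report line."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("rest")))
    return entries


def triage(text):
    """Flag entries a reviewer would check by hand; a clean entry yields nothing."""
    findings = []
    for kind, rest in parse_entries(text):
        if kind == "Hosts":
            # DDS only lists Hosts lines beyond the stock localhost mapping.
            findings.append(Finding(kind, rest, "non-default Hosts entry; confirm it is intentional"))
            continue
        if rest.endswith("- No File"):
            findings.append(Finding(kind, rest, "orphaned entry (No File); leftover from an uninstall, safe to remove"))
            continue
        m = PATH_RE.search(rest)
        if m is None:
            continue  # no local module path on this line, nothing to check
        path = m.group(1).lower()
        if not path.startswith(EXPECTED_PREFIXES):
            findings.append(Finding(kind, rest, "module outside Windows/Program Files; verify the file and its publisher"))
    return findings


def summarize(text):
    """Count entries per kind, the quick overview a reviewer starts from."""
    counts = {}
    for kind, _ in parse_entries(text):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.entry}")
```

Run against the sample it reports three findings: the invented autorun under Application Data, the orphaned toolbar CLSID, and the LAN Hosts entry; the real entries from the log above pass silently, which is the "nothing suspicious" result the helper reports. The allowlist is deliberately coarse: it only decides what gets a second look, not what is malicious.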

#2 nasdaq

  • Malware Response Team
  • 38,957 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:08 PM

Posted 22 September 2011 - 10:09 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

Is this the second computer?
Just saw your post in our pending topics list.

Nothing suspicious was found on your log.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please let me know of any pending issues.

#3 Steve23

  • Topic Starter
  • Members
  • 89 posts
  • Gender:Male
  • Location:Rochester New York area
  • Local time:09:08 PM

Posted 22 September 2011 - 10:57 AM

nasdaq,

Yes this is the second computer. I put a link in Malware, Trojan, Vundo? Router DNS Hijack?, but it was, by coincidence, so close to your last post there that it would be very easily missed.

The forum posts are as follows:

Thank you for fixing the D620!
Thank you for informing me that there was "Nothing suspicious" in the 1100 DDS log. I will deal with SecurityCheck for the 1100 tonight.
Let me know what you think of the 2400.

Have a Great Day!

Steve

Edited by Steve23, 22 September 2011 - 12:05 PM.


#4 Steve23

  • Topic Starter
  • Members
  • 89 posts
  • Gender:Male
  • Location:Rochester New York area
  • Local time:09:08 PM

Posted 23 September 2011 - 09:07 AM

I put this here so it can be associated with the correct post.

"Changes have been made that affect the global template, Normal.dot. Do you want to save those changes?"


This might be just a setting that must be changed.

See if this Microsoft Article can help stop this activity.
http://support.microsoft.com/kb/291352
===

Your DDS log is clean.

To check further run this tool

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
===

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Post the logs for my review.



#5 Steve23

  • Topic Starter
  • Members
  • 89 posts
  • Gender:Male
  • Location:Rochester New York area
  • Local time:09:08 PM

Posted 23 September 2011 - 09:09 AM

I put this here so it can be associated with the correct post.

nasdaq,

Thank you so much for the link on the MS Word problem. I had one disabled WebPage COM Add-in with on-demand start, which you would think would not be a problem, yet when I removed it this fixed the problem! So it wasn't a macro virus after all. Thank you for sharing your wisdom and experience on that concern. :thumbsup: Because of prior Word macro virus experience, I have always enabled Prompt to save Normal template and then suspected random changes to Normal.dot, but thanks to you I know differently now.

The ESET scan has been running almost four hours. I will have to post ESET and SecurityCheck logs tomorrow evening, which is also when I hope to post a link to Logs for my final PC with problems. My apologies for the delays.

Regards,

Steve


I put this here so it can be associated with the correct post.

nasdaq,

ESET Scan Results:
No threats found
Scanned Files: 90421
Infected Files: 0
Cleaned Files: 0
Total scan time: 03:59:41
Scan status: Finished

Then there only is a Finish button; no List of found threats to export.

I enabled "Uninstall application on close," and clicked Finish.

Steve



#6 Steve23

  • Topic Starter
  • Members
  • 89 posts
  • Gender:Male
  • Location:Rochester New York area
  • Local time:09:08 PM

Posted 23 September 2011 - 09:13 AM

I put this here so it can be associated with the correct post.

Results of screen317's Security Check version 0.99.18
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Symantec Endpoint Protection
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 26
Flash Player Out of Date!
Adobe Flash Player 10.0.45.2
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
``````````End of Log````````````

nasdaq,

I see some Adobe stuff is out of date again. Is there a way I can set all this Adobe stuff for auto-update?

Also, the reason I disabled Ad-Aware is because it was sucking CPU cycles. Some Anti-Virus thing or other always seems to be doing an update or scanning and so the PC runs very slowly. Often it feels the anti-virus sw is slowing me down as much as a virus. :wink:

Steve


I put this here so it can be associated with the correct post.

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of Java SE Runtime Environment 6 Update 27.
  • In the box labeled "Java Platform, Standard Edition", click the "Download JRE" button to the right.
  • In the Window that opens, select Windows (or Windows x64), and check the "agree" box and click "Continue".
  • Click on the link to download Windows Offline Installation and save to your Desktop.
  • Then from your Desktop double-click on jre-6u27-windows-i586.exe that you have downloaded to install the newest version.

    For the x64 bit version download jre-6u27-windows-x64.exe instead. Make sure you download the correct version.

    - Note: If you are running Vista or Windows 7, you may need to right-click on the installation file and select Run as Administrator.

If present remove the old version(s) of Java using the Add/Remove Programs applet.


list....

===

Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.7 and earlier versions... being exploited in the wild in active targeted attacks... update to Adobe Flash Player 10.3.183.10 ... Flash Player for Android update to Adobe Flash Player for Android 10.3.186.7

Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.

Download for Internet Explorer

Download for Firefox and other browsers
<<<>>>

Norton on a slow CPU can slow down the computer.

These are two free programs.
avast!
AntiVir

If you decide to change vendor make sure you delete Norton completely.

Download and run the Norton Removal Tool FOR YOUR CURRENT PROGRAM.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=&docid=2001092114452606&nsf=nav.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=

As for Ad-Aware I would keep it in a disabled state.
Run it on occasion just to check.

When all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

When ready post the link here for the next computer.


I put this here so it can be associated with the correct post.

nasdaq,

As for Ad-Aware I would keep it in a disabled state. Run it on occasion just to check.

Thank you for the suggestion. Good idea to run periodically. I will do that.


Thank you for the method to change from Symantec Endpoint Protection (SEP). I have wanted to do that for a while. SEP downloads updates too often and it uses the CPU too much, yet it still has let malware through before. I think I will switch.


I see some adobe stuff is out of date again. Is there a way I can set all this adobe stuff for auto-update?

I had a chance to answer my own question and post it here for reference. I found these links for managing auto-update settings:

If present remove the old version(s) of Java using the Add/Remove Programs applet.

I did not, however, come across an answer to the above. Should I similarly remove old versions of Adobe products, i.e. Flash and Reader, as time goes on?

Regards,

Steve


I put this here so it can be associated with the correct post.

I did not, however, come across an answer to the above. Should I similarly remove old versions of Adobe products, i.e. Flash and Reader, as time goes on?


Then everything is fine.



#7 nasdaq

  • Malware Response Team
  • 38,957 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:08 PM

Posted 24 September 2011 - 07:46 AM

Where do we stand?

#8 Steve23

  • Topic Starter
  • Members
  • 89 posts
  • Gender:Male
  • Location:Rochester New York area
  • Local time:09:08 PM

Posted 26 September 2011 - 11:09 PM

Where do we stand?

nasdaq,

Maybe you're looking for a much simpler answer than I'm about to give, but I am trying my best to help you be able to most easily work with me.

I'm sorry it seems things have gotten unclear. For a while they were for me too, but I went through everything and am confident that I know what was done on each of the three PCs and where to find it in the forum posts. However, I am unsure of how to best share that understanding with you. I consider it my fault that the start of the confusion was that logs and a conversation for the newly opened Dell Dimension 1100 topic got threaded into the concluding posts of the Dell Latitude D620 topic. In doing so, I thought I was responding as you wanted me to, but I now see I was in error. My periodic PMs to you were meant to explain this, but you seem to not have received any; as you said, they were not in your mailbox. This has produced a degree of uncertainty as to where we left off and again, I apologize.

What would you like to do next to answer your question? I understand there is a chat function. Perhaps we could attempt that by appointment, if you are willing. I would also be very willing to talk on the phone. Or I can try to write up a clarification, one for each of the three PC topics, as to what was done when and why. For example:
Performed on Dimension 1100:
  • ran dds and posted log -- log looked ok
  • ran gmer and posted log -- log looked ok
  • disabled MSWord Add-in to fix prompt to save normal.dot
  • ran SecurityCheck and posted log -- Flash out of date; Ad-Aware disabled; JRE 6u26
  • ran ESET -- no threats found
  • updated JRE, Flash, run Ad-Aware as needed, set Java and Adobe products for auto-updates and removed prior versions where appropriate
  • you instructed me to uninstall ComboFix, but I had not run ComboFix on this PC -- did you want me to?

How would you like me to proceed to best enable the conclusion of your gratefully acknowledged aid?

In the meantime, if you want to see if they help, below are two of the intended clarifying PM's.

Sincerely,

Steve

nasdaq,

This should help you find where we left off: http://www.bleepingcomputer.com/forums/topic419886.html/page__view__findpost__p__2416421__fromsearch__1 . I'm sorry if this got confusing. I know it did for me :scratchhead:

Thanks for ALL your help and patience!!!

Steve

nasdaq,

I hope it was ok for me to quote a few posts from one Logs Forum topic to another.

I so appreciate your willingness to work with me on all three of my PC's (620, 1100, 2400). When I started on the 620, then moved on to the 1100 by posting a link to the 1100 post in the 620 post, some of the 1100 conversation and logs ended up in the 620 post. I simply quoted these, in chronological order into the 1100 post and tagged them with something like "moved here to be in the correct post."

This has made it much easier for me to see where I left off, and I hope for those who may read this in posterity for aid. To my knowledge the 620 matter is closed, the 1100 matter is closed, and I am waiting on your reply to my combofix log in the 2400 post. (note: your reply on that log was received 24 September 2011 - 10:14 AM)

The forum topics are as follows:


I don't know if you get my PM's, but I hoped to clarify some process items here that would not fit appropriately in a post.

Thank you so much for your help!

Steve


Edited by Steve23, 26 September 2011 - 11:11 PM.


#9 nasdaq

  • Malware Response Team
  • 38,957 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:08 PM

Posted 27 September 2011 - 07:57 AM

I worked on more than 20 open topics.

We need to keep it simple.

On each of your links for the 3 computers give me the status of the computer by replying to each one of them.

All I want to know is what the issues are, if any.

Will work on each system individually.

#10 Steve23

  • Topic Starter
  • Members
  • 89 posts
  • Gender:Male
  • Location:Rochester New York area
  • Local time:09:08 PM

Posted 27 September 2011 - 08:40 PM

nasdaq,

Are the initial logs at the top of this page ok?

Are you confident that this PC is safe for internet banking?

Thank you for your time.

Steve

#11 nasdaq

  • Malware Response Team
  • 38,957 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:08 PM

Posted 28 September 2011 - 08:41 AM

Keep an eye on it. If any problem please post.

If all is well this topic will be closed in 7 days.

#12 Steve23

  • Topic Starter
  • Members
  • 89 posts
  • Gender:Male
  • Location:Rochester New York area
  • Local time:09:08 PM

Posted 28 September 2011 - 11:04 AM

nasdaq,

Are the initial logs at the top of this page ok?

I am asking again because this is the PC where we got our threads crossed and I want to be sure you did indeed look at this PC's DDS and GMER logs and not those of another PC of mine. You did not instruct me to run any virus fixes, i.e. ComboFix, on this PC.

Regards,

Steve

#13 nasdaq

  • Malware Response Team
  • 38,957 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:08 PM

Posted 28 September 2011 - 01:25 PM

If you did not run the ComboFix on this computer please do it.

You can also execute the Eset Online Scan. Just to be sure.

Please post the results.

#14 Steve23

  • Topic Starter
  • Members
  • 89 posts
  • Gender:Male
  • Location:Rochester New York area
  • Local time:09:08 PM

Posted 01 October 2011 - 11:18 PM

nasdaq,

ComboFix log at bottom.

ESET Scan Results:
No threats found
Scanned Files: 90421
Infected Files: 0
Cleaned Files: 0
Total scan time: 03:59:41
Scan status: Finished

Then there only is a Finish button; no List of found threats to export.

I enabled "Uninstall application on close," and clicked Finish.

Steve

ComboFix 11-10-01.03 - Steve 10/01/2011 22:44:15.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.384 [GMT -4:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Jonna\WINDOWS
c:\documents and settings\Megan\WINDOWS
c:\documents and settings\Steve\WINDOWS
c:\windows\system32\comct332.ocx
c:\windows\system32\d3d9caps.dat
c:\windows\system32\rnaph.dll
c:\windows\system32\spool\prtprocs\w32x86\LMPRINT.DLL
.
.
((((((((((((((((((((((((( Files Created from 2011-09-02 to 2011-10-02 )))))))))))))))))))))))))))))))
.
.
2011-09-23 03:08 . 2011-09-23 03:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-03 10:17 . 2011-09-09 09:12 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-23 03:09 . 2011-05-19 01:22 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-23 03:08 . 2010-06-06 03:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-09 09:12 . 2004-08-10 18:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2005-12-13 14:18 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-10 18:51 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2006-03-08 684032]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Norton Ghost 15.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2010-03-04 2598760]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-06-04 115624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2002-6-27 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Jonna\\Application Data\\Tencent\\QQ\\STemp\\SetupEx~0\\QQSetupEx.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/8/2011 10:39 PM 64512]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/18/2010 12:34 AM 94880]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/29/2011 10:52 AM 105592]
R3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\GenericMount.sys [9/21/2009 9:26 PM 57840]
R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [9/21/2009 9:19 PM 1964528]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/18/2011 10:01 AM 136176]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [5/25/2011 2:00 AM 2152152]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/4/2010 10:48 AM 23888]
S3 GenericMount Helper Service;GenericMount Helper Service;c:\program files\Norton Ghost\Shared\Drivers\GenericMountHelper.exe [9/21/2009 9:25 PM 1574408]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/18/2011 10:01 AM 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [5/25/2011 2:00 AM 15232]
S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [8/10/2004 2:50 PM 5120]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-05-25 07:40]
.
2011-10-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-18 13:59]
.
2011-10-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-18 13:59]
.
2011-09-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3151045201-3188106402-1006985496-1008Core.job
- c:\documents and settings\Megan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-30 05:10]
.
2011-10-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3151045201-3188106402-1006985496-1008UA.job
- c:\documents and settings\Megan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-30 05:10]
.
2011-06-13 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-11-18 15:13]
.
2011-10-01 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-11-18 15:13]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
TCP: DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
SafeBoot-Symantec Antvirus
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-01 22:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3151045201-3188106402-1006985496-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2011-10-01 22:57:58
ComboFix-quarantined-files.txt 2011-10-02 02:57
.
Pre-Run: 34,550,513,664 bytes free
Post-Run: 34,598,354,944 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 7FA55883377C181A0372B566B75BBA2A
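Added example (not part of the posted log or of ComboFix itself): a small Python triage script for the kind of ComboFix output shown above. It parses the Run-key values, the firewall AuthorizedApplications list, the R/S service lines and the scheduled-task lines, then flags any executable that lives under a user profile rather than under Windows or Program Files. The sample input is constructed from lines copied out of the log above; the severity labels, the "temp folder" heuristic and the trusted-root list are my own assumptions, not anything the tool or the thread defines.

```python
import re

# Constructed sample input: lines copied from the ComboFix log posted above
# (a Run key, the firewall AuthorizedApplications list, two services, one task).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-06-04 115624]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Jonna\\Application Data\\Tencent\\QQ\\STemp\\SetupEx~0\\QQSetupEx.exe"=
.
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/18/2010 12:34 AM 94880]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/18/2011 10:01 AM 136176]
.
2011-10-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3151045201-3188106402-1006985496-1008UA.job
- c:\documents and settings\Megan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-30 05:10]
"""

# Line shapes as ComboFix prints them (assumed from the log above, not a formal spec).
REG_KEY = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')   # "name"="path" [date size]
FW_VALUE = re.compile(r'^"(?P<path>[^"]+)"=$')                   # "path"=  (empty data)
SERVICE = re.compile(r"^[RS]\d+ (?P<name>[^;]+);[^;]*;(?P<path>.+?) \[")
TASK_OR_LNK = re.compile(r"^(?:- |(?P<name>.+?\.lnk) - )(?P<path>.+?) \[")

PROFILE_ROOT = "c:\\documents and settings\\"
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")   # assumption: XP default roots


def parse_combofix(text):
    """Return (kind, name, raw_path) for every autostart / exception entry recognised."""
    entries = []
    kind = None
    for line in text.splitlines():
        line = line.strip()
        key = REG_KEY.match(line)
        if key:
            # The firewall list and the Run keys share the "value"= layout, so
            # remember which key we are inside to label the entry correctly.
            kind = "firewall" if "AuthorizedApplications" in key.group("key") else "run"
            continue
        m = RUN_VALUE.match(line)
        if m and kind == "run":
            entries.append(("run", m.group("name"), m.group("path")))
            continue
        m = FW_VALUE.match(line)
        if m and kind == "firewall":
            entries.append(("firewall", None, m.group("path")))
            continue
        m = SERVICE.match(line)
        if m:
            entries.append(("service", m.group("name"), m.group("path")))
            continue
        m = TASK_OR_LNK.match(line)
        if m:
            entries.append(("task" if m.group("name") is None else "startup",
                            m.group("name"), m.group("path")))
    return entries


def normalize_path(raw):
    """Collapse registry escaping and common aliases so prefix checks are reliable."""
    p = raw.replace("\\\\", "\\").lower()
    p = p.replace("%windir%", "c:\\windows")
    p = p.replace("c:\\progra~1", "c:\\program files")
    return p


def classify(raw_path):
    """Return None for a path in a normal install location, else a reason string."""
    p = normalize_path(raw_path)
    if p.startswith(PROFILE_ROOT):
        parts = p.split("\\")
        user = parts[2]
        # Heuristic: an executable staged under a temp/STemp directory inside a
        # profile is an installer leftover at best and should not hold a firewall
        # exception or an autostart entry.
        if any("temp" in part for part in parts[3:-1]):
            return "HIGH: executable under a temp/staging folder in profile of '%s'" % user
        return "MEDIUM: runs from user profile of '%s' (per-user install; verify publisher)" % user
    if p.startswith(TRUSTED_ROOTS):
        return None
    return "LOW: outside Windows and Program Files"


def triage(text):
    """Return flagged entries as (kind, name, normalized_path, reason)."""
    flagged = []
    for kind, name, path in parse_combofix(text):
        reason = classify(path)
        if reason:
            flagged.append((kind, name, normalize_path(path), reason))
    return flagged


if __name__ == "__main__":
    for kind, name, path, reason in triage(SAMPLE_LOG):
        print("%-8s %-12s %s\n         %s" % (kind, name or "-", path, reason))
```

On the sample this flags two entries: the firewall exception for QQSetupEx.exe under Jonna's Application Data\...\STemp (an installer path that has no business in the exception list) and Megan's per-user GoogleUpdate.exe task (normal for a per-user Google install, but worth confirming the file's publisher). Everything under c:\windows and c:\program files is left alone, which is the point: on a log of this size the script narrows the review to the handful of entries a person should actually look at.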

#15 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:08 PM

Posted 02 October 2011 - 08:59 AM

The log is clean.

I enabled "Uninstall application on close," and clicked Finish.

Are you able to delete the application after a restart of the computer?

What issues are still pending?
