PUM.Hijack.StartMenu and Backdoor.Agent.RCGen


11 replies to this topic

#1 Arrrggghhhhh


Posted 18 April 2012 - 01:20 AM

Firefox crashed out of a normal website
Tried to restart - Avira kicked in and found "TR/Crypt.XPACK.Gen2"
Chose to remove. Appeared to work.

Then...

Popup opened
System Error. Hard disk failure detected - (close button [x] disabled)
"It's highly recommended to run complete HDD scan to prevent loss of personal files."
[scan and repair] [cancel and restart]

neither of which I did of course... still open now as I type this actually...


Desktop icons started to vanish... start menu programs list empty - rest of icons also vanishing till all were gone
Quickly opened MBAM and ran it. Found 7 infected registry entries of PUM.Hijack.StartMenu - removed.

All during this time...
Warning Shield on QuickIcons bar threatening every couple minutes with warnings like...
"Device Initialization Error"
"Drive Sector not found"
"Data Error reading Drive"
etc....

And a cascade of popup windows about every 10 minutes... 23 at a time...
System message - Write Fault Error
A write command failed during the test has failed to complete. This may be due to media or read/write error.

The system generates an exception error when using a reference to an invalid system memory address
[Cancel] [Try Again] [Continue]


So found similar topic and dl'd and ran a few apps to help things along...
Restarted in Safemode and ran the apps... logs below.
here are the results...


=================================================
Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Avira Free Antivirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

SpywareBlaster 4.5
SUPERAntiSpyware Free Edition
CCleaner
Java™ 6 Update 18
Out of date Java installed!
Adobe Flash Player 11.2.202.228
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

=================================================

Farbar Service Scanner Version: 16-04-2012
Ran by ### (administrator) on 17-04-2012 at 22:51:16
Running from "C:\Documents and Settings\###\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Nerwork
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS: "C:\WINDOWS\system32\qmgr.dll".

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".
The ServiceDll of EventSystem: "C:\WINDOWS\system32\es.dll".


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
DNE(8) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000005000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****

=================================================

MiniToolBox by Farbar Version: 18-01-2012
Ran by ### (administrator) on 17-04-2012 at 22:53:00
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Nerwork
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================


127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.10sek.com
127.0.0.1 10sek.com
127.0.0.1 www.123topsearch.com
127.0.0.1 123topsearch.com

There are 12900 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

Broadcom NetXtreme 57xx Gigabit Controller = Local Area Connection (Connected)
Dell Wireless 1490 Dual Band WLAN Mini-Card = Wireless Network Connection (Media disconnected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp

# Interface IP Configuration for "Wireless Network Connection"

set address name="Wireless Network Connection" source=dhcp
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp


popd
# End of interface IP configuration


Windows IP Configuration

Host Name . . . . . . . . . . . . : MONTAGE_PORT1
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-15-C5-B9-09-63
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.65
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 192.168.1.254
                                    75.153.176.9
Lease Obtained. . . . . . . . . . : Tuesday, April 17, 2012 10:47:05 PM
Lease Expires . . . . . . . . . . : Wednesday, April 18, 2012 10:47:05 PM

Ethernet adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Dell Wireless 1490 Dual Band WLAN Mini-Card
Physical Address. . . . . . . . . : 00-16-CF-84-12-CE

DNS request timed out.
timeout was 2 seconds.
Server: ns2.dns.telus.com
Address: 75.153.176.9

Name: google.com
Addresses: 173.194.33.33, 173.194.33.37, 173.194.33.39, 173.194.33.38
173.194.33.35, 173.194.33.36, 173.194.33.40, 173.194.33.41, 173.194.33.46
173.194.33.34, 173.194.33.32

Pinging google.com [173.194.33.41] with 32 bytes of data:
Reply from 173.194.33.41: bytes=32 time=23ms TTL=57
Reply from 173.194.33.41: bytes=32 time=22ms TTL=55
Ping statistics for 173.194.33.41:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 23ms, Average = 22ms

DNS request timed out.
timeout was 2 seconds.
Server: ns2.dns.telus.com
Address: 75.153.176.9

Name: yahoo.com
Addresses: 72.30.38.140, 98.139.183.24, 209.191.122.70

Pinging yahoo.com [209.191.122.70] with 32 bytes of data:
Reply from 209.191.122.70: bytes=32 time=76ms TTL=53
Reply from 209.191.122.70: bytes=32 time=76ms TTL=53
Ping statistics for 209.191.122.70:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 76ms, Maximum = 76ms, Average = 76ms

DNS request timed out.
timeout was 2 seconds.
Server: ns2.dns.telus.com
Address: 75.153.176.9

Name: bleepingcomputer.com
Address: 208.43.87.2

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.
Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 15 c5 b9 09 63 ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
0x3 ...00 16 cf 84 12 ce ...... Dell Wireless 1490 Dual Band WLAN Mini-Card - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.65 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.65 192.168.1.65 10
192.168.1.65 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.1.255 255.255.255.255 192.168.1.65 192.168.1.65 10
224.0.0.0 240.0.0.0 192.168.1.65 192.168.1.65 10
255.255.255.255 255.255.255.255 192.168.1.65 192.168.1.65 1
255.255.255.255 255.255.255.255 192.168.1.65 3 1
Default Gateway: 192.168.1.254
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (04/17/2012 10:51:22 PM) (Source: LoadPerf) (User: )
Description: Installing the performance counter strings for service WmiApRpl (%2) failed. The
Error code is the first DWORD in Data section.

Error: (04/17/2012 10:51:22 PM) (Source: LoadPerf) (User: )
Description: Unable to update the performance counter strings of the 009 language ID.
The Win32 status returned by the call is the first DWORD in Data section.

Error: (04/17/2012 10:51:19 PM) (Source: LoadPerf) (User: )
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The
Error code is the first DWORD in Data section.

Error: (04/17/2012 10:51:19 PM) (Source: LoadPerf) (User: )
Description: Unable to update the performance counter strings of the 009 language ID.
The Win32 status returned by the call is the first DWORD in Data section.

Error: (02/16/2012 09:52:59 AM) (Source: Microsoft Office 12) (User: )
Description: Faulting application outlook.exe, version 12.0.6562.5003, stamp 4e2f99fb, faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address 0x00000004.

Error: (02/02/2012 05:27:02 PM) (Source: Application Hang) (User: )
Description: Fault bucket -1544775435.

Error: (02/02/2012 05:26:45 PM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 9.0.1.4371, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (02/02/2012 10:50:53 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Error: (02/01/2012 06:11:18 PM) (Source: Application Hang) (User: )
Description: Hanging application Homesite+.exe, version 6.0.0.7658, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (01/14/2012 08:25:47 AM) (Source: Microsoft Office 12) (User: )
Description: Faulting application outlook.exe, version 12.0.6562.5003, stamp 4e2f99fb, faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address 0x00000000.


System errors:
=============
Error: (04/17/2012 10:55:36 PM) (Source: DCOM) (User: ###)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (04/17/2012 10:55:34 PM) (Source: DCOM) (User: ###)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (04/17/2012 10:55:32 PM) (Source: DCOM) (User: ###)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (04/17/2012 10:53:03 PM) (Source: DCOM) (User: ###)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (04/17/2012 10:51:57 PM) (Source: DCOM) (User: ###)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (04/17/2012 10:51:19 PM) (Source: DCOM) (User: ###)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (04/17/2012 10:48:39 PM) (Source: DCOM) (User: ###)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (04/17/2012 10:48:39 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
avipbb
avkmgr
Fips
intelppm
SASDIFSV
SASKUTIL
ssmdrv

Error: (04/17/2012 10:48:39 PM) (Source: Service Control Manager) (User: )
Description: The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error:
%%1068

Error: (04/17/2012 10:47:52 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}


Microsoft Office Sessions:
=========================
Error: (02/16/2012 09:52:50 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 76621 seconds with 1200 seconds of active time. This session ended with a crash.

Error: (01/14/2012 08:25:39 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 224178 seconds with 7380 seconds of active time. This session ended with a crash.

Error: (01/11/2012 10:46:25 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 45 seconds with 0 seconds of active time. This session ended with a crash.

Error: (09/23/2011 09:26:22 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 168625 seconds with 3840 seconds of active time. This session ended with a crash.

Error: (07/31/2011 08:54:40 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6557.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 164181 seconds with 2520 seconds of active time. This session ended with a crash.

Error: (03/02/2011 04:41:00 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 181805 seconds with 10140 seconds of active time. This session ended with a crash.

Error: (02/08/2011 01:03:13 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 355662 seconds with 11460 seconds of active time. This session ended with a crash.

Error: (01/14/2011 04:11:57 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1301 seconds with 900 seconds of active time. This session ended with a crash.

Error: (10/19/2010 02:34:43 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6539.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 9362 seconds with 2220 seconds of active time. This session ended with a crash.

Error: (10/19/2010 11:58:22 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6539.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 26840 seconds with 1800 seconds of active time. This session ended with a crash.


=========================== Installed Programs ============================

7-Zip 4.65
Acrobat.com (Version: 0.0.0)
Adobe Acrobat 7.0 Professional (Version: 7.1.0)
Adobe Acrobat 7.1.0 Professional (Version: 7.1.0)
Adobe AIR (Version: 3.0.0.4080)
Adobe Common File Installer (Version: 1.00.0000)
Adobe Flash Player 10 ActiveX (Version: 10.1.53.64)
Adobe Flash Player 11 Plugin (Version: 11.2.202.228)
Adobe Help Center 1.0 (Version: 001.000.000)
Adobe Photoshop CS2 (Version: 9.0)
Adobe Shockwave Player 11.5 (Version: 11.5.2.602)
Adobe Stock Photos 1.0 (Version: 001.000.000)
ALPS Touch Pad Driver
Apple Application Support (Version: 2.1.6)
Apple Software Update (Version: 2.1.3.127)
Avira Free Antivirus (Version: 12.0.0.898)
Beyond Compare Version 3.1.10
Broadcom Advanced Control Suite (Version: 8.68.05)
BS.Player FREE (Version: 2.35.985)
Canon iP6600D
Canon MP Navigator EX 3.1
Canon MX870 series MP Drivers
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
CCleaner (Version: 3.16)
Cisco WebEx Meetings
CoffeeCup HTML Editor
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Conexant HDA D110 MDC V.92 Modem
CuteFTP
Dell Wireless WLAN Card (Version: 4.10.47.3)
Digital Line Detect (Version: 1.15)
Google Chrome (Version: 18.0.1025.162)
GoToMeeting 5.1.0.874 (Version: 5.1.0.874)
J2SE Runtime Environment 5.0 Update 6 (Version: 1.5.0.60)
J2SE Runtime Environment 5.0 Update 9 (Version: 1.5.0.90)
Java Auto Updater (Version: 2.0.1.2)
Java™ 6 Update 18 (Version: 6.0.180)
Junk Mail filter update (Version: 14.0.8117.416)
Macromedia HomeSite+
Malwarebytes Anti-Malware version 1.61.0.1400 (Version: 1.61.0.1400)
Messenger Plus! 3
Microsoft .NET Compact Framework 2.0 SP2 (Version: 2.0.7045)
Microsoft .NET Compact Framework 3.5 (Version: 3.5.7283)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Device Emulator version 3.0 - ENU (Version: 9.0.21022)
Microsoft Document Explorer 2008
Microsoft Document Explorer 2008 (Version: 9.0.21022)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Enterprise 2007 (Version: 12.0.6612.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Groove MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Groove Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Live Add-in 1.3 (Version: 2.0.2313.0)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Project 2007 Service Pack 3 (SP3)
Microsoft Office Project MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Project Standard 2007 (Version: 12.0.6612.1000)
Microsoft Office Project Standard 2007 Trial (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Silverlight (Version: 4.1.10111.0)
Microsoft Software Update for Web Folders (English) 12 (Version: 12.0.6612.1000)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Mikogo 4 (Version: 4.4)
Modem Helper (Version: 3.02)
Mozilla Firefox (3.6.17) (Version: 3.6.17 (en-GB))
Mozilla Firefox 11.0 (x86 en-US) (Version: 11.0)
MSN
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
NTRU Hybrid TSS v2.0.25 (Version: 2.0.25)
NVIDIA Drivers (Version: 1.10)
NVIDIA System Monitor (Version: 6.5)
NVIDIA System Update (Version: 3.00)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
QuickTime (Version: 7.71.80.42)
Safari (Version: 5.34.52.7)
Seagate Manager Installer (Version: 2.01.0600)
Segoe UI (Version: 14.0.4327.805)
SimpLite-MSN 2.5 (Version: 02.05.0001)
SpywareBlaster 4.5 (Version: 4.5.0)
SUPERAntiSpyware Free Edition (Version: 4.27.0.1002)
TweetDeck (Version: 0.37.6)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2598306) 32-Bit Edition
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB972636) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows Internet Explorer 8 (KB976749) (Version: 1)
Update for Windows Internet Explorer 8 (KB980182) (Version: 1)
Update for Windows XP (KB2492386) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Visual C++ 2008 x86 Runtime - (v9.0.30729) (Version: 9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01 (Version: 9.0.30729.01)
WebEx Event Manager for Firefox or Chrome (Version: 6.23.2500)
WebFldrs XP (Version: 9.50.7523)
Winamp (Version: 5.56 )
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray (Version: 1.0)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7 (Version: 20061027.150806)
Windows Live Call (Version: 14.0.8117.0416)
Windows Live Communications Platform (Version: 14.0.8117.416)
Windows Live Essentials (Version: 14.0.8117.0416)
Windows Live Essentials (Version: 14.0.8117.416)
Windows Live Mail (Version: 14.0.8117.0416)
Windows Live Messenger (Version: 14.0.8117.0416)
Windows Live Photo Gallery (Version: 14.0.8117.416)
Windows Live Sync (Version: 14.0.8117.416)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Live Writer (Version: 14.0.8117.0416)
Windows Media Format Runtime
WinZip 12.1 (Version: 12.1.8519)
Xvid 1.1.3 final uninstall (Version: 1.1)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 17%
Total physical RAM: 2558.11 MB
Available physical RAM: 2097.8 MB
Total Pagefile: 4959.06 MB
Available Pagefile: 4739.47 MB
Total Virtual: 2047.88 MB
Available Virtual: 1973.12 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:93.1 GB) (Free:28.12 GB) NTFS

========================= Users: ========================================

User accounts for \\MONTAGE_PORT1

Administrator ASPNET Guest
HelpAssistant IUSR_MONTAGE_PORT1 IWAM_MONTAGE_PORT1
### SUPPORT_388945a0


**** End of log ****


=================================================

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.18.02

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
### :: MONTAGE_PORT1 [administrator]

4/17/2012 10:57:56 PM
mbam-log-2012-04-17 (22-57-56).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 204232
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|aYiaqIoxFlurkK.exe (Backdoor.Agent.RCGen) -> Data: C:\Documents and Settings\All Users\Application Data\aYiaqIoxFlurkK.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 7
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\All Users\Application Data\aYiaqIoxFlurkK.exe (Backdoor.Agent.RCGen) -> Quarantined and deleted successfully.

(end)


=================================================


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-17 23:04:45
-----------------------------
23:04:45.531 OS Version: Windows 5.1.2600 Service Pack 3
23:04:45.531 Number of processors: 2 586 0xE08
23:04:45.546 ComputerName: MONTAGE_PORT1 UserName: ###
23:04:46.265 Initialize success
23:07:55.984 AVAST engine defs: 12041701
23:08:57.890 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
23:08:57.906 Disk 0 Vendor: Hitachi_HTS721010G9SA00 MCZOC10H Size: 95396MB BusType: 3
23:08:57.937 Disk 0 MBR read successfully
23:08:57.968 Disk 0 MBR scan
23:08:58.015 Disk 0 Windows XP default MBR code
23:08:58.031 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
23:08:58.062 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 95331 MB offset 128520
23:08:58.093 Disk 0 scanning sectors +195366465
23:08:58.187 Disk 0 scanning C:\WINDOWS\system32\drivers
23:09:10.296 Service scanning
23:09:26.546 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
23:09:31.015 Modules scanning
23:09:36.468 Disk 0 trace - called modules:
23:09:36.750 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys spgu.sys hal.dll >>UNKNOWN [0x8aabd938]<<
23:09:37.000 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a9b9ab8]
23:09:37.250 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8aa3dd98]
23:09:38.187 AVAST engine scan C:\WINDOWS
23:09:42.453 AVAST engine scan C:\WINDOWS\system32
23:12:26.906 AVAST engine scan C:\WINDOWS\system32\drivers
23:12:44.390 AVAST engine scan C:\Documents and Settings\###
23:16:08.281 AVAST engine scan C:\Documents and Settings\All Users
23:17:03.031 Scan finished successfully
23:17:32.359 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\###\Desktop\MBR.dat"
23:17:32.375 The log file has been saved successfully to "C:\Documents and Settings\###\Desktop\aswMBR.txt"

=================================================

Edited by Arrrggghhhhh, 18 April 2012 - 01:53 AM.
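The MBAM log above records three kinds of change the rogue made: the Explorer `Start_Show*` values forced to 0 (the emptied Start menu), `NoDesktop` forced to 1 (the vanished desktop icons) and a Run value pointing at a randomly named executable under All Users\Application Data. Below is an added example, written for this page and not code from the original post or from Malwarebytes, that looks for those same indicators in the text of a `reg export` (.reg) file so the check can be repeated offline after the fact. The sample export is constructed, and the mixed-case random-name rule is a hypothetical heuristic, not something MBAM uses.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a `reg export` (.reg) file. Names and values are made up
# to mirror the kinds of entries MBAM reported above; this is not a real export.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"Start_ShowRun"=dword:00000000
"Start_ShowSearch"=dword:00000000
"Start_ShowMyDocs"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDesktop"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"aYiaqIoxFlurkK.exe"="C:\\Documents and Settings\\All Users\\Application Data\\aYiaqIoxFlurkK.exe"
"avgnt"="\"C:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe\" /min"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
DWORD_RE = re.compile(r'^"(.+?)"=dword:([0-9a-fA-F]{8})$')
STR_RE = re.compile(r'^"(.+?)"="(.*)"$')

ADVANCED_KEY = r'hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced'
POLICIES_KEY = r'hkey_current_user\software\microsoft\windows\currentversion\policies\explorer'
RUN_KEYS = (r'hkey_local_machine\software\microsoft\windows\currentversion\run',
            r'hkey_current_user\software\microsoft\windows\currentversion\run')
# Values MBAM repaired from 0 back to 1 (PUM.Hijack.StartMenu).
START_SHOW_VALUES = ('Start_ShowControlPanel', 'Start_ShowHelp', 'Start_ShowMyComputer',
                     'Start_ShowMyDocs', 'Start_ShowRun', 'Start_ShowSearch')
# Shared application-data roots on XP and on Vista and later.
SHARED_APPDATA = ('\\all users\\application data\\', '\\programdata\\')
# Hypothetical heuristic: 10+ letters of mixed case and nothing else, like aYiaqIoxFlurkK.exe.
RANDOM_NAME_RE = re.compile(r'^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{10,}\.exe$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of .reg syntax `reg export` emits: keys, dword and string values."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()          # key paths are case-insensitive
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = DWORD_RE.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = STR_RE.match(line)
        if m:
            # .reg escapes backslashes and quotes inside string data
            keys[current][m.group(1)] = re.sub(r'\\(["\\])', r'\1', m.group(2))
    return keys


def command_path(data: str) -> str:
    """Return the executable path from a Run value: the quoted path, or the raw data if unquoted."""
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data


def find_indicators(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Return (category, value name, reason) for each indicator present in the parsed export."""
    findings = []
    advanced = keys.get(ADVANCED_KEY, {})
    for name in START_SHOW_VALUES:
        if advanced.get(name) == 0:
            findings.append(('PUM.Hijack.StartMenu', name, 'set to 0, expected 1'))
    if keys.get(POLICIES_KEY, {}).get('NoDesktop') == 1:
        findings.append(('PUM.Hidden.Desktop', 'NoDesktop', 'set to 1, expected 0 or absent'))
    for run_key in RUN_KEYS:
        for name, data in keys.get(run_key, {}).items():
            if not isinstance(data, str):
                continue
            path = command_path(data)
            if any(marker in path.lower() for marker in SHARED_APPDATA):
                reason = 'autorun from shared Application Data'
                if RANDOM_NAME_RE.match(path.rsplit('\\', 1)[-1]):
                    reason += ' with random-looking name'
                findings.append(('Suspicious autorun', name, reason))
    return findings


if __name__ == '__main__':
    for category, name, reason in find_indicators(parse_reg(SAMPLE_REG)):
        print(f'{category:22} {name:24} {reason}')
```

On the affected machine, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" adv.reg` (and the same for the Policies\Explorer and Run keys) produces the input; open the file with the encoding it was written in (`utf-16` on modern Windows) before passing the text to `parse_reg`. A legitimate Run entry such as the Avira tray program in Program Files is not flagged; only autoruns living in the shared Application Data tree are.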




#2 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,710 posts
  • Gender: Male
  • Location: Daly City, CA

Posted 18 April 2012 - 11:09 AM

Please disable "word wrap" in Notepad as your logs are hard to read.

Let's see if we can recover your missing features.
Download and run UnHide
Let me know if it worked.

Any other issues besides the missing stuff?

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click the donation link.


#3 Arrrggghhhhh


Posted 18 April 2012 - 04:55 PM

So after previous post I rebooted to safe mode again.

Ran MalwareBytes = clean
and SUPERAntispyware...

SUPERAntispyware hit a false positive in the Malwarebytes folder... doh!

Details:

Trojan.Dropper/SVCHost-Fake
	C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\CHAMELEON\SVCHOST.EXE
	C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE - 20120416\CHAMELEON\SVCHOST.EXE

20120418 >> These are false positives - no action taken.


But other than that things appear ok.

  • I did have some trouble restoring the Quick Launch toolbar but Googled that and resolved it.
  • I then ran unhide as suggested... which restored my desktop and start menu items. Brilliant!
  • Rebooted to normal windows and full MalwareBytes = clean and SUPERAntispyware = clean.

So only one question: Is my system still compromised/weakened by this? Is there any additional action I should take to provide peace of mind?

Thanks for your help. Look forward to your response.

#4 Broni


Posted 18 April 2012 - 04:58 PM

Let's run a couple more steps.

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    NOTE. If Eset doesn't find any threats it'll NOT produce any log.



#5 Arrrggghhhhh


Posted 18 April 2012 - 09:00 PM

Hey Broni

Temp File Cleaner (TFC) = Done
ESET Online Scanner = Done and nothing found.

#6 Broni


Posted 18 April 2012 - 09:23 PM

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it.
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Do NOT post JavaRa log.

=============================================================================

Your computer is clean.

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll remove all old restore points and create a fresh, clean restore point.

Turn system restore off.
Restart computer.
Turn system restore back on.

If you don't know how to do it...
Windows XP: http://support.microsoft.com/kb/310405
Vista and Windows 7: http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/

2. Make sure Windows Updates are current.

3. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

4. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

5. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

6. Run Temporary File Cleaner (TFC) weekly.

7. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

8. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

9. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

10. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

11. Except for MBAM and TFC, which are keepers, you can simply delete all other tools we used, as they don't install.



#7 Arrrggghhhhh


Posted 22 April 2012 - 10:24 AM

So a quick update

I combed through your suggestions in your last post and most/all are or were in play.

Yet just this morning I was again notified by Avira that I have issues.


------------------


Avira Free Antivirus
Report file date: Sunday, April 22, 2012 03:44

Scanning for 3668575 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : 1

Version information:
BUILD.DAT : 12.0.0.898 41963 Bytes 1/31/2012 14:50:00
AVSCAN.EXE : 12.1.0.20 492496 Bytes 2/15/2012 18:00:39
AVSCAN.DLL : 12.1.0.18 54224 Bytes 2/15/2012 18:00:39
LUKE.DLL : 12.1.0.19 68304 Bytes 2/15/2012 18:00:39
AVSCPLR.DLL : 12.1.0.22 100048 Bytes 2/15/2012 18:00:39
AVREG.DLL : 12.1.0.36 229128 Bytes 4/5/2012 17:00:47
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 03:18:34
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 18:07:39
VBASE002.VDF : 7.11.19.170 14374912 Bytes 12/20/2011 09:13:08
VBASE003.VDF : 7.11.21.238 4472832 Bytes 2/1/2012 18:06:46
VBASE004.VDF : 7.11.26.44 4329472 Bytes 3/28/2012 17:11:30
VBASE005.VDF : 7.11.26.45 2048 Bytes 3/28/2012 17:11:30
VBASE006.VDF : 7.11.26.46 2048 Bytes 3/28/2012 17:11:30
VBASE007.VDF : 7.11.26.47 2048 Bytes 3/28/2012 17:11:30
VBASE008.VDF : 7.11.26.48 2048 Bytes 3/28/2012 17:11:30
VBASE009.VDF : 7.11.26.49 2048 Bytes 3/28/2012 17:11:30
VBASE010.VDF : 7.11.26.50 2048 Bytes 3/28/2012 17:11:30
VBASE011.VDF : 7.11.26.51 2048 Bytes 3/28/2012 17:11:30
VBASE012.VDF : 7.11.26.52 2048 Bytes 3/28/2012 17:11:30
VBASE013.VDF : 7.11.26.53 2048 Bytes 3/28/2012 17:11:30
VBASE014.VDF : 7.11.26.107 221696 Bytes 3/30/2012 17:01:51
VBASE015.VDF : 7.11.26.179 224768 Bytes 4/2/2012 17:00:44
VBASE016.VDF : 7.11.26.241 142336 Bytes 4/4/2012 17:02:42
VBASE017.VDF : 7.11.27.41 247808 Bytes 4/8/2012 17:00:47
VBASE018.VDF : 7.11.27.107 161280 Bytes 4/12/2012 17:01:07
VBASE019.VDF : 7.11.27.159 148992 Bytes 4/13/2012 17:01:05
VBASE020.VDF : 7.11.27.201 207360 Bytes 4/17/2012 17:04:21
VBASE021.VDF : 7.11.28.3 237568 Bytes 4/19/2012 17:02:36
VBASE022.VDF : 7.11.28.49 193536 Bytes 4/20/2012 17:01:44
VBASE023.VDF : 7.11.28.50 2048 Bytes 4/20/2012 17:01:45
VBASE024.VDF : 7.11.28.51 2048 Bytes 4/20/2012 17:01:45
VBASE025.VDF : 7.11.28.52 2048 Bytes 4/20/2012 17:01:45
VBASE026.VDF : 7.11.28.53 2048 Bytes 4/20/2012 17:01:46
VBASE027.VDF : 7.11.28.54 2048 Bytes 4/20/2012 17:01:46
VBASE028.VDF : 7.11.28.55 2048 Bytes 4/20/2012 17:01:47
VBASE029.VDF : 7.11.28.56 2048 Bytes 4/20/2012 17:01:47
VBASE030.VDF : 7.11.28.57 2048 Bytes 4/20/2012 17:01:47
VBASE031.VDF : 7.11.28.70 6656 Bytes 4/20/2012 17:01:21
Engineversion : 8.2.10.52
AEVDF.DLL : 8.1.2.2 106868 Bytes 10/25/2011 22:39:56
AESCRIPT.DLL : 8.1.4.17 446842 Bytes 4/19/2012 17:16:52
AESCN.DLL : 8.1.8.2 131444 Bytes 1/27/2012 17:58:21
AESBX.DLL : 8.2.5.5 606579 Bytes 3/12/2012 17:03:51
AERDL.DLL : 8.1.9.15 639348 Bytes 9/9/2011 06:16:06
AEPACK.DLL : 8.2.16.9 807287 Bytes 3/30/2012 17:06:22
AEOFFICE.DLL : 8.1.2.27 201082 Bytes 4/4/2012 17:06:34
AEHEUR.DLL : 8.1.4.19 4673910 Bytes 4/19/2012 17:16:33
AEHELP.DLL : 8.1.19.1 254327 Bytes 4/2/2012 17:00:54
AEGEN.DLL : 8.1.5.27 422261 Bytes 4/19/2012 17:03:54
AEEXP.DLL : 8.1.0.29 82293 Bytes 4/13/2012 17:01:10
AEEMU.DLL : 8.1.3.0 393589 Bytes 9/2/2011 06:46:01
AECORE.DLL : 8.1.25.6 201078 Bytes 3/15/2012 17:01:26
AEBB.DLL : 8.1.1.0 53618 Bytes 9/2/2011 06:46:01
AVWINLL.DLL : 12.1.0.17 27344 Bytes 10/11/2011 22:00:11
AVPREF.DLL : 12.1.0.17 51920 Bytes 10/11/2011 22:00:09
AVREP.DLL : 12.1.0.17 179408 Bytes 10/11/2011 22:00:09
AVARKT.DLL : 12.1.0.23 209360 Bytes 2/15/2012 18:00:39
AVEVTLOG.DLL : 12.1.0.17 169168 Bytes 10/11/2011 22:00:08
SQLITE3.DLL : 3.7.0.0 398288 Bytes 10/11/2011 22:00:22
AVSMTP.DLL : 12.1.0.17 62928 Bytes 10/11/2011 22:00:10
NETNT.DLL : 12.1.0.17 17104 Bytes 10/11/2011 22:00:18
RCIMAGE.DLL : 12.1.0.17 4450000 Bytes 10/11/2011 22:00:31
RCTEXT.DLL : 12.1.1.16 96208 Bytes 12/23/2011 09:13:08

Configuration settings for the scan:
Jobname.............................: Local Hard Disks
Configuration file..................: c:\program files\avira\antivir desktop\alldiscs.avp
Logging.............................: default
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: extended

Start of the scan: Sunday, April 22, 2012 03:44

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting search for hidden objects.

The scan of running processes will be started
Scan process 'rsmsink.exe' - '1' Module(s) have been scanned
Scan process 'msdtc.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'vssvc.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'OUTLOOK.EXE' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'HidFind.exe' - '1' Module(s) have been scanned
Scan process 'Apntex.exe' - '1' Module(s) have been scanned
Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'StxMenuMgr.exe' - '1' Module(s) have been scanned
Scan process 'stsystra.exe' - '1' Module(s) have been scanned
Scan process 'WLTRAY.exe' - '1' Module(s) have been scanned
Scan process 'Apoint.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'M4-Capture.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'UpdateCenterService.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'PSIA.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'M4-Service.exe' - '1' Module(s) have been scanned
Scan process 'inetinfo.exe' - '1' Module(s) have been scanned
Scan process 'FreeAgentService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'SASCORE.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'SCardSvr.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'bcmwltry.exe' - '1' Module(s) have been scanned
Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting to scan executable files (registry).
The registry was scanned ( '1089' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\###\Local Settings\Temp\jar_cache6881295066591515164.tmp
[0] Archive type: ZIP
--> Etui.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.OpenS.V Java virus
--> xxx.class
[DETECTION] Contains recognition pattern of the EXP/12-0507.W.1 exploit
--> ulk.class
[DETECTION] Contains recognition pattern of the EXP/11-3544.CR.2 exploit
--> ovm.class
[DETECTION] Contains recognition pattern of the EXP/11-3544.DY.1 exploit
--> bfb.class
[DETECTION] Contains recognition pattern of the EXP/08-5353.DH.1 exploit

Beginning disinfection:
C:\Documents and Settings\###\Local Settings\Temp\jar_cache6881295066591515164.tmp
[DETECTION] Contains recognition pattern of the EXP/08-5353.DH.1 exploit
[NOTE] The file was moved to the quarantine directory under the name '5308b7f8.qua'.


End of the scan: Sunday, April 22, 2012 07:18
Used time: 1:30:45 Hour(s)

The scan has been done completely.

17102 Scanned directories
576975 Files were scanned
5 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
576970 Files not concerned
7210 Archives were scanned
0 Warnings
1 Notes
48715 Objects were scanned with rootkit scan
0 Hidden objects were found


Is this just dumb luck or is there still something under the skin of my system. Look forward to your insight.
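The Avira report above shows a single cached jar (a `jar_cache…tmp` file under Local Settings\Temp, where the Java browser plug-in stages applet jars) carrying a Java downloader plus classes matched by several `EXP/` exploit signatures. Below is an added example, written for this page and not code from the original post or from Avira, that parses a report in this layout into per-file findings and flags an archive bundling exploits for several distinct CVEs, which is the shape of a drive-by exploit-kit payload rather than a stray infected file. It assumes Avira's `EXP/YY-NNNN` names encode `CVE-20YY-NNNN` (an assumption based on the names in the log, not something the page states), the report excerpt is constructed, and the "exploit kit like" rule is a hypothetical heuristic.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed excerpt in the layout of the Avira report above. The user name,
# cache file name, second file and class names are made up; only the detection
# name format mirrors the real log.
SAMPLE_REPORT = r"""Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\user\Local Settings\Temp\jar_cache1234567890123456789.tmp
[0] Archive type: ZIP
--> Etui.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.OpenS.V Java virus
--> xxx.class
[DETECTION] Contains recognition pattern of the EXP/12-0507.W.1 exploit
--> ulk.class
[DETECTION] Contains recognition pattern of the EXP/11-3544.CR.2 exploit
--> ovm.class
[DETECTION] Contains recognition pattern of the EXP/11-3544.DY.1 exploit
C:\Documents and Settings\user\My Documents\invoice.pdf.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan

Beginning disinfection:
C:\Documents and Settings\user\Local Settings\Temp\jar_cache1234567890123456789.tmp
[DETECTION] Contains recognition pattern of the EXP/11-3544.DY.1 exploit
[NOTE] The file was moved to the quarantine directory under the name '00000000.qua'.
"""

PATH_RE = re.compile(r'^[A-Za-z]:\\')
MEMBER_RE = re.compile(r'^--> (.+)$')
DETECTION_RE = re.compile(r'^\[DETECTION\] .*?\b([A-Z]+/[A-Za-z0-9.\-]+)')
# Assumption: Avira's EXP/YY-NNNN names encode CVE-20YY-NNNN.
EXP_RE = re.compile(r'^EXP/(\d{2})-(\d{4,})')


def cve_from_name(name: str) -> Optional[str]:
    """Map an EXP/YY-NNNN detection name to a CVE id; None for non-exploit names."""
    m = EXP_RE.match(name)
    return f'CVE-20{m.group(1)}-{m.group(2)}' if m else None


def parse_avira_report(text: str) -> List[Dict[str, Optional[str]]]:
    """One record per [DETECTION] line of the file-scan section, tied to its file and archive member."""
    findings = []
    current_file = current_member = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('Beginning disinfection'):
            break                                   # the disinfection section repeats the hits
        if PATH_RE.match(line):
            current_file, current_member = line, None
            continue
        m = MEMBER_RE.match(line)
        if m:
            current_member = m.group(1)
            continue
        m = DETECTION_RE.match(line)
        if m and current_file:
            findings.append({'file': current_file, 'member': current_member,
                             'name': m.group(1), 'cve': cve_from_name(m.group(1))})
    return findings


def summarize(findings: List[Dict[str, Optional[str]]]) -> Dict[str, dict]:
    """Per file: hit count, distinct CVEs, whether it is a Java plug-in cache temp file, and a kit flag."""
    by_file = defaultdict(list)
    for f in findings:
        by_file[f['file']].append(f)
    summary = {}
    for path, hits in by_file.items():
        cves = sorted({h['cve'] for h in hits if h['cve']})
        in_java_cache = '\\temp\\jar_cache' in path.lower()
        summary[path] = {
            'hits': len(hits),
            'cves': cves,
            'java_cache': in_java_cache,
            # Hypothetical heuristic: a cached applet jar that bundles exploits for two or
            # more distinct CVEs is treated as an exploit-kit payload, not a stray file.
            'exploit_kit_like': in_java_cache and len(cves) >= 2,
        }
    return summary


if __name__ == '__main__':
    for path, info in summarize(parse_avira_report(SAMPLE_REPORT)).items():
        print(path, info)
```

Feed it the saved report text (`parse_avira_report(open(report_path).read())`); the CVE list per archive is what to compare against the JRE version that was installed when the page was loaded, since the exploits only matter on a JRE that still has those bugs.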

#8 Broni


Posted 22 April 2012 - 02:06 PM

Clear Java cache as described here: http://support.f-secure.com/enu/home/virusproblem/howtoclean/cleanjavacache.shtml



#9 Arrrggghhhhh


Posted 22 April 2012 - 05:07 PM

checked... and empty

#10 Broni


Posted 22 April 2012 - 05:09 PM

Run TFC.



#11 Arrrggghhhhh


Posted 22 April 2012 - 05:41 PM

and done...



Aside: Do you recommend Avira or Avast?

I have used Avira for a few years now, but now I question its effectiveness. Thoughts?

And again... thanks for your time. You guys are amazing!

#12 Broni


Posted 22 April 2012 - 05:45 PM

You're very welcome.

Avira is a good program but I don't recommend it anymore since they force you to install Ask Toolbar.
