
Suspected Rootkit Installed, Computer Compromised through RDP


14 replies to this topic

#1 WonderCody

WonderCody

  • Members
  • 25 posts

Posted 31 May 2012 - 09:04 AM

This computer had had RDP access open to the Internet for some time and a bot recently cracked the Administrator password and successfully logged in. RDP access was disabled about 12 hours after the first successful login, but I'm almost certain there are now new or pre-existing viruses on the computer, and a quick scan with Spybot Search & Destroy showed a suspected "system service that has been identified as a threat" with the displayed name "!!!!" and the registry key "hide_evr2".

Thank you in advance for your time and assistance!


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11
Run by Chaplain Dave at 18:18:42 on 2012-05-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1233 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\afasrv32.exe
C:\WINDOWS\system32\astsrv.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\USIM Editor\iconcs1548416203.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Ocloud\Mail Direct\MADY.exe
C:\Program Files\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.azhomeless.org/
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office14\GROOVEEX.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Mail Direct] "c:\program files\ocloud\mail direct\MADY.exe"
uRun: [Google Update] "c:\documents and settings\chaplain dave\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [AdobeBridge]
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [PeachtreePrefetcher.exe] "c:\progra~1\peacht~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [USBestCR] c:\program files\usim editor\iconcs1548416203.exe RunFromReg
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [<NO NAME>]
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\chapla~1\startm~1\programs\startup\everno~1.lnk - c:\program files\evernote\evernote\EvernoteClipper.exe
IE: Add to Evernote 4.0 - c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: azhomeless.org\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.0.6.2.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 204.130.255.3 209.63.0.6
TCP: Interfaces\{9CC922CD-25D0-4BA8-94A4-CC2418C8E6E4} : DhcpNameServer = 204.130.255.3 209.63.0.6
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\chaplain dave\application data\mozilla\firefox\profiles\wsb1xpqj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.azhomeless.org/
FF - prefs.js: network.proxy.ftp - :0
FF - prefs.js: network.proxy.http - :0
FF - prefs.js: network.proxy.socks - :0
FF - prefs.js: network.proxy.ssl - :0
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\chaplain dave\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\micros~4\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\acrobat 10.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
.
============= SERVICES / DRIVERS ===============
.
R2 AfaService;Afa Card Reader Service;c:\windows\system32\afasrv32.exe [2010-11-2 65536]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\pervasive software\psql\bin\w3dbsmgr.exe [2007-9-5 455968]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2008-1-25 25088]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-29 257696]
S3 MHIKEY10;MHIKEY10;c:\windows\system32\drivers\MHIKEY10.sys [2010-11-2 51072]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-2 129976]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S4 hide_evr2;!!!!;\??\c:\windows\hide_evr2.sys --> c:\windows\hide_evr2.sys [?]
.
=============== Created Last 30 ================
.
2012-05-30 01:08:04 -------- d-----w- c:\documents and settings\chaplain dave\application data\Malwarebytes
2012-05-30 01:06:22 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-30 00:59:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-05-30 00:59:48 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-05-29 23:36:04 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-05-29 23:36:01 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-29 23:36:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-29 23:23:36 -------- d-----w- c:\program files\WinDirStat
2012-05-02 21:20:25 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-02 21:20:20 157352 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-05-02 21:20:20 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
.
==================== Find3M ====================
.
2012-05-30 01:08:32 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-23 15:14:48 1409 ----a-w- c:\windows\QTFont.for
2012-03-01 01:25:04 832512 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 01:25:03 78336 ----a-w- c:\windows\system32\ieencode.dll
2012-03-01 01:25:03 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2012-03-01 01:25:03 17408 ----a-w- c:\windows\system32\corpol.dll
2011-07-05 16:17:01 58370688 ----a-w- c:\program files\Evernote_4.4.2.4912.exe
2011-06-30 15:42:37 58366592 ----a-w- c:\program files\Evernote_4.4.1.4892.exe
2011-06-29 17:10:04 23434568 ----a-w- c:\program files\winzip155.exe
2011-06-28 23:27:23 163547792 ----a-w- c:\program files\InDesignFamily_7_5_Content_ALL.exe
2011-06-28 23:12:47 126085712 ----a-w- c:\program files\Illustrator_15_1_Content_LS1.exe
2011-06-28 22:00:19 1228624 ----a-w- c:\program files\DesignPremium_CS5_5_LS1.exe
2011-06-28 21:58:02 184214800 ----a-w- c:\program files\WebPremium_DesignPremium_CS5_5_Content_ALL.exe
2010-01-26 20:46:11 16616176 ----a-w- c:\program files\Bejeweled2Setup.exe
2008-02-08 16:34:09 32279040 ----a-w- c:\program files\dell_support_center.msi
2005-11-18 22:36:18 4126240 ----a-w- c:\program files\picasa2-current.exe
.
============= FINISH: 18:19:35.13 ===============


#2 WonderCody

WonderCody
  • Topic Starter

  • Members
  • 25 posts

Posted 01 June 2012 - 08:31 PM

Sorry, I do not mean to bump this topic, but I don't seem to be able to edit my original post.

I have since run Spybot Search & Destroy and a full scan with Malwarebytes Anti-Malware and removed all threats detected by both scans. I then ran another Spybot scan in safe mode, which found no threats.

I will not have access to the Internet from June 3 through June 9, but despite my inevitable lack of response, I am still seeking assistance on this issue.

Thank you in advance!

#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 June 2012 - 08:52 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

hide_evr2 is a remnant service. The file is missing. Not causing any problems.

This will remove the entry in the registry.

Please run Notepad and copy the following text into a new file:

sc config hide_evr2 start= disabled
sc stop hide_evr2
sc delete hide_evr2


Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files". Locate remove.bat on the Desktop and double-click on it to run it. A DOS box will open and close, that is normal.
If any errors are encountered, please post them.
When done you can delete the remove.bat file.

p.s. On a Vista/Windows7 Operating System run the remove.bat file as Administrator.

Restart the computer normally.
===

Third party programs if not up to date can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please let me know if the problem persists.
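The reply above spots the orphaned entry by reading the DDS "SERVICES / DRIVERS" section: the hide_evr2 line carries "--> path [?]" instead of a "[date size]" stamp, meaning DDS could not find the driver file, and its display name "!!!!" is not a real product name. The following is an added example, not part of the thread or of the DDS tool, that parses lines in that format, flags entries whose file is missing or whose display name has no readable text, and emits the same three sc commands the batch file uses for a confirmed orphan. The regex and the heuristics are my own assumptions about the DDS line layout, based only on the lines shown in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# One line of the DDS "SERVICES / DRIVERS" section looks like
#   R2 AfaService;Afa Card Reader Service;c:\windows\system32\afasrv32.exe [2010-11-2 65536]
#   S4 hide_evr2;!!!!;\??\c:\windows\hide_evr2.sys --> c:\windows\hide_evr2.sys [?]
# Fields (assumed from the thread's log): state/start code, service name, display
# name, image path, then either a "[date size]" stamp for a file DDS found on disk,
# or "--> resolved path [?]" when it did not.
DDS_SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s*(?:-->\s*(?P<resolved>.*?)\s*)?\[(?P<stamp>[^\]]*)\]\s*$"
)


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    path: str
    file_missing: bool


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Parse the service/driver lines of a DDS log; lines in any other format are skipped."""
    entries = []
    for line in text.splitlines():
        m = DDS_SERVICE_RE.match(line.strip())
        if not m:
            continue
        # A "[?]" stamp or a "-->" resolved path both mean DDS found no file behind the entry.
        missing = m.group("stamp").strip() == "?" or m.group("resolved") is not None
        entries.append(ServiceEntry(m.group("state"), m.group("name"),
                                    m.group("display"), m.group("path"), missing))
    return entries


def flag_entries(entries: List[ServiceEntry]) -> List[Tuple[ServiceEntry, List[str]]]:
    """Return the entries worth a closer look, each with the reasons it was flagged."""
    flagged = []
    for e in entries:
        reasons = []
        if e.file_missing:
            reasons.append("image file missing: orphaned registry entry")
        if not any(ch.isalnum() for ch in e.display):
            reasons.append("display name has no readable text")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def removal_batch(service_name: str) -> List[str]:
    """The three sc commands from the thread, for an entry whose file is confirmed gone."""
    return [
        f"sc config {service_name} start= disabled",
        f"sc stop {service_name}",
        f"sc delete {service_name}",
    ]


# Constructed sample input in DDS format (three lines modelled on the thread's log).
SAMPLE_DDS = r"""
R2 AfaService;Afa Card Reader Service;c:\windows\system32\afasrv32.exe [2010-11-2 65536]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-2 129976]
S4 hide_evr2;!!!!;\??\c:\windows\hide_evr2.sys --> c:\windows\hide_evr2.sys [?]
"""

if __name__ == "__main__":
    for entry, reasons in flag_entries(parse_dds_services(SAMPLE_DDS)):
        print(f"{entry.state} {entry.name} ({entry.display!r}): {'; '.join(reasons)}")
        if entry.file_missing:
            print("\n".join("    " + cmd for cmd in removal_batch(entry.name)))
```

Run it against a DDS log pasted into SAMPLE_DDS; only entries with a missing file get the removal commands, since deleting a service whose file is still present needs the file examined first.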

#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 10 June 2012 - 09:23 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 June 2012 - 01:34 PM

Topic reopened.

#6 WonderCody

WonderCody
  • Topic Starter

  • Members
  • 25 posts

Posted 13 June 2012 - 07:53 PM

I got the error message "The specified service does not exist as an installed service." but I believe this is because the service was already removed by the Spybot S&D scan.

checkup.txt:

Results of screen317's Security Check version 0.99.41
Windows XP Service Pack 3 x86
Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.61.0.1400
Java™ 6 Update 17
Java™ 6 Update 5
Java™ 6 Update 7
Java 2 Runtime Environment, SE v1.4.2_06
Java version out of date!
Adobe Flash Player 11.2.202.235
Adobe Reader 8 Adobe Reader out of date!
Mozilla Firefox (13.0)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 14% Defragment your hard drive soon!
````````````````````End of Log``````````````````````

#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 June 2012 - 08:33 AM

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 17
Java™ 6 Update 5
Java™ 6 Update 7
Java 2 Runtime Environment, SE v1.4.2_06


===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Include in your download"; this is not required. While the installation is in progress, you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
===

This may take a while. Do it when you will not be using the computer for a few hours.
Total Fragmentation on Drive C:: 14% Defragment your hard drive soon!
===

Any other issues with this computer?

#8 WonderCody

WonderCody
  • Topic Starter

  • Members
  • 25 posts

Posted 14 June 2012 - 11:25 AM

Alright, I've performed all of those steps now. I don't notice any other obvious symptoms, but is there another scan of some sort that we can run to verify that the system is clean?

Many thanks!

#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 June 2012 - 01:01 PM

Try this.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


#10 WonderCody

WonderCody
  • Topic Starter

  • Members
  • 25 posts

Posted 16 June 2012 - 02:29 PM

I'm afraid I won't be able to complete these steps until Monday evening, but I will follow them as soon as possible then. Thank you again for your help and patience!

#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 June 2012 - 12:54 PM

Are you still with me?

#12 WonderCody

WonderCody
  • Topic Starter

  • Members
  • 25 posts

Posted 22 June 2012 - 02:26 PM

Yes, my sincere apologies! I neglected to collect the log file, but the scan came up clean and reported no infected files.

Are there any additional steps that need to be followed?

#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 June 2012 - 07:09 AM

Not unless you have issues with this computer.

When all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

#14 WonderCody

WonderCody
  • Topic Starter

  • Members
  • 25 posts

Posted 24 June 2012 - 01:27 PM

Those steps have been carried out. Many thanks once again!

#15 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 June 2012 - 08:42 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
