Unsolved
December 10th, 2010 19:00
just in time debugging pop up and IE browser redirects
JIT pops up continuously. Browser redirects to random sites and porn. Any help would be greatly appreciated.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:54:02 PM, on 12/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17080)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\stacsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\LANDesk\LDCLient\localsch.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDCLient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDCLient\issuser.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
C:\Program Files\LANDesk\LDCLient\antivirus\avservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\LANDesk\LDCLient\softmon.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\LANDesk\LDCLient\antivirus\kavehost.exe
C:\PROGRA~1\LANDesk\LDCLient\rcgui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Activ Software\Activdriver\ActivControl2.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\LANDesk\LDCLient\antivirus\LDav.exe
C:\Program Files\DellTPad\HidFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Activ Software\Activdriver\activmgr.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\MICROS~1\VS7DEBUG\vs7jit.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fultonschools.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [ActivControl] C:\Program Files\Activ Software\Activdriver\ActivControl2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Sprint SmartView] "C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe" -a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LANDesk Antivirus] "C:\Program Files\LANDesk\LDCLient\antivirus\LDav.exe" /systray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [D-Link Network USB Utility] C:\Program Files\D-Link\SharePort\SharePort Network USB Utility.exe -mini
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)" -"http://www.shockwave.com/gamelanding/dailymahjong.jsp"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.fcs.org
O15 - Trusted Zone: *.fultonschools.org
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246475086505
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246537486495
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fcs.org
O17 - HKLM\Software\..\Telephony: DomainName = fcs.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fcs.org
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDCLient\localsch.exe
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDCLient\tmcsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDCLient\issuser.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LANDesk Policy Invoker - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
O23 - Service: LANDesk(R) Antivirus (LDAVService) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDCLient\antivirus\avservice.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDCLient\softmon.exe
O23 - Service: Sprint RcAppSvc (SprintRcAppSvc) - PCTEL - C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\stacsv.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 10129 bytes


kevinf80_1d0ac6
December 11th, 2010 03:00
Hello bellus.
I'm kevinf80 and I will be helping with any malware issues you may have with your system.
Please proceed as follows :-
Step 1
If you did not set the proxy, continue with this fix; if it is your own proxy, then ignore it.
Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot
Step 2
Alternative D/L mirror
Alternative D/L mirror
Double Click mbam-setup.exe to install the application.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Step 3
We need to see some additional information about what is happening in your machine.
Please perform the following scan:
2. Attach.txt
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE
What I'd like in your reply:
Kevin
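As an added example (not part of this thread, and not kevinf80's or HijackThis's own code), here is a small Python triage script that applies the check behind Step 1 automatically. It parses the R0/R1 and O4 lines of a HijackThis log, breaks the Internet Settings ProxyServer value into its scheme/host/port parts and flags it when the host is a loopback address, as the http=127.0.0.1:6522 entry in the log above is: with that value set, every HTTP request IE makes is handed to whatever is listening on that local port. It also flags Run entries whose command lives under a temp or Temporary Internet Files path. The sample input is constructed: most lines are copied from the log above, and the [dm6] autorun is hypothetical, modelled on the path MBAM later quarantined.

```python
import re
from ipaddress import ip_address

# Constructed sample input: the R0/R1/O4 lines are copied from the HijackThis
# log in this thread; the final [dm6] autorun is hypothetical, modelled on the
# Temporary Internet Files path MBAM later quarantined, and is not in the log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fultonschools.org/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [dm6] C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\dm6[1].exe
"""

# "R1 - <key> = <value>"  /  "O4 - <hive>\..\Run: [<name>] <command>"
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
AUTORUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
# One element of a ProxyServer value: optional "scheme=" then host[:port];
# the host may be a bracketed IPv6 literal.
PROXY_PART_RE = re.compile(
    r"^(?:(?P<scheme>[a-z]+)=)?(?P<host>\[[^\]]+\]|[^:]+)(?::(?P<port>\d+))?$", re.I
)
# Path fragments a legitimate Run entry almost never points into.
SUSPICIOUS_PATH_MARKERS = ("\\temp\\", "\\temporary internet files\\")


def parse_proxy_server(value):
    """Parse an Internet Settings ProxyServer value into {scheme: (host, port)}.

    Windows accepts either a single "host:port" applied to every protocol
    (recorded here under the scheme "*") or a ';'-separated list of
    "scheme=host:port" entries. Port is None when absent.
    """
    proxies = {}
    for part in (p.strip() for p in value.split(";")):
        m = PROXY_PART_RE.match(part)
        if part and m:
            port = int(m.group("port")) if m.group("port") else None
            proxies[(m.group("scheme") or "*").lower()] = (m.group("host").strip("[]"), port)
    return proxies


def is_loopback_proxy(value):
    """True when any proxy in the value points back at this machine: the
    browser's traffic is then routed through a listener on the local host."""
    for host, _port in parse_proxy_server(value).values():
        if host.lower() == "localhost":
            return True
        try:
            if ip_address(host).is_loopback:
                return True
        except ValueError:  # a hostname rather than an IP literal
            pass
    return False


def triage(log_text):
    """Scan HijackThis log lines; return (severity, reason, line) findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1") and " = " in body:
            key, value = body.split(" = ", 1)
            if key.endswith(",ProxyServer") and is_loopback_proxy(value):
                findings.append(("high", "loopback proxy in Internet Settings: " + value, line))
        elif section == "O4":
            am = AUTORUN_RE.search(body)
            if am and any(mk in am.group("cmd").lower() for mk in SUSPICIOUS_PATH_MARKERS):
                findings.append(("medium", "autorun launched from a temp location: " + am.group("name"), line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Run with no arguments to triage the embedded sample, or feed the text of a saved log to triage(). The script only reports; removing the value is what Step 1 does through HijackThis's Fix checked, and a loopback proxy that nobody on the machine set up deliberately is the thing to remove.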
bellus
December 11th, 2010 05:00
Kevin,
Thanks so much for your help with this. I will be travelling to Alabama today, so if you give me further instructions I will not have access to a computer/internet until later. I appreciate you volunteering to help with this and understand the "real job", family, life thing.
Again, thanks for helping me. This is my wife's computer we are working on, and she routinely visits shockwave dot com and plays their online puzzle games. Do you think that could be where she is getting this from? She is a teacher, and the only email she receives is through the school system servers, which should be secure, I would think. Anyway, your thoughts on this would be appreciated.
Here are the logs.
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org
Database version: 5293
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
12/11/2010 8:23:47 AM
mbam-log-2010-12-11 (08-23-47).txt
Scan type: Quick scan
Objects scanned: 187178
Time elapsed: 10 minute(s), 37 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\Temp\18.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\19.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\1C.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\1D.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\22.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\23.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\26.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\2C.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\6CS4WQRT\dm6[1].exe (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
DDS (Ver_10-12-05.01) - NTFSx86
Run by MaplesL at 8:32:44.89 on Sat 12/11/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2003.1401 [GMT -5:00]
AV: LANDesk Antivirus client *On-access scanning enabled* (Updated) {C386CD1A-44E8-4B9D-885E-4751A79CE5BD}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\stacsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\LANDesk\LDCLient\localsch.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDCLient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDCLient\issuser.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
C:\Program Files\LANDesk\LDCLient\antivirus\avservice.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\LANDesk\LDCLient\softmon.exe
C:\Program Files\LANDesk\LDCLient\antivirus\kavehost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\LANDesk\LDCLient\rcgui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Activ Software\Activdriver\ActivControl2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LANDesk\LDCLient\antivirus\LDav.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Activ Software\Activdriver\activmgr.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\maplesl\Desktop\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://fultonschools.org/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:6522
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)" -"http://www.shockwave.com/gamelanding/dailymahjong.jsp"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [ActivControl] c:\program files\activ software\activdriver\ActivControl2.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LANDesk Antivirus] "c:\program files\landesk\ldclient\antivirus\LDav.exe" /systray
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [D-Link Network USB Utility] c:\program files\d-link\shareport\SharePort Network USB Utility.exe -mini
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: RunLogonScriptSync = 0 (0x0)
mPolicies-system: MaxGPOScriptWait = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: fcs.org
Trusted Zone: fultonschools.org
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/authorware/awswaxd.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246475086505
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246537486495
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-8-5 320400]
R2 CBA8;LANDesk(R) Management Agent;c:\program files\landesk\shared files\residentAgent.exe [2009-11-10 155648]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\landesk\ldclient\policy.client.invoker.exe [2010-8-5 139264]
R2 LDAVService;LANDesk(R) Antivirus;c:\program files\landesk\ldclient\antivirus\AVService.exe [2010-8-5 554688]
R2 Softmon;LANDesk(R) Software Monitoring Service;c:\program files\landesk\ldclient\SoftMon.exe [2010-8-5 385024]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [2008-12-17 55424]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-10-14 112512]
R3 DlinkUDSMBus;UDS Master Bus of Kernel USB Software Bus by TCP;c:\windows\system32\drivers\DlinkUDSMBus.sys [2008-11-11 74624]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-10-14 110080]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [2010-8-5 14336]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [2010-8-5 5120]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [2010-8-5 6144]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [2009-12-11 4352]
S3 ACTIVhidmini;Promethean USB Board Driver;c:\windows\system32\drivers\ACTIVhidmini.sys [2009-12-11 58240]
S3 DlinkUDSTcpBus;DlinkUDSTcpBus;c:\windows\system32\drivers\DlinkUDSTcpBus.sys [2008-11-11 97664]
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2009-7-1 92550]
=============== Created Last 30 ================
2010-12-10 03:43:53 388096 ----a-r- c:\docume~1\maplesl\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-12-10 03:43:52 -------- d-----w- c:\program files\Trend Micro
2010-12-10 03:43:28 1402880 ----a-w- C:\HiJackThis.msi
2010-12-01 00:26:03 -------- d-----w- c:\windows\system32\NtmsData
2010-12-01 00:24:04 -------- d-----w- c:\program files\D-Link
2010-11-28 04:44:58 472808 ----a-w- c:\windows\system32\deployJava1.dll
==================== Find3M ====================
2010-12-11 13:27:52 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-12-11 13:27:51 56680 ----a-w- c:\windows\system32\rpcnet.dll
2010-12-11 13:27:02 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-09-15 07:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST980313AS rev.0003DEM1 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89D51446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89d57504]; MOV EAX, [0x89d57580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89D7EAB8]
3 CLASSPNP[0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89D84BF8]
\Driver\atapi[0x89DA3A08] -> IRP_MJ_CREATE -> 0x89D51446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST980313AS______________________________0003DEM1#5&3975e6b1&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x89D51292
user != kernel MBR !!!
copy of MBR has been found in sector 61 !
copy of MBR has been found in sector 62 !
sectors 156301486 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
============= FINISH: 8:34:16.37 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-12-05.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/9/2009 8:52:18 AM
System Uptime: 12/11/2010 8:26:48 AM (0 hours ago)
Motherboard: Dell Inc. | | 0D695C
Processor: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz | Microprocessor | 777/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 75 GiB total, 47.358 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
No restore point in system.
==== Installed Programs ======================
2007 Microsoft Office Suite Service Pack 2 (SP2)
32 Bit HP CIO Components Installer
Activdriver v5.1.1.25a
ActivInspire v1
Activstudio Docs (USA) v3.7.1
Activstudio Resources (USA) v3.5.1
Adobe Flash Player 10 ActiveX
Adobe Reader 9.4.1
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Display Driver
Bonjour
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
Dell Touchpad
Dell Wireless WLAN Card
Easy Grade Pro
FontasticToo
High Definition Audio Driver Package - KB835221
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB945436)
Hotfix for Windows XP (KB949764)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB958244)
Hotfix for Windows XP (KB958347)
Hotfix for Windows XP (KB959252)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Image Zone 4.0
HP Software Update
Intel(R) Graphics Media Accelerator Driver
iTunes
Java Auto Updater
Java(TM) 6 Update 22
LANDesk Advance Agent
LANDesk(R) Antivirus
LANDesk(R) Common Base Agent 8
LiveUpdate 2.0 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Converter Pack
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Media Content
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
NOOK for PC
OGA Notifier 2.0.0048.0
Overland
Photo Story 3 for Windows
Photosmart 320,370,7400,8100,8400 Series
PowerDVD
PS8100
PSPrinters06
QFolder
QuickTime
RealPlayer
Sagent Browser Controls
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office Outlook 2007 (KB2288953)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
SharePort Network USB Utility
Spelling Dictionaries Support For Adobe Reader 9
Sprint SmartView
TrayApp
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Outlook 2007 Junk Email Filter (KB974810)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB958752)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VoiceOver Kit
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
==== Event Viewer Messages From Past Week ========
12/9/2010 9:14:44 AM, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.
12/9/2010 9:10:52 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.
12/9/2010 9:10:17 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the HidServ service.
12/9/2010 9:09:17 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the BITS service.
12/9/2010 9:08:47 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the AudioSrv service.
12/9/2010 8:58:47 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the SENS service.
12/9/2010 8:58:17 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Schedule service.
12/9/2010 8:57:55 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the RasMan service.
12/9/2010 8:57:17 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the wuauserv service.
12/9/2010 8:56:48 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the W32Time service.
12/9/2010 10:39:58 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/7/2010 7:41:42 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
12/7/2010 7:41:40 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
12/7/2010 6:23:42 PM, error: ialm [43] - The system sleep operation failed
12/6/2010 7:21:39 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: No such service is known. The service cannot be found in the specified name space. (0x8007277C)
12/6/2010 7:20:46 AM, error: Dhcp [1002] - The IP address lease 192.168.0.195 for the Network Card with network address 904CE512EDB4 has been denied by the DHCP server 10.200.10.68 (The DHCP Server sent a DHCPNACK message).
12/6/2010 10:40:23 PM, error: NETLOGON [5719] - No Domain Controller is available for domain FCBOE due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
12/10/2010 12:47:29 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: agp440 IntelIde
12/10/2010 12:01:21 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the SharedAccess service.
==== End Of File ===========================
bellus
6 Posts
0
December 11th, 2010 08:00
Not aware what the proxy is, I removed it as per your recommendations; should I remove it again?
kevinf80_1d0ac6
2 Intern
•
1.1K Posts
0
December 11th, 2010 08:00
Step 1
We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
Combofix
Don't forget ComboFix must be saved to your desktop. <--Very important
Before you save Combofix to your Desktop rename it to Gotcha.exe as follows:
Ensure you have disabled your Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important
Please include the C:\ComboFix.txt in your next reply for further review.
Examples of how to disable realtime protection available at the following link :-
Disable realtime protection
Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.
*EXTRA NOTES*
Kevin
kevinf80_1d0ac6
2 Intern
•
1.1K Posts
0
December 11th, 2010 12:00
Check for proxy server settings in your browser, the following are the most common used.
Internet Explorer:
Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server" and check "Automatically detect settings". OK, Apply (only if applicable), OK.
Firefox:
Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.
Chrome:
Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings", then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.
Safari
Continue with Combofix as instructed......
Kevin
bellus
6 Posts
0
December 12th, 2010 07:00
Kevin,
Got ComboFix run. She has the LANDesk security suite on her machine. I went Control Panel/Admin Tools/Services and stopped all LANDesk applications. When ComboFix started it said the LANDesk antivirus was still running. I double checked and it was stopped, so I ran ComboFix. Here is the log. Thanks,
Jim
ComboFix 10-12-11.06 - MaplesL 12/12/2010 10:27:56.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2003.1486 [GMT -5:00]
Running from: c:\documents and settings\maplesl\Desktop\gotcha.exe
AV: LANDesk Antivirus client *Disabled/Updated* {C386CD1A-44E8-4B9D-885E-4751A79CE5BD}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\maplesl\Application Data\completescan
c:\documents and settings\maplesl\Application Data\install
c:\windows\system32\Temp
c:\windows\system32\Temp\JoinDomain.vbs
c:\windows\system32\Temp\RenameMachine.vbs
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
Infected copy of c:\windows\system32\autochk.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\autochk.exe
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-11-12 to 2010-12-12 )))))))))))))))))))))))))))))))
.
2010-12-10 03:43 . 2010-12-10 03:43 388096 ------r- c:\documents and settings\maplesl\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-10 03:43 . 2010-12-10 03:43 -------- d-----w- c:\program files\Trend Micro
2010-12-10 03:43 . 2010-12-10 03:43 1402880 ----a-w- C:\HiJackThis.msi
2010-12-01 00:26 . 2010-12-11 16:36 -------- d-----w- c:\windows\system32\NtmsData
2010-12-01 00:24 . 2010-12-01 00:24 -------- d-----w- c:\program files\D-Link
2010-12-01 00:04 . 2010-12-01 00:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-28 04:45 . 2010-11-28 04:45 -------- d-----w- c:\program files\Common Files\Java
2010-11-28 04:44 . 2010-09-15 09:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-28 04:40 . 2010-11-28 04:41 -------- d-----w- c:\program files\Common Files\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-12 15:39 . 2009-10-15 12:58 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-12-12 15:39 . 2009-10-14 15:12 56680 ----a-w- c:\windows\system32\rpcnet.dll
2010-12-12 15:23 . 2009-10-15 12:58 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-11-29 22:42 . 2010-08-08 14:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 22:42 . 2010-08-08 14:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-15 07:29 . 2009-07-02 13:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-15 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-15 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-15 150040]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-12-21 200704]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-12-16 729088]
"ActivControl"="c:\program files\Activ Software\Activdriver\ActivControl2.exe" [2009-01-20 1074688]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 172032]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2006-01-07 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2006-01-07 659456]
"Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2008-08-04 18968]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-13 198160]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"LANDesk Antivirus"="c:\program files\LANDesk\LDCLient\antivirus\LDav.exe" [2010-05-08 958464]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"D-Link Network USB Utility"="c:\program files\D-Link\SharePort\SharePort Network USB Utility.exe" [2008-12-26 2605312]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\digital imaging\bin\hpqtra08.exe [2004-5-28 241664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1828855972-353634999-1236795852-14205\Scripts\Logon\0\0]
"Script"=\\fcs.org\NETLOGON\BScripts\SAPverify.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1828855972-353634999-1236795852-14205\Scripts\Logon\1\0]
"Script"=PowerConfig.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1828855972-353634999-1236795852-14205\Scripts\Logon\2\0]
"Script"=LScript1.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1828855972-353634999-1236795852-6723\Scripts\Logon\0\0]
"Script"=\\fcs.org\SysVol\fcs.org\scripts\BloodHound\bhound.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1828855972-353634999-1236795852-6723\Scripts\Logon\1\0]
"Script"=LScript1.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1828855972-353634999-1236795852-6723\Scripts\Logon\2\0]
"Script"=\\fcs.org\NETLOGON\BScripts\SAPverify.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1828855972-353634999-1236795852-81838\Scripts\Logon\0\0]
"Script"=PowerConfig.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1828855972-353634999-1236795852-81838\Scripts\Logon\1\0]
"Script"=LScript1.cmd
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\msgsys.exe"=
"c:\\Program Files\\LANDesk\\LDCLient\\tmcsvc.exe"=
"c:\\WINDOWS\\system32\\CBA\\pds.exe"=
"c:\\Program Files\\D-Link\\SharePort\\SharePort Network USB Utility.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9535:UDP"= 9535:UDP:LANDesk(R) Remote Control Agent UDP Port
"9535:TCP"= 9535:TCP:LANDesk(R) Remote Control Agent TCP Port
"67:UDP"= 67:UDP:LANDesk(R) PXE UDP Port
"67:TCP"= 67:TCP:LANDesk(R) PXE TCP Port
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"138:UDP"= 138:UDP:@xpsp2res.dll,-22002
"137:UDP"= 137:UDP:@xpsp2res.dll,-22001
"9303:UDP"= 9303:UDP:SharePort Network USB Utility UDP Port
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R2 CBA8;LANDesk(R) Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [11/10/2009 12:32 PM 155648]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [8/5/2010 10:23 AM 139264]
R2 LDAVService;LANDesk(R) Antivirus;c:\program files\LANDesk\LDClient\Antivirus\AVService.exe [8/5/2010 10:23 AM 554688]
R2 Softmon;LANDesk(R) Software Monitoring Service;c:\program files\LANDesk\LDClient\SoftMon.exe [8/5/2010 10:23 AM 385024]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [12/17/2008 9:42 AM 55424]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [10/14/2009 11:39 AM 112512]
R3 DlinkUDSMBus;UDS Master Bus of Kernel USB Software Bus by TCP;c:\windows\system32\drivers\DlinkUDSMBus.sys [11/11/2008 3:01 PM 74624]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [10/14/2009 11:40 AM 110080]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [8/5/2010 10:23 AM 14336]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [8/5/2010 10:23 AM 5120]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [8/5/2010 10:23 AM 6144]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [12/11/2009 1:53 PM 4352]
S3 ACTIVhidmini;Promethean USB Board Driver;c:\windows\system32\drivers\ACTIVhidmini.sys [12/11/2009 1:53 PM 58240]
S3 DlinkUDSTcpBus;DlinkUDSTcpBus;c:\windows\system32\drivers\DlinkUDSTcpBus.sys [11/11/2008 3:01 PM 97664]
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [7/1/2009 1:50 PM 92550]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2010-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
2010-12-11 c:\windows\Tasks\HP Usg Daily FY04.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2010-01-03 05:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://fultonschools.org/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: fcs.org
Trusted Zone: fultonschools.org
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-12 10:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(920)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3704)
c:\windows\system32\WININET.dll
c:\documents and settings\All Users\Application Data\ACTIV Software\ActivApplications\ActivFocusHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\drivers\audio\stacsv.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LANDesk\LDCLient\localsch.exe
c:\windows\system32\CBA\pds.exe
c:\program files\LANDesk\LDCLient\tmcsvc.exe
c:\progra~1\LANDesk\LDCLient\issuser.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\LANDesk\LDClient\collector.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\rpcnet.exe
c:\program files\LANDesk\LDCLient\antivirus\kavehost.exe
c:\progra~1\LANDesk\LDCLient\rcgui.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\IDT\WDM\sttray.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\Activ Software\Activdriver\activmgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2010-12-12 10:47:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-12 15:46
Pre-Run: 52,693,983,232 bytes free
Post-Run: 54,365,167,616 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - F65FE77BDBCDDB72675D8E6A90E906E9
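Jim's ComboFix log above carries the findings a defender would pull out on a first read: the At*.job tasks and the TDL4 bootkit under Other Deletions, EnableFirewall=0 and NoAutoUpdate=1 under Reg Loading Points, and RDP/SMB entries under GloballyOpenPorts. The following Python is an added example, not ComboFix's code or anything posted in the thread: it parses a log in that layout and returns those findings, and the embedded sample text is constructed from the format of the posted log.

```python
"""Triage of a ComboFix-style log (added example; not ComboFix's own code).

Parses the "(((( Title ))))" sections, the REGEDIT4-style key/value lines
under "Reg Loading Points", and the "Other Deletions" list, then returns
the settings and artefacts a defender would want to review.
"""
import re

# Constructed sample in the layout of the posted log (assumption: ComboFix
# keeps this section/key/value layout; values copied from the thread's log).
SAMPLE_LOG = r"""
((((((((((((( Other Deletions )))))))))))))
.
c:\windows\system32\Temp\JoinDomain.vbs
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At24.job
Infected copy of c:\windows\system32\autochk.exe was found and disinfected
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((( Reg Loading Points )))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9535:UDP"= 9535:UDP:LANDesk(R) Remote Control Agent UDP Port
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")   # (((( Title ))))
KEY_RE = re.compile(r"^\[(.+)\]$")                # [HKLM\...]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')     # "Name"= value

# Ports whose unrestricted inbound exposure deserves a second look.
RISKY_PORTS = {3389: "RDP", 445: "SMB", 139: "NetBIOS session",
               137: "NetBIOS name", 138: "NetBIOS datagram"}


def split_sections(text):
    """Return {section_title: [content lines]}, dropping the '.' spacer lines."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections


def parse_reg_points(lines):
    """Return {key_path: {value_name: value_text}} from REGEDIT4-style lines."""
    reg, key = {}, None
    for line in lines:
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            reg.setdefault(key, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            reg[key][vm.group(1)] = vm.group(2).strip()
    return reg


def triage(text):
    """Return a list of human-readable findings for a ComboFix-style log."""
    findings = []
    sections = split_sections(text)

    deletions = sections.get("Other Deletions", [])
    at_jobs = [l for l in deletions if re.search(r"\\Tasks\\At\d+\.job$", l, re.I)]
    if at_jobs:
        findings.append(f"{len(at_jobs)} At*.job scheduled tasks removed (at.exe-created jobs)")
    for l in deletions:
        if "Bootkit" in l or l.startswith("Infected copy"):
            findings.append(l)

    reg = parse_reg_points(sections.get("Reg Loading Points", []))
    for key, values in reg.items():
        lk = key.lower()
        if lk.endswith("firewallpolicy\\standardprofile") and values.get("EnableFirewall", "").startswith("0"):
            findings.append("Windows Firewall disabled in the standard profile")
        if lk.endswith("windowsupdate\\au") and values.get("NoAutoUpdate", "").startswith("1"):
            findings.append("Automatic Updates disabled by policy")
        if lk.endswith("globallyopenports\\list"):
            for name in values:
                port, _, proto = name.partition(":")
                if port.isdigit() and int(port) in RISKY_PORTS:
                    findings.append(f"Inbound {proto} port {port} listed in GloballyOpenPorts ({RISKY_PORTS[int(port)]})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```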
kevinf80_1d0ac6
2 Intern
•
1.1K Posts
0
December 12th, 2010 09:00
Combofix has done a good job for us, need to see if any remnants lurking in the background.
Run the following scans please :-
Run ESET Online Scan
You can refer to this animation by neomage if needed.
Frequently asked questions available Here Please read them before running the scan.
Also be aware this scan can take several hours to complete depending on the size of your
system.
Next,
Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Post the logs from ESET and Security Checks in your reply, also give update, improvements? issues?
Kevin
bellus
6 Posts
0
December 12th, 2010 11:00
Kevin,
Computer is much faster, no more JIT pop ups...still appears that we have some issues after doing the eset scan. I think it found 14 or so issues.
But overall lots lots better. No more browser redirects either.
C:\Documents and Settings\maplesl\Application Data\Sun\Java\Deployment\cache\6.0\1\4303e9c1-344f062c multiple threats
C:\Documents and Settings\maplesl\Application Data\Sun\Java\Deployment\cache\6.0\18\6bd08ed2-5a09e9d3 multiple threats
C:\Documents and Settings\maplesl\Application Data\Sun\Java\Deployment\cache\6.0\20\2ee45794-6a0d6207 multiple threats
C:\Documents and Settings\maplesl\Application Data\Sun\Java\Deployment\cache\6.0\23\26a2f957-3df316fe multiple threats
C:\Documents and Settings\maplesl\Application Data\Sun\Java\Deployment\cache\6.0\28\11d5729c-6411daaa multiple threats
C:\Documents and Settings\maplesl\Application Data\Sun\Java\Deployment\cache\6.0\54\168b2d76-155648bf multiple threats
C:\Documents and Settings\maplesl\Application Data\Sun\Java\Deployment\cache\6.0\60\7aedc63c-708e4db7 multiple threats
C:\Documents and Settings\maplesl\Application Data\Sun\Java\Deployment\cache\6.0\8\60babc48-5f713896 multiple threats
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\10\4c562fca-159e2c6d a variant of Java/TrojanDownloader.OpenStream.NAS trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\17\47b9e491-2fb61afb a variant of Java/TrojanDownloader.OpenStream.NAS trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\37\5faa3ea5-199c0dcb multiple threats
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\50\170b44f2-6bf08302 multiple threats
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\58\2606caba-4039aa48 multiple threats
C:\Qoobox\Quarantine\MBR_HardDisk0.mbr Win32/Olmarik.ADA trojan
Results of screen317's Security Check version 0.99.6
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Security Center service is not running! This report may not be accurate!
Thanks
kevinf80_1d0ac6
2 Intern
•
1.1K Posts
0
December 12th, 2010 14:00
Absolutely nothing to worry us in that ESET log, PROCEED AS FOLLOWS PLEASE :-
Step 1
Remove Combofix now that we're done with it
The above procedure will delete the following:
Step 2
Step 3
Remove the ESET Online Scanner components from your computer, start the Add or Remove Programs applet from Control Panel, select the ESET Online Scanner entry and click Remove. The uninstall will happen very quickly, only re-boot if requested.
Step 4
It is very important to empty the Java cache, as you will have seen from the ESET log most of the issues were there, follow the instructions Here make sure you complete them all.
Step 5
Download and scan with CCleaner
1. Use either one of the two free links below the Premium version.
2. Before first use, select Options > Advanced and UNCHECK " Only delete files in Windows Temp folder older than 24 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
In the Applications Tab:
4. Click the " Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click " OK" and it will scan and clean your system.
7. Click " exit" when done.
Let me know if the above steps completed OK, especially the Combofix /Uninstall command <--- Very important because of the extra functions completed at the same time. Also let me know if there are any remaining issues or concerns.
bellus
6 Posts
0
December 12th, 2010 16:00
Completed everything, ComboFix uninstalled OK. Updated to IE8. I think we are running good. Thanks so much for all your help.
Jim
kevinf80_1d0ac6
2 Intern
•
1.1K Posts
0
December 13th, 2010 00:00
Apologies for getting your name wrong in my last reply. Thanks for letting me know the outcome. Your latest logs are clean and you say your system is running well, that is excellent.
Here are some tips to reduce the potential for malware infection in the future:
Make proper use of your antivirus and firewall
Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware; if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features; make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.
You should keep your antivirus and firewall guard enabled at all times, NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.
Install and use WinPatrol. This will inform you of any attempted unauthorized changes to your system.
WinPatrol features explained Here
You will have several programs installed; these may be outdated and vulnerable to exploits also. To be certain, please run the free online scan by Secunia, available Here. Before clicking the Start scan button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing....
...when the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.
Use a safer web browser
Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:
Firefox,
Opera, and
Chrome.
All of these are excellent, faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial HERE which will help you to make IE MUCH safer.
These browser add-ons will help to make your browser safer:
Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:
Available for Firefox and Internet Explorer.
Green to go,
Yellow for caution, and
Red to stop.
Available for Firefox only. NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.
These are just a couple of the most popular add-ons, if you're interested in more, take a look at THIS article.
Here are a couple of links by two security experts that will give some excellent tips and advice.
So how did I get infected in the first place by Tony Klein
How to prevent Malware by Miekiemoes
Finally this link HERE will give a comprehensive up to date list of free Security programs. To include - Antivirus, Antispyware, Firewall, Antimalware, Online scanners and rescue CDs.
Let me know if you have any remaining issues or questions. Don't forget, the best form of defense is common sense. If you don't recognize it, don't open it. If something looks too good to be true, then it ain't.
Kevin