
Thread: "File Loader", loader.exe/smss.exe, iexplore.exe, and Volume Control bugs.

  1. #41 Emeritus- Malware Team

    Okay no problem. We'll keep the thread open for you.
    IndiGenus

  2. #42 Member

    Yikes, that was a commitment. The final Kaspersky scan covered more than 300K files and took almost 12 hours total. Here is that log, though.

    Kaspersky Log
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Friday, July 16, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Thursday, July 15, 2010 16:43:23
    Records in database: 4223335
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\
    L:\
    M:\
    N:\

    Scan statistics:
    Objects scanned: 300941
    Threats found: 20
    Infected objects found: 22
    Suspicious objects found: 0
    Scan duration: 11:39:42


    File name / Threat / Threats count
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\43F6283A.wmf Infected: Trojan-Downloader.Win32.Agent.acd 1
    C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\49\3bbfbd71-7d48124c Infected: Trojan-Downloader.Java.Agent.y 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0147962.exe Infected: Trojan-Downloader.Win32.Agent.dilc 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148008.exe Infected: Trojan-Downloader.Win32.Agent.doag 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148051.exe Infected: Trojan-Downloader.Win32.Agent.cflj 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148056.exe Infected: Trojan-Downloader.Win32.Agent.dobj 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148078.exe Infected: Trojan-Downloader.Win32.Agent.dhbh 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148097.exe Infected: Trojan-Downloader.Win32.Agent.eawr 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148107.exe Infected: Trojan-Downloader.Win32.Agent.doag 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148154.exe Infected: Trojan-Downloader.Win32.Agent.eacj 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148186.exe Infected: Trojan-Downloader.Win32.Agent.eawo 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148196.exe Infected: Trojan-Downloader.Win32.Agent.ddfc 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148201.exe Infected: Trojan-Downloader.Win32.Agent.dilc 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148213.exe Infected: Trojan-Downloader.Win32.Agent.czat 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148222.exe Infected: Trojan-Downloader.Win32.Agent.dsyq 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148229.exe Infected: Trojan-Downloader.Win32.Agent.bmad 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148254.exe Infected: Trojan-Downloader.Win32.Agent.dkcc 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148263.exe Infected: Trojan-Clicker.Win32.VBiframe.js 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148277.exe Infected: Trojan-Downloader.Win32.Agent.dlqa 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148298.exe Infected: Trojan-Downloader.Win32.Agent.dxrd 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0148304.exe Infected: Trojan-Downloader.Win32.Agent.eaus 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1347\A0149180.com Infected: Trojan-Dropper.Win32.Delf.fqn 1

    Selected area has been scanned.

    --------------------------------------------------

    Ad-Aware AdWatch is currently telling me that SecurityCheck.exe is Trojan.Win32.Generic!BT - is it safe to run if I disable my antivirus program(s)?
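As an added example (not the poster's or IndiGenus's code), here is a Python triage of a Kaspersky Online Scanner report in the format posted above. It sorts each detection by where the file lives, which is the first thing to check before panicking over "22 infected objects": 20 of the hits sit under System Volume Information\_restore{...} (dormant copies in restore points RP1345 and RP1347), one is in an old Norton quarantine folder, and one is in the Java applet cache, and none of those is a running infection. The bucket names, the action text beside each bucket and the final sample line (a made-up entry so the "active" bucket is exercised) are my assumptions, not from the page.

```python
import re
from collections import Counter

# Constructed sample in the format of the Kaspersky Online Scanner 7.0 report
# above. The first four detections are copied from the posted log; the last
# line is a made-up entry (not from the page) so the "active" bucket is exercised.
SAMPLE_REPORT = r"""File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\43F6283A.wmf Infected: Trojan-Downloader.Win32.Agent.acd 1
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\49\3bbfbd71-7d48124c Infected: Trojan-Downloader.Java.Agent.y 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1345\A0147962.exe Infected: Trojan-Downloader.Win32.Agent.dilc 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1347\A0149180.com Infected: Trojan-Dropper.Win32.Delf.fqn 1
C:\WINDOWS\system32\constructed-example.dll Infected: Constructed.Example.Detection 1

Selected area has been scanned.
"""

# One detection per line: "<path> Infected: <threat> <count>" (Kaspersky also
# emits "Suspicious:" lines when "Suspicious objects found" is non-zero).
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<status>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)
# Pulls the RPnnnn folder name out of a System Restore path.
RESTORE_POINT_RE = re.compile(r"\\_restore\{[0-9a-f-]+\}\\(?P<rp>RP\d+)\\", re.IGNORECASE)

# Path patterns checked in order against the lower-cased path; first match wins.
# Bucket names and action text are my own labels, not the scanner's or the thread's.
BUCKETS = [
    ("restore_point", r"\\system volume information\\_restore\{",
     "dormant copy inside a restore point; gone once System Restore is reset"),
    ("av_quarantine", r"\\quarantine\\",
     "already neutralised by another scanner; delete the stale quarantine folder"),
    ("java_cache", r"\\sun\\java\\deployment\\cache\\",
     "cached applet; clear the Java cache and update the JRE"),
    ("browser_cache", r"\\temporary internet files\\",
     "cached download; clear the browser's temporary files"),
]


def parse_report(text):
    """Return one dict per detection line in a Kaspersky Online Scanner report."""
    entries = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            entries.append({
                "path": m.group("path"),
                "status": m.group("status"),
                "threat": m.group("threat"),
                "count": int(m.group("count")),
            })
    return entries


def classify(path):
    """Map a detection path to a triage bucket; 'active' means it needs a real look."""
    p = path.lower()
    for name, pattern, _action in BUCKETS:
        if re.search(pattern, p):
            return name
    return "active"


def restore_points(entries):
    """Names of the restore points (RPnnnn) that hold detections."""
    rps = set()
    for e in entries:
        m = RESTORE_POINT_RE.search(e["path"])
        if m:
            rps.add(m.group("rp"))
    return rps


def triage(text):
    """Per-bucket counts plus the entries that are not explained by a cache/quarantine/restore point."""
    entries = parse_report(text)
    counts = Counter(classify(e["path"]) for e in entries)
    active = [e for e in entries if classify(e["path"]) == "active"]
    return counts, active


if __name__ == "__main__":
    counts, active = triage(SAMPLE_REPORT)
    for name, _pattern, action in BUCKETS:
        print(f"{name:14} {counts.get(name, 0):3}  {action}")
    print(f"{'active':14} {counts.get('active', 0):3}  outside any known cache: inspect by hand")
    for e in active:
        print("   ", e["threat"], e["path"])
    print("restore points holding detections:", sorted(restore_points(parse_report(SAMPLE_REPORT))))
```

Run against the full log above, every entry lands in the restore_point, av_quarantine or java_cache bucket and the active list is empty, which is why the advice in the thread is to reset System Restore, delete the old Symantec folder and update Java rather than to hunt for a live infection.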

  3. #43 Emeritus- Malware Team

    Ad-Aware AdWatch is currently telling me that SecurityCheck.exe is Trojan.Win32.Generic!BT - is it safe to run if I disable my antivirus program(s)?
    Yes, that's a false positive. You shouldn't need to disable anything else, just AdWatch. I'll get back to you on the items Kaspersky found.
    IndiGenus

  4. #44 Emeritus- Malware Team

    Uninstall Combofix
    • Click START then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

    The above procedure will:
    • Delete the following: ComboFix and its associated files and folders.
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.


    ++++++++++++++++++++++++++

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6.
    • Scroll down to where it says "Java Runtime Environment (JRE) 6u20 allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.


    On this one, it looks like you had Norton AV at one time?

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\43F6283A.wmf Infected: Trojan-Downloader.Win32.Agent.acd 1

    You can delete the folder:

    C:\Documents and Settings\All Users\Application Data\Symantec

    Once you post the security check log we'll see if there's anything else that needs doing.
    IndiGenus

  5. #45 Member

    ComboFix is now gone, Java has been updated, and the Symantec folder has been deleted. A long LONG time ago I had a Norton AV/PC Suite program but I uninstalled it when my subscription ran out. I found it weird that it STILL showed up as "Firewall" in those early reports I posted.

    Security Check Log
    Results of screen317's Security Check version 0.99.4
    Windows XP Service Pack 2
    Out of date service pack!!
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    Avira AntiVir Personal - Free Antivirus
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Ad-Aware
    Malwarebytes' Anti-Malware
    HijackThis 2.0.2
    Java(TM) 6 Update 21
    Out of date Java installed!
    Adobe Flash Player 9 (Out of date Flash Player installed!)
    Adobe Flash Player 10.0.42.34
    Adobe Reader 7.0
    Out of date Adobe Reader installed!
    Mozilla Firefox (3.5.10) Firefox Out of Date!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Ad-Aware AAWService.exe
    Ad-Aware AAWTray.exe
    Avira Antivir avgnt.exe
    Avira Antivir avguard.exe
    ````````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````


    Looks like a lot of red, but I JUST updated Java?

  6. #46 Emeritus- Malware Team

    Yes, Java is up to date, must be a bug.

    The rest do need updating. Let me know if you need help with that.

    So you do not have any Norton products on here any more? If so you should probably run the removal tool.

    http://service1.symantec.com/support...05033108162039

    Let me know how you make out and if you have any other questions.
    IndiGenus

  7. #47 Member

    Quote Originally Posted by IndiGenus:
    Yes, Java is up to date, must be a bug.

    The rest do need updating. Let me know if you need help with that.

    So you do not have any Norton products on here any more? If so you should probably run the removal tool.

    http://service1.symantec.com/support...05033108162039

    Let me know how you make out and if you have any other questions.
    I skipped over the Java thing since that appears to be a blip, but I have upgraded to Service Pack 3 and updated Adobe Reader and Firefox to the newest editions.

    I noticed on the Flash Player thing, though, that both 9 AND 10 show up in that list, and 10 is the newest I believe, so would it be safe to uninstall Version 9?

    Also in regards to the Symantec program - I purchased this computer back in 2006 and Norton was the first antivirus I had... I honestly have NO idea what the exact version/suite I bought was called.

  8. #48 Emeritus- Malware Team

    I noticed on the Flash Player thing, though, that both 9 AND 10 show up in that list, and 10 is the newest I believe, so would it be safe to uninstall Version 9?
    Yes, you can remove 9.

    Also in regards to the Symantec program - I purchased this computer back in 2006 and Norton was the first antivirus I had... I honestly have NO idea what the exact version/suite I bought was called.
    Probably you would use this one:

    http://www.symantec.com/norton/suppo...080828154508EN
    IndiGenus

  9. #49 Member

    Alright, Flash Version 9 has been uninstalled and I've run the Symantec Removal Tool.

  10. #50 Emeritus- Malware Team

    Good enough. Just some final words of "wisdom" then.

    Now that you are clean please take some time to read through TonyKlein's So how did I get infected in the first place?
    IndiGenus
