
Thread: Video and power management issues

  1. #11
    Member
    Join Date
    Feb 2009
    Posts
    42

    ESET scan log

    Hello,

    Computer has been running pretty well. Power management elements are now working; video window issue also seems to have resolved. Java is where I have been having some problems before - what do I do about the threats listed below?

    C:\Documents and Settings\James Collins\Application Data\Sun\Java\Deployment\cache\6.0\10\69f70b4a-54532d0c multiple threats
    C:\Documents and Settings\James Collins\Application Data\Sun\Java\Deployment\cache\6.0\28\2172b79c-147ef176 a variant of Java/TrojanDownloader.OpenStream.NAY trojan


    Thanks,
    Jim C

  2. #12
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Good Morning Jim,

    Those entries are in your Java Cache. Run ATF Cleaner again and make sure Java Cache is checked.

    Then, to make sure:
    1. Click Start > Settings > Control Panel.
    2. Double-click the Java Plug-in icon in the control panel.
    3. Click the Cache tab.
    4. Click Clear. A confirmation dialog box appears.
    5. Click Yes to confirm.
    6. Click Apply.




    You need to enable Windows to show all files and folders, instructions Here

    Go to VirusTotal and submit this file for analysis. Just use the browse feature and then Send File; you will get a report back. Post the report into this thread for me to see. If the site says this file has been checked before, have them check it again.

    c:\windows\System32\drivers\goyxxt.sys <--This file, but it may be gone

    If the site is busy you can try this one
    http://virusscan.jotti.org/en






    Download the GMER Rootkit Scanner. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
    • Double click GMER.exe.
    • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
    • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
    • Save the log where you can easily find it, such as your desktop.
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

    Please copy and paste the report into your Post.
    Last edited by ken545; 2011-01-30 at 13:45.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #13
    Member
    Join Date
    Feb 2009
    Posts
    42

    Can't find Java plug-in icon

    Hello,

    I ran the ATF Cleaner again (Java Cache was checked).

    I am having trouble following the next steps. When I click Start, I don't have a Settings option. I do have a Control Panel option at Start, but I don't think it is the same Control Panel that you are referencing (this is the Control Panel that has Appearance and Themes, Network and Internet Connections, Add or Remove Programs, Performance and Maintenance, etc.).

    I did follow the steps to show all files and folders, thinking that might help, but I still can't seem to find the Java Plug-in icon in the control panel.

    Please advise.

    thank you,
    Jim C

  4. #14
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    That's the one, Jim,

    I need to fix my reply
    Should be
    1. Click Start > Control Panel.

    You're in Category view in the Control Panel; switch to Classic View (you can do this up at the top left).

  5. #15
    Member
    Join Date
    Feb 2009
    Posts
    42

    Rootkit scan

    Hello,

    I found the Java Cache - thanks. I did need to empty it that way.

    Here is the GMER scan

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-01-31 07:57:01
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST325082 rev.3.AD
    Running: gmer.exe; Driver: C:\DOCUME~1\JAMESC~1\LOCALS~1\Temp\pxloapod.sys


    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9D120E0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9D120F4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9D12120]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9D12176]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9D120CC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9D120A4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9D120B8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9D1210A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9D1214C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9D12136]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9D121A0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9D1218C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9D12160]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\iastor \Device\Ide\iaStor0 sdcplh.sys
    Device \Driver\iastor \Device\Ide\IAAStorageDevice-0 sdcplh.sys
    Device \Driver\iastor \Device\Ide\IAAStorageDevice-1 sdcplh.sys

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----

  6. #16
    Member
    Join Date
    Feb 2009
    Posts
    42

    VirusTotal

    I forgot to add, I did try the VirusTotal scan too, but the noted file was not there.

    Thanks again.

  7. #17
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    OK, GMER looks ok.

    Things running ok?

  8. #18
    Member
    Join Date
    Feb 2009
    Posts
    42

    Yes, it does seem much better; as noted above, the original issues seem to have resolved.

    thank you for your assistance,

    Jim C.
    Last edited by tashi; 2011-02-07 at 21:55. Reason: Date of archive

  9. #19
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    You're welcome, Jim.

    Open OTL and click on Clean Up and it will remove programs we used to clean your system along with their backups.

    Safe Surfn
    Ken
