
Thread: "Security Shield was installed successfully" Huh?

  1. #11
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Hi MTnestRobin,

    Yes, allow it to reboot. OTL should open and the log should appear after the reboot. If the log doesn't appear you can find it at C:\_OTL\Moved Files. It will be named something like 02032012_042020.log
    Member of UNITE and ASAP

  2. #12
    Member
    Join Date
    Mar 2006
    Location
    USA
    Posts
    50

    Hi Oldman960,

    Here is the OTL:

    All processes killed
    ========== SERVICES/DRIVERS ==========
    ========== FILES ==========
    C:\Documents and Settings\Robin\Local Settings\Application Data\jvlogkoegl.exe moved successfully.
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Documents and Settings\Robin\Desktop\cmd.bat deleted successfully.
    C:\Documents and Settings\Robin\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Robin
    ->Temp folder emptied: 19238274 bytes
    ->Temporary Internet Files folder emptied: 129557443 bytes
    ->Java cache emptied: 14392343 bytes
    ->FireFox cache emptied: 52282279 bytes
    ->Flash cache emptied: 2093568 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 10748 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1055201 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 61178054 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 1514460527 bytes

    Total Files Cleaned = 1,711.00 mb

    Restore point Set: OTL Restore Point (0)

    OTL by OldTimer - Version 3.2.31.0 log created on 02032012_190222

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...

    ***********************************************

    And here is the MBAM:

    Malwarebytes Anti-Malware (Trial) 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.04.03

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Robin :: ROBINSNETBOOK [administrator]

    Protection: Enabled

    2/4/2012 11:13:06 AM
    mbam-log-2012-02-04 (11-13-06).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 167881
    Time elapsed: 8 minute(s), 22 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 1
    HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

  3. #13
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Hi MTnestRobin,

    Everything looks good so far. Any problems?
    Member of UNITE and ASAP

  4. #14
    Member
    Join Date
    Mar 2006
    Location
    USA
    Posts
    50

    Hi Oldman960,

    Everything seems to be normal to me...meaning nothing blatantly obvious, and everything is smooth! Wow, you made it seem so ...easy! Is that it?

    Robin

  5. #15
    Member
    Join Date
    Mar 2006
    Location
    USA
    Posts
    50

    Hi Oldman960,

    Maybe I 'spoke' too soon. While most everything seems to be normal, I just noticed that I don't have an AVG icon in the 'tray??' by the clock anymore. When I click on the icon on the desktop I get the same message I had in the beginning when the problem started [AVG failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.]. Strangely, after one of the fixes, I remember it (AVG) updating itself.

    Should I just uninstall and reinstall? And if so, is AVG the best for the job or should I choose another like Avast or Antivir?

    Robin

  6. #16
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Hi MTnestRobin,

    Sorry I thought I had replied earlier.


    Let's give this tool a run. Since AVG seems to be damaged you may as well uninstall it before running the tool. We will reinstall it or another one after we are sure there isn't anything left.

    Without an active antivirus program please limit the internet activity with this computer to downloading tools and posting in this thread.


    Please read through these instructions to familiarize yourself with what to expect when this tool runs.


    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


    Please post back with the combofix log.
    Member of UNITE and ASAP

  7. #17
    Member
    Join Date
    Mar 2006
    Location
    USA
    Posts
    50

    Hi Oldman960,

    Here is the ComboFix log:

    ComboFix 12-02-05.02 - Robin 02/05/2012 15:12:22.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.471 [GMT -5:00]
    Running from: c:\documents and settings\Robin\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\PowerToyReadme.htm
    c:\windows\system32\Thumbs.db
    .
    Infected copy of c:\windows\system32\d3d8.dll was found and disinfected
    Restored copy from - c:\windows\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\d3d8.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-05 to 2012-02-05 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-04 16:09 . 2012-02-04 16:09 -------- d-----w- c:\documents and settings\Robin\Application Data\Malwarebytes
    2012-02-04 16:09 . 2012-02-04 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-02-04 16:09 . 2012-02-04 16:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-04 16:09 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-04 00:02 . 2012-02-04 00:02 -------- d-----w- C:\_OTL
    2012-02-03 23:58 . 2012-02-03 23:58 -------- d-----w- c:\program files\Common Files\Java
    2012-01-27 03:18 . 2012-01-27 03:19 -------- d-----w- c:\program files\ERUNT
    2012-01-24 16:54 . 2012-01-24 16:54 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
    2012-01-24 16:54 . 2012-01-24 16:54 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
    2012-01-24 16:54 . 2012-01-24 16:54 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
    2012-01-24 16:54 . 2012-01-24 16:54 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
    2012-01-18 19:19 . 2012-01-18 19:19 -------- d-----w- c:\documents and settings\Robin\Application Data\OverDrive
    2012-01-18 19:18 . 2012-01-18 19:18 -------- d-----w- c:\program files\OverDrive Media Console
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-25 21:57 . 2009-04-28 04:51 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:25 . 2009-04-28 04:51 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 12:35 . 2009-04-28 04:51 60416 ----a-w- c:\windows\system32\packager.exe
    2011-11-16 14:21 . 2009-04-28 04:51 354816 ----a-w- c:\windows\system32\winhttp.dll
    2011-11-16 14:21 . 2009-04-28 04:51 152064 ----a-w- c:\windows\system32\schannel.dll
    2011-11-10 10:54 . 2010-08-21 05:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-11-10 08:27 . 2010-04-26 06:09 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-04-26 05:50 . 2010-04-26 05:50 5254656 ----a-w- c:\program files\converter.exe
    2012-01-24 16:54 . 2011-12-10 02:28 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Robin\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Robin\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Robin\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Robin\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
    "AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-16 630784]
    "AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]
    "AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-04-16 118784]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]
    "SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-03-06 79144]
    "LXBUCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll" [2004-09-10 69632]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    .
    c:\documents and settings\Robin\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ SuperHybridEngine.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ SuperHybridEngine.lnk
    backup=c:\windows\pss\ SuperHybridEngine.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Robin^Start Menu^Programs^Startup^Dropbox.lnk]
    path=c:\documents and settings\Robin\Start Menu\Programs\Startup\Dropbox.lnk
    backup=c:\windows\pss\Dropbox.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    2005-09-09 05:18 57344 ----a-w- c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2007-10-10 23:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2011-09-27 12:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eee Docking]
    2009-05-08 14:42 395776 ----a-w- c:\program files\ASUS\Eee Docking\Eee Docking.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
    2004-09-17 13:24 61440 ----a-w- c:\program files\Lexmark 6200 Series\ezprint.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    2003-12-22 12:38 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2007-12-19 15:08 135168 ----a-w- c:\windows\system32\igfxtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    2008-04-14 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-11-13 05:24 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxbumon.exe]
    2004-09-22 10:43 188416 ----a-w- c:\program files\Lexmark 6200 Series\lxbumon.exE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    2008-04-14 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    2007-12-19 15:07 131072 ----a-w- c:\windows\system32\igfxpers.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-09-08 16:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2009-04-27 21:08 17881088 ----a-w- c:\windows\RTHDCPL.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2011-06-09 18:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\lxbucoms.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Documents and Settings\\Robin\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
    .
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/4/2012 11:09 AM 652360]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/4/2012 11:09 AM 20464]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/5/2009 11:00 AM 1684736]
    S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [4/27/2009 8:59 PM 38912]
    S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [5/5/2009 12:16 PM 232872]
    S3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [3/16/2009 4:27 PM 39040]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-02-05 c:\windows\Tasks\User_Feed_Synchronization-{C1482AEE-FC7E-4A82-BD0A-2B591FC95935}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://my.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    FF - ProfilePath - c:\documents and settings\Robin\Application Data\Mozilla\Firefox\Profiles\50spamrh.default\
    FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/|http://www.facebook.com/home.php?
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-MsnMsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
    AddRemove-AudibleManager - c:\documents and settings\Robin\My Documents\Audible\Bin\Upgrade.exe
    AddRemove-WinZip - c:\program files\WinZip\WINZIP32.EXE
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-02-05 15:20
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXBUCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1511041104-3879260708-71502492-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:13,ba,4f,04,1e,d7,d5,3f,63,a4,c0,05,86,72,23,ba,6c,28,d1,e8,86,2d,3c,
    f7,70,48,2e,8f,cb,27,1b,8f,d3,25,fa,39,b5,f0,ea,36,36,6a,c2,9a,03,a7,fa,cf,\
    "??"=hex:33,a2,92,ba,44,d1,1d,12,98,06,30,04,7f,5d,44,bb
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2856)
    c:\windows\system32\WININET.dll
    c:\documents and settings\Robin\Application Data\Dropbox\bin\DropboxExt.14.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\IEFRAME.dll
    c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
    c:\windows\system32\mshtml.dll
    c:\windows\system32\msls31.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\system32\igfxext.exe
    .
    **************************************************************************
    .
    Completion time: 2012-02-05 15:24:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-02-05 20:24
    .
    Pre-Run: 43,585,724,416 bytes free
    Post-Run: 43,532,959,744 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 998FF166F89B22EA3D6B3E44B83BC42D

    Robin
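The ComboFix log above is read by eye in the thread: the helper looks for a patched system file (the d3d8.dll line), a disabled firewall profile ("EnableFirewall"= 0), and autostart entries that point into a user's temp or local application data folders (where jvlogkoegl.exe lived). The PowerShell below is an added example, not code from the thread or from the ComboFix author; it applies those same three checks to a ComboFix-style log. The sample log text is constructed from lines quoted in the thread, and the "updater" Run entry in it is invented for the demonstration.

```powershell
# Added example, not part of the thread: a small triage helper that reads a
# ComboFix-style log and flags the items a helper looks at first. The sample
# log below is constructed from lines quoted in the thread; the "updater" Run
# entry is invented for the demonstration.
$SampleLog = @'
Infected copy of c:\windows\system32\d3d8.dll was found and disinfected
Restored copy from - c:\windows\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\d3d8.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"updater"="c:\documents and settings\Robin\Local Settings\Application Data\jvlogkoegl.exe" [2012-02-01 118784]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
'@

function Invoke-ComboFixTriage {
    param([Parameter(Mandatory)][string]$LogText)

    # Executables started from a user's Temp or Local Settings\Application Data
    # are uncommon for legitimate autostarts and are exactly where the thread's
    # dropper (jvlogkoegl.exe) was found.
    $userWritable = '\\(Local Settings\\Application Data|Local Settings\\Temp|Temp)\\[^\\]+\.(exe|dll|scr|com)$'

    foreach ($line in ($LogText -split "`r?`n")) {
        $t = $line.Trim()
        if ($t -match '^Infected copy of (?<file>.+?) was found and disinfected') {
            # ComboFix repaired a system DLL that had been patched by the infection
            [pscustomobject]@{ Severity = 'High'; Category = 'PatchedSystemFile'; Detail = $Matches.file }
        }
        elseif ($t -match '^"EnableFirewall"=\s*0\b') {
            # Windows Firewall standard profile switched off
            [pscustomobject]@{ Severity = 'Medium'; Category = 'FirewallDisabled'; Detail = 'StandardProfile EnableFirewall = 0' }
        }
        elseif ($t -match '^"(?<name>[^"]+)"="(?<path>[^"]+)"') {
            # Save the captures before the next -match overwrites $Matches
            $name = $Matches.name
            $path = $Matches.path
            if ($path -match $userWritable) {
                [pscustomobject]@{ Severity = 'High'; Category = 'AutostartInUserTemp'; Detail = "$name -> $path" }
            }
        }
    }
}

# Run against the constructed sample, or against a real log:
#   Invoke-ComboFixTriage -LogText (Get-Content C:\ComboFix.txt -Raw)
Invoke-ComboFixTriage -LogText $SampleLog | Format-Table Severity, Category, Detail -AutoSize
```

On the sample this reports three findings (the patched d3d8.dll, the disabled firewall, and the "updater" entry); the legitimate hkcmd.exe and mbamgui.exe entries are not flagged because they live under system or Program Files paths. The output is a list of objects, so it can be filtered or exported like any other PowerShell result.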

  8. #18
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Hi MTnestRobin,

    How's the computer now?


    *Note
    It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



    Go here to run an online scanner from
    ESET

    (Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)

    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is Checked.
    • Click Scan.
    • Wait for the scan to finish.
    • When the scan completes, click List of found threats
    • click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
    • Include the contents of this report in your next reply

      Note - when ESET doesn't find any threats, no report will be created.
    • Push the back button.
    • Push Finish
    • Re-enable your Antivirus software.
    Member of UNITE and ASAP

  9. #19
    Member
    Join Date
    Mar 2006
    Location
    USA
    Posts
    50

    Hi Oldman960,

    Nothing noticed, but then I haven't used the computer much for anything but this.

    Here are the results from the online scan:

    C:\Documents and Settings\Robin\My Documents\Downloads\cnet2_AngryBirdsInstaller_1_5_1_exe.exe a variant of Win32/InstallCore.D application
    C:\_OTL\MovedFiles\02032012_190222\C_Documents and Settings\Robin\Local Settings\Application Data\jvlogkoegl.exe a variant of Win32/Kryptik.ZPL trojan

    SOOOO...having read what this scan found, I find myself a little alarmed by it! The word 'trojan' of course caught my eye, but the download for Angry Birds being there too upsets me! I always felt I was safe downloading from Cnet. If I have the Angry Birds installer (setup program) on my thumb drive does that mean I better delete it off there too? Uninstall the program too?

    Robin

  10. #20
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Hi MTnestRobin,

    Don't worry about the Cnet detection. ESET is just warning you about the presence of the downloader used as a potentially unwanted application. The other is already quarantined and was all that remained of the infection. The quarantined file will be removed when the tools are removed.

    From your desktop, please delete, if present
    • any notepads/logs that we created
    • aswMBR.exe
    • RogueKiller


    Next

    Click the Start button, click Run. [Vista users, go Start>"Start search"] Copy and paste the following line into the run box and click OK
    Combofix /uninstall


    Next

    Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.


    I suggest you keep MBAM. Keep it updated and use it regularly.


    Updates and upgrades

    You can either reinstall AVG or one of the other free antivirus programs in the links below:

    Avast
    Help and support can be found here Avast Forum
    AVG
    Help and support can be found here AVG Forum
    Antivir PersonalEditionClassic
    Help and support can be found here Avira Personal Support Forum
    Microsoft Security Essentials
    Support


    Adobe

    You have an older version of Adobe Reader. You can download the current version HERE

    You may want to consider Foxit Reader instead. It may be a bit lighter on resources. If you chose to use Foxit decline the Foxit Toolbar.

    Visit their support forum
    Foxit Forum

    In either case you should uninstall Adobe Reader 8.1.1 first. Be sure to move any PDF documents to another folder first though.


    Some Recommendations and prevention tips

    Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall.

    * If you are behind a router Windows firewall should be fine. Otherwise a 3rd party firewall with outbound monitoring is recommended.

    Click FIREWALL for links and tutorials to good, free and paid for firewalls. (Note: Zone Alarm is becoming bloatware)


    You should also use Spyware Blaster to help immunize your computer.

    - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
    settings that will protect you from running and downloading known malicious programs.

    OR

    A guide to understanding and using the hosts file.

    Learn how your Hosts file can protect you and how you can protect it.
    Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
    HOSTS

    Please read the info on disabling the DNS Client before installing a custom hosts file.



    -Secure your Internet Explorer

    From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


    - Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis.


    - Make sure you have reset Automatic Updates to your chosen option. Click your Start button > Control Panel > System > Automatic Updates tab


    - Keep your antivirus program updated, as well as any other security programs you have.


    -More tips and programs can be found HERE

    Please post back if you have any problems.

    Take care
    Member of UNITE and ASAP
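The advice in the post above boils down to a handful of registry-backed settings: the Security Center notification flags that MBAM repaired (PUM.Disabled.SecurityCenter, UpdatesDisableNotify), the Windows Firewall standard profile that ComboFix showed as "EnableFirewall"= 0, and the six Internet Explorer Internet-zone options the post walks through by hand. The PowerShell below is an added example, not code from the thread, that audits those settings read-only on the local machine and reports any that deviate from what the post recommends. Registry paths and the zone action numbers (1001, 1004, 1201, 1800, 1804, 1607) are the documented Windows/IE locations; the AntiVirusDisableNotify and FirewallDisableNotify values are the siblings of the one MBAM reported and are included on that basis. The expected values encode the post's choices (0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added example, not part of the thread: read-only audit of the settings the
# post above asks the user to fix by hand. Paths are the XP-era registry
# locations; on Vista and later the firewall state is better read with
# Get-NetFirewallProfile, but the IE zone and Security Center keys are the same.
function Test-BasicHardening {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($area, $setting, $actual, $expected) {
        $findings.Add([pscustomobject]@{ Area = $area; Setting = $setting; Actual = $actual; Expected = $expected })
    }

    # Security Center "don't warn me" flags. MBAM flagged UpdatesDisableNotify=1
    # as PUM.Disabled.SecurityCenter; the AV and firewall siblings are checked too.
    $sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    foreach ($name in 'UpdatesDisableNotify', 'AntiVirusDisableNotify', 'FirewallDisableNotify') {
        $v = (Get-ItemProperty -Path $sc -Name $name -ErrorAction SilentlyContinue).$name
        if ($v -eq 1) { Add-Finding 'SecurityCenter' $name $v 0 }
    }

    # Windows Firewall standard profile (ComboFix showed "EnableFirewall"= 0)
    $fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $ef = (Get-ItemProperty -Path $fw -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
    if ($ef -ne 1) { Add-Finding 'Firewall' 'StandardProfile\EnableFirewall' $ef 1 }

    # IE Internet zone (zone 3) URL actions, numbered as they appear under the
    # Zones key. 0 = Enable, 1 = Prompt, 3 = Disable; expected values follow the post.
    $zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $wanted = [ordered]@{
        '1001' = @{ Name = 'Download signed ActiveX controls';                         Value = 1 }
        '1004' = @{ Name = 'Download unsigned ActiveX controls';                       Value = 3 }
        '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
        '1800' = @{ Name = 'Installation of desktop items';                            Value = 1 }
        '1804' = @{ Name = 'Launching programs and files in an IFRAME';                Value = 1 }
        '1607' = @{ Name = 'Navigate sub-frames across different domains';             Value = 1 }
    }
    $props = Get-ItemProperty -Path $zone -ErrorAction SilentlyContinue
    foreach ($id in $wanted.Keys) {
        $actual = if ($props) { $props.$id } else { $null }
        if ($actual -ne $wanted[$id]['Value']) {
            Add-Finding 'IE-InternetZone' "$id ($($wanted[$id]['Name']))" $actual $wanted[$id]['Value']
        }
    }

    return $findings
}

# Print the deviations; an empty table means every checked setting matches the post.
Test-BasicHardening | Format-Table Area, Setting, Actual, Expected -AutoSize
```

The audit only reads; applying the IE changes through the dialog as the post describes, or via Set-ItemProperty on the same value names, is a separate step. A null Actual means the value is absent, which for the firewall and zone entries is reported as a deviation so it is not silently taken for "enabled".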
