Jump to content

Recommended Posts

Today, I found out my computer had malware (Probably from a weird site I went on resulting from an internet search). I have Trend MicroVirus, but it expired 6 months or so ago, so that may be why it didn't detect anything........The way I found out my computer had been infected was, I was using DVD Decrypter to back up a DVD, and it came up with this error message: "The maximum number of secrets that may be stored in a single system has been exceeded"

Pretty odd error message......It comes up when I put a blank DVD in and try to burn a copy. It stays in "Locking volume for exclusive access" mode (Which normally takes less than 2 seconds), and comes up with that error message.......Also, DVD Decrypter now won't recognize the DVD drive unless I first close DVD Decrypter, put in a regular DVD, let a DVD-playing program start to function, close that, then open up DVD Decrypter while the DVD's still in there......Then, DVD Decrypter recognizes the DVD drive, and I can put in a blank, but it still comes up with that error message when I try to make a burn.

So, I did a search online for that error message, and came up with the answer that I most likely have a virus, and saw a suggestion for Malwarebytes.

I downloaded & used Malwarebytes, which showed my computer having 41 infected files, which I deleted via the program.......I then used Dr Web Cure It, which detected 2 more infected files, which I had moved (I don't know where the files got moved to, as I can't find a folder for Dr Web)......Hopefully, that won't be a problem.

I then used Malwarebytes again, a few hours later, just to be safe.......And I used hijackthis.

Not that this is a forum which focuses on DVD programs, but I'm wondering if I may need to replace DVD Decrypter, as it may have been permanently corrupted by a virus. I know it's an old program, but I never cared about that. The program works for me, in that home-recorded DVD's won't burn with DigitalMedia (For whatever reason), so I use DVD Decrypter for home-recorded DVD's.

Back to the virus/malware problem, which is a far more important topic.........I'll paste my first Malwarebytes log, which had the 41-infected files result.......Below that, I'll paste my logs from the second Malwarebytes session, along with the hijackthis logs. I'm probably going to check the computer out 3 times per day, for the rest of the week, in case something else pops up.

1st Malwarebytes log:

Malwarebytes' Anti-Malware 1.39

Database version: 2530

Windows 5.1.2600 Service Pack 2

7/30/2009 11:35:45 AM

mbam-log-2009-07-30 (11-35-45).txt

Scan type: Quick Scan

Objects scanned: 124929

Time elapsed: 12 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 18

Registry Values Infected: 2

Registry Data Items Infected: 2

Folders Infected: 9

Files Infected: 13

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\Interface\{38a7c9da-8db7-4d0f-a7b1-c4b1a305bddb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{8d292ec0-6792-4a38-82ed-73a087e41ba6} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{98635087-3f5d-418f-990c-b1efe0797a3b} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\program files\mywebsearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\program files\mywebsearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\program files\mywebsearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\program files\mywebsearch\SrchAstt (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\program files\mywebsearch\SrchAstt\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\program files\funwebproducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\program files\funwebproducts\screensaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\documents and settings\hp_administrator\local settings\Temp\acromewsxn.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\documents and settings\hp_administrator\local settings\Temp\ceosmranwx.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.

c:\documents and settings\hp_administrator\local settings\Temp\nsacerowxm.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.

c:\documents and settings\hp_administrator\local settings\Temp\onswxcraem.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\documents and settings\hp_administrator\local settings\Temp\UACec4e.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.

c:\program files\mywebsearch\bar\1.bin\F3HTMLMU.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\program files\mywebsearch\bar\1.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\program files\mywebsearch\bar\1.bin\MWSOESTB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\program files\mywebsearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\f3PSSavr.scr (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Malwarebytes log, a few hours later:

Malwarebytes' Anti-Malware 1.39

Database version: 2530

Windows 5.1.2600 Service Pack 2

7/30/2009 4:36:42 PM

mbam-log-2009-07-30 (16-36-41).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 255539

Time elapsed: 42 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:37:03 PM, on 7/30/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe

C:\Program Files\Trend Micro\Antivirus\tmproxy.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Trend Micro\Antivirus\pccguide.exe

C:\Program Files\Trend Micro\Antivirus\PCClient.exe

C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe

C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

C:\Program Files\DISC\DISCover.exe

C:\Program Files\Hewlett-Packard\HP Connections XP\HPConnectionsXP.exe

C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\PROGRA~1\AWS\WEATHE~1\Weather.exe

C:\PROGRA~1\MI3AA1~1\wcescomm.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Palm\Hotsync.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\DISC\DiscStreamHub.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\HP\KBD\KBD.EXE

c:\windows\system\hpsysdrv.exe

C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCAPE.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Microsoft Office\Office12\WINWORD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo!

Link to post
Share on other sites

Sorry for the long delay, if you still need help please let me know

Definitely still need help, just to be sure on my PC's status.

There have still been random odd things going on, such as the computer freezing and having to be rebooted with the files being checked before turning back on. Could've been coincidence, but considering the fact I did have a few different viruses, I'd prefer to be on the safe side.

Link to post
Share on other sites

  • Root Admin

Ok, please run the following scanners and post back the logs.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log

Download
DDS
and save it to your desktop

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Ant-Virus temporarily if needed.

Then double click
dds.scr
to run the tool.

When done, the
DDS.txt
will open.

Click Yes at the next prompt for Optional Scan.
    When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply:
    DDS.txt
    and
    Attach.txt

Link to post
Share on other sites

MBAM log:

Malwarebytes' Anti-Malware 1.40

Database version: 2586

Windows 5.1.2600 Service Pack 2

8/9/2009 1:19:46 PM

mbam-log-2009-08-09 (13-19-46).txt

Scan type: Quick Scan

Objects scanned: 124865

Time elapsed: 20 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS log:

DDS (Ver_09-07-30.01) - NTFSx86

Run by HP_Administrator at 13:21:13.48 on Sun 08/09/2009

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1034 [GMT -5:00]

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Trend Micro\Antivirus\pccguide.exe

C:\Program Files\Trend Micro\Antivirus\PCClient.exe

C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe

C:\Program Files\DISC\DISCover.exe

C:\Program Files\Hewlett-Packard\HP Connections XP\HPConnectionsXP.exe

C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\PROGRA~1\AWS\WEATHE~1\Weather.exe

C:\PROGRA~1\MI3AA1~1\wcescomm.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Palm\Hotsync.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCAPE.EXE

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe

C:\Program Files\Trend Micro\Antivirus\tmproxy.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\DISC\DiscStreamHub.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

C:\HP\KBD\KBD.EXE

c:\windows\system\hpsysdrv.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DESKTOP\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

uURLSearchHooks: Yahoo!

Link to post
Share on other sites

  • Root Admin

Well the current logs don't seem to indicate any infection. You do have a lot of software installed and a bit of security software so it could just be age of the system and multiple apps installed. Unless its happening all the time or there are other indications of infections the system currently looks clean. We can run some deeper scans though if you like, its up to you.

You should remove all of your JAVA and update it though as you can easily get infected with old Java.

STEP 01

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

J2SE Runtime Environment 5.0 Update 10

J2SE Runtime Environment 5.0 Update 11

J2SE Runtime Environment 5.0 Update 6

Java

Link to post
Share on other sites

Please post an update on this.

Thanks.

Thank you.......The Eset scan showed 5 infected files.

Here are the actual log results.

First, the JavaRa log (I'm hoping it's the correct log, I closed it and had to search for it afterwards):

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Tue Aug 11 20:08:50 2009

Found and removed: C:\Program Files\Java\jre1.5.0_06

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\JavaPlugin.150_06

Found and removed: SOFTWARE\Classes\JavaPlugin.150_10

Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0

Found and removed: Software\Classes\JavaPlugin.160_05

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_06\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\

------------------------------------

Finished reporting.

And the Eset log:

ESETSmartInstaller@High as downloader log:

all ok

# version=6

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.5889

# api_version=3.0.2

# EOSSerial=44b3984f30c75247a87ed6949f29a8c3

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-08-12 03:31:24

# local_time=2009-08-11 10:31:24 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 2

# scanned=126070

# found=5

# cleaned=0

# scan_time=4873

C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Citrix\GoToAssist\GoToAssist_phone_application_516_en.exe probably unknown NewHeur_PE virus 00000000000000000000000000000000 I

C:\Program Files\Internet Explorer\msimg32.dll Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I

D:\I386\APPS\APP02017\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I

D:\I386\APPS\APP02017\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I

${Memory} Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I

Link to post
Share on other sites

Forgot to mention, I haven't deleted those 5 infected files yet.......Don't know how or whether I should access the stuff in my D:\ drive, as it's an HP recovery drive and says files shouldn't be deleted or altered due to risk of not being able to do a recovery later. I figured I'd wait on word from you before doing such.

The ${Memory} one looks kind of odd, so I think I'll skip that for that time being, as well.

I could delete the ones in the C:\ drive, but I'll just be safe and wait.

I did another Malwarebytes scan, and nothing bad came up.

Link to post
Share on other sites

Those don't appear to be an issue. The logs look okay.

How is the computer running now?

Are there still any signs of an infection?

You're correct, do not touch the recovery drive.

Seems to be running OK now. If any weird stuff occurs, I'll get back on this thread.

Thank you for all the help.

Link to post
Share on other sites

  • Root Admin

Great, all looks good now.

I'll close your post soon so that other don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Remove all but the most recent Restore Point on Windows XP

You should
Create a New Restore Point
to prevent possible reinfection from an old one.

Some of the malware you picked up could have been saved in System Restore.

Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.

Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to
"roll-back"
to a clean working state.

The easiest and safest way to do this is

:
  • Go to
    Start
    >
    Programs
    >
    Accessories
    >
    System Tools
    and click "
    System Restore
    ".

  • If the shortcut is missing you can also click on
    START
    >
    RUN
    > and type in
    %SystemRoot%\system32\restore\rstrui.exe
    and click OK

  • Choose the radio button marked "
    Create a Restore Point
    " on the first screen then click "
    Next
    ".

  • Give the new Restore Point a name, then click "
    Create
    ".

  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

  • Then use the
    Disk Cleanup
    to remove all but the most recently created Restore Point.

  • Go to
    Start
    >
    Run
    and type:
    Cleanmgr.exe

  • Select the drive where Windows is installed and click "
    Ok
    ". Disk Cleanup will scan your files for several minutes, then open.

  • Click the "
    More Options
    " tab, then click the "
    Clean up
    " button under System Restore.

  • Click Ok. You will be prompted with "
    Are you sure you want to delete all but the most recent restore point?
    "

  • Click
    Yes
    , then click Ok.

  • Click
    Yes
    again when prompted with "
    Are you sure you want to perform these actions?
    "

  • Disk Cleanup will remove the files and close automatically.

  • On the
    Disk Cleanup
    tab, if the
    System Restore: Obsolete Data Stores
    entry is available remove them also.

  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.

selectdrivecleanup.pngselectdrivecleanup1.png

Additional information

Microsoft KB article: How to turn off and turn on System Restore in Windows XP

Bert Kinney's site: All about Windows System Restore

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from here

Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol

Download it from here

Here you can find information about how WinPatrol works here

Install FireTrust SiteHound

You can find information and download it from here

Install hpHosts

Download it from here

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad,

tracking and malicious websites. This prevents your computer from connecting to these untrusted sites

by redirecting them to 127.0.0.1 which is your own local computer.

hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Secunia Software Inspector

F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.

http://www.update.microsoft.com

Note 1: If you are running Windows XP SP2, you should upgrade to SP3.

Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.

I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.