LennyB Posted November 17, 2008 ID:35243 Share Posted November 17, 2008 Hi,I may have a Google redirect virus.Selecting some Google search entries send me to unrelated sites.Ran McAfee VirusScan, it found found Trojan Pdf.php and removed it.I can't connect to Mcafee.com, Malwarebytes.com, Lavasoft.com, Kapersky.com and probably others. in both Firefox and Internet Explorer.My SpybotSD will not run.I downloaded Mbam-setup.exe on another computer, ran it from USB drive on infected PC, nogo. Renamed it and it seemed to install OK but will not run.I uploaded a suspected file to Kapersky.com from another PC, it responded with:"infected by Backdoor.Win32.TDSS.bns"The only thing that seems to run is Hijackthis V1.99.What is my next step? Link to post Share on other sites More sharing options...
JeanInMontana Posted November 17, 2008 ID:35288 Share Posted November 17, 2008 Hi LennyB and welcome to Malwarebytes. Please post a 1.99 HJT log and see if you can get http://www.prevx.com/freescan.asp to run. They are flagging MBAM and the new version of HJT and crippling them. So post me a log of the Prevx and the old HJT unless after Prevx scan you can run the new HJT and MBAM. Understand what I'm saying? If Prevx will run, it's probably going to get rid of enough to run the other stuff. And if D none of the above is the case we can try some other stuff. Link to post Share on other sites More sharing options...
LennyB Posted November 18, 2008 Author ID:35305 Share Posted November 18, 2008 Thanks for you input. I downloaded PrevxCSI 3.0 on this PC then installed it on my infected one and ran it. It found 5 infections, , but when I try to get the license to clean it up, I can't connect to www.prevx.com. It appears to be blocked!I am trying to find out how to get the license using this clean PC, do I have to actually run the program to get the promp to "Get a License" Link to post Share on other sites More sharing options...
LennyB Posted November 18, 2008 Author ID:35371 Share Posted November 18, 2008 Hi again,I've purchased the license for PrevxCSI and cleaned the problems. Am now able to get online to Adaware/Spybot/Mcafee, etc.I updated SpybotSD and ran, and cleaned more.It all appears to be running ok. Do you still recommend that I run Mbam and Hijackthis, and send you the logs?Thanks again,Lenny Link to post Share on other sites More sharing options...
JeanInMontana Posted November 18, 2008 ID:35433 Share Posted November 18, 2008 I didn't recommend you buy anything. I meant the free scan program. I'm sorry I don't ever send people to buy a program, especially when we sell one here. But, I'm glad your running and yes please post the logs so we can see if your fully clean. Link to post Share on other sites More sharing options...
LennyB Posted November 21, 2008 Author ID:35827 Share Posted November 21, 2008 I guess I misunderstood, but when I ran Prevx it found five problems and in order to Clean them Prevx required a license, which I bought.Anyway, it seemed to do the trick. As near as I can tell all problems are gone except, I can't access System Restore. It is turned Off and when I try to turn it back on I get "System Restore encountered an error trying to enable/disable one or more drives. Please Restart your machine and try again". Restarting doesn't help.Here is my HjackThis log, and thanks again for your assistance.Logfile of HijackThis v1.99.1Scan saved at 8:59:07 PM, on 11/20/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Digital Media Reader\shwiconem.exeC:\Program Files\CyberLink\PowerDVD\PDVDServ.exeC:\WINDOWS\SOUNDMAN.EXEC:\Program Files\Microsoft Hardware\Mouse\point32.exeC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exeC:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exeC:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exeC:\Program Files\PrevxCSI\prevxcsi.exeC:\WINDOWS\System32\GEARSec.exeC:\WINDOWS\system32\libusbd-nt.exeC:\Program Files\Common Files\Network Associates\McShield\Mcshield.exeC:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exeC:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exeC:\WINDOWS\system32\UAService7.exeC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exeC:\Program Files\McAfee\McAfee Firewall\CPD.EXEC:\Program Files\McAfee\McAfee Firewall\CPD.EXEC:\Program Files\McAfee\McAfee VirusScan\VsStat.exeC:\Program Files\PrevxCSI\prevxcsi.exeC:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exeC:\Program Files\McAfee\McAfee VirusScan\Avconsol.exeC:\Program Files\Mozilla Firefox\firefox.exeE:\More Programs\Internet Security\HijackThis\HijackThis V1.99.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.turbotax.comO15 - Trusted Zone: http://www.ulead.comO16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.gov.pe.ca/mapguide/viewers/mgaxctrl.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1222527545343O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dllO23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exeO23 - Service: CSIScanner - Unknown owner - C:\Program Files\PrevxCSI\prevxcsi.exe" /service (file missing)O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: LibUsb-Win32 - Daemon, Version 0.1.8.0 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exeO23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exeO23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exeO23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSO23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exeO23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe Link to post Share on other sites More sharing options...
JeanInMontana Posted November 21, 2008 ID:35853 Share Posted November 21, 2008 The link I gave you for Prevx was free. No charge for anything. I have used it myself to see how it worked. Have you tried updating MBAM ? Move HJT to C:\Program Files\HiJack This not any secondary folder it's own folder. Make sure you have your system to show hidden files and folders.Please set your system to show all files; Click Start.Open My Computer.Select the Tools menu and click Folder Options.Select the View Tab.Under the Hidden files and folders heading select Show hidden files and folders.Uncheck the Hide protected operating system files (recommended) option.Click Yes to confirm.Click OK.C:\WINDOWS\System32\GEARSec.exe <====== delete that file. See if you can use MBAM and the current version of HJT. Link to post Share on other sites More sharing options...
LennyB Posted November 21, 2008 Author ID:35917 Share Posted November 21, 2008 I deleted GearSec.exe from C:\Windows\System32, and rebooted.I ran MBAM, full scan, one problem found but I am unsure as to whether this is a real Trojan or a False Positive.A also ran HijackThis V2.02, as it still has a reference to GearSec, should I now use HijackThis to remove it?Malwarebytes' Anti-Malware 1.30Database version: 1410Windows 5.1.2600 Service Pack 211/21/2008 8:34:39 AMmbam-log-2008-11-21 (08-34-30).txtScan type: Full Scan (C:\|)Objects scanned: 125443Time elapsed: 20 minute(s), 29 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\42b3yoju.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll (Trojan.Agent) -> No action taken.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 1:46:21 PM, on 11/21/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Digital Media Reader\shwiconem.exeC:\Program Files\CyberLink\PowerDVD\PDVDServ.exeC:\WINDOWS\SOUNDMAN.EXEC:\Program Files\Microsoft Hardware\Mouse\point32.exeC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exeC:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exeC:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exeC:\Program Files\PrevxCSI\prevxcsi.exeC:\WINDOWS\system32\libusbd-nt.exeC:\Program Files\Common Files\Network Associates\McShield\Mcshield.exeC:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exeC:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exeC:\WINDOWS\system32\UAService7.exeC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exeC:\Program Files\McAfee\McAfee Firewall\CPD.EXEC:\Program Files\McAfee\McAfee Firewall\CPD.EXEC:\Program Files\McAfee\McAfee VirusScan\VsStat.exeC:\Program Files\PrevxCSI\prevxcsi.exeC:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exeC:\Program Files\McAfee\McAfee VirusScan\Avconsol.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.turbotax.comO15 - Trusted Zone: http://www.ulead.comO16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.gov.pe.ca/mapguide/viewers/mgaxctrl.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1222527545343O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exeO23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exeO23 - Service: GEARSecurity - Unknown owner - C:\WINDOWS\System32\GEARSec.exe (file missing)O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: LibUsb-Win32 - Daemon, Version 0.1.8.0 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exeO23 - Service: McAfee Firewall - Network Associates, Inc. - C:\Program Files\McAfee\McAfee Firewall\CPD.EXEO23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exeO23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exeO23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSO23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exeO23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe--End of file - 6173 bytes Link to post Share on other sites More sharing options...
LennyB Posted November 21, 2008 Author ID:35920 Share Posted November 21, 2008 I forgot to mention in my last reply that as near as I can tell everything is working OK except that I can not enable System Restore.I don't know if this problem is related to a Virus, and I am not sure when it first started as I haven't used System Restore in a few months. Link to post Share on other sites More sharing options...
JeanInMontana Posted November 21, 2008 ID:35921 Share Posted November 21, 2008 I need you to update MBAM, run a quick scan, post that log and a log from HJT. Link to post Share on other sites More sharing options...
LennyB Posted November 21, 2008 Author ID:35925 Share Posted November 21, 2008 OK, here they are.Malwarebytes' Anti-Malware 1.30Database version: 1414Windows 5.1.2600 Service Pack 211/21/2008 3:24:21 PMmbam-log-2008-11-21 (15-24-21).txtScan type: Quick ScanObjects scanned: 51442Time elapsed: 3 minute(s), 26 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Logfile of Trend Micro HijackThis v2.0.2Scan saved at 3:24:50 PM, on 11/21/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Digital Media Reader\shwiconem.exeC:\Program Files\CyberLink\PowerDVD\PDVDServ.exeC:\WINDOWS\SOUNDMAN.EXEC:\Program Files\Microsoft Hardware\Mouse\point32.exeC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exeC:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exeC:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exeC:\Program Files\PrevxCSI\prevxcsi.exeC:\WINDOWS\system32\libusbd-nt.exeC:\Program Files\Common Files\Network Associates\McShield\Mcshield.exeC:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exeC:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exeC:\WINDOWS\system32\UAService7.exeC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exeC:\Program Files\McAfee\McAfee Firewall\CPD.EXEC:\Program Files\McAfee\McAfee Firewall\CPD.EXEC:\Program Files\McAfee\McAfee VirusScan\VsStat.exeC:\Program Files\PrevxCSI\prevxcsi.exeC:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exeC:\Program Files\McAfee\McAfee VirusScan\Avconsol.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.turbotax.comO15 - Trusted Zone: http://www.ulead.comO16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.gov.pe.ca/mapguide/viewers/mgaxctrl.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1222527545343O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exeO23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exeO23 - Service: GEARSecurity - Unknown owner - C:\WINDOWS\System32\GEARSec.exe (file missing)O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: LibUsb-Win32 - Daemon, Version 0.1.8.0 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exeO23 - Service: McAfee Firewall - Network Associates, Inc. - C:\Program Files\McAfee\McAfee Firewall\CPD.EXEO23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exeO23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exeO23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSO23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exeO23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe--End of file - 6186 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted November 21, 2008 ID:35955 Share Posted November 21, 2008 Looking good. How are you running? Please run HJT in scan only mode put a check next to the following and then click fix.O23 - Service: GEARSecurity - Unknown owner - C:\WINDOWS\System32\GEARSec.exe (file missing)Now reboot and check for any updates in MBAM, quick scan again, post that log and a new HJT log please. Link to post Share on other sites More sharing options...
LennyB Posted November 21, 2008 Author ID:35971 Share Posted November 21, 2008 I think it is running OK except that I can't enable System restore.I have tried 3 times to Fix the GearSec entry in HijackThis, it comes back after I reboot!Any Ideas? Link to post Share on other sites More sharing options...
JeanInMontana Posted November 22, 2008 ID:36070 Share Posted November 22, 2008 Hi, OK we will need to kill the service in Computer Management. Click on Start===>My Computer==>Right click and choose Manage===>In the list find Services and Applications===> Scroll down until you see GEARSec.exe===> Right click and choose stop Reboot to normal mode. Update MBAM, quick scan, post the log and a new HJT log. Let's see if it's gone. Let me know how your running. Link to post Share on other sites More sharing options...
LennyB Posted November 23, 2008 Author ID:36103 Share Posted November 23, 2008 Ok, I finally got ris of the GearSec entry. I had to put Gearsec.exe back into C:\windows\System32 before I was allowed to select Stop in Services, then I removed it in HijackThis, then deleted it from the C:\windows\System32 folder. Seems to be gone for good.As near I can tell everything is working OK except that I can not enable System Restore.MBAM log and HijackThis log follows:Malwarebytes' Anti-Malware 1.30Database version: 1416Windows 5.1.2600 Service Pack 211/22/2008 8:31:20 PMmbam-log-2008-11-22 (20-31-20).txtScan type: Quick ScanObjects scanned: 51471Time elapsed: 3 minute(s), 28 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:31:45 PM, on 11/22/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Digital Media Reader\shwiconem.exeC:\Program Files\CyberLink\PowerDVD\PDVDServ.exeC:\WINDOWS\SOUNDMAN.EXEC:\Program Files\Microsoft Hardware\Mouse\point32.exeC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exeC:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exeC:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exeC:\Program Files\PrevxCSI\prevxcsi.exeC:\WINDOWS\system32\libusbd-nt.exeC:\Program Files\Common Files\Network Associates\McShield\Mcshield.exeC:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exeC:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exeC:\WINDOWS\system32\UAService7.exeC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exeC:\Program Files\McAfee\McAfee Firewall\CPD.EXEC:\Program Files\McAfee\McAfee Firewall\CPD.EXEC:\Program Files\McAfee\McAfee VirusScan\VsStat.exeC:\Program Files\PrevxCSI\prevxcsi.exeC:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exeC:\Program Files\McAfee\McAfee VirusScan\Avconsol.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\WINDOWS\system32\NOTEPAD.EXEC:\Program Files\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.turbotax.comO15 - Trusted Zone: http://www.ulead.comO16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.gov.pe.ca/mapguide/viewers/mgaxctrl.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1222527545343O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exeO23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: LibUsb-Win32 - Daemon, Version 0.1.8.0 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exeO23 - Service: McAfee Firewall - Network Associates, Inc. - C:\Program Files\McAfee\McAfee Firewall\CPD.EXEO23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exeO23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exeO23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSO23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exeO23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe--End of file - 6179 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted November 24, 2008 ID:36322 Share Posted November 24, 2008 Yay! OK, you should post about the System Restore in PC Help, and see if someone can help there, or do some Google searches.You are running an outdated and unsafe version of Java. You must fix this. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here Java Update and install the correct version for your system. Choose the offline installation.Many infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep MBAM and Spybot Search & Destroy and always immunize SBS&D when you update. You will also need at least one other scanning program Asquared or SuperAntiSpyware are good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use.A firewall and antivirus are also essential. The Windows firewall in XP and Vista is not sufficient.Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.Keep other software known for vulnerabilities updated also. Use the Secunia Inspector free scan to identify risks in outdated versions.SpywareBlaster from Javacool SoftwareWinPatrol by BillPStudios SiteHound by FireTrustRogueRemoverhpHostsThe windows firewall is not sufficient to protect. It doesn't monitor outgoing traffic and this is a must. I use and recommend Online Armor Free Also the full protection of MBAM is offered at a very low price, from the link in my signature. Link to post Share on other sites More sharing options...
LennyB Posted November 25, 2008 Author ID:36397 Share Posted November 25, 2008 Thanks again for your help. I just updated Java and will look into adding more levels of protection.By the way, how strongly do you feel regarding the file Gearsec.exe? I did remove it but I found the following online, regarding Norton Ghost:"The Gearsec.exe (GearSecurity) driver is used by V2i Protector and Drive Image to write to optical drives. V2i Protector gives you the ability to create incremental backup images. Support for creating backup images directly from the Windows operating system. Create backup images directly to CD-R, CD-RW, DVD-R(W), DVD+RW (including spanned sets). Restore backup images directly from CD-R, CD-RW, DVD-R(W), DVD+RW and DVD-RAM, including spanned sets. Full support for saving backup images to USB and FireWire drives. Mounting and dismounting of multiple backup image files directly from Windows Explorer. Export backup image feature lets you combine or create spanned sets." Link to post Share on other sites More sharing options...
1972vet Posted November 30, 2008 ID:37011 Share Posted November 30, 2008 Greetings LennyB,Sorry for the late reply...holiday and all else. I am stepping in for Jean for the moment. With regard to your question:By the way, how strongly do you feel regarding the file Gearsec.exe? I did remove it but I found the following online, regarding Norton Ghost...I should say, the "Gearsec.exe" removal was a mistake in judgment but was undoubtedly mistaken to be part of the W32/Stubbot-B virus. Click the "More Information" tab there and you'll see the gearsec.exe is listed but in a different file path...additionally, the other elements are missing so I can safely say, you don't have this issue.As is typical with a rootkit infection such as what you had, anything is possible and I'm sure this is what she was thinking. You should restore that file using your Symantec product installation CD.Are you still having problems with System Restore? Link to post Share on other sites More sharing options...
1972vet Posted December 5, 2008 ID:38223 Share Posted December 5, 2008 Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you. Link to post Share on other sites More sharing options...
Recommended Posts