Firewall problem
I had a major virus attack last Sunday. My AVG quarantined 18 infections, Ad-aware removed three and Malwarebytes removed a Trojan. Now all three detect [u]no infection[/u], plus I just ran Microsoft system anti-spyware and it detected nothing, BUT my computer Firewall keeps popping off at least once or twice a day. Is this an indication that there is an infection that is not being detected by any of the anti-spyware and virus control?
-
Offhand, I would say something is accessing the internet or your system, depending on how you have your firewall rights set up. Can you tell what's setting off the firewall warning?
-
It might have been my password. It happened when I was logging into my bank and then again when I was logging in here. Not always though. Sometimes it pops off when I'm writing an email. I have the Firewall set to ON and checked "no exceptions" and it still popped off when I logged on here a while ago. I can't think of anything else to check, so will probably have to take it in for repair next week.
-
Can you write the exact message from the firewall here? Then it would be easier to know what's going on.
Which firewall is installed?
-
It's my computer (Microsoft) Firewall. I have it set to "On" all the time (Recommended). The balloon at the bottom right pops up and says "my computer is at risk because the Firewall is off, click balloon to turn back on". Something is turning the Firewall off. I click the balloon and it takes me to the Firewall to turn it back on. I've run AVG, Malwarebytes, Ad-aware, and Microsoft Security and nothing shows a virus. There has to be something left of the viruses (18+) that attacked my computer last Sunday when I clicked on a google link for Roxanne's Glue. I don't know what else to do but take it in for repair.
-
We can check if we can find some more malicious files in the computer. Please, perform steps #1 and #3 on the page [url="http://www.lavasoftsupport.com/index.php?showtopic=13639"]http://www.lavasoftsupport.com/index.php?showtopic=13639[/url] including the posting of the GMER log.
If possible, also post the logs from AVG, Ad-Aware and Malwarebytes' Anti-Malware (MBAM) that show which malicious files were removed.
Save DDS to your desktop: [url="http://download.bleepingcomputer.com/sUBs/dds.scr"]http://download.bleepingcomputer.com/sUBs/dds.scr[/url]
Double-click on the DDS tool to run it.
When finished, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
Save them to your desktop and paste their content into your answer.
-------
I will try to move this thread to forum "Help with Stubborn Infections ...".
-
I'm pretty much a beginner at this. In the erunt folder there is AUTOBACK. Is that the same as Erunt.exe? There is also ERDNT.E_E. I'm not sure what to click on to back up, since nothing is exactly the same as the #1 instructions.
-
FILE CONTENTS REMOVED LAST SUNDAY:
Ad-aware....[i]I don't see the quarantine log[/i]
Malwarebytes...Trojan.Agent Registry Key HKEY_CLASSES_ROOT/D
AVG...
Unable to copy contents of vault.
After looking at the erunt folder contents again I think the erunt.exe must be the same as ERUNT with the icon. ERUNTBACK also has an icon.
-
Very good that you ask when you don't understand :)
Did you download Erunt.zip or Erunt-setup.exe?
I think that Erunt-setup.exe, that is the link "or version with installer", is easier to handle.
Double-click Erunt-setup.exe to install the program and then you should be able to find Erunt.exe in the folder.
If you have Windows Vista or Windows 7 you need to disable UAC before you start Erunt. You find the setting here:
[url="http://www.howtogeek.com/howto/windows-vista/disable-user-account-control-uac-the-easy-way-on-windows-vista/"]http://www.howtogeek.com/howto/windows-vista/disable-user-account-control-uac-the-easy-way-on-windows-vista/[/url]
Enable UAC again when Erunt has finished.
You will find the log from Ad-Aware here:
XP - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
Vista and 7 - C:\ProgramData\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
Attach it to your answer.
Start MBAM and in the tab "Logs" you will find all previous logs. Open the log showing what MBAM removed, copy all content and paste it into your answer.
Open AVG, select History - Scan results. Mark the log from last Sunday and click on "View details". Click on "Export overview to file..." and save the log on your desktop. Attach it to your answer. This is valid for AVG 2011; if you have an earlier version it might be different.
-
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org
Database version: 5273
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
12/12/2010 11:11:40 AM
mbam-log-2010-12-12 (11-11-40).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 254148
Time elapsed: 39 minute(s), 15 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\D (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
[b]FOR AVG
The viruses are there in Event History and Virus Vault but there isn't a "View Details" to click on and no "Export". This is a new hard drive and the AVG was just installed a few days before the virus attack. I can't figure out why I can't export them. There are 18 viruses. [/b]
I copied these by hand out of the Virus Vault.
VIRUS VAULT
C:/PROGRAM FILES/ONLINE SERVICES/PEOPLEPC/ISP5900/BRANDING/PPAL3PPC.EXE
C:/DOCUMENTS AND SETTINGS/HP_ADMINISTRATOR/MY DOCUMENTS/DOWNLODS/SYSTEMPACK107_2209.EXE
C:/DOCUMENTS AND SETTINGS/HP_ADMINISTRATOR/LOCAL SETTINGS/TEMP/XRGLJSR2.EXE.PART
C:/DOCUMENTS AND SETTINGS/HP_ADMINISTRATOR/LOCAL SETTINGS/TEMP/UWP2GIY7.EXE.PART
C:/DOCUMENTS AND SETTINGS/HP_ADMINISTRATOR/LOCAL SETTINGS/TEMP/U9EAATZW.EXE.PART
C:/DOCUMENTS AND SETTINGS/HP_ADMINISTRATOR/LOCAL SETTINGS/TEMP/U6AGDP_M.EXE.PART
C:/DOCUMENTS AND SETTINGS/HP_ADMINISTRATOR/LOCAL SETTINGS/TEMP/RACYJNDY.EXE.PART
C:/DOCUMENTS AND SETTINGS/HP_ADMINISTRATOR/LOCAL SETTINGS/TEMP/QD1_VI0.EXE.PART
C:/DOCUMENTS AND SETTINGS/HP_ADMINISTRATOR/LOCAL SETTINGS/TEMP/OBODZDKC.EXE.PART
C:/DOCUMENTS AND SETTINGS/HP_ADMINISTRATOR/LOCAL SETTINGS/TEMP/GIUZVQXE.EXE.PART
C:/DOCUMENTS AND SETTINGS/HP_ADMINISTRATOR/LOCAL SETTINGS/TEMP/FJFURZFH.EXE.PART
C:/DOCUMENTS AND SETTINGS/HP_ADMINISTRATOR/LOCAL SETTINGS/APPLICATION DATA/MOZILLA/FIREFOX/PROFILES/Y3DZ3Q8V.DEFAULT/CACHE/D405132DD01
C:/DOCUMENTS AND SETTINGS/HP_ADMINISTRATOR/LOCAL SETTINGS/APPLICATION DATA/MOZILLA/FIREFOX/PROFILES/Y3DZ3Q8V.DEFAULT/CACHE/BDD42EF8DO1
C:/DOCUMENTS AND SETTINGS/HP_ADMINISTRATOR/LOCAL SETTINGS/APPLICATION DATA/MOZILLA/FIREFOX/PROFILES/Y3DZ3Q8V.DEFAULT/CACHE/929BFB20D01
C:/DOCUMENTS AND SETTINGS/HP_ADMINISTRATOR/LOCAL SETTINGS/APPLICATION DATA/MOZILLA/FIREFOX/PROFILES/Y3DZ3Q8V.DEFAULT/CACHE/71039C1DD01
C:/DOCUMENTS AND SETTINGS/HP_ADMINISTRATOR/LOCAL SETTINGS/APPLICATION DATA/MOZILLA/FIREFOX/PROFILES/Y3DZ3Q8V.DEFAULT/CACHE/6F1B3F21D01
C:/DOCUMENTS AND SETTINGS/HP_ADMINISTRATOR/LOCAL SETTINGS/APPLICATION DATA/MOZILLA/FIREFOX/PROFILES/Y3DZ3Q8V.DEFAULT/CACHE/35E8FC90D01
C:/DOCUMENTS AND SETTINGS/HP_ADMINISTRATOR/LOCAL SETTINGS/APPLICATION DATA/MOZILLA/FIREFOX/PROFILES/Y3DZ3Q8V.DEFAULT/CACHE/2EA60762D01
C:/DOCUMENTS AND SETTINGS/HP_ADMINISTRATOR/LOCAL SETTINGS/APPLICATION DATA/MOZILLA/FIREFOX/PROFILES/Y3DZ3Q8V.DEFAULT/CACHE/2549C368D01
-
MSG [2644] 2010/12/14 14:25:56: Configure new scan with profile: full
MSG [2644] 2010/12/14 14:25:56: -> scanning critical objects
MSG [2644] 2010/12/14 14:25:56: -> scanning running processes
MSG [2644] 2010/12/14 14:25:56: -> scanning registry
MSG [2644] 2010/12/14 14:25:56: -> scanning lsp
MSG [2644] 2010/12/14 14:25:56: -> scanning ads
MSG [2644] 2010/12/14 14:25:56: -> scanning hosts file
MSG [2644] 2010/12/14 14:25:56: -> scanning mru objects
MSG [2644] 2010/12/14 14:25:56: -> scanning browser hijacks
MSG [2644] 2010/12/14 14:25:56: -> scanning cookies
MSG [2644] 2010/12/14 14:25:56: -> neutralizing rootkits
MSG [2644] 2010/12/14 14:25:56: -> use mild rootkit detection
MSG [2644] 2010/12/14 14:25:56: -> use spyware heuristics
MSG [2644] 2010/12/14 14:25:56: -> use medium heuristics
MSG [2644] 2010/12/14 14:25:56: -> scan archives
MSG [2644] 2010/12/14 14:25:56: -> file size limit = 20480 kB (0 = unlimited)
MSG [2644] 2010/12/14 14:25:56: -> validating system critical files
MSG [2644] 2010/12/14 14:25:56: -> scan file/path = C:\
MSG [2644] 2010/12/14 14:25:56: -> scan file/path = D:\
ERR [2644] 2010/12/14 14:25:57: SDKController::GetInfectionList -> Not in found infections state
MSG [1272] 2010/12/14 16:11:00: Scan was completed in 6303 seconds
MSG [1272] 2010/12/14 16:11:00: Objects processed: 133418, infections detected: 3
MSG [2236] 2010/12/14 16:11:02: Remediating 3 infections
MSG [2236] 2010/12/14 16:11:03: Infections quarantined: 2, removed: 1, repaired: 0
MSG [2236] 2010/12/14 16:11:03: Infections ignored by remediation: 0 (0 whitelisted, 0 skipped).
MSG [2644] 2010/12/14 16:11:09: Dumping scan report:
>>> Logfile created: 12/14/2010 14:25:57
>>> Ad-Aware version: 9.0.0
>>> Extended engine: 3
>>> Extended engine version: 3.1.2770
>>> User performing scan: HP_Administrator
>>>
>>> *********************** Definitions database information ***********************
>>> Lavasoft definition file: 150.200
>>> Genotype definition file version: 2010/12/10 11:42:00
>>> Extended engine definition file: 7642.0
>>>
>>> ******************************** Scan results: *********************************
>>> Scan profile name: Full Scan (ID: full)
>>> Objects scanned: 133418
>>> Objects detected: 3
>>>
>>>
>>> Type Detected
>>> ==========================
>>> Processes.......: 0
>>> Registry entries: 0
>>> Hostfile entries: 0
>>> Files...........: 2
>>> Folders.........: 0
>>> LSPs............: 0
>>> Cookies.........: 1
>>> Browser hijacks.: 0
>>> MRU objects.....: 0
>>>
>>>
>>>
>>> Removed items:
>>> Description: *doubleclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408875 Family ID: 0
>>>
>>> Quarantined items:
>>> Description: c:\windows\web\wallpaper\welcome\awhelper.dll Family Name: webHancer Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5: 2dcaa711c9b64ff6cdeba93202b4f408
>>> Description: c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp13\a0006864.exe Family Name: AdWare.Win32.Agent.aeh Engine: 3 Clean status: Success Item ID: 2 Family ID: 0 MD5: ee49973d3a8efc5f4ae8f5dd121a1fa0
>>>
>>> Scan and cleaning complete: Finished correctly after 6303 seconds
>>>
-
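An added example, not code from this thread or from Lavasoft: a small Python parser for the Ad-Aware 9 scan log format posted above. It pulls the summary counters, the ERR line and the itemised removed/quarantined entries (family, path, MD5) into a structured record and cross-checks the "Infections quarantined/removed" summary against those entries. The sample input is a constructed, abridged copy of the log in this thread; the restore-point check is a general observation about the System Volume Information folder, not something the thread states.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: an abridged copy of the Ad-Aware 9 scan log posted in this thread.
SAMPLE_LOG = r"""
MSG [2644] 2010/12/14 14:25:56: Configure new scan with profile: full
ERR [2644] 2010/12/14 14:25:57: SDKController::GetInfectionList -> Not in found infections state
MSG [1272] 2010/12/14 16:11:00: Objects processed: 133418, infections detected: 3
MSG [2236] 2010/12/14 16:11:03: Infections quarantined: 2, removed: 1, repaired: 0
MSG [2644] 2010/12/14 16:11:09: Dumping scan report:
>>> Objects scanned: 133418
>>> Objects detected: 3
>>>
>>> Removed items:
>>> Description: *doubleclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408875 Family ID: 0
>>>
>>> Quarantined items:
>>> Description: c:\windows\web\wallpaper\welcome\awhelper.dll Family Name: webHancer Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5: 2dcaa711c9b64ff6cdeba93202b4f408
>>> Description: c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp13\a0006864.exe Family Name: AdWare.Win32.Agent.aeh Engine: 3 Clean status: Success Item ID: 2 Family ID: 0 MD5: ee49973d3a8efc5f4ae8f5dd121a1fa0
>>>
>>> Scan and cleaning complete: Finished correctly after 6303 seconds
"""

PROCESSED_RE = re.compile(r"Objects processed: (\d+), infections detected: (\d+)")
REMEDIATED_RE = re.compile(r"Infections quarantined: (\d+), removed: (\d+), repaired: (\d+)")
ITEM_RE = re.compile(
    r"^Description: (?P<desc>.+?) Family Name: (?P<family>.+?) Engine: (?P<engine>\d+) "
    r"Clean status: (?P<status>\w+) Item ID: (?P<item_id>\d+) Family ID: (?P<family_id>\d+)"
    r"(?: MD5: (?P<md5>[0-9a-fA-F]{32}))?$")


@dataclass
class Item:
    description: str  # file path, registry key or cookie pattern such as *doubleclick*
    family: str
    engine: int
    status: str
    md5: Optional[str]  # present for file detections only

    @property
    def in_restore_point(self) -> bool:
        # A hit under System Volume Information is a System Restore snapshot copy, not a file
        # the running system loads: it still has to be purged, but it is not a live infection.
        return "\\system volume information\\" in self.description.lower()


@dataclass
class ScanReport:
    objects_processed: int = 0
    infections_detected: int = 0
    quarantined_count: int = 0
    removed_count: int = 0
    repaired_count: int = 0
    removed: List[Item] = field(default_factory=list)
    quarantined: List[Item] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)


def parse_adaware_log(text: str) -> ScanReport:
    """Parse the summary MSG/ERR lines and the '>>>' report dump into a ScanReport."""
    rep = ScanReport()
    section: Optional[str] = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("ERR "):
            rep.errors.append(line.partition(": ")[2])
        elif (pm := PROCESSED_RE.search(line)):
            rep.objects_processed, rep.infections_detected = int(pm[1]), int(pm[2])
        elif (rm := REMEDIATED_RE.search(line)):
            rep.quarantined_count, rep.removed_count, rep.repaired_count = map(int, rm.groups())
        elif line.startswith(">>>"):
            # Section headers and blank '>>>' lines drive a small state machine over the dump.
            body = line[3:].strip()
            if body == "Removed items:":
                section = "removed"
            elif body == "Quarantined items:":
                section = "quarantined"
            elif body == "":
                section = None
            elif section and (im := ITEM_RE.match(body)):
                getattr(rep, section).append(
                    Item(im["desc"], im["family"], int(im["engine"]), im["status"], im["md5"]))
    return rep


def check_consistency(rep: ScanReport) -> List[str]:
    """Cross-check the summary counters against the itemised lists; an empty list means consistent."""
    problems = []
    if len(rep.quarantined) != rep.quarantined_count:
        problems.append(f"quarantined: summary {rep.quarantined_count}, itemised {len(rep.quarantined)}")
    if len(rep.removed) != rep.removed_count:
        problems.append(f"removed: summary {rep.removed_count}, itemised {len(rep.removed)}")
    handled = rep.quarantined_count + rep.removed_count + rep.repaired_count
    if handled != rep.infections_detected:
        problems.append(f"{rep.infections_detected} detected but only {handled} remediated")
    problems += [f"clean failed: {i.description}" for i in rep.quarantined + rep.removed if i.status != "Success"]
    return problems
```

Pointed at the full Scan_<date>.log mentioned earlier in the thread, it yields the same per-item path and MD5 list the helper asked for without copying it out by hand.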
If you use "Fast reply" or "Add reply" buttons your answer will not quote the previous post.
Maximize the Virus Vault window and expand the columns so the content of "Virus name" and "Path to file" columns are visible. Take a screen shot (Print Screen) and upload the picture somewhere and include the link to the picture in your answer.
Have you been able to use Erunt?
Then run Gmer and DDS.
-
[b]Yes, I went back and downloaded the erunt installer and saved the registry. GMER just finished running. I'll copy the results here. I'll run DDS next and take a screen shot of the AVG log. I'll upload it to Photobucket. My Firewall is still turning off a lot.[/b]
GMER 1.0.15.15530 - [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2010-12-18 18:35:40
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3500418AS rev.CC38
Running: gmer.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kwxyafod.sys
---- System - GMER 1.0.15 ----
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF766087E]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xEEF7E6C0]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7660BFE]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xEEF7E770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xEEF7E810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xEEF7E8B0]
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 3038 805048D4 4 Bytes CALL CB5937D0
---- Devices - GMER 1.0.15 ----
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\Temp\TMP00000023035B02E006FB9F08 0 bytes
---- EOF - GMER 1.0.15 ----
-
I'm not sure I gave you the right information on the GMER log. Was I supposed to click on the next page? I copied the scan page. I see now there were some (Malware) arrows to go inside.
I have the DDS and attach on my desktop. Do you want it [u]all[/u] copied here?
-
I'm not sure this is going to work. It was expanded and I had to take two pictures to get it all, and it looks small.
[url="http://img.photobucket.com/albums/v175/paoniapoodles/VIRUSVAULT1.jpg"]http://img.photobucket.com/albums/v175/paoniapoodles/VIRUSVAULT1.jpg[/url]
[url="http://img.photobucket.com/albums/v175/paoniapoodles/VIRUSVAULT2.jpg"]http://img.photobucket.com/albums/v175/paoniapoodles/VIRUSVAULT2.jpg[/url]
(Have this all copied in previous post)
-
Thanks!
The Gmer log shows what it usually does.
The pictures show what type of malware was found.
Please, paste the whole DDS.txt into your answer, but you can attach the Attach.txt (use "Add reply" button).
-
DDS (Ver_10-12-12.02) - NTFSx86
Run by HP_Administrator at 19:56:02.93 on Sat 12/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.412 [GMT -7:00]
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
============== Running Processes ===============
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\arservice.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ScsiAccess.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\DISC\DiscGui.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\HP_Administrator\My Documents\Downloads\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [DISCover] c:\program files\disc\DISCover.exe
mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: trymedia.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\y3dz3q8v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\y3dz3q8v.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\y3dz3q8v.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
============= SERVICES / DRIVERS ===============
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-13 64288]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1389400]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15264]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
=============== Created Last 30 ================
==================== Find3M ====================
============= FINISH: 19:57:18.56 ===============0 -
I suggest that you remove trymedia.com from the "trusted zone" in Internet Options, Security tab, due to the opinions on [url="http://www.mywot.com/sv/scorecard/trymedia.com"]http://www.mywot.com/sv/scorecard/trymedia.com[/url]
You should have only one antivirus program running at the same time to avoid conflicts and strange behaviour. It seems that you have three.
Ad-Aware, which in the latest version has been expanded to include an antivirus program
AVG 2011
Microsoft Security Essentials
Uninstall two of them. Alternatively, it is also possible to uninstall AVG or MSE and disable the real-time protection in Ad-Aware.
Restart the computer and remove any left-overs with AppRemover [url="http://www.appremover.com/"]http://www.appremover.com/[/url]
Uninstall "J2SE Runtime Environment 5.0 Update 5" since it is an old version with known security holes.
Restart the computer and check if the firewall behaves better now.0 -
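As an added example (not code from this thread or from any of the products named), a small Python parser for the DDS "SERVICES / DRIVERS" lines that applies the same check CeciliaB makes above: more than one antivirus product with running components is a conflict. The product fingerprints and the sample lines are assumptions constructed for the example, modelled on the log posted above.

```python
"""Added example (not from this thread): parse the DDS "SERVICES / DRIVERS"
section and flag more than one antivirus product with running real-time
components, which is the conflict pointed out above."""
import re

# DDS line shape: "<state> <name>;<display name>;<image path> [<date> <size>]"
# First character: R = running, S = stopped. Digit: Windows start type
# (0 boot, 1 system, 2 auto, 3 demand). Only running entries matter here.
DDS_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]\s*$"
)

# Product fingerprints: an assumption made for this example (lowercase substrings
# of the path, display name or service name that identify a product's components).
# Lbd.sys / SBREDrv.sys are attributed to Ad-Aware here because they were created
# together with the Lavasoft folder in the log above; treat that as an assumption.
PRODUCT_MARKERS = {
    "AVG": ("\\avg\\", "avgidseh", "avgrkx86", "avgldx86", "avgmfx86", "avgtdix", "avgwd"),
    "Ad-Aware": ("lavasoft", "ad-aware", "lbd.sys", "sbredrv"),
    "Microsoft Security Essentials": ("mpfilter", "microsoft security client"),
}

# Constructed sample in the DDS format (a subset of the entries posted above).
SAMPLE_DDS = r"""
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-13 64288]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1389400]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]
"""


def parse_dds_services(text):
    """Return one dict per parseable service/driver line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["running"] = d["state"] == "R"
            d["size"] = int(d["size"])
            entries.append(d)
    return entries


def product_of(entry):
    """Map an entry to a security product name, or None for unrelated entries."""
    hay = (entry["path"] + " " + entry["display"] + " " + entry["name"]).lower()
    for product, markers in PRODUCT_MARKERS.items():
        if any(marker in hay for marker in markers):
            return product
    return None


def running_security_products(text):
    """Products with at least one running component, with those components listed."""
    found = {}
    for e in parse_dds_services(text):
        product = product_of(e)
        if product and e["running"]:
            found.setdefault(product, []).append(e["name"])
    return found


def conflict_report(text):
    """Verdict string: more than one live antivirus engine is a conflict."""
    found = running_security_products(text)
    if len(found) > 1:
        return "CONFLICT: %d antivirus products running: %s" % (len(found), ", ".join(sorted(found)))
    return "OK: %d antivirus product running" % len(found)


if __name__ == "__main__":
    print(conflict_report(SAMPLE_DDS))
```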
I'm sorry, but I need to clarify. I went to Tools>Options>Security. I don't see where to block trymedia.com. That isn't a site I've ever gone to.
When I had my new hard drive installed a week ago the tech put AVG Free and Malwarebytes on my computer. I've always liked Ad-Aware and would rather have that than Malwarebytes. Should I uninstall Malwarebytes and Microsoft Security and leave AVG and Ad-aware? Is AVG Free sufficient for both virus and anti-spyware? I used to need both.
Do I just delete these programs you had me download? I don't see an "uninstall" on any of them (OTM, DDS, ERUNT, GMER)... or should I just delete the shortcut and leave the programs in my computer?0 -
On the Security tab you first click on Trusted zone and then on Places. You should then see trymedia.com and be able to remove it.
The free version of Malwarebytes' Anti-Malware does not contain any real-time protection and can be combined with any antivirus and antimalware program. Uninstall Microsoft Security. I cannot judge between AVG and Ad-Aware; since Ad-Aware with antivirus is rather new, there are few independent tests of it.
I am not an expert on Ad-Aware, but there are descriptions of how to turn off real-time protection in Ad-Aware in other topics, see if you can find it in the forum [url="http://www.lavasoftsupport.com/index.php?showforum=176"]http://www.lavasoftsupport.com/index.php?showforum=176[/url]
Wait to remove DDS etc. until we know that your firewall problem is solved by removing antivirus programs.0 -
I have Firefox and don't see anything like that on the Security tab. 0 -
I was able to change trymedia.com from trusted to block in Internet Explorer. Not sure how to do the same in Firefox.
ps....
[b]I've done everything. Now will wait and see if the balloon pops up. I discovered if I don't click on the balloon it will disappear and the Firewall will turn back on automatically.[/b]0 -
Nice :)
There is no corresponding setting in Firefox.0 -
Late last night when the balloon popped on I decided to completely uninstall Ad-Aware and just leave Malwarebytes and AVG. This morning the balloon popped on again. Guess I should just not worry about it, since the settings turn the Firewall back on within a few seconds. I don't know what else to do. If I take it in for repair there is no guarantee they can find the problem either.
Thank you[u] so[/u] much for all your help! :)0 -
:)
I guess that if you take it in for repair they will format and install Windows, and I believe that you can do that yourself.
Run Eset online scanner [url="http://www.eset.com/onlinescan/"]http://www.eset.com/onlinescan/[/url] and see if it finds something.
To minimize the scanning time turn off your antivirus program while scanning.
Uncheck the option "Remove found threats"
Check "Scan Archives"
Click on "Advanced Settings"
Check:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Click on Scan
When the scanner has finished the log file C:\Program\Eset\Eset Online Scanner\log.txt is created.
Open it in Notepad and paste the content in your answer.0 -
I've finished the ESET scan, in fact ran it twice because I don't see where to access the log. It shows no infected files.
I searched for ESET and did find this text log. Can't be sure this is what you're looking for, as I ran it once 50%, stopped and started over. The second scan finished 100%
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=9e4e19c3ea62a2489699f769f28ad08a
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-12-21 01:14:34
# local_time=2010-12-20 06:14:34 (-0700, Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1032 16777173 100 97 0 49617725 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=98638
# found=0
# cleaned=0
# scan_time=40040 -
Nice that no infections were found. :)
Now that you have uninstalled Ad-Aware, maybe a new run of Gmer would show more. This time turn off all programs, including antivirus, before you run Gmer.
The page [url="http://www.bleepingcomputer.com/forums/topic114351.html"]http://www.bleepingcomputer.com/forums/topic114351.html[/url] should describe how to turn off your security programs.0 -
I'll re-run the gmer later, after AVG has run today. I talked on a chat to HP and they had me uncheck the Security Center Service box (MSC-Services). They didn't seem concerned that the balloon was popping up. It didn't seem right to do that so I went back and re-checked it. If something is turning my Firewall off I at least want to know it. I'm not too worried now because the Firewall setting turns it back on within 15-20 seconds. 0 -
I couldn't find where to disable Malwarebytes. It was left on.
GMER 1.0.15.15530 - [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2010-12-21 14:13:52
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3500418AS rev.CC38
Running: gmer.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kwxyafod.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xEFEF46C0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xEFEF4770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xEFEF4810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xEFEF48B0]
---- Devices - GMER 1.0.15 ----
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
AttachedDevice bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----0 -
That is looking all right to me.
Maybe you can see if System File Checker (sfc /scannow) finds some corrupt Windows file: [url="http://support.microsoft.com/kb/310747/en-us"]http://support.microsoft.com/kb/310747/en-us[/url]0 -
Please do not change your post after a long time, since no notification is sent for changes. I thought everything was fine.
If you don't have any issues with the computer there is no need for running System File Checker.0