Welcome to MalwareRemoval.com,
stick bugs

Re: stick bugs

Unread postby shinybeast » February 8th, 2010, 12:11 pm

Hi drew,

Start Flash_Disinfector then attach the devices when it prompts you to, as in the instructions here.
shinybeast
Retired Graduate
 
Posts: 1187
Joined: October 29th, 2008, 6:56 pm
Location: -5 hrs GMT (EST)

Re: stick bugs

Unread postby drew » February 9th, 2010, 11:00 pm

Did the flash disinfector, no problem. I included my thumb drive (so will need to do memory stick and external drive).

I keep getting a comodo alert for "System is trying to receive a connection from the internet."
66.248.36.36 TCP.

It happened during the first download and now during the second as well. Downloads continue regardless. I don't normally get alerts on my firewall.

Is this something I should be approving? It is odd because it only happens during the downloads but doesn't appear to be from the download.
drew
Regular Member
 
Posts: 21
Joined: January 25th, 2010, 1:19 am

Re: stick bugs

Unread postby drew » February 9th, 2010, 11:27 pm

"I will plug in the memory stick and thumb drive before I begin ok?"

Sorry, I was tired and yea the directions were there. :thumbup:

I am just continuing on with the eset scan, will let you know if any problems. I did not allow that connection through the firewall.

Re: stick bugs

Unread postby shinybeast » February 9th, 2010, 11:35 pm

Hi drew,

I can't find much on that IP. I definitely wouldn't allow it, though.

Re: stick bugs

Unread postby drew » February 9th, 2010, 11:39 pm

I wonder why that thing is popping up. Then again this computer is new to me and I haven't used it much. Ok, thanks for confirming that.

I will explain what I did here, FYI.

The instructions said-
"Note: You will need to disable your Anti-Virus.
To disable Comodo Internet Security

* Locate Comodo Image icon in the system tray at the bottom right of the desktop.
* Right-click the icon and select Exit
* The program will ask if you are sure; click Yes."

The newer Comodo firewall has combined anti virus. When you right click on the small Comodo icon on the lower right you get an option for "antivirus security level" and then an option to "disable". So I just have the anti virus disabled as I am not thinking you want my firewall off while online.

It's pretty cool the new comodo. From a right click on the icon you can set the firewall, anti virus, or defense plus security level settings.

Re: stick bugs

Unread postby shinybeast » February 9th, 2010, 11:48 pm

You did the right thing. :)
The AV is all that needs to be disabled, and with that suspicious connection it is definitely wise to keep the firewall enabled. Let's see if the ESET scan finds anything.

Re: stick bugs

Unread postby drew » February 10th, 2010, 3:31 am

Hi Shinybeast,

Eset is giving me problems because it is taking so long to download the virus database, then it errored out before it was finished. I started it again but it doesn't seem to be loading right. My problem is probably because of a dial up connection. Is there any other online scan that is just as good? Thanks

Re: stick bugs

Unread postby shinybeast » February 10th, 2010, 6:38 pm

Hi drew,

OK, I didn't realize you were on dial-up; that complicates matters.

I would really like a second opinion.

This scan is a bit less of a download but will still take quite some time to download. Give it a try.


Panda Online Scan

Use Firefox for this scan.
Please visit Panda Active Scan to run an online scan
  • Once you are on the Panda site, click the Scan your PC now button
  • A new window will open...click the Scan Now button
  • Click Install to download and install the plug-in, follow the instructions provided.
  • Click Continue and the ActiveScan download/update will start.
  • The screen will then show the scanning progress - the scan will take a while to finish. Please be patient.
  • When the scan has finished, click on Export To:
  • Save the file as Activescan.txt to your Desktop
  • Close the Activescan window then go to your Desktop
  • Double-click on Activescan.txt and it will open in Notepad
  • In Notepad, click Edit > Select all, then Edit > Copy
  • Reply to this thread and click Ctrl+V to paste the log in your reply


COMODO logs

Also, let's get a look at the COMODO logs.

  • Double-click COMODO icon to open COMODO Internet Security
  • Click AntiVirus in top row
  • Click View Antivirus Events
  • In the events window, click More...
  • In the Log Viewer window, click File > Export to HTML > All
  • Save the logs to your desktop.
  • Open them one by one and Edit > Select All, then Copy the contents of the log.
  • Open notepad and paste them into it one after the other.
  • Save this as logs.txt to your desktop and copy/paste the contents of that file in your next reply.


OTL Quick Scan

  • Close all other open windows, then double-click OTL.exe to start OTL
  • Click Quick Scan to start the scan
  • Once it is finished, a log will open (OTL.txt)
  • Please copy and paste the contents of OTL.txt in your next reply.


Please reply with COMODO log, OTL log and Panda ActiveScan log, if applicable.

Re: stick bugs

Unread postby drew » February 12th, 2010, 7:22 am

Shinybeast,

Thank you. I will get to work on this again today (Friday).

Re: stick bugs

Unread postby drew » February 13th, 2010, 7:57 am

Panda froze 4 times, at 11 percent of the scan done. It said at that point it found 10 infected files but didn't specify yet. It kept stopping on file qwin8\chu_c_c[1].gif. And that firewall alert for System wanting to connect happened again while I was downloading Panda Scan.

I tried ESET again, managed to get it done. It said it found 2 problems.
C:\Program Files\PC Magazine Utilities\HomePatrol\HomePatrol.exe probably unknown NewHeur_PE virus
Operating memory probably unknown NewHeur_PE virus

Homepatrol is a webcam program I have.

The Comodo logs, do you want any log besides the Anti Virus? Going by the directions I get the Firewall log only. I will do OTL ASAP. Took a long time to get the online scan done tonight.

Here's the Comodo Anti Virus log-
(That nircmd file was for the flash disinfector program)

COMODO Internet Security Logs
Table: Antivirus Logs
Date Created: 2/13/2010 3:43:04 AM
Log Scope: All The Times
Records count: 34
Date/Time Action Location Malware Name Status
1/11/2010 11:21:17 AM Detect C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Reboot.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Success
1/11/2010 11:21:28 AM Quarantine C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Reboot.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Success
1/11/2010 1:22:52 PM Detect C:\Driver Install Disk\CD_v3.2NM (H)\Install\Reboot.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Success
1/11/2010 1:23:00 PM Quarantine C:\Driver Install Disk\CD_v3.2NM (H)\Install\Reboot.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Success
1/11/2010 1:23:07 PM Detect C:\Driver Install Disk\CD_v3.2NM (H)\Utility\CoolnQuiet\Win2K\Athlon-64_CPU_driver_W2k1017.exe Heur.Suspicious@37228686 Success
1/11/2010 1:23:13 PM Quarantine C:\Driver Install Disk\CD_v3.2NM (H)\Utility\CoolnQuiet\Win2K\Athlon-64_CPU_driver_W2k1017.exe Heur.Suspicious@37228686 Success
1/11/2010 1:23:14 PM Detect C:\Driver Install Disk\CD_v3.2NM (H)\Utility\ProMagicPlus\FILES\PlusStart.exe TrojWare.Win32.Trojan.Agent.Gen@5226799 Success
1/11/2010 1:23:16 PM Quarantine C:\Driver Install Disk\CD_v3.2NM (H)\Utility\ProMagicPlus\FILES\PlusStart.exe TrojWare.Win32.Trojan.Agent.Gen@5226799 Success
1/11/2010 1:25:14 PM Detect H:\Install\Reboot.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Success
1/11/2010 1:25:27 PM Quarantine H:\Install\Reboot.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Failure
1/12/2010 3:09:29 PM Detect C:\System Volume Information\_restore{4681868C-B13C-4529-AB78-74BF2857C96D}\RP11\A0007694.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Success
1/12/2010 4:08:49 PM Detect C:\System Volume Information\_restore{4681868C-B13C-4529-AB78-74BF2857C96D}\RP11\A0007694.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Success
1/12/2010 5:08:49 PM Detect C:\System Volume Information\_restore{4681868C-B13C-4529-AB78-74BF2857C96D}\RP11\A0007694.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Success
1/12/2010 9:40:43 PM Detect C:\System Volume Information\_restore{4681868C-B13C-4529-AB78-74BF2857C96D}\RP11\A0007694.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Success
1/13/2010 1:49:38 AM Detect C:\System Volume Information\_restore{4681868C-B13C-4529-AB78-74BF2857C96D}\RP11\A0007694.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Success
1/13/2010 3:06:30 AM Detect C:\System Volume Information\_restore{4681868C-B13C-4529-AB78-74BF2857C96D}\RP11\A0007694.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Success
1/13/2010 4:03:43 AM Detect C:\System Volume Information\_restore{4681868C-B13C-4529-AB78-74BF2857C96D}\RP11\A0007694.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Success
1/13/2010 6:03:43 AM Detect C:\System Volume Information\_restore{4681868C-B13C-4529-AB78-74BF2857C96D}\RP11\A0007694.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Success
1/13/2010 8:03:43 AM Detect C:\System Volume Information\_restore{4681868C-B13C-4529-AB78-74BF2857C96D}\RP11\A0007694.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Success
1/13/2010 12:03:33 PM Detect C:\System Volume Information\_restore{4681868C-B13C-4529-AB78-74BF2857C96D}\RP11\A0007694.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Success
1/13/2010 6:45:38 PM Detect C:\System Volume Information\_restore{4681868C-B13C-4529-AB78-74BF2857C96D}\RP11\A0007694.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Success
1/14/2010 3:00:25 AM Detect C:\System Volume Information\_restore{4681868C-B13C-4529-AB78-74BF2857C96D}\RP11\A0007694.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Success
1/14/2010 3:00:33 AM Detect C:\System Volume Information\_restore{4681868C-B13C-4529-AB78-74BF2857C96D}\RP4\A0000271.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Success
1/14/2010 3:44:17 AM Quarantine C:\System Volume Information\_restore{4681868C-B13C-4529-AB78-74BF2857C96D}\RP11\A0007694.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Success
1/14/2010 3:44:17 AM Quarantine C:\System Volume Information\_restore{4681868C-B13C-4529-AB78-74BF2857C96D}\RP4\A0000271.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Success
2/9/2010 6:39:21 PM Detect C:\Documents and Settings\Owner\Local Settings\Temp\nircmd.exe ApplicUnsaf.Win32.NirCmd.A@5756747 Success
2/9/2010 6:39:31 PM Detect C:\Documents and Settings\Owner\Local Settings\Temp\nircmd.exe ApplicUnsaf.Win32.NirCmd.A@5756747 Success
2/9/2010 6:46:27 PM Detect C:\Documents and Settings\Owner\Local Settings\Temp\nircmd.exe ApplicUnsaf.Win32.NirCmd.A@5756747 Success
2/9/2010 6:46:31 PM Ignore C:\Documents and Settings\Owner\Local Settings\Temp\nircmd.exe ApplicUnsaf.Win32.NirCmd.A@5756747 Success
2/9/2010 6:46:31 PM Detect C:\Documents and Settings\Owner\Local Settings\Temp\nircmd.exe ApplicUnsaf.Win32.NirCmd.A@5756747 Success
2/9/2010 6:46:36 PM Ignore C:\Documents and Settings\Owner\Local Settings\Temp\nircmd.exe ApplicUnsaf.Win32.NirCmd.A@5756747 Success
2/9/2010 6:46:36 PM Detect C:\Documents and Settings\Owner\Local Settings\Temp\nircmd.exe ApplicUnsaf.Win32.NirCmd.A@5756747 Success
2/9/2010 6:46:37 PM Detect C:\Documents and Settings\Owner\Local Settings\Temp\nircmd.exe ApplicUnsaf.Win32.NirCmd.A@5756747 Success
2/9/2010 6:46:39 PM Ignore C:\Documents and Settings\Owner\Local Settings\Temp\nircmd.exe ApplicUnsaf.Win32.NirCmd.A@5756747 Success
End of The Report

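An added example (not code from the thread, and not a COMODO tool): a small Python parser for the "Antivirus Logs" export layout drew posted above. It groups the events per file, records the last action taken, and flags files whose quarantine failed, that were set to Ignore, or that were only ever detected and never handled, which is the reading a helper does by eye when answering "what does this log show". The sample lines are constructed from the layout of the posted log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the COMODO "Antivirus Logs" export
# shown in this thread: date, time, action, path (may contain spaces),
# detection name (no spaces) and status. A raw string keeps the backslashes.
SAMPLE_LOG = r"""
1/11/2010 1:23:14 PM Detect C:\Driver Install Disk\CD_v3.2NM (H)\Utility\ProMagicPlus\FILES\PlusStart.exe TrojWare.Win32.Trojan.Agent.Gen@5226799 Success
1/11/2010 1:23:16 PM Quarantine C:\Driver Install Disk\CD_v3.2NM (H)\Utility\ProMagicPlus\FILES\PlusStart.exe TrojWare.Win32.Trojan.Agent.Gen@5226799 Success
1/11/2010 1:25:14 PM Detect H:\Install\Reboot.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Success
1/11/2010 1:25:27 PM Quarantine H:\Install\Reboot.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Failure
1/12/2010 3:09:29 PM Detect C:\System Volume Information\_restore{4681868C-B13C-4529-AB78-74BF2857C96D}\RP11\A0007694.exe ApplicUnsaf.Win32.RiskTool.Reboot.g@6576133 Success
2/9/2010 6:46:27 PM Detect C:\Documents and Settings\Owner\Local Settings\Temp\nircmd.exe ApplicUnsaf.Win32.NirCmd.A@5756747 Success
2/9/2010 6:46:31 PM Ignore C:\Documents and Settings\Owner\Local Settings\Temp\nircmd.exe ApplicUnsaf.Win32.NirCmd.A@5756747 Success
End of The Report
"""

# The path is the only field that may contain spaces, so it is matched
# greedily and the detection name / status are taken from the line's end.
LINE_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>\S+) (?P<path>.+) (?P<name>\S+) (?P<status>Success|Failure)$"
)


def parse_events(text):
    """Parse export lines into dicts, oldest first; non-event lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, footer or blank line
        ev = m.groupdict()
        ev["when"] = datetime.strptime(ev["when"], "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return sorted(events, key=lambda e: e["when"])


def summarise(events):
    """Per file: detection count, last non-detect action, and an attention flag."""
    per_file = defaultdict(lambda: {
        "detects": 0, "name": None, "last_action": None, "quarantine_failed": False,
    })
    for ev in events:
        rec = per_file[ev["path"]]
        rec["name"] = ev["name"]
        if ev["action"] == "Detect":
            rec["detects"] += 1
        else:
            rec["last_action"] = ev["action"]
            if ev["action"] == "Quarantine" and ev["status"] == "Failure":
                rec["quarantine_failed"] = True
    for path, rec in per_file.items():
        rec["drive"] = path[:2]  # e.g. "H:" for a removable device
        # A human should look again if quarantine failed, the user chose
        # Ignore, or the file was only ever detected and never handled.
        rec["attention"] = (rec["quarantine_failed"]
                            or rec["last_action"] in (None, "Ignore"))
    return dict(per_file)


def attention_paths(summary):
    """Paths that still need a decision, in a stable order."""
    return sorted(p for p, rec in summary.items() if rec["attention"])


if __name__ == "__main__":
    report = summarise(parse_events(SAMPLE_LOG))
    for path, rec in report.items():
        flag = "ATTENTION" if rec["attention"] else "ok"
        print(f"{flag:9} {rec['drive']} detects={rec['detects']} "
              f"last={rec['last_action']} {rec['name']} -> {path}")
```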
Re: stick bugs

Unread postby drew » February 13th, 2010, 8:03 am

Um, can I have a link to OTL please. :)

Re: stick bugs

Unread postby shinybeast » February 13th, 2010, 11:03 am


Re: stick bugs

Unread postby drew » February 14th, 2010, 10:32 pm

Ok, I am getting the programs confused, sorry about that. :confused3: That nircmd file was actually from GMER, I think.

Any junk you see, even borderline junk, I don't want on my computer so let me know if you see anything.

OTL logfile created on: 2/14/2010 6:20:53 PM - Run 2
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 71.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 65.98 Gb Free Space | 88.53% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EMILY
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
PRC - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe (COMODO)
PRC - C:\Program Files\LSI SoftModem\agrsmsvc.exe (LSI Corporation)
PRC - C:\Program Files\PC Magazine Utilities\HomePatrol\HomePatrol.exe (Ziff Davis Media, Inc)
PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
PRC - C:\WINDOWS\vsnpstd3.exe ()
PRC - C:\WINDOWS\system32\LEXBCES.EXE (Lexmark International, Inc.)
PRC - C:\WINDOWS\system32\LEXPPS.EXE (Lexmark International, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\guard32.dll (COMODO)


========== Win32 Services (SafeList) ==========

SRV - (cmdAgent) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe (COMODO)
SRV - (AgereModemAudio) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe (LSI Corporation)
SRV - (NVSvc) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (LexBceS) -- C:\WINDOWS\system32\LEXBCES.EXE (Lexmark International, Inc.)
SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.35

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/11 11:25:08 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/11 11:25:00 | 000,000,000 | ---D | M]

[2010/01/11 11:25:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/02/12 23:55:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rx6nj4o2.default\extensions
[2010/01/12 21:08:08 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rx6nj4o2.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/01/12 21:10:53 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rx6nj4o2.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/01/11 11:25:00 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2001/08/23 04:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe ()
O4 - HKCU..\Run: [HomePatrol] C:\Program Files\PC Magazine Utilities\HomePatrol\HomePatrol.exe (Ziff Davis Media, Inc)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: 25 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupda ... 3221622155 (WUWebControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shoc ... wflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\guard32.dll) - C:\WINDOWS\system32\guard32.dll (COMODO)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/10 22:00:51 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/02/09 18:47:22 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/02/12 20:14:20 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2010/02/12 19:46:54 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2010/02/09 19:27:46 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/02/09 18:47:22 | 000,000,000 | RHSD | C] -- C:\autorun.inf
[2010/02/07 23:02:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\MY STORY
[2010/02/04 23:21:46 | 000,454,656 | ---- | C] (Lexmark International Inc.) -- C:\WINDOWS\System32\LXBLJSWR.DLL
[2010/02/04 23:21:45 | 000,339,968 | ---- | C] (Lexmark International Inc.) -- C:\WINDOWS\System32\LXBLUTIL.DLL
[2010/02/04 23:21:44 | 000,090,112 | ---- | C] (Lexmark International Inc.) -- C:\WINDOWS\System32\LXBLCUR.DLL
[2010/02/04 23:21:44 | 000,069,632 | ---- | C] (Lexmark International Inc.) -- C:\WINDOWS\System32\LXBLCU.DLL
[2010/02/04 23:16:09 | 000,000,000 | ---D | C] -- C:\Program Files\Lexmark Z700-P700 Series
[2010/02/04 23:16:00 | 000,299,520 | ---- | C] (InstallShield Corporation, Inc.) -- C:\WINDOWS\uninst.exe
[2010/02/04 23:15:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\WINDOWS
[2010/02/04 23:15:46 | 000,000,000 | ---D | C] -- C:\Lxk700
[2010/02/03 17:32:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Dorothea
[2010/02/02 21:52:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Scans
[2010/01/11 10:12:06 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/01/11 10:12:06 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/01/11 10:12:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/01/11 10:12:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/03/12 11:41:52 | 000,061,440 | ---- | C] ( ) -- C:\WINDOWS\System32\vsnpstd3.dll
[2005/11/23 12:55:32 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\csnpstd3.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/02/14 18:11:00 | 000,200,712 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/02/14 18:10:39 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/14 18:10:38 | 000,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/14 18:10:36 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/13 04:05:39 | 002,097,152 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/02/13 04:05:39 | 001,474,832 | ---- | M] () -- C:\WINDOWS\System32\drivers\sfi.dat
[2010/02/13 04:05:27 | 006,399,660 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/02/13 03:49:41 | 000,000,130 | ---- | M] () -- C:\WINDOWS\cfplogvw.INI
[2010/02/13 03:43:04 | 000,016,782 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\comodoanti.htm
[2010/02/13 03:41:49 | 000,416,192 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\comodo.htm
[2010/02/13 00:07:56 | 002,672,312 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\esetsmartinstaller_enu(2).exe
[2010/02/12 19:45:02 | 000,177,240 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\activescan2_en.exe
[2010/02/10 12:28:12 | 000,000,256 | ---- | M] () -- C:\WINDOWS\lexstat.ini
[2010/02/09 19:05:48 | 002,672,312 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\esetsmartinstaller_enu.exe
[2010/02/09 18:37:40 | 000,132,597 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Flash_Disinfector.exe
[2010/02/04 23:24:12 | 000,001,749 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Lexmark Z700-P700 Series Solution Center.lnk
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/13 03:43:04 | 000,016,782 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\comodoanti.htm
[2010/02/13 03:41:48 | 000,416,192 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\comodo.htm
[2010/02/12 23:48:37 | 002,672,312 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\esetsmartinstaller_enu(2).exe
[2010/02/12 19:43:49 | 000,177,240 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\activescan2_en.exe
[2010/02/09 20:25:47 | 000,000,130 | ---- | C] () -- C:\WINDOWS\cfplogvw.INI
[2010/02/09 18:50:19 | 002,672,312 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\esetsmartinstaller_enu.exe
[2010/02/09 18:36:34 | 000,132,597 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Flash_Disinfector.exe
[2010/02/04 23:24:12 | 000,001,749 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Lexmark Z700-P700 Series Solution Center.lnk
[2010/02/04 23:22:50 | 000,000,256 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2010/02/04 23:21:47 | 001,303,179 | ---- | C] () -- C:\WINDOWS\System32\LXBLLPA.HLP
[2010/02/04 23:21:47 | 000,003,589 | ---- | C] () -- C:\WINDOWS\System32\LXBLLPA.CNT
[2010/02/04 23:21:47 | 000,002,216 | ---- | C] () -- C:\WINDOWS\System32\LXBLDRV.CNT
[2010/02/04 23:21:47 | 000,000,200 | ---- | C] () -- C:\WINDOWS\System32\LXBLMA.CNT
[2010/02/04 23:21:46 | 000,649,156 | ---- | C] () -- C:\WINDOWS\System32\LXBLDRV.HLP
[2010/02/04 23:21:46 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\LXBLIH.EXE
[2010/02/04 23:21:46 | 000,000,451 | ---- | C] () -- C:\WINDOWS\System32\LXBL.LOC
[2010/02/04 23:21:43 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\INSTMON.EXE
[2010/02/04 23:21:42 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\LXBLLCNP.DLL
[2010/02/04 23:16:11 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxblvs.dll
[2010/01/11 21:03:35 | 000,000,044 | ---- | C] () -- C:\WINDOWS\StartupCopPro.INI
[2010/01/11 11:01:47 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/09/17 23:55:00 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/09/17 23:55:00 | 001,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/09/17 23:55:00 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/09/17 23:55:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/09/17 23:55:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2004/02/27 16:36:18 | 000,015,498 | ---- | C] () -- C:\WINDOWS\snpstd3.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/01/24 22:54:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/01/13 02:36:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\PC Magazine Utilities

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >

Re: stick bugs

Unread postby shinybeast » February 15th, 2010, 10:57 am

Hi drew,

Nircmd came with Flash_Disinfector. It is a beefy command line tool. You can learn about it here. It is itself safe but as with all powerful tools, it can cause harm in the "wrong hands."

There is one thing of concern in the comodo logs - the PlusStart.exe executable which is part of ProMagicPlus which was on the "H" drive. It could be an infected copy or it could be a false positive. Comodo appears to have quarantined it. I suggest you not use the program.

As for the IP address that you are getting notifications about, it appears to be owned by PaeTec Communications. Does that mean anything to you?

The only other thing I see is ALCMTR.EXE in your startups. It is not malicious but technically spyware and certainly unneeded.

HijackThis

  • Start HijackThis and select Do a system scan only.
  • Place a check next to the lines listed below.
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

  • After placing a check next to the above line, close all windows except for HijackThis.
  • Click Fix checked, then click Yes to confirm.
  • Close HijackThis, then reboot the computer.


I see you have MalwareBytes' installed. Let's do a scan with it as you are having trouble with the online scans.

Update and Scan with MalwareBytes'

  • Start MalwareBytes' Anti-Malware (MBAM)
  • Click the Update tab, then click Check for Updates button
  • Allow MBAM to check for and download updates, then click OK
  • Click the Scanner tab and select (tick) Perform full scan
  • Click Scan to start the scan.
  • When it finishes, click OK in the window that pops up and then click Show Results in the main window
  • Check all items EXCEPT items in the C:\System Volume Information folder... then click on Remove Selected.
  • When the removal is complete, a logfile will open. Please copy and paste the entire contents of the logfile in your next reply. See NOTE below
  • If necessary, the logfile can also be accessed by running Malwarebytes' and clicking the Log tab. Double-click the current log to open it.
NOTE: If Malwarebytes' encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let it proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent Malwarebytes' from removing all the malware.


Please reply with the MalwareBytes' log and inform me of any remaining issues and your thoughts on PaeTec.

Re: stick bugs

Unread postby drew » February 16th, 2010, 11:18 pm

Hi Shinybeast,

Ok flash disinfector it is then lol, thanks :).

The only problem I seem to have with this new computer, which I haven't tried in days, is printing online out of my email. That became a problem shortly after the thumb drive thing. That night on my dad's printer it suddenly began printing nonsense. Then I got home and with my printer I still couldn't get emails printed; a box comes up saying there is some error and it can't print. There is no problem printing offline. The reason I am concerned about this is because after having to use one of the sticks on my old back up computer, then I got online on that computer to get those emails printed, at the end of the last email I printed was that nonsense again. Hope that makes sense. Maybe I just need to scan the old back up with Comodo, seems Comodo takes care of things ok. Or when I can I'll bring my old computer to the forum for a check.


I intend to format the other sticks then run flash disinfector on them, so that is settled because I know what I need to do.

Can you explain to me what the Comodo log shows as the infection it had? It seemed to have found a few problems (which I quarantined) and looking at it I don't understand what happened.

I am trying to figure out how anything is on the "H" drive. When I look in my drives "H" is shown as the DVD/CD-RW Drive. I don't know of any promagicplus program. It isn't listed in my programs either. Can we track it down and remove this program?

I am also wondering why Eset picked up HomePatrol as a problem. Do you think it was a false positive or maybe there is something to it? I don't find anything on a quick search.

Paetec doesn't look familiar to me at all. I looked through my programs and didn't find anything that appeared to match it. I didn't build this computer so am unsure if it is trying to connect because of something on it, I asked Dad to check the site to see if he recognized anything but no word back on that, will ask him again. It seems suspicious to me that it attempts to connect every time I am doing a download.

In my add/remove programs is a "Realtek high definition audio driver". It is running in my processes; is it connected to this O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)?

I killed ALCMTR.exe, thanks.

For Malwarebytes I only scanned C drive, should I do others or is that what you wanted? (shouldn't I have Windows 7?)

Malwarebytes' Anti-Malware 1.44
Database version: 3748
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

2/16/2010 6:33:59 PM
mbam-log-2010-02-16 (18-33-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 139127
Time elapsed: 18 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)