#1 (permalink) |
|
Registered User
Join Date: Jun 2008
Posts: 93
OS: XP Service Pack 2
|
continuation of the viruses, correspondence with Ried, work computer #3
-- Dear Ried, I believe this computer is clean, but just in case --
DDS (Ver_09-06-26.01) - NTFSx86
Run by Zak Malakan at 13:21:41.25 on Tue 06/30/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1790.1358 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\DOCUME~1\ZAKMAL~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Documents and Settings\Zak Malakan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://en.us.acer.yahoo.com
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
mStart Page = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
mRun: [Preload] c:\windows\RUNXMLPL.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe /idle
mRun: [Acer ePresentation HPD] c:\acer\empowering technology\epresentation\ePresentation.exe
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Boot] c:\acer\empowering technology\epower\Boot.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerem~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2007-4-3 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2007-4-2 35712]
S2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2006-4-14 28933976]

=============== Created Last 30 ================

2009-06-23 11:58 100 a------- c:\documents and settings\zak malakan\drvkeys.bat
2009-06-23 11:57 92 a------- c:\windows\GridV.UNI
2009-06-23 11:52 78,208 a------- c:\windows\system32\drivers\epm-shd.sys
2009-06-23 11:52 57,344 a------- c:\windows\system32\acpimof.dll
2009-06-23 11:52 45,056 a------- c:\windows\system32\Epm-Po.dll
2009-06-23 11:52 4,096 a------- c:\windows\system32\drivers\epm-psd.sys
2009-06-23 11:51 69,632 a------- c:\windows\system32\eRecUtil.dll
2009-06-23 11:51 602,112 a------- c:\windows\system32\Acer.Empowering.Windows.Forms_v820.dll
2009-06-23 11:51 602,112 a------- c:\windows\system32\Acer.Empowering.Windows.Forms.dll
2009-06-23 11:51 331,776 a------- c:\windows\system32\ScrollBarLib.dll
2009-06-23 11:51 53,248 a------- c:\windows\system32\Interop.Shell32.dll
2009-06-23 11:51 49,152 a------- c:\windows\system32\SysMonitor.exe
2009-06-23 11:51 <DIR> --d----- C:\Acer
2009-06-23 11:51 <DIR> --d----- c:\program files\Yahoo!
2009-06-23 11:50 631 -------- C:\PDVD.iss
2009-06-23 11:50 27,168 -------- c:\windows\system32\msxml3a.dll
2009-06-23 11:49 36,909,056 a------- c:\windows\system32\acer.scr
2009-06-23 11:49 9,178,170 a------- c:\windows\system32\acer.exe
2009-06-23 11:49 <DIR> --d----- c:\windows\ACER
2009-06-23 11:48 <DIR> --d----- c:\program files\Fingerprint Sensor
2009-06-23 11:45 <DIR> --d----- c:\program files\ATI Technologies
2009-06-23 11:44 <DIR> --d----- c:\documents and settings\Zak Malakan
2009-06-23 00:34 8,192 a------- c:\windows\REGLOCS.OLD
2009-06-23 00:32 <DIR> --d----- c:\program files\CONEXANT
2009-06-23 00:28 2,215 a--sh--- C:\Patch.rev
2009-06-23 00:25 3,072,056 a------- c:\windows\ACERTX.bmp
2009-06-23 00:25 988,800 a------- c:\windows\system32\drivers\HSF_DPV.sys
2009-06-23 00:25 730,112 a------- c:\windows\system32\drivers\HSF_CNXT.sys
2009-06-23 00:25 209,664 a------- c:\windows\system32\drivers\HSFHWAZL.sys
2009-06-23 00:25 176,128 a------- c:\windows\system32\UCI32M16.dll
2009-06-23 00:25 144,201 a------- c:\windows\system32\drivers\HSFProf.cty
2009-06-23 00:25 94,208 a------- c:\windows\system32\mdmxsdk.dll
2009-06-23 00:25 12,672 a------- c:\windows\system32\drivers\mdmxsdk.sys
2009-06-23 00:23 131,072 a------- c:\windows\PRELAUNCH.EXE
2009-06-23 00:23 <DIR> --d----- c:\windows\Lan
2009-06-23 00:23 39 a------- c:\windows\PreLaunch.ini

==================== Find3M ====================

============= FINISH: 13:21:48.26 =============== |
|
|
#2 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,524
OS: WinXP and Vista
|
Re: continuation of the viruses, correspondence with Ried, work computer #3
It looks fine, arda21.
1. Make sure you get an AV installed asap. If you are in need of a good free AV, download Avira AntiVir Personal. Install it and be sure to update definitions.
2. Don't forget to download and install all critical Windows Updates.
3. To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.
4. Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer |
|
|
|
|
#3 (permalink) |
|
Registered User
Join Date: Jun 2008
Posts: 93
OS: XP Service Pack 2
|
Re: continuation of the viruses, correspondence with Ried, work computer #3
Ried, that's great. I am gonna actually save this page and show it to my colleagues so they can be educated a bit too about keeping up to date.
Now just 2 more last questions. The only one left that I am having problems with is my home desktop; I will do those scans today and just wait until you have time to look at the logs. The second and most important question is that I am still suspicious about my USB drives (I deleted that program that you told me to), but the best way to keep these guys virus free is just scanning them again with virus scanners, or is there a special precaution/tool that you would suggest for USB drives? Thanks. |
|
|
|
|
#4 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,524
OS: WinXP and Vista
|
Re: continuation of the viruses, correspondence with Ried, work computer #3
Run this tool on all usb drives and computers:
Flash_Disinfector.exe and save it to the desktop. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
|