Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads

User Tag List

Possible Virus/Trojan?

This is a discussion on Possible Virus/Trojan? within the Resolved HJT Threads forums, part of the Tech Support Forum category. I'm having issues with ZoneAlarm not being able to activate anti-virus/anti-spyware. I've updated the a.v. database as well as the


 
 
Thread Tools Search this Thread
Old 03-02-2011, 09:44 AM   #1
Registered Member
 
Join Date: Nov 2008
Posts: 33
OS: Win XP



I'm having issues with ZoneAlarm not being able to activate anti-virus/anti-spyware. I've updated the a.v. database as well as the app itself to the latest versions but still cannot get av/as to activate. It remains disabled and the option to turn it on is grayed out.

I'm also unable to get online more often than not. Something seems to be intermittently disabling my connection.

Below are the requested files and attachments.

DDS (Ver_10-12-12.02) - NTFSx86
Run by Dan Velcofsky at 9:11:22.48 on Wed 03/02/2011
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.481 [GMT -5:00]

AV: ZoneAlarm Extreme Security Antivirus *Disabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdxserv.exe
C:\WINDOWS\system32\lxdxcoms.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\SOS Online Backup\OverlayCache.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxMsdMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Intuit\QUICKB~1\COMPON~1\qbagent\QBDAGE~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Dan Velcofsky\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.forwardsolutions.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.dellnet.com
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mCustomizeSearch = hxxp://ie.search.msn.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} -
uURLSearchHooks: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} -
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [lxdxmon.exe] "c:\program files\lexmark 3600-4600 series\lxdxmon.exe"
mRun: [lxdxamon] "c:\program files\lexmark 3600-4600 series\lxdxamon.exe"
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &AOL Toolbar Search
IE: &eBay Search
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmsp9dmo.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} - hxxp://office.microsoft.com/productupdates/content/opuc.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} - hxxp://www.snapfish.com/SnapfishUpload.cab
DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - hxxps://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxp://soam1.csuso.csu.ct.edu/dwa7W.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30155.www3.hp.com/ediags/hpfix/sj/en/check/xp/qdiagh.cab?326
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\danvel~1\applic~1\mozilla\firefox\profiles\dq5vz0bk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.forwardsolutions.net/
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Autofill Forms: [email protected] - %profile%\extensions\[email protected]

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2011-3-2 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-3-2 317072]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-4-11 528128]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 26352]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 493032]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [2009-1-30 98984]
R3 dsdd;dsdd;c:\windows\system32\drivers\dsvideo.sys [2005-10-26 2111]
R3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2010-3-16 35568]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-14 38224]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-26 136176]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-11-30 27064]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-3-6 1174152]
UnknownUnknown dsload;dsload; [x]

=============== Created Last 30 ================

2011-03-02 06:04:37 -------- d-----w- c:\docume~1\danvel~1\applic~1\MailFrontier
2011-03-02 05:50:11 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2011-03-02 05:49:30 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2011-02-27 16:36:51 -------- d-----w- c:\program files\Cabos
2011-02-04 01:57:15 398744 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-04 01:57:07 -------- d-----w- c:\program files\Coupons

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:08:45 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08:45 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08:45 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08:45 17408 ----a-w- c:\windows\system32\corpol.dll
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:25 389120 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 9:14:07.92 ===============
Attached Files
File Type: zip Attach.zip (11.7 KB, 59 views)
File Type: zip ark.zip (7.3 KB, 56 views)
Dan V. is offline  
Sponsored Links
Advertisement
 
Old 03-04-2011, 07:34 AM   #2
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



Hello, Welcome to TSF.
I'm nasdaq and will be helping you.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.

Please do not install or uninstall any programmes, or run any other scanners or software, unless I specifically ask you to do so. Also please copy and paste logs into the thread, rather than add them as attachments.
===

Quote:
It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free versions of commercial antiviruses. Be sure to only install one.
avast!.
AntiVir
When the program is installed please run it and remove all items that it will find.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do not mouse click ComboFix's window while it's running. That may cause it to stall
===

Let me know what problem perists.
__________________
nasdaq is offline  
Old 03-04-2011, 08:41 AM   #3
Registered Member
 
Join Date: Nov 2008
Posts: 33
OS: Win XP



Hi nasdaq. Thank you for helping. I was able yesterday to correct the av/as problem in ZoneAlarm by downloading and running their "updater" program. I then ran a complete scan but it found nothing.

I just ran ComboFix as instructed. After it ran, my screen was blank except for the wallpaper. No icons, no taskbar. I pressed ALT/Tab which revealed Outlook, so I was able to click on this thread link in my email to get back here, but it automatically opened Internet Explorer, which is NOT my default browser. I am also experiencing instability, although this was going on before running ComboFix. I get messages like, "Program XYZ has encountered a problem and needs to close..." I am also getting memory reference errors. A typical one is "The instruction at '0x10011d6c' referenced memory at '0x00f13558'. The memory could not be 'read'.

Anyway, here's the logfile for ComboFix:

ComboFix 11-03-03.04 - Dan Velcofsky 03/04/2011 11:01:26.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.486 [GMT -5:00]
Running from: c:\documents and settings\Dan Velcofsky\Desktop\ComboFix.exe
FW: ZoneAlarm Extreme Security Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dan Velcofsky\g2mdlhlpx.exe
c:\documents and settings\Dan Velcofsky\System
c:\documents and settings\Dan Velcofsky\System\win_qs8.jqx
c:\program files\INSTALL.LOG
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.8.inf
c:\windows\Downloaded Program Files\Oracle
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c5da4d7fd46e94\cnsproxy.exe
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c5da4d7fd46e94\console.exe
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c5da4d7fd46e94\conuienu.dll
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c5da4d7fd46e94\cubert.dll
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c5da4d7fd46e94\dsdd.dll
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c5da4d7fd46e94\dsdd.in_
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c5da4d7fd46e94\dsengine.dll
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c5da4d7fd46e94\dsgrab.dll
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c5da4d7fd46e94\dshook.dll
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c5da4d7fd46e94\dsload.sys
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c5da4d7fd46e94\dspcube.dll
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c5da4d7fd46e94\dsvideo.sys
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c5da4d7fd46e94\gdihk16.dll
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c5da4d7fd46e94\instctrl.dll
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c5da4d7fd46e94\language.xml
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c5da4d7fd46e94\setup.exe
c:\windows\Fonts\acrsec.fon
c:\windows\ST6UNST.000
c:\windows\system32\Cache
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-02-04 to 2011-03-04 )))))))))))))))))))))))))))))))
.

2011-03-04 11:59 . 2011-03-04 12:00 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2011-03-02 06:04 . 2011-03-02 23:26 -------- d-----w- c:\documents and settings\Dan Velcofsky\Application Data\MailFrontier
2011-03-02 05:50 . 2009-10-12 23:15 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2011-03-02 05:49 . 2010-08-29 07:53 69120 ----a-w- c:\windows\system32\zlcomm.dll
2011-03-02 05:49 . 2010-08-29 07:53 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2011-03-02 05:49 . 2010-08-29 07:53 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2011-02-27 16:36 . 2011-02-27 16:36 -------- d-----w- c:\program files\Cabos
2011-02-04 01:57 . 2011-02-04 01:57 398744 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-04 01:57 . 2011-02-04 01:57 -------- d-----w- c:\program files\Coupons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2003-08-13 20:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2001-08-18 13:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2002-02-21 00:46 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2003-08-13 19:54 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:09 . 2009-12-14 23:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08 . 2004-02-06 22:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08 . 2003-08-13 19:53 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08 . 2001-08-18 13:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-12-20 23:08 . 2009-12-14 23:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2001-08-18 13:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 05:59 389120 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2001-08-18 13:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2001-08-18 13:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 1980-01-01 06:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 1980-01-01 06:00 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!0SharedFileOverlay]
@="{C85F4084-C3E3-453c-B242-4BDABA8F58FB}"
[HKEY_CLASSES_ROOT\CLSID\{C85F4084-C3E3-453c-B242-4BDABA8F58FB}]
2010-07-07 15:38 686464 ------w- c:\program files\SOS Online Backup\ShlOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!1LiveProtectedFileOverlay]
@="{C26F9E4A-0BA6-4005-90FE-8665DBC229C8}"
[HKEY_CLASSES_ROOT\CLSID\{C26F9E4A-0BA6-4005-90FE-8665DBC229C8}]
2010-07-07 15:38 686464 ------w- c:\program files\SOS Online Backup\ShlOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!2BackedupFileOverlay]
@="{3F1FB271-8290-4330-8069-310F32C030EF}"
[HKEY_CLASSES_ROOT\CLSID\{3F1FB271-8290-4330-8069-310F32C030EF}]
2010-07-07 15:38 686464 ------w- c:\program files\SOS Online Backup\ShlOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!3ProtectedFileOverlay]
@="{A94C4834-6F18-491F-A205-3AFF24B16BC0}"
[HKEY_CLASSES_ROOT\CLSID\{A94C4834-6F18-491F-A205-3AFF24B16BC0}]
2010-07-07 15:38 686464 ------w- c:\program files\SOS Online Backup\ShlOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!4ConflictedFileOverlay]
@="{D1542785-76CA-4d0c-9688-F290B1E77E01}"
[HKEY_CLASSES_ROOT\CLSID\{D1542785-76CA-4d0c-9688-F290B1E77E01}]
2010-07-07 15:38 686464 ------w- c:\program files\SOS Online Backup\ShlOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!5SyncingFileOverlay]
@="{06DF45CB-D312-4306-B97D-6CDA50A10B30}"
[HKEY_CLASSES_ROOT\CLSID\{06DF45CB-D312-4306-B97D-6CDA50A10B30}]
2010-07-07 15:38 686464 ------w- c:\program files\SOS Online Backup\ShlOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!6SyncedFileOverlay]
@="{58605E40-AE20-45d7-887B-08F3D9FF3651}"
[HKEY_CLASSES_ROOT\CLSID\{58605E40-AE20-45d7-887B-08F3D9FF3651}]
2010-07-07 15:38 686464 ------w- c:\program files\SOS Online Backup\ShlOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2001-12-31 3756032]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-14 196608]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"lxdxmon.exe"="c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe" [2008-06-13 668328]
"lxdxamon"="c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe" [2008-06-13 16040]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2008-06-13 320168]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-08-29 1039360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-6 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
backup=c:\windows\pss\Forget Me Not.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2002 Delivery Agent.lnk]
backup=c:\windows\pss\QuickBooks 2002 Delivery Agent.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-04-10 22:44 679936 -c--a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 08:59 122880 ----a-w- c:\windows\BCMSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-10-19 12:59 126976 -c--a-w- c:\windows\SYSTEM32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-19 12:59 155648 -c--a-w- c:\windows\SYSTEM32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2001-12-31 16:04 46080 -c--a-r- c:\windows\SYSTEM32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2001-12-31 16:04 831488 -c--a-r- c:\windows\SYSTEM32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-11-09 20:07 49263 -c--a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/14/2009 8:30 AM 26352]
R3 dsdd;dsdd;c:\windows\SYSTEM32\DRIVERS\dsvideo.sys [10/26/2005 11:53 AM 2111]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [3/16/2010 3:55 AM 35568]
S3 Revoflt;Revoflt;c:\windows\SYSTEM32\DRIVERS\revoflt.sys [11/30/2010 7:06 PM 27064]
UnknownUnknown dsload;dsload; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-26 06:28]

2009-05-16 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.forwardsolutions.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.dellnet.com
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search
IE: &eBay Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Dan Velcofsky\Application Data\Mozilla\Firefox\Profiles\dq5vz0bk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.forwardsolutions.net/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Autofill Forms: [email protected] - %profile%\extensions\[email protected]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Share-to-Web Namespace Daemon - c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
AddRemove-imtclient - c:\windows\Downloaded Program Files\Oracle\iMeeting\01c5da4d7fd46e94\setup.exe
AddRemove-Mr. Hankey Screen Saver v1.1 - c:\program files\Fart Brothers
AddRemove-Smart Start Spanish - c:\sstspdlx\DeIsL1.isu


.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-03-04 11:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2291903390-2243138800-104724495-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\dsGinaLoader.dll
c:\program files\juniper networks\Network Connect 5.3.0\dsNcGina.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'lsass.exe'(788)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'csrss.exe'(708)
c:\program files\CheckPoint\ZAForceField\AK\akconsole.dll
.
Completion time: 2011-03-04 11:19:05
ComboFix-quarantined-files.txt 2011-03-04 16:19
.
Pre-Run: 9,094,856,704 bytes free
Post-Run: 9,830,477,824 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 655C9A549D0E42D1960D013B52DDB312
Dan V. is offline  
Sponsored Links
Advertisement
 
Old 03-04-2011, 08:46 AM   #4
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



Quote:
"Program XYZ has encountered a problem and needs to close..." I am also getting memory reference errors. A typical one is "The instruction at '0x10011d6c' referenced memory at '0x00f13558'. The memory could not be 'read'.

Read more: Possible Virus/Trojan? - Tech Support Forum https://www.techsupportforum.com/foru...#ixzz1FeMyrH1h
Possible virus infection. Please install one of the Virus programs I suggested and run it.
__________________
nasdaq is offline  
Old 03-04-2011, 09:07 AM   #5
Registered Member
 
Join Date: Nov 2008
Posts: 33
OS: Win XP



So you don't think that ZoneAlarm Anti-Virus/Anti-Spyware was effective?

I downloaded Avira to my desktop but since my desktop is blank except for the wallpaper, I'm not sure how to get to it again to install it. I didn't want to restart Windows since you hadn't told me to.
Dan V. is offline  
Old 03-04-2011, 09:51 AM   #6
Registered Member
 
Join Date: Nov 2008
Posts: 33
OS: Win XP



OK, I'm not sure how, but I was able to restore my desktop and taskbar. I'm currently running a full scan with Avira. Will post back with the results.
Dan V. is offline  
Old 03-04-2011, 03:51 PM   #7
Registered Member
 
Join Date: Nov 2008
Posts: 33
OS: Win XP



I ran the full system scan with Avira. Nothing in the report except 3 hidden files.

Let me know if there's anything else I should do.
Dan V. is offline  
Old 03-05-2011, 06:33 AM   #8
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



If still receiving the error message, navigate to this page.
The instruction at "0x10011d6c: references memory at - Microsoft Answers

Run this scan.

2a. WinXP => Run the Windows Live Safety Center's 'Protection' scan (only!) in Safe Mode with Networking, if need be: https://onecare.live.com/site/en-us/center/howsafe.htm

Let me know what problem persists.
__________________
nasdaq is offline  
Old 03-05-2011, 08:25 PM   #9
Registered Member
 
Join Date: Nov 2008
Posts: 33
OS: Win XP



Ran the scan from Microsoft's OneCare site and this is what it found and was "unable to clean". I did a search through the ms encyclopedia for this and found only one entry dated Mar. 1, 2011. No tech info yet available.

Exploit:Java/CVE-2010-0840.BF

c:\documents and settings\dan velcofsky\application data\sun\java\deployment\cache\6.0\17\7a64aa11-36fb6f44

folder/ump_45.class
Dan V. is offline  
Old 03-06-2011, 06:19 AM   #10
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



Lets clean and install the latest Java program.

Secure your system by updating 3rd party programs.

Clean the old registry entries left over by older versions of Java.
Please download JavaRa

If you get this message:
Problems with the download? Please use this direct link or try another mirror.

Select the Direct link download unzip it to your Desktop.

Double click JavaRa.exe then click Remove Older Versions.
In Vista and Windows 7 right click the JavaRa.exe and select run as Administrator.

Make sure that all the previous versions of Java are removed.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
  • Java 2 Runtime Environment, SE v1.4.2
  • J2SE Runtime Environment 5.0
  • J2SE Runtime Environment 6.0 Update 2, etc...
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.

Why should I remove older versions of Java from my
Why should I remove older versions of Java from my system?

Next,

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • In the box labeled "Java Platform, Standard Edition", click the "Download JRE" button to the right.
  • In the Window that opens, select Windows (or Windows x64), and check the "agree" box and click "Continue".
  • Click on the link to download Windows Offline Installation and save to your Desktop.
  • Then from your Desktop double-click on jre-6u24-windows-i586.exe that you have downloaded to install the newest version (the x64 version is jre-6u24-windows-x64.exe).
    - Note: If you are running Vista or Windows 7, you may need to right-click on the installation file and select Run as Administrator.
__________________
nasdaq is offline  
Old 03-06-2011, 03:12 PM   #11
Registered Member
 
Join Date: Nov 2008
Posts: 33
OS: Win XP



OK, I did all that. Using the Windows Add or Remove Programs, I ran into an error trying to uninstall Java 6 Update 19. Message was Internal error 2753. regutils.dll Fatal error during install.

I tried again with Revo Uninstaller Pro and was able to remove all of it.
Dan V. is offline  
Old 03-07-2011, 04:52 AM   #12
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



Are you still getting memory reference errors?
__________________
nasdaq is offline  
Old 03-07-2011, 07:33 AM   #13
Registered Member
 
Join Date: Nov 2008
Posts: 33
OS: Win XP



I get them occasionally when I close a program. The program closes fine and then that message apears several seconds afterwards.

I also still get the "Program XYZ has encountered a problem and needs to close..." message.

I'm beginning to think that the pc itself is ready for the recycle bin. It's pretty old. It's a Dell Dimension 2300, circa 2002. It has only a 1GB RAM capacity, which in today's world is minuscule and not nearly enough.

I have no problem replacing the machine as I've been planning on it for awhile. I just want to make sure that it's virus/malware free before I back everything up for transfer to a new one.
Dan V. is offline  
Old 03-07-2011, 08:36 AM   #14
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



Please download DrWeb-CureIt and save it to your Desktop. Do NOT perform a scan yet
  • Double-click on drweb-cureit.exe to start the program.
    An Express Scan of your PC notice will appear.
  • Under Start the Express Scan Now, Click OK to start the scan.
    This is a short scan that will scan the files currently running in memory.
    If something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis
  • Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
  • Then click the Start/Stop Scanning button (green arrow on the right, and the scan will start.
  • When finished, a message will be displayed at the bottom advising if any viruses were found.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found.
    If so, click it, then click the next icon right below and select Move incurable.
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit when you have finished.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
__________________
nasdaq is offline  
Old 03-08-2011, 03:35 PM   #15
Registered Member
 
Join Date: Nov 2008
Posts: 33
OS: Win XP



Yikes! That was a looooong scan!

Anyway, here's the DrWeb report:

Pedaling through Attain.doc\Storage0;C:\Documents and Settings\Dan Velcofsky\Desktop\Forward Solutions\MS Navision\Marketing Materials\Pedaling through Attain.doc;XM.Laroux;;
Pedaling through Attain.doc;C:\Documents and Settings\Dan Velcofsky\Desktop\Forward Solutions\MS Navision\Marketing Materials;Container contains infected objects;Moved.;
CouponPrinter.ocx;C:\WINDOWS;Adware.Coupons.34;Incurable.Moved.;
Dan V. is offline  
Old 03-09-2011, 05:47 AM   #16
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



Does the problem persists?
__________________
nasdaq is offline  
Old 03-09-2011, 07:45 AM   #17
Registered Member
 
Join Date: Nov 2008
Posts: 33
OS: Win XP



Yes, occasionally. Both the memory reference when closing a program issue and the "Program XYZ has encountered a problem and needs to close..." It doesn't seem as frequent as it was. Could it be a physical RAM issue?
Dan V. is offline  
Old 03-09-2011, 08:10 AM   #18
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



I do not think so.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
__________________
nasdaq is offline  
Old 03-09-2011, 03:23 PM   #19
Registered Member
 
Join Date: Nov 2008
Posts: 33
OS: Win XP



Here's the ESET scan list. I got the memory reference error upon closing ESET.

C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe probably a variant of Win32/Agent.HZHBURL trojan cleaned by deleting - quarantined
C:\Program Files\RegistryFix\RegistryFix.exe a variant of Win32/Adware.ErrorClean application cleaned by deleting - quarantined
C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\ZoneAlarmSB\bar\1.bin\Z4PLUGIN.DLL a variant of Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
Dan V. is offline  
Old 03-10-2011, 07:11 AM   #20
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



Download and run this tool.

Ad-Aware by Lavasoft - Antivirus software, free spyware removal, firewall
Ad-Aware Free

To help you use this tool view this tutorial.
Using Ad-Aware 2007 Free to remove Spyware & Hijackers from Your Computer
__________________
nasdaq is offline  
 

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Similar Threads
Thread Thread Starter Forum Replies Last Post
Task Scheduler virus/trojan
Hi, I have been fighting this issue for days now and cannot seem to truly get rid of this infection. The system is running Windows XP SP3. The symptoms are: 1) Microsoft Security Essentials is turned off 2) Many services including Security Center are disabled 3) Internet Explorer does not...
smayo44 Resolved HJT Threads 8 03-19-2011 03:47 PM
Suspected Virus/Trojan Causing Slow Internet?
Around sunday, I have notcied that my computer is acting really strange. Internet is the main noticeable thing. It slows down to a crawl over time in a matter of a couple hours and I have to restart my computer for a better connection. I was thinking i may of caught a virus. So, I ran a full...
DonoJoshu Resolved HJT Threads 1 01-27-2011 12:01 AM
Virus/Trojan has KO'ed my computer. Please help!
Hello everyone, So my computer has been infected with a wicked, wicked virus/trojan and I'm lost on how to go about things. Let me fill you guys in on the history. Yesterday, I decided that I wanted to watch Inception with the misses. Unfortunately, because she's Japanese, I needed to grab...
therascaldude Resolved HJT Threads 7 01-16-2011 12:21 PM
Please Help! Possible virus / malware infection.
I believe that either a virus or malware has infected my system, and nothing I've tried has been able to remove it. I use my computer to work from home, and if this situation is not corrected, I will lose my job.:upset: My System... I have an Acer Aspire 9503EWSMi laptop. My operating system is...
Coastwizard Virus/Trojan/Spyware Help 19 01-05-2011 08:46 AM
Windows system32 problem, possibly a virus/trojan. Please help.
I am currently running Windows Vista on my Toshiba laptop and after a normal reboot of the computer was alerted with a BAD IMAGE message (topi.exe) that multiple application extensions within system32 are - "either not designed to run on Windows or it contains an error. Try installing the program...
Adam3105 Resolved HJT Threads 1 01-03-2011 01:02 PM

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2
Powered by vBadvanced CMPS v3.2.3


All times are GMT -7. The time now is 12:39 PM.


Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
vBulletin Security provided by vBSecurity v2.2.2 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
User Alert System provided by Advanced User Tagging v3.1.0 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
Copyright 2001 - 2018, Tech Support Forum

Windows 10 - Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts