Author Topic: Vista antispyware 2012 infection  (Read 3164 times)


Offline HilltownJohn

  • Jr. Member
  • Posts: 5
Vista antispyware 2012 infection
« on: January 13, 2012, 03:14:11 PM »
Hello, and thank you in advance for your help. Two days ago I became infected with the subject malware, which started popping up many warnings about viruses that I quickly realized were fake. Most disturbing, when I try to open a program it says that program is infected and blocks it. I discovered this when I tried to use a snipping tool to capture a pop-up warning generated by the malware.
Please note that my computer is shut down and I am posting to your forum from my wife's iPad (or alternately from her laptop). While I am no expert, I consider myself to be tech-savvy and I am not afraid to "get my hands dirty."
The infected computer is a Dell 531, about 3 years old, running the original Windows Vista OS. I also have Norton 360 running and run nightly backups to a USB drive. I keep the OS and Norton updated and try to do the same with Adobe Reader, Flash Player, etc., but I'm sure there are gaps.
Before discovering this forum, I Googled the program name and wound up at malwareexperts.com. I went through many of their steps: booted into safe mode with networking, downloaded and ran rkill (it was not clear whether it worked), downloaded Malwarebytes, but I am not sure if it ran because I then started getting the malware pop-up windows again, even though I was still in safe mode. And when I tried to start IE from the Run box I got the pop-up that it was infected. So, being basically "dead in the water," I shut down the machine, took a day off, and today did more research and found you. Thanks for any help you can provide.

Offline HilltownJohn

  • Jr. Member
  • Posts: 5
Re: Vista antispyware 2012 infection
« Reply #1 on: January 13, 2012, 03:25:27 PM »
Perhaps I should have noted that I rarely run my computer from an administrator login, as I understand that increases risk. If I should choose the administrator login when I follow your instructions, please let me know. Thanks.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • Posts: 14804
  • "Stronger than the past, united in our goal."
Re: Vista antispyware 2012 infection
« Reply #2 on: January 13, 2012, 04:28:19 PM »
Hi, HilltownJohn.  Welcome to LandzDown Forum.

We will do our best to assist you.  However, in order to do so, please follow all instructions provided in the sequence given.  Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use.  This may cause conflicts with the tools being used in the cleanup process.   

If you have questions regarding any of the instructions or problems running any tools, please let us know.

For the purposes of cleanup, yes, please use your administrator login.  In the event you are unable to download any of the needed files please transfer them from a known clean computer (your wife's laptop).

1)  Please download the following two files (RKill link repeated in case you did not keep a copy).  In the event you are blocked by the malware from downloading, it will be necessary to go to an uninfected computer and then transfer the files to the infected computer via CD/DVD, external drive, or USB flash drive.

FixNCR.reg
Bleeping Computer Downloads: RKill

2)  Insert the removable device into the infected computer and open the folder for the drive letter associated with it. Double-click the FixNCR.reg file to fix the Registry on your infected computer.

3)  Copy the downloaded RKill file to the desktop of the infected computer.
  • Double-click rkill to run.
  • A command window will open and then disappear upon completion; this is normal.
  • Please leave rkill on the Desktop until otherwise advised.
  • Do NOT restart your computer after running rkill as the malware program(s) will start again.
Notes:

If you receive security warnings about rkill, please ignore them and allow the download to continue.

4)  Since you already downloaded MBAM, please proceed as follows:
  • Launch Malwarebytes' Anti-Malware, then click the Update tab and "Check for Updates".
  • Once the update has been installed and the program has loaded, select Quick scan
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:

  • Click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Please post contents of that file in your next reply.
** Note **

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In addition to the MBAM log, please return to the "Log Posting Instructions" topic and provide the requested logs from that topic, noting that it may take more than one reply.

Thank you.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline HilltownJohn

  • Jr. Member
  • Posts: 5
Re: Vista antispyware 2012 infection
« Reply #3 on: January 13, 2012, 08:37:42 PM »
Thank you Corrine, things are looking up. I am working from the infected computer now, so that is an improvement and I haven't seen the phony popups today. I downloaded all the suggested files on another computer onto a thumb drive, logged into the infected computer as administrator, moved the files to the desktop and ran FixNCR first, which seemed to run fine, but I do not think it created a log. I then ran Rkill, MalwareBytes, DDS (two logs), and SecurityCheck. Those logs are copied in order below.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/13/2012 at 14:33:24.
Operating System: Windows Vista (TM) Home Premium


Processes terminated by Rkill or while it was running:

C:\Users\Public\Downloads\Norton\{N360S_prod_1.6.18_5.1.0.29}\N360Downloader.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Windows\System32\grpconv.exe


Rkill completed on 01/13/2012 at 14:35:03.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 912011304

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

1/13/2012 4:50:43 PM
mbam-log-2012-01-13 (16-50-43).txt

Scan type: Quick scan
Objects scanned: 229078
Time elapsed: 5 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\Zango@Zango.com (Adware.Zango) -> Value: Zango@Zango.com -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\Users\webmaster\AppData\Roaming\Zango (Adware.Zango) -> Delete on reboot.
c:\programdata\ZangoSA (Adware.Zango) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\Zango (Adware.180Solutions) -> Quarantined and deleted successfully.

Files Infected:
c:\programdata\ZangoSA\ZangoSA.dat (Adware.Zango) -> Quarantined and deleted successfully.
c:\programdata\ZangoSA\zangosaabout.mht (Adware.Zango) -> Quarantined and deleted successfully.
c:\programdata\ZangoSA\zangosaeula.mht (Adware.Zango) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\Zango\reset cursor.lnk (Adware.180Solutions) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\Zango\Weather.lnk (Adware.180Solutions) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\Zango\zango customer support center.lnk (Adware.180Solutions) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\Zango\zango games!.lnk (Adware.180Solutions) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\Zango\zango library.lnk (Adware.180Solutions) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\Zango\zango screensavers!.lnk (Adware.180Solutions) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\Zango\zango uninstall instructions.lnk (Adware.180Solutions) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\Zango\zango videos!.lnk (Adware.180Solutions) -> Quarantined and deleted successfully.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421  BrowserJavaVersion: 1.6.0_21
Run by Webmaster at 17:09:23 on 2012-01-13
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2046.925 [GMT -5:00]
.
AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Windows\system32\CTsvcCDA.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Nexon\MapleStory\npkcmsvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\ico.exe
C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\System32\Pmxmiced.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4071019
uWindow Title = Internet Explorer provided by Dell
mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4071019
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\5.1.0.29\ips\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Dell DataSafe Scheduler] "c:\program files\dell datasafe online\bin\DataSafeOnlineScheduler.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Bluetooth HCI Monitor] RunDll32 HCIMNTR.DLL,RunCheckHCIMode
mRun: [PMX Daemon] ICO.EXE
mRun: [VolPanel] "c:\program files\creative\sbaudigy\volume panel\VolPanlu.exe" /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: Web-Based Email Tools - hxxp://email03.secureserver.net/Download.CAB
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {5C0E257E-9DFE-4955-AA93-0A9B166BAB50} - hxxp://demo.synology.com:5000/surveillance/object/SSObject.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
TCP: DhcpNameServer = 192.168.10.1
TCP: Interfaces\{5489F633-89D5-47B8-9C73-29358228756F} : DhcpNameServer = 192.168.10.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\webmaster\appdata\roaming\mozilla\firefox\profiles\i5yh8bs7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4071019
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn_2010_9_0_6\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\SymDS.sys [2012-1-6 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\SymEFA.sys [2012-1-6 744568]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\bashdefs\20111223.001\BHDrvx86.sys [2011-11-30 820344]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\ipsdefs\20120112.002\IDSvix86.sys [2012-1-13 368248]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\Ironx86.sys [2012-1-6 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0501000.01d\symtdiv.sys [2012-1-6 331384]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-12 21504]
R2 N360;Norton 360;c:\program files\norton 360\engine\5.1.0.29\ccSvcHst.exe [2012-1-6 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-9 106104]
R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2007-10-18 23232]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2007-10-18 19008]
S2 gupdate1c98596cb068ad0;Google Update Service (gupdate1c98596cb068ad0);c:\program files\google\update\GoogleUpdate.exe [2009-2-2 133104]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-10-18 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-2-2 133104]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-6-12 21504]
S3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2011-12-13 21744]
.
=============== Created Last 30 ================
.
2012-01-13 19:54:28   --------   d-----w-   c:\users\webmaster\appdata\roaming\Malwarebytes
2012-01-13 19:53:32   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-13 19:53:31   --------   d-----w-   c:\programdata\Malwarebytes
2012-01-13 19:53:15   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-01-13 19:53:14   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-01-11 16:46:52   1205064   ----a-w-   c:\windows\system32\ntdll.dll
2012-01-11 16:46:47   189952   ----a-w-   c:\windows\system32\winmm.dll
2012-01-11 16:46:46   23552   ----a-w-   c:\windows\system32\mciseq.dll
2012-01-11 16:46:43   66560   ----a-w-   c:\windows\system32\packager.dll
2012-01-11 16:46:40   376320   ----a-w-   c:\windows\system32\winsrv.dll
2012-01-11 16:46:37   1314816   ----a-w-   c:\windows\system32\quartz.dll
2012-01-11 16:46:36   497152   ----a-w-   c:\windows\system32\qdvd.dll
2012-01-06 17:24:47   26600   ----a-w-   c:\windows\system32\drivers\GEARAspiWDM.sys
2012-01-06 16:39:46   744568   ----a-r-   c:\windows\system32\drivers\n360\0501000.01d\SymEFA.sys
2012-01-06 16:39:46   516216   ----a-r-   c:\windows\system32\drivers\n360\0501000.01d\srtsp.sys
2012-01-06 16:39:46   50168   ----a-r-   c:\windows\system32\drivers\n360\0501000.01d\srtspx.sys
2012-01-06 16:39:46   340088   ----a-r-   c:\windows\system32\drivers\n360\0501000.01d\SymDS.sys
2012-01-06 16:39:46   331384   ----a-r-   c:\windows\system32\drivers\n360\0501000.01d\symtdiv.sys
2012-01-06 16:39:46   296568   ----a-r-   c:\windows\system32\drivers\n360\0501000.01d\symnets.sys
2012-01-06 16:39:46   136312   ----a-r-   c:\windows\system32\drivers\n360\0501000.01d\Ironx86.sys
2012-01-06 16:39:30   --------   d-----w-   c:\windows\system32\drivers\n360\0501000.01D
2012-01-03 13:22:02   103864   ----a-w-   c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-01-03 13:22:02   103864   ----a-w-   c:\program files\internet explorer\plugins\nppdf32.dll
2011-12-24 19:06:55   --------   d-----w-   c:\program files\iPod
2011-12-24 19:06:51   --------   d-----w-   c:\program files\iTunes
2011-12-21 03:04:27   --------   d-----w-   c:\program files\Bonjour
2011-12-15 00:39:58   3602816   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2011-12-15 00:39:58   3550080   ----a-w-   c:\windows\system32\ntoskrnl.exe
2011-12-15 00:39:56   429056   ----a-w-   c:\windows\system32\EncDec.dll
2011-12-15 00:39:54   2043904   ----a-w-   c:\windows\system32\win32k.sys
2011-12-15 00:39:51   49152   ----a-w-   c:\windows\system32\csrsrv.dll
2011-12-15 00:39:48   2048   ----a-w-   c:\windows\system32\tzres.dll
.
==================== Find3M  ====================
.
2012-01-06 17:23:29   126584   ----a-w-   c:\windows\system32\drivers\SYMEVENT.SYS
2011-12-22 02:49:02   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-03 22:47:42   1798144   ----a-w-   c:\windows\system32\jscript9.dll
2011-11-03 22:40:21   1427456   ----a-w-   c:\windows\system32\inetcpl.cpl
2011-11-03 22:39:47   1127424   ----a-w-   c:\windows\system32\wininet.dll
2011-11-03 22:31:57   2382848   ----a-w-   c:\windows\system32\mshtml.tlb
2011-11-01 22:11:51   979456   ----a-w-   c:\windows\system32\MFH264Dec.dll
2011-11-01 22:08:54   4096   ----a-w-   c:\windows\system32\drivers\en-us\dxgkrnl.sys.mui
2011-11-01 22:08:53   519680   ----a-w-   c:\windows\system32\d3d11.dll
2011-11-01 22:08:53   369664   ----a-w-   c:\windows\system32\WMPhoto.dll
2011-11-01 22:08:53   252928   ----a-w-   c:\windows\system32\dxdiag.exe
2011-11-01 22:08:53   195584   ----a-w-   c:\windows\system32\dxdiagn.dll
2011-11-01 22:08:52   974848   ----a-w-   c:\windows\system32\WindowsCodecs.dll
2011-11-01 22:08:52   321024   ----a-w-   c:\windows\system32\PhotoMetadataHandler.dll
2011-11-01 22:08:52   189440   ----a-w-   c:\windows\system32\WindowsCodecsExt.dll
.
============= FINISH: 17:10:15.83 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 10/18/2007 2:32:40 PM
System Uptime: 1/13/2012 4:57:17 PM (1 hours ago)
.
Motherboard: Dell Inc. |  | 0RY206
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5600+ | Socket AM2  | 2800/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 288 GiB total, 55.676 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 4.534 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: HP Photosmart C6100
Device ID: ROOT\IMAGE\0000
Manufacturer: Hewlett-Packard
Name: HP Photosmart C6100
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe AIR
Adobe Community Help
Adobe Dreamweaver CS5
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Media Player
Adobe Reader 9.5.0
AIO_CDA_ProductContext
AIO_CDA_Software
AIO_Scan
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
Audible Download Manager
Bonjour
Brother HL-4040CDN
Browser Address Error Redirector
BufferChm
C6100
c6100_Help
CadStd
Compatibility Pack for the 2007 Office system
Conexant D850 PCI V.92 Modem
Copy
Creative MediaSource 5
CSOL
Dell Support Center
Dell System Customization Wizard
DellSupport
Destination Component
DeviceDiscovery
DeviceManagementQFolder
Digital Line Detect
DivX Content Uploader
DivX Web Player
DocProc
DocProcQFolder
eSupportQFolder
Fax
Games, Music, & Photos Launcher
getPlus(R) for Adobe
GOM Player
GoodSync
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Imaging Device Functions 8.0
HP OCR Software 8.0
HP Photosmart Essential
HP Photosmart.All-In-One Driver Software 8.0 .A
HP Product Assistant
HP Solution Center 8.0
HP Update
HP_Network_UserGuide
HPDiagnosticAlert
HPProductAssistant
HPSSupply
InfraRecorder
iTunes
Japanese Fonts Support For Adobe Reader 9
Java Auto Updater
Java(TM) 6 Update 2
Java(TM) 6 Update 21
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6
Magellan Content Manager
Malwarebytes' Anti-Malware
MapleStory
Micro Logic Info Select 7
Microsoft .NET Framework 3.5 SP1
Microsoft FrontPage 2000
Microsoft Office File Validation Add-In
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Modem Diagnostic Tool
Mouse Suite for Desktop Computers
Mozilla Firefox (3.6.11)
Mozilla Thunderbird (3.1.4)
MSVCMergeModules
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetWaiting
Network
Norton 360
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIANetworkDiagnostic
OGA Notifier 2.0.0048.0
oggcodecs 0.71.0946
OpenOffice.org 2.4
OverDrive Media Console
Pando Media Booster
Product Documentation Launcher
PVSonyDll
QualxServ Service Agreement
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Rhapsody Player Engine
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
Scan
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Semper Driver Backup
Serif AlbumPlus 4
Serif MoviePlus X3
Serif MoviePlus X3 Resources
Serif PagePlus Starter Edition
Serif PagePlus X4
Serif PhotoPlus X4
Serif WebPlus X2
Serif WebPlus X2 Resources
Skype Toolbars
Skype™ 5.0
SolutionCenter
Sonic Activation Module
Sound Blaster Audigy ADVANCED MB
Spelling Dictionaries Support For Adobe Reader 9
Status
System Requirements Lab
Toolbox
TrayApp
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
User's Guides
VC 9.0 Runtime
WebReg
WIDCOMM Bluetooth Software 6.0.1.4300
.
==== Event Viewer Messages From Past Week ========
.
1/6/2012 2:07:55 PM, Error: Microsoft-Windows-PrintSpooler [6161]  - The document Microsoft Word - Document1, owned by John, failed to print on printer HP Photosmart C6100 series. Try to print the document again, or restart the print spooler.  Data type: NT EMF 1.008. Size of the spool file in bytes: 65536. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client computer: \\BSD-531. Win32 error code returned by the print processor: 6. The handle is invalid.
1/6/2012 2:05:16 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the stisvc service.
1/6/2012 12:50:55 PM, Error: Service Control Manager [7022]  - The Windows Update service hung on starting.
1/6/2012 12:46:17 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Windows Media Player Network Sharing Service service to connect.
1/6/2012 12:46:17 PM, Error: Service Control Manager [7000]  - The Windows Media Player Network Sharing Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
1/6/2012 1:55:15 PM, Error: Microsoft-Windows-PrintSpooler [6161]  - The document Alan_Porsche_Pics1.ppp, owned by John, failed to print on printer HP Photosmart C6100 series. Try to print the document again, or restart the print spooler.  Data type: NT EMF 1.008. Size of the spool file in bytes: 51179112. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client computer: \\BSD-531. Win32 error code returned by the print processor: 6. The handle is invalid.
1/13/2012 5:01:46 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
1/13/2012 5:01:46 PM, Error: Service Control Manager [7000]  - The Windows Search service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
1/13/2012 5:01:46 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
1/13/2012 5:00:24 PM, Error: Service Control Manager [7022]  - The HP CUE DeviceDiscovery Service service hung on starting.
1/13/2012 4:59:17 PM, Error: Service Control Manager [7000]  - The SupportSoft Sprocket Service (dellsupportcenter) service failed to start due to the following error:  The system cannot find the file specified.
1/13/2012 4:59:17 PM, Error: Service Control Manager [7000]  - The Parallel port driver service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/13/2012 2:53:14 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the TrkWks service.
1/11/2012 5:03:35 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
1/11/2012 5:01:10 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
1/11/2012 5:01:00 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
1/11/2012 5:00:56 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/11/2012 5:00:41 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
1/11/2012 5:00:29 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  BHDrvx86 eeCtrl IDSVix86 spldr SRTSP SRTSPX SymIRON SYMTDIv Wanarpv6
1/11/2012 5:00:29 PM, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
1/11/2012 4:55:13 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1115" attempting to start the service hpqcxs08 with arguments "" in order to run the server: {1DAEDD8A-30ED-4585-9CF1-13BDF7791DDE}
1/11/2012 4:50:35 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "109" attempting to start the service HPSLPSVC with arguments "" in order to run the server: {10DA4F3C-CC99-4190-BE4D-58330754E882}
1/11/2012 4:45:22 PM, Error: Service Control Manager [7043]  - The Group Policy Client service did not shut down properly after receiving a preshutdown control.
.
==== End Of File ===========================

 Results of screen317's Security Check version 0.99.24 
 Windows Vista Service Pack 2 x86 (UAC is enabled) 
 Internet Explorer 9 
``````````````````````````````
Antivirus/Firewall Check:

 Windows Firewall Disabled! 
 Norton 360     
 WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

 Malwarebytes' Anti-Malware   
 Java(TM) 6 Update 21 
 Java(TM) SE Runtime Environment 6
 Java(TM) 6 Update 2 
 Java(TM) 6 Update 3 
 Java(TM) 6 Update 4 
 Java(TM) 6 Update 5 
 Java(TM) 6 Update 7 
 Out of date Java installed!
  Adobe Flash Player (   10.3.183.7) Flash Player Out of Date! 
 Mozilla Firefox (3.6.11) Firefox Out of Date! 
 Mozilla Thunderbird (3.1.4) Thunderbird Out of Date! 
````````````````````````````````
Process Check: 
objlist.exe by Laurent

 Norton ccSvcHst.exe
``````````End of Log````````````


Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • Posts: 14804
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Vista antispyware 2012 infection
« Reply #4 on: January 13, 2012, 11:35:10 PM »
Hi, HilltownJohn. 

With the old, vulnerable versions of Java, you are actually lucky that your computer hasn't been more severely infected.  Unfortunately, it doesn't matter if the most recent Java is installed (although it isn't in your case), if older versions are still on the computer, a program (malware) can call up the older, vulnerable version of Java! 

So, let's get Java cleaned up.  Please uninstall the following:

Java(TM) 6 Update 21
Java(TM) SE Runtime Environment 6
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7

Please download JavaRa and unzip it to your desktop.

  • Double-click on JavaRa.exe to start the program.  (Windows Vista users Right-click JavaRa.exe > Select Run as Administrator)
  • Click on Remove Older Versions to remove older versions of Java.
  • A logfile will pop up. Please save it to a convenient location.  (No need to post the log.)

Then download and install Java SE Runtime Environment 6u30.   

Note:  UNCHECK any pre-checked toolbar and/or software options presented with the update.  They are not part of the software update and are completely optional.   

Adobe Flash Player recently had critical security updates as well.  Please download the current versions for IE and Firefox:
Flash Player 11 (32-Bit)

    IE 32-Bit:  http://fpdownload.macromedia.com/pub/flashplayer/current/licensing/win/install_flash_player_11_active_x_32bit.exe
    Non-IE 32-Bit (Opera, Firefox etc):  http://fpdownload.macromedia.com/pub/flashplayer/current/licensing/win/install_flash_player_11_plugin_32bit.exe

Note:  Be careful to UNCHECK the "Free McAfee® Security Scan Plus (optional)" scan.  It is not needed for the Flash Player update.  In addition, any toolbar offered with Adobe products can be unchecked if not wanted.

The current version of Firefox is 9.0.1.  I realize it is quite a change from version 3.  You need to either update to version 9.0.1 or at least install the most recent update for version 3 from the localized versions:  https://www.mozilla.org/en-US/firefox/all-older.html (Scroll down the page for English (US), 3.6.25.)

Similarly, Thunderbird is also at version 9.0.1:  http://www.mozilla.org/en-US/thunderbird/
The localized English version of updated Thunderbird 3.1.17 is available from https://www.mozilla.org/en-US/thunderbird/all-older.html

Once all that has been completed, let's clean temp files.  Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.
Please confirm that all is well now.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline HilltownJohn

  • Jr. Member
  • Posts: 5
Re: Vista antispyware 2012 infection
« Reply #5 on: January 14, 2012, 12:28:48 AM »
Thank you so much Corrine! I will do these before any other work on the computer. One quick question: Do I use Windows Remove Programs on the various versions of Java and then run JavaRa or is JavaRa all I need to do the uninstalls? Sorry for being dense and thanks again.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • Posts: 14804
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Vista antispyware 2012 infection
« Reply #6 on: January 14, 2012, 01:05:52 AM »
Hi, HilltownJohn.

Use Windows Remove Programs on the Java versions first.  Then JavaRa will clean up any leftovers that Java likes to leave behind in the uninstall process.


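The uninstall step Corrine lays out in Reply #4 and Reply #6 (remove each JRE through Programs and Features first, then let JavaRa sweep up what the uninstaller leaves behind), scripted as an added example. This is not code from the thread or from JavaRa. It reads the same Uninstall registry keys Programs and Features displays, so it assumes the JREs were installed by their MSI (UninstallString carries a product GUID) and that the display names match those in the log above; the -Uninstall and -KeepNewest switches and the leftover check under C:\Program Files\Java are my own additions. It needs PowerShell 2.0, which is an optional install on Vista, and an elevated prompt.

```powershell
# Added example, not code from the thread or from JavaRa: list every Java 6
# runtime registered under the Uninstall keys (the same entries Programs and
# Features shows), then optionally remove them with msiexec, oldest first.
# Run from an elevated PowerShell prompt (Right-click > Run as Administrator).
# Assumed: the JREs were installed by their MSI, so UninstallString carries a
# product GUID, and the display names look like those in the log above:
# "Java(TM) 6 Update N" or "Java(TM) SE Runtime Environment 6" (the 6u0 build).
param(
    [switch]$Uninstall,   # omit to only report what would be removed
    [switch]$KeepNewest   # leave the highest update in place (e.g. an already installed 6u30)
)

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    # 64-bit Windows only; silently skipped on 32-bit Vista
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$namePattern = '^Java\(TM\) (?:6 Update (\d+)|SE Runtime Environment 6)$'
$guidPattern = '\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'

$found = foreach ($root in $uninstallRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.DisplayName -and ($props.DisplayName -match $namePattern)) {
            # capture group 1 is empty for the bare "SE Runtime Environment 6"
            $update = 0
            if ($Matches[1]) { $update = [int]$Matches[1] }
            $code = $null
            if ($props.UninstallString -match $guidPattern) { $code = $Matches[0] }
            New-Object PSObject -Property @{
                DisplayName = $props.DisplayName
                Update      = $update
                ProductCode = $code
            }
        }
    }
}
$javaEntries = @($found | Sort-Object Update)

if ($javaEntries.Count -eq 0) { Write-Host 'No Java 6 runtimes registered.'; return }

Write-Host 'Installed Java 6 runtimes, oldest first:'
$javaEntries | Format-Table DisplayName, Update, ProductCode -AutoSize | Out-Host

# Every old JRE left on disk is still callable by a malicious page or program,
# so by default all of them go; -KeepNewest spares only the highest update.
$targets = $javaEntries
if ($KeepNewest) {
    $newest  = $javaEntries[$javaEntries.Count - 1]
    $targets = @($javaEntries | Where-Object { $_.Update -lt $newest.Update })
}

if (-not $Uninstall) {
    Write-Host "Re-run with -Uninstall to remove $($targets.Count) of them, then install the current JRE."
    return
}

foreach ($entry in $targets) {
    if (-not $entry.ProductCode) {
        Write-Warning "$($entry.DisplayName): no MSI product code, remove it via Programs and Features"
        continue
    }
    Write-Host "Removing $($entry.DisplayName) ..."
    # /x uninstall, /qn no UI, /norestart so one reboot at the end covers all of them
    $p = Start-Process -FilePath msiexec.exe -ArgumentList "/x $($entry.ProductCode) /qn /norestart" -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is pending
    if ($p.ExitCode -ne 0 -and $p.ExitCode -ne 3010) {
        Write-Warning "msiexec exit code $($p.ExitCode) for $($entry.DisplayName)"
    }
}

# The MSI uninstall often leaves C:\Program Files\Java\jre6 and friends behind;
# this is the residue JavaRa > Remove Older Versions cleans up.
$leftovers = Get-ChildItem -Path (Join-Path $env:ProgramFiles 'Java') -ErrorAction SilentlyContinue
if ($leftovers) {
    Write-Host 'Leftover Java directories (JavaRa territory):'
    $leftovers | ForEach-Object { Write-Host "  $($_.FullName)" }
}
```

Run it once without switches to see the list (the seven entries from the log should all appear), then with -Uninstall; reboot, run JavaRa for the leftovers, and only then install 6u30, which matches the order Corrine gives.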

Offline HilltownJohn

  • Jr. Member
  • Posts: 5
Re: Vista antispyware 2012 infection
« Reply #7 on: January 14, 2012, 02:27:13 PM »
Corrine, I can't thank you enough for your very thorough and extremely prompt directions! I have been through all the clean-up and update steps you gave and all seems well. You made a complex process manageable, and I could never have figured out all these steps and software apps. I have logged back onto my non-administrator user and both Firefox and Thunderbird are running well there. I went with the current versions of these and am adjusting to the new look and feel without much problem. Thunderbird was perfect about bringing in all my accounts and folders and saved emails. I will also start checking other applications like Adobe Reader to make sure they are up-to-date.

Two things to note. One, extremely minor, that is strictly an FYI, is that the link you provided for JavaRa now brings up a "file not found" message. Of course, it is not hard to locate and I found it at http://singularlabs.com/software/javara/javara-download/     The second is that the JavaRa log, in addition to many entries of successfully removing files, included roughly 20 lines that look like this:
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-ABCDEFFDCBA}. The error returned was 124.
(The only difference among the lines is the 4-digit string after "CAFEEFAC-0016".) I assume this is not a problem? Especially since I ran JavaRa before upgrading Firefox.

Anyway, thanks again.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • Posts: 14804
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Vista antispyware 2012 infection
« Reply #8 on: January 14, 2012, 07:39:23 PM »
Hi, HilltownJohn.

You are very welcome.  I'm glad I was able to help.  Also, thank you for the information about JavaRa.  I'll fix my standard instructions.  You are very astute in picking up the 4-digit string in the log regarding Java.  The reason is that uninstalling older versions of JRE may not uninstall the Java Console for that version, causing Firefox to accumulate multiple Java Console extensions located in the Firefox > Tools > Add-ons list (explained here).  So, here's how you can take care of that:
  • Make sure you already have the most recent version, Java SE Runtime Environment 6u30.
  • Go to C:\Program Files > Mozilla Firefox > extensions.
  • Delete the folders "{CAFEEFAC-0016-0000-xxxx-ABCDEFFEDCBA}", where xxxx is the number of the JRE-version.  Keep the highest number as this is the latest version, i.e., 0030.

To help you stay on top of third-party software updates like Adobe and Java as well as others, I suggest Secunia, which will check if your system is missing security updates or has insecure applications.  Install Secunia Personal Software Inspector or, alternatively, visit http://secunia.com/software_inspector/ .  The Secunia Software Inspector runs through your browser with no installation or download required and does the following:
  • Detects insecure versions of applications installed
  • Verifies that all Microsoft patches are applied
  • Assists you in updating your system and applications

Install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software: http://www.javacoolsoftware.com/spywareblaster.html

My favorite security software is WinPatrol which includes the features described at http://www.winpatrol.com/features.html.  If you have questions about WinPatrol, we have a forum here at LzD:  WinPatrol Help & Information.

Please let me know if you have any questions.


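The Java Console clean-up from Reply #8 (delete every {CAFEEFAC-0016-0000-xxxx-ABCDEFFEDCBA} folder under the Firefox extensions directory except the one for the newest JRE), as an added PowerShell example that is not code from the thread. It assumes 32-bit Vista with Firefox under C:\Program Files and the folder naming Corrine describes; the -ExtensionDir, -ExpectedUpdate and -Delete parameters are my own. It reports only, unless -Delete is given, and refuses to delete when the newest folder it finds is not the update you just installed, which is the case the post warns about (keep 0030 for 6u30). Run it elevated with Firefox closed.

```powershell
# Added example, not from the thread: remove the stale Java Console extension
# folders Firefox accumulated when older JREs were uninstalled, keeping only
# the newest one (0030 for JRE 6u30). Run elevated, with Firefox closed.
# Assumed: 32-bit Vista with Firefox under Program Files, and folder names of
# the form {CAFEEFAC-0016-0000-xxxx-ABCDEFFEDCBA}, xxxx being the JRE update.
param(
    [string]$ExtensionDir   = (Join-Path $env:ProgramFiles 'Mozilla Firefox\extensions'),
    [int]   $ExpectedUpdate = 30,   # the JRE update you just installed (6u30 in the thread)
    [switch]$Delete                 # omit to only report what would be removed
)

$consolePattern = '^\{CAFEEFAC-0016-0000-(\d{4})-ABCDEFFEDCBA\}$'

$consoles = @(
    Get-ChildItem -Path $ExtensionDir -ErrorAction Stop |
        Where-Object { $_.PSIsContainer -and $_.Name -match $consolePattern } |
        ForEach-Object {
            $null = $_.Name -match $consolePattern    # refresh $Matches for this folder
            New-Object PSObject -Property @{ Path = $_.FullName; Update = [int]$Matches[1] }
        } |
        Sort-Object Update
)

if ($consoles.Count -eq 0) { Write-Host "No Java Console extension folders under $ExtensionDir"; return }

$newest = $consoles[$consoles.Count - 1]
$stale  = @($consoles | Where-Object { $_.Update -lt $newest.Update })

Write-Host ("Keeping       {0}  (JRE 6u{1})" -f $newest.Path, $newest.Update)

# Safety check: if the newest folder is not the JRE you just installed, the
# console for the current JRE is missing and nothing should be deleted yet.
$safeToDelete = $Delete
if ($newest.Update -ne $ExpectedUpdate) {
    Write-Warning "Newest console folder is 6u$($newest.Update), not 6u$ExpectedUpdate; repair or reinstall the current JRE first. Reporting only."
    $safeToDelete = $false
}

foreach ($s in $stale) {
    if ($safeToDelete) {
        Remove-Item -Path $s.Path -Recurse -Force
        Write-Host "Deleted       $($s.Path)  (JRE 6u$($s.Update))"
    } else {
        Write-Host "Would delete  $($s.Path)  (JRE 6u$($s.Update))"
    }
}
if (-not $safeToDelete -and $stale.Count -gt 0) { Write-Host 'Re-run with -Delete to remove them.' }
```

The roughly twenty "error 124" lines in the JavaRa log correspond to exactly these folders, so a dry run should list about that many; after deleting, the Add-ons list in Firefox should show a single Java Console entry.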