Solved Trojan.Maljava!gen23

Discussion in 'Virus, Spyware and Malware Removal' started by ehimes1, Aug 7, 2012.


Thread Status:
Not open for further replies.
  1. ehimes1 Bronze Member

    Hi,
    Symantec notified me that I have this virus this morning, and Symantec's recommended actions appear to have failed. I have attached the requested logs; please let me know what, if anything, can be done to get rid of it.
    Thanks!
    Beth

  2. Pancake Security Team

    Please download Malwarebytes Anti-Malware from Malwarebytes.org
    Alternate link: Download Mirror

    (Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

    Double Click mbam-setup.exe to install the application.

    (Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)
    Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    If an update is found, it will download and install the latest version.
    Once the program has loaded, select "Perform Full Scan", then click Scan.
    The scan may take some time to finish, so please be patient.
    When the scan is complete, click OK, then Show Results to view the results.
    Make sure that everything is checked, and click Remove Selected.
    When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
    Please save the log to a location you will remember.
    The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Copy and paste the entire report in your next reply.
    If Malwarebytes fails to download please use the following link:

    http://malwarebytes.org/mbam-download-exe-random.php

    =============================================

    Download Combofix from any of the links below, and save it to your desktop.
    Link 1
    Link 2
    Link 3
    When saving ComboFix rename it to PCHelpForum.exe to prevent it from being blocked by malware.

    Refer to this image:
    To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
    • Close any open windows and double click PCHelpForum.exe to run it.
      You will see the following image:

    Click I Agree to start the program.
    ComboFix will then extract the necessary files and you will see this:


    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.
    It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    If you did not have it installed, you will see the prompt below. Choose YES.


    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    Click on Yes, to continue scanning for malware.
    When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
    Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.
    Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.
  3. ehimes1 Bronze Member

    Hi! Thanks for your response. I tried running the scan last night, and then again this morning, and the program keeps freezing. While I'm at work today my boyfriend is going to boot my laptop in safe mode and try to run the scan then. I will keep you posted!
  5. Crush Administrator & Security Team Leader

    Which program? Malwarebytes Anti Malware?
  6. ehimes1 Bronze Member

    Yes, sorry, that was vague. You are right, Malwarebytes Anti Malware is the program that has been freezing mid-scan.
  7. Crush Administrator & Security Team Leader

    Safe Mode should work, even though the program is not as powerful in that mode.
  8. ehimes1 Bronze Member

    Sorry for the delay! Here's the Malwarebytes log:

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.08.07.09

    Windows Vista Service Pack 2 x86 NTFS (Safe Mode)
    Internet Explorer 9.0.8112.16421
    Beth :: BETH-PC [administrator]

    8/8/2012 12:44:40 PM
    mbam-log-2012-08-08 (12-44-40).txt

    Scan type: Full scan (C:\|D:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 481516
    Time elapsed: 1 hour(s), 27 minute(s), 10 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    And the Combofix Log:

    ComboFix 12-08-10.02 - Beth 08/12/2012 12:50:44.3.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3002.1705 [GMT -4:00]
    Running from: c:\users\Beth\Downloads\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-12 to 2012-08-12 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-12 17:02 . 2012-08-12 17:02  --------  d-----w-  c:\users\Public\AppData\Local\temp
    2012-08-12 17:02 . 2012-08-12 17:02  --------  d-----w-  c:\users\Default\AppData\Local\temp
    2012-08-12 17:02 . 2012-08-12 17:02  --------  d-----w-  c:\users\Administrator\AppData\Local\temp
    2012-08-12 05:58 . 2012-08-12 16:46  56200  ----a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BD36F2A6-8ECB-4A1E-B239-13D9A1025371}\offreg.dll
    2012-08-12 05:58 . 2012-08-12 05:58  29904  ----a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BD36F2A6-8ECB-4A1E-B239-13D9A1025371}\MpKsle7da0892.sys
    2012-08-12 05:54 . 2012-06-29 08:44  6891424  ----a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BD36F2A6-8ECB-4A1E-B239-13D9A1025371}\mpengine.dll
    2012-08-12 01:32 . 2012-06-29 08:44  6891424  ----a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-08-08 22:56 . 2012-08-12 17:02  --------  d-----w-  c:\users\Beth\AppData\Local\temp
    2012-08-08 22:36 . 2012-08-08 22:56  --------  d-----w-  C:\PCHelpForum21463P
    2012-08-08 22:29 . 2012-08-08 22:29  --------  d-----w-  C:\PCHelpForum30475P
    2012-08-08 22:24 . 2012-08-08 22:26  --------  d-----w-  C:\PCHelpForum435P
    2012-08-08 22:23 . 2012-08-08 22:23  --------  d-----w-  C:\PCHelpForum24587P
    2012-07-30 22:54 . 2012-07-30 22:54  --------  d-----w-  c:\users\Beth\AppData\Local\Xfinity.com
    2012-07-29 22:58 . 2012-07-29 23:05  --------  d-----w-  c:\users\TEMP
    2012-07-29 21:25 . 2012-08-08 22:16  --------  d-----w-  c:\users\Beth\AppData\Local\NPE
    2012-07-29 21:04 . 2009-06-30 14:37  28552  ----a-w-  c:\windows\system32\drivers\pavboot.sys
    2012-07-29 21:04 . 2012-07-29 21:06  --------  d-----w-  c:\program files\Panda Security
    2012-07-27 23:53 . 2012-07-27 23:53  --------  d-----w-  C:\PCHelpForum14719P
    2012-07-27 17:34 . 2012-07-27 17:35  --------  d-----w-  C:\PCHelpForum24515P
    2012-07-24 15:36 . 2012-07-24 16:11  --------  d-----w-  C:\PCHelpForum21374P
    2012-07-15 20:36 . 2012-07-15 20:37  --------  d-----w-  c:\windows\CD95F661A5C444F5A6AAECDD91C240CC.TMP
    2012-07-15 20:22 . 2012-07-15 20:22  --------  d-----w-  c:\program files\Conduit
    2012-07-15 20:22 . 2012-07-15 20:41  --------  d-----w-  c:\users\Beth\AppData\Local\Conduit
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-03 03:16 . 2012-04-11 15:57  426184  ----a-w-  c:\windows\system32\FlashPlayerApp.exe
    2012-08-03 03:16 . 2011-11-10 13:42  70344  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-10 02:48 . 2012-07-10 02:48  35560  ----a-w-  c:\windows\system32\drivers\hssdrv6.sys
    2012-07-03 17:46 . 2012-06-18 02:27  22344  ----a-w-  c:\windows\system32\drivers\mbam.sys
    2012-06-13 13:40 . 2012-07-11 07:09  2047488  ----a-w-  c:\windows\system32\win32k.sys
    2012-06-05 16:47 . 2012-07-10 17:44  1401856  ----a-w-  c:\windows\system32\msxml6.dll
    2012-06-05 16:47 . 2012-07-10 17:44  1248768  ----a-w-  c:\windows\system32\msxml3.dll
    2012-06-04 15:26 . 2012-07-10 17:44  440704  ----a-w-  c:\windows\system32\drivers\ksecdd.sys
    2012-06-02 22:19 . 2012-06-09 00:55  45080  ----a-w-  c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-09 00:55  53784  ----a-w-  c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-09 00:55  35864  ----a-w-  c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-09 00:55  577048  ----a-w-  c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-09 00:55  1933848  ----a-w-  c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-09 00:55  2422272  ----a-w-  c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-09 00:55  88576  ----a-w-  c:\windows\system32\wudriver.dll
    2012-06-02 19:19 . 2012-06-09 00:54  171904  ----a-w-  c:\windows\system32\wuwebv.dll
    2012-06-02 19:12 . 2012-06-09 00:54  33792  ----a-w-  c:\windows\system32\wuapp.exe
    2012-06-02 08:33 . 2012-07-11 07:03  1800192  ----a-w-  c:\windows\system32\jscript9.dll
    2012-06-02 08:25 . 2012-07-11 07:03  1129472  ----a-w-  c:\windows\system32\wininet.dll
    2012-06-02 08:25 . 2012-07-11 07:03  1427968  ----a-w-  c:\windows\system32\inetcpl.cpl
    2012-06-02 08:20 . 2012-07-11 07:03  142848  ----a-w-  c:\windows\system32\ieUnatt.exe
    2012-06-02 08:16 . 2012-07-11 07:03  2382848  ----a-w-  c:\windows\system32\mshtml.tlb
    2012-06-02 00:04 . 2012-07-10 17:44  278528  ----a-w-  c:\windows\system32\schannel.dll
    2012-06-02 00:03 . 2012-07-10 17:44  204288  ----a-w-  c:\windows\system32\ncrypt.dll
    2012-05-24 21:18 . 2012-05-24 21:18  4472832  ----a-w-  c:\windows\system32\GPhotos.scr
    2012-07-25 20:42 . 2011-05-08 05:42  136672  ----a-w-  c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    "Spotify Web Helper"="c:\users\Beth\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-08-12 1193176]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-11 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-11 178712]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-11 154136]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-24 1348904]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-10-27 115560]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-10-10 206128]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
    .
    c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Users^Beth^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\users\Beth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
    backupExtension=.Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 03:07  932288  ----a-r-  c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-01-31 08:44  35760  ----a-w-  c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer for HP TouchSmart]
    2008-12-25 21:41  189736  ------w-  c:\program files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    2009-10-30 11:57  369200  ----a-w-  c:\program files\DAEMON Tools Lite\DTLite.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2010-04-12 22:46  1135912  ----a-w-  c:\program files\DivX\DivX Update\DivXUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDAgent]
    2008-11-29 02:04  1148200  ------w-  c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
    2008-10-09 15:58  75008  ----a-w-  c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2008-12-08 23:34  54576  ----a-w-  c:\program files\HP\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
    2008-06-09 18:16  2363392  ----a-w-  c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2012-04-19 00:56  421888  ----a-w-  c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2010-03-09 14:02  26100520  ----a-r-  c:\program files\Skype\Phone\Skype.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartMenu]
    2008-11-19 03:35  914224  ----a-w-  c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
    2009-06-04 04:43  450652  ----a-w-  c:\program files\IDT\WDM\sttray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-08-05 03:20  202256  ----a-w-  c:\program files\Common Files\Real\Update_OB\realsched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TSMAgent]
    2008-12-25 21:41  1316136  ------w-  c:\program files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVAgent]
    2009-05-09 01:32  206120  ------w-  c:\program files\Hewlett-Packard\Media\TV\TVAgent.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
    2008-11-15 06:02  218408  ------w-  c:\program files\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateLBPShortCut]
    2008-06-14 02:11  210216  ------w-  c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateP2GoShortCut]
    2008-10-30 19:51  210216  ------w-  c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePDIRShortCut]
    2008-06-14 02:11  210216  ------w-  c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePSTShortCut]
    2008-11-26 19:34  210216  ------w-  c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-21 02:23  1008184  ----a-w-  c:\program files\Windows Defender\MSASCui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WirelessAssistant]
    2008-12-08 19:25  432432  ----a-w-  c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation  REG_MULTI_SZ  FontCache
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-06-09 18:14  451872  ----a-w-  c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-12 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 03:16]
    .
    2012-08-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-741665697-3335662302-3795194087-1000Core.job
    - c:\users\Beth\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-29 21:07]
    .
    2012-08-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-741665697-3335662302-3795194087-1000UA.job
    - c:\users\Beth\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-29 21:07]
    .
    2012-08-12 c:\windows\Tasks\WefiStartup.job
    - c:\program files\WeFi\WefiStartup.exe [2010-09-06 14:43]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://xfinity.comcast.net/?cid=insDate07302012
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    Trusted Zone: intuit.com\ttlc
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Beth\AppData\Roaming\Mozilla\Firefox\Profiles\b26e7yv9.default\
    FF - prefs.js: browser.search.selectedEngine - XFINITY
    FF - prefs.js: browser.startup.homepage - hxxp://xfinity.comcast.net/?cid=insDate07302012
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-08-12 13:02
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
    "ImagePath"="\??\c:\program files\Hewlett-Packard\Media\DVD\000.fcl"
    .
    Completion time: 2012-08-12 13:06:38
    ComboFix-quarantined-files.txt 2012-08-12 17:06
    ComboFix2.txt 2012-08-08 22:56
    ComboFix3.txt 2012-07-28 00:12
    .
    Pre-Run: 8,326,053,888 bytes free
    Post-Run: 8,295,329,792 bytes free
    .
    - - End Of File - - ED18F5E1A8507FEC09EBB27DB52FFAE5
  9. Crush Administrator & Security Team Leader

    Hi,

    You had to run ComboFix 3 times? I see one run on 7/28 and 2 on 8/8.
  10. ehimes1 Bronze Member

    Yes, ComboFix had been run before; a friend tried to fix my computer but couldn't get rid of the virus.
  11. Crush Administrator & Security Team Leader

    ComboFix shouldn't be run unless asked for.

    How is the machine running now?
  12. ehimes1 Bronze Member

    It's running fine at the moment!
  13. Crush Administrator & Security Team Leader

    Congratulations!! Your PC is all clean! :D

    To uninstall ComboFix

    • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
    • In the field, type in ComboFix /uninstall

    (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

    • Then, press Enter, or click OK.
    • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.
    =========

    Please run OTL.exe.

    • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      :Commands
      [emptytemp]
      [emptyflash]
      [clearallrestorepoints]
      [reboot]

      Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
    • Click the red Run Fix button.
    • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTL.exe
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    ======

    Remove OTL:

    To remove all of the tools we used and the files and folders they created do the following:
    Double click OTL.exe.

    • Click the CleanUp button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    =======

    Download Security Check by screen317 and save it to your Desktop.
    • Double-click Security Check.exe to start the application
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    Note: if a security program requests permission from dig.exe to access the Internet, allow it to do so.
    =======

    There are many things you can do to keep this from happening again. You can think of a computer like a car. It requires basic maintenance to keep in tip top shape and ready to go. Would you drive your car 100,000 miles without changing the oil? The same principle applies here.

    For some helpful tips regarding why you were infected in the first place, what you can do to keep this from happening again, and routine basic maintenance you should be performing on your PC to keep it running, you may wish to review the following threads:

    So, you want to keep this from happening again?
    How Did I Get Infected?

    In your next reply:

    Please confirm removal of the tools
    Post the SecurityCheck log
  14. ehimes1 Bronze Member

    Great, thanks so much for your help!
  15. ehimes1 Bronze Member

    Tools have been removed, and this was the final security log results:

    Results of screen317's Security Check version 0.99.43
    Windows Vista Service Pack 2 x86 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Symantec Endpoint Protection
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Out of date HijackThis installed!
    Spybot - Search & Destroy
    Malwarebytes Anti-Malware version 1.62.0.1300
    HijackThis 2.0.2
    Panda Cloud Cleaner
    Java(TM) 6 Update 24
    Java(TM) 6 Update 7
    Java version out of Date!
    Adobe Flash Player11.3.300.270
    Adobe Reader 9 Adobe Reader out of Date!
    Mozilla Firefox (14.0.1)
    Google Chrome 21.0.1180.60
    Google Chrome 21.0.1180.75
    Google Chrome VisualElementsManifest.xml..
    ````````Process Check: objlist.exe by Laurent````````
    Norton ccSvcHst.exe
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 3 % Defragment your hard drive soon!
    ````````````````````End of Log``````````````````````
  16. Crush Administrator & Security Team Leader

    Hi,

    Just this to uninstall:

    Java(TM) 6 Update 24
    Google Chrome 21.0.1180.60
    Adobe Reader 9

    and get the latest version of Adobe Reader from get.adobe.com/reader, unless you'd like a more secure PDF reader, in which case I would go for Foxit Reader.
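Crush's last step, reading the Security Check log for products listed under more than one version and for the tool's own "out of date" flags, can be scripted. The Python below is an added example, not code from the thread or from screen317's tool; its sample input is the log posted above, and the layout it relies on (section headers framed in backticks, a product line ending in a dotted version) is an assumption about that log format.

```python
"""Triage a screen317 Security Check log (constructed example, not the tool's code)."""
import re
from collections import defaultdict

# Sample input: the Security Check log posted in this thread, trimmed to the
# sections the triage needs.
SAMPLE_LOG = """\
Results of screen317's Security Check version 0.99.43
``````````````Antivirus/Firewall Check:``````````````
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Out of date HijackThis installed!
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.62.0.1300
HijackThis 2.0.2
Panda Cloud Cleaner
Java(TM) 6 Update 24
Java(TM) 6 Update 7
Java version out of Date!
Adobe Flash Player11.3.300.270
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (14.0.1)
Google Chrome 21.0.1180.60
Google Chrome 21.0.1180.75
Google Chrome VisualElementsManifest.xml..
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
````````````````````End of Log``````````````````````
"""

# Assumed layout: headers are framed in backticks; a product line ends in a dotted
# version that may sit in parentheses or be glued to the name (Flash Player above).
SECTION_RE = re.compile(r"^`+\s*(?P<name>.+?):?\s*`+$")
VERSION_RE = re.compile(r"^(?P<product>.*?)\s*\(?(?P<version>\d+(?:\.\d+)*)\)?\s*$")
OUT_OF_DATE_RES = (
    re.compile(r"^out of date\s+(?P<subject>.+?)\s+installed!$", re.IGNORECASE),
    re.compile(r"^(?P<subject>.+?)\s+out of date!$", re.IGNORECASE),
)
UTILITIES_SECTION = "Anti-malware/Other Utilities Check"

def split_sections(text):
    """Map each section header (without backticks and colon) to its non-empty lines."""
    sections = {"Preamble": []}
    current = "Preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            sections[current] = []
        else:
            sections[current].append(line)
    return sections

def parse_utilities(lines):
    """Return (product, version) pairs and the subjects of the tool's 'out of date' lines."""
    entries, flags = [], []
    for line in lines:
        flag = next((m for m in (p.match(line) for p in OUT_OF_DATE_RES) if m), None)
        if flag:
            flags.append(flag.group("subject"))
            continue
        m = VERSION_RE.match(line)
        if m and m.group("product").strip():
            entries.append((m.group("product").strip(), m.group("version")))
        else:
            entries.append((line, None))  # tool listed without a parseable version
    return entries, flags

def version_key(version):
    """Numeric sort key: 21.0.1180.75 sorts after 21.0.1180.60, and 24 after 7."""
    return tuple(int(part) for part in version.split("."))

def duplicate_products(entries):
    """Products reported under more than one version, versions sorted oldest first."""
    by_product = defaultdict(set)
    for product, version in entries:
        if version:
            by_product[product].add(version)
    return {p: sorted(v, key=version_key) for p, v in by_product.items() if len(v) > 1}

def triage(text):
    """What a reviewer checks first: side-by-side installs and software flagged stale."""
    entries, flags = parse_utilities(split_sections(text).get(UTILITIES_SECTION, []))
    return {"duplicates": duplicate_products(entries), "out_of_date": flags}
```

The script only reports which products have several versions side by side; deciding which copy to uninstall is still the reviewer's call, as in the reply above.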
