Solved

Spambot sent e-mails from computer

Posted on 2011-09-14
Last Modified: 2013-12-06
Late yesterday my wife's computer sent e-mails to everyone in her AOL address book. They contained seemingly randomly generated links which redirected to mercolatab.com/ . AVG pops an alert which says AVG Alert "Accessed file is infected"; "Threat was blocked!";
File Name: mercolatab.com
Threat Name: Exploit Pharmacy Spam Site (type 1173)

AOL version 9.1 for W2KPro SP3, XP and Vista Revision 4334.5012

I ran a full computer scan using AVG Free and downloaded Trial F-Prot and ran a full scan with that as well. F-Prot found nothing, though there were several files which it said were encrypted and could not be scanned. AVG found 5 cookies, three which were a threat and could not be cleaned, but all were deleted and/or quarantined.

No more spontaneous e-mail has been sent from AOL as of this point, and we only use web-mail for everything else: No Outlook, No Outlook Express. I still do not feel comfortable using this computer until I have some expert help. The hijackthis log is below.

1) I am asking an expert to take a look here and see if anything appears to be wrong.

and

2) tell me what other steps I might take if HJT shows nothing.

(Negative comments regarding AOL will just waste time. BTW, this is only the 2nd virus/malware she has brought home since 1981, so we have been blessed and vigilant.)

Thanks in advance.

hijackthis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:33:08 PM, on 9/14/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Mediafour\MacDrive 8\MacDrive8Service.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\AOL\1255161568\ee\AOLSoftware.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1255161568\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1252126478765
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MacDrive 8 service (MacDrive8Service) - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 8\MacDrive8Service.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9192 bytes


Question by:kdouglas10

20 Comments
Assisted Solution

by:Papertrip
Papertrip earned 50 total points
Were the mails sent from her actual computer or were the mails just sent to people in her AOL address book through her AOL account?

It is quite possible, and likely, that her account was compromised over the web, not through her computer.  Change the password and you should be fine.
Author Comment

by:kdouglas10
Papertrip - Thanks for the reply.

Before I accept your answer - since I am a worrier, do you have the expertise to see problems in the HJT log?

These emails are NOT in her Personal Filing Cabinet (AOL), but of course there are bots which can hide them. I tend to think you have the right answer, but would feel more confident if I knew you were versed in HJT logs and current malware signatures.

Thanks for your help.

KD
Expert Comment

by:Papertrip
No, sorry, I can't help with that part.

Good luck.
Author Comment

by:kdouglas10
Thanks for your honesty and your response.
Accepted Solution

by:Jonvee
Jonvee earned 300 total points
HijackThis has been unable to detect the more recent malware, and we would recommend Malwarebytes and TDSSKiller.

Meanwhile, while I study your HJT log, please try downloading & updating Malwarebytes Anti-Malware, from here:
http://www.malwarebytes.org/products/malwarebytes_free

Run in normal mode. Initially a "Quick scan" is all that is needed.

When installation has finished, ensure you leave both of these checked:
Update Malwarebytes' Anti-Malware.
Launch Malwarebytes' Anti-Malware.
Click Finish, and MBAM will automatically start.

Tutorial, if required:
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t169669.html

The 2nd scanner is obtained here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

Download the file TDSSKiller.zip and extract it into a folder
Execute the file TDSSKiller.exe.
Wait for the scan and disinfection process to be over.
Close all programs and press “Y” key to restart your computer.

More detail TDSSKiller tutorial:
http://support.kaspersky.com/viruses/solutions?qid=208280684
Expert Comment

by:Jonvee
Incidentally, your wife's computer may not necessarily be compromised at this time, but by running the above two scanners we can certainly strengthen the fact that this is so.
Meanwhile you may also like to view these two excellent articles written by the top people around here, rpggamergirl and younghv ...

http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/A_1979-THINGS-YOU-NEED-TO-DO-WHEN-YOUR-PC-IS-INFECTED.html

http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_6650-Malware-Fighting-Best-Practices.html
Expert Comment

by:Jonvee
In the HJT log file there was just one HJT "deactivated" entry that can be fixed, but it's doing no harm if left well alone:
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

IMHO your HJT logfile appears clean, but I still highly recommend that you scan with MBAM and TDSSKiller, as discussed above, just to be prudent. TDSSKiller is looking for hidden rootkits.

You'll probably need to temporarily disable any resident AV & anti-Malware scanners you may have running, during the above scans.
Assisted Solution

by:phototropic
phototropic earned 50 total points
Your HJT log appears to show that you are running AVG 9 AND F-Prot antivirus AND Microsoft Security Essentials.  All three of these are loading at startup.  You should uninstall two of these: you only want one av program running in real-time.  Having three will cause conflicts and may leave you less protected than having one av would.  

If you plan on continuing with AVG, you should upgrade to the latest version (AVG 2012) which is available here:

http://free.avg.com/us-en/download-free-antivirus-thank-you

Your HJT log shows no obvious sign of infection, but as Jonvee says above, it is not the tool it once was.  

You have both Spybot and Adaware on your computer.  Have you scanned with either of these?

If you run a TDSSKiller and/or Mbam scan, please post the log here for review.
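The two points raised above (Jonvee's "(file missing)" entry and phototropic's three resident AV products loading at boot) can be checked mechanically. This is an added example, not code from the thread or from HijackThis itself: a Python triage script that parses HJT entry lines, flags entries HJT marks as pointing at a missing file, and counts distinct real-time AV products started from O4 Run keys and O23 services. The AV path markers in `AV_MARKERS` are an assumption chosen to match the three products in the posted log, and `SAMPLE_LOG` is a constructed excerpt of that log.

```python
import re
from collections import defaultdict

# Constructed sample in the HijackThis v2 line format; the entries are copies of
# lines from the log posted in this question, trimmed to the ones that matter.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows XP SP3 (WinNT 5.01.2600)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
--
End of file - 9192 bytes
"""

# Every HJT entry line starts with a section code (R0, R1, F2, O4, O23, ...),
# then " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")

# Path fragments that identify a real-time AV product's own files. These are
# assumed markers chosen from the three products visible in the posted log.
AV_MARKERS = {
    "AVG": r"\AVG\AVG",
    "F-PROT": "F-PROT Antivirus",
    "Microsoft Security Essentials": "Microsoft Security Client",
}


def parse_hjt(text):
    """Return [(section, body)] for every 'Rn/Fn/Nn/On - ...' entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body").strip()))
    return entries


def missing_file_entries(entries):
    """Entries HJT itself marks as pointing at a file that no longer exists
    (typically leftovers of an uninstalled product, not an active infection)."""
    return [(s, b) for s, b in entries if b.endswith("(file missing)")]


def realtime_av_products(entries):
    """Distinct AV products started at boot, judged from O4 (Run keys)
    and O23 (services) entries only."""
    found = set()
    for section, body in entries:
        if section not in ("O4", "O23"):
            continue
        for product, marker in AV_MARKERS.items():
            if marker.lower() in body.lower():
                found.add(product)
    return found


def triage(text):
    """Summarise a log: entry counts per section, missing-file entries,
    resident AV products and whether more than one is loading."""
    entries = parse_hjt(text)
    per_section = defaultdict(int)
    for section, _ in entries:
        per_section[section] += 1
    avs = realtime_av_products(entries)
    return {
        "entries": len(entries),
        "per_section": dict(per_section),
        "missing": missing_file_entries(entries),
        "realtime_av": sorted(avs),
        "av_conflict": len(avs) > 1,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['entries']} entries: {report['per_section']}")
    for section, body in report["missing"]:
        print(f"file missing -> {section} - {body}")
    print("real-time AV at boot:", ", ".join(report["realtime_av"]))
    if report["av_conflict"]:
        print("more than one resident AV: keep one, uninstall the rest")
```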
 
Expert Comment

by:phototropic
@Jonvee,

Sorry to jump in...I should have refreshed the page before I posted!!!
Expert Comment

by:Jonvee
@kdouglas10
About anti-malware conflicts, I agree with phototropic.
If you do go ahead and remove two of them, my choice would be to keep Microsoft Security Essentials (MSE).
At present it has an excellent record, and appears to use fewer computer resources than any existing AVG product.

Regarding Spybot and Adaware, and just for the record, IMO the latter app has long since been overtaken by those products listed above. However, there have been reports that Spybot has sometimes detected malware that has been missed by other products ... but it still seems MBAM is far superior.
This simply demonstrates that it's wise to occasionally run a number of anti-malware products, but not more than one resident (real-time) application.


@phototropic
No problem, it's good to see you ;)
Author Comment

by:kdouglas10
WOW - Thanks Jonvee & Phototropic for bringing me up to speed. Last 4 or 5 years, I have not really been involved in things tech (obviously). I appreciate the articles and suggestions. Will disable/uninstall AVG F-Prot and start w/ Jonvee's suggestions interspersed w/ reading. Hope to be back with requested logs before noon.

Re: Spybot and Adaware scans. Spybot came back with all clear, and Adaware picked up 10 Threat Level 3 cookies which were removed.

L8R
Author Comment

by:kdouglas10
ACTIONS starting 9/15 0900 hrs EDT

Uninstalled AVG
reboot

Uninstalled F-Prot
reboot

HJT entry O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing) per Jonvee evidently fixed by AVG uninstall

Disabled Resident (Tea-Timer) Spybot S&D
reboot

Disabled System Restore & removed past restore files.
reboot

Disabled MSE real-time protection
Noticed Tea-Timer (SBS&D) is back.
Uninstalled Spy-bot Search and Destroy
reboot

Installed MBAM per Jonvee
Updated MBAM from v. 7622 -> 7722 current.

MBAM Quick Scan Results show 5 infected items
LOG: ===========Start================
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7722

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/15/2011 12:02:59 PM
1_mbam-log-2011-09-15 (12-02-42).txt

Scan type: Quick scan
Objects scanned: 182784
Time elapsed: 4 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel\Homepage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
=============END================

[I have manually disabled Windows Security Center nag for firewall & AV Products, so not sure if above IS infection, or just notification - expert advice needed.]

Saved log (posted above). Started MBAM Full Scan.

1211 hrs EDT
Expert Comment

by:Jonvee
Reference MBAM's statement:  "Registry Data Items Infected":
The (PUM.Hijack.StartMenu) entry, and the other four similar entries, are almost certainly notifications and not due to infections.

A similar discussion took place here:
http://forums.malwarebytes.org/index.php?showtopic=70713

Incidentally, Microsoft's Defender is now contained within MSE.

>> Started MBAM Full Scan << Good.
Author Comment

by:kdouglas10
Jonvee - Results same for MBAM Full Scan as previous quick scan.

Read the post referenced in your last post. DOH! Have been so focused on getting computer back to wife (she has a big meeting imminent & needs 'puter), have not been researching

BTW, other than the use of IE within AOL (which used to be pretty much a rebrand of IE by AOL with some minimal alterations), the default browser on computer is FireFox 6.0.2. Only odd thing I have noticed about the computer (which I am on only when there is a problem, or to clean temp files off the tiny 30GB HD), I have noticed that clicking the X to close FFox, there is a substantial time lag (last time was ~20 secs) before it closes. Trying it just now with stop watch at the ready to get an exact time to close, it is now closing normally (1-2 secs 'til window closed). FF vs IE Mentioned in case it is pertinent since so many tools seem specific to IE, which I quit using ('cept when forced to by certain sites) as soon as Netscape was available. IE version is 8.0.6001.18702; 128-bit Update versions: 0. However, IE, since last upgrade has only been launched w/in AOL. When I launched IE yesterday (to go to help.aol.com from w/in AOL), IE gave me the set-up tutorial for IE8.

One other note re: FF. Also running ghostery to kill many trackers as well as ADBlockPro - just in case those plug-ins could hide any malware.

I have printed out posts and will go back and read other forum postings/articles suggested by you after/while downloading/running Kaspersky's tdsskiller.

In last post you mention "Incidently Microsoft's Defender is now contained within MSE."

Does quote mean uninstall Defender and run only MSE?

Off to Kaspersky...

1350 hrs EDT
================================
Author Comment

by:kdouglas10
Jonvee

TDSSKiller Scan Completed
Duration: 15secs
Processed: 227 objects
Infection: not found

Do you need to see TDSSKiller Log?

1405 EDT
======================================
Author Comment

by:kdouglas10
OK - Reading the Kaspersky instructions I decided to run TDSSKiller using a couple of switches.

-tdlfs - detect the presence of TDLFS file system which the TDL 3/4 rootkits create ... was negative.

 -sigcheck switch (looking for unsigned files) gives me 8 unsigned files (mostly drivers), but checking Google they "seem" to be Dell supplied files.

2011/09/15 15:04:01.0171 2180      Detected object count: 8
2011/09/15 15:04:01.0171 2180      Actual detected object count: 8
2011/09/15 15:04:16.0515 2180      UnsignedFile.Multi.Generic(APPDRV) - User select action: Skip
2011/09/15 15:04:16.0531 2180      UnsignedFile.Multi.Generic(cercsr6) - User select action: Skip
2011/09/15 15:04:16.0531 2180      UnsignedFile.Multi.Generic(DellBIOS) - User select action: Skip
2011/09/15 15:04:16.0531 2180      UnsignedFile.Multi.Generic(nvport) - User select action: Skip
2011/09/15 15:04:16.0531 2180      UnsignedFile.Multi.Generic(OMCI) - User select action: Skip
2011/09/15 15:04:16.0531 2180      UnsignedFile.Multi.Generic(pfc) - User select action: Skip
2011/09/15 15:04:16.0546 2180      UnsignedFile.Multi.Generic(sanyomdm) - User select action: Skip
2011/09/15 15:04:16.0546 2180      UnsignedFile.Multi.Generic(sanyoser) - User select action: Skip

What now?

I guess you may be at work, since first post was this morning 0240 hrs or so. I will check back here every 1-2 hours. My reading of articles will continue. Thank you.
Expert Comment

by:Jonvee
Dropping by, fleetingly ... thanks for the reports, have quickly read the contents ....

>>Does quote mean uninstall Defender and run only MSE?<<
Yes it does.

>>Do you need to see TDSSKiller Log?<<
No need thanks, you've answered it.

Well, in my opinion the computer is showing no signs of an infection, and can be returned to service.  However, having said that, it would be wise to ask the user to report SPAM, or anything else unusual.   If the problem does return, please comment below and we'll pick up this thread asap to investigate further.  Thanks.
Author Closing Comment

by:kdouglas10
At this point I assume (particularly after checking on what the PW was) that it was compromised PW. 50 pts to Papertrip for quick response w/ suggestion that I didn't think of; 300 pts to Jonvee for the support I felt I needed when I asked the question, as well as bringing me up to speed w/ current anti-malware methods and tools; 50 pts to phototropic for jumping in w/ offer to help and tip regarding realtime protection and competing AV progs. Competing progs I knew, only left F-Prot installed while waiting for help; competition between MSSEssentials & Spybot Tea-Timer crossed my mind, but I didn't do the research to figure it out. Jonvee's suggestion re: MSDefender & MSSE led me to MS KB where I learned that when user installs MSSE, Defender is (supposed to be) uninstalled in XP & turned off in Vista & Win7. As we know -- supposed to be means your mileage may vary (YMMV).

Thanks to all experts. As an old school guy, I have major difficulty asking for help, but it wasn't too painful 'cause you all are professionals.

I need to spend some time here. Much to learn to stay current. Must admit that when I got the 1st phone call saying wife's computer was spamming I could not even think of the first troubleshooting step. Thank you Jonvee for gently showing the way.

Best to all...
Expert Comment

by:Jonvee
kd,
You're very welcome.  Thanks for the illuminating reports throughout, it made the whole task easier.   Good luck.
Jonvee