
Random BSOD suddenly occurring



#16
Aristazi (Member, Topic Starter)
No problems with Firefox today so that's good :)

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 18/10/2012 10:38:28 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 19/10/2012 3:34:25 AM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.


#17
RKinner (Malware Expert, MVP)
System logs look good. How about the Application logs?

Copy the following:

:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]

Right click on OTL and Run As Administrator. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

That will get the last of the malware off the system.

Let's see if there are any programs hogging the CPU:
Get Process Explorer

http://live.sysinter...com/procexp.exe
Save it to your desktop then run it (Vista or Win7 - right click and Run As Administrator).

View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures


Click twice on the CPU column header to sort things by CPU usage with the big hitters at the top.

Wait a minute for things to settle down.

File, Save As, Save. Open the file Procexp.txt on your desktop and copy and paste the text to a reply.

Is there anything else we need to try and fix?

I'm going on a 10 day trip this Sunday and once on the trip I may not have Internet Access every night so expect delays.

#18
Aristazi (Member, Topic Starter)
Thanks RKinner! I think that's all of it :thumbsup:


Process PID CPU Private Bytes Working Set Description Company Name Verified Signer
System Idle Process 0 97.44 0 K 24 K
procexp64.exe 2988 1.22 34,668 K 59,696 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com (Verified) Sysinternals
Interrupts n/a 0.41 0 K 0 K Hardware Interrupts and DPCs
firefox.exe 2788 0.37 119,068 K 146,064 K Firefox Mozilla Corporation (Verified) Mozilla Corporation
dwm.exe 3228 0.25 28,664 K 35,068 K Desktop Window Manager Microsoft Corporation (Verified) Microsoft Windows
System 4 0.06 152 K 812 K
BrStsW64.exe 3660 0.05 3,788 K 9,492 K brstswnd brother (Verified) Brother Industries
csrss.exe 532 0.05 3,508 K 10,176 K Client Server Runtime Process Microsoft Corporation (Verified) Microsoft Windows
spoolsv.exe 1628 0.03 7,824 K 14,108 K Spooler SubSystem App Microsoft Corporation (Verified) Microsoft Windows
ccsvchst.exe 1812 0.03 27,052 K 20,264 K Symantec Service Framework Symantec Corporation (Verified) Symantec Corporation
wisptis.exe 3604 0.02 5,712 K 11,996 K Microsoft Pen and Touch Input Component Microsoft Corporation (Verified) Microsoft Windows
brpjp04a.exe 1744 0.02 2,020 K 5,788 K brcdcmon brother (Verified) Brother Industries
svchost.exe 740 0.01 5,800 K 10,580 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
explorer.exe 2892 0.01 39,660 K 66,204 K Windows Explorer Microsoft Corporation (Verified) Microsoft Windows
Pen_Tablet.exe 2920 0.01 12,384 K 21,560 K Tablet Service for consumer driver Wacom Technology, Corp. (Verified) Wacom Technology Corp.
XBoxStat.exe 856 < 0.01 3,508 K 7,344 K XBoxStat.exe Microsoft Corporation (Verified) Microsoft Corporation
svchost.exe 1012 < 0.01 13,316 K 26,284 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
svchost.exe 1456 < 0.01 17,216 K 18,636 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
svchost.exe 1752 < 0.01 9,276 K 49,376 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
nusb3mon.exe 2256 < 0.01 2,116 K 5,808 K USB 3.0 Monitor NEC Electronics Corporation (Unable to verify) NEC Electronics Corporation
svchost.exe 4436 < 0.01 11,604 K 14,900 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
daemonu.exe 4064 < 0.01 3,356 K 7,896 K NVIDIA Settings Update Manager NVIDIA Corporation (Verified) NVIDIA Corporation
wmpnetwk.exe 3184 < 0.01 14,040 K 5,588 K Windows Media Player Network Sharing Service Microsoft Corporation (Verified) Microsoft Windows
svchost.exe 1084 < 0.01 10,496 K 17,856 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
svchost.exe 132 < 0.01 26,588 K 42,776 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
TabTip.exe 3788 < 0.01 5,980 K 14,724 K Tablet PC Input Panel Accessory Microsoft Corporation (Verified) Microsoft Windows
svchost.exe 1548 < 0.01 86,844 K 87,440 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
nvvsvc.exe 1360 < 0.01 6,580 K 13,408 K NVIDIA Driver Helper Service, Version 295.73 NVIDIA Corporation (Verified) NVIDIA Corporation
csrss.exe 428 < 0.01 2,992 K 5,172 K Client Server Runtime Process Microsoft Corporation (Verified) Microsoft Windows
Dropbox.exe 3584 < 0.01 49,652 K 56,816 K Dropbox Dropbox, Inc. (Verified) Dropbox
svchost.exe 1656 < 0.01 11,452 K 14,240 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
WmiPrvSE.exe 4448 3,444 K 6,852 K WMI Provider Host Microsoft Corporation (Verified) Microsoft Windows
wisptis.exe 1336 4,856 K 9,208 K Microsoft Pen and Touch Input Component Microsoft Corporation (Verified) Microsoft Windows
winlogon.exe 628 4,284 K 8,964 K Windows Logon Application Microsoft Corporation (Verified) Microsoft Windows
wininit.exe 504 2,084 K 4,988 K Windows Start-Up Application Microsoft Corporation (Verified) Microsoft Windows
taskhost.exe 3776 3,552 K 8,728 K Host Process for Windows Tasks Microsoft Corporation (Verified) Microsoft Windows
TabTip32.exe 3900 916 K 2,932 K Tablet PC Input Panel Helper Microsoft Corporation (Verified) Microsoft Windows
svchost.exe 872 5,832 K 9,540 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
svchost.exe 968 21,412 K 24,580 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
svchost.exe 1276 2,380 K 5,980 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
svchost.exe 2816 2,512 K 5,924 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows
smss.exe 340 732 K 1,392 K Windows Session Manager Microsoft Corporation (Verified) Microsoft Windows
services.exe 564 5,652 K 10,512 K Services and Controller app Microsoft Corporation (Verified) Microsoft Windows
SearchIndexer.exe 2108 29,820 K 19,320 K Microsoft Windows Search Indexer Microsoft Corporation (Verified) Microsoft Windows
procexp.exe 2500 2,580 K 7,712 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com (Verified) Microsoft Corporation
Pen_TouchUser.exe 2756 5,172 K 11,780 K Touch User Mode Driver Wacom Technology, Corp. (Verified) Wacom Technology Corp.
Pen_TouchService.exe 1260 2,640 K 5,676 K Touch Service Wacom Technology, Corp. (Verified) Wacom Technology Corp.
Pen_TabletUser.exe 2652 2,932 K 6,616 K Tablet user module for consumer driver Wacom Technology, Corp. (Verified) Wacom Technology Corp.
Pen_Tablet.exe 1916 2,628 K 6,348 K Tablet Service for consumer driver Wacom Technology, Corp. (Verified) Wacom Technology Corp.
NvXDSync.exe 1348 10,816 K 21,348 K NVIDIA User Experience Driver Component NVIDIA Corporation (Verified) NVIDIA Corporation
nvvsvc.exe 804 3,580 K 7,980 K NVIDIA Driver Helper Service, Version 295.73 NVIDIA Corporation (Verified) NVIDIA Corporation
nvtray.exe 1332 6,508 K 12,632 K NVIDIA Settings NVIDIA Corporation (Verified) NVIDIA Corporation
nvSCPAPISvr.exe 828 2,688 K 5,876 K Stereo Vision Control Panel API Server NVIDIA Corporation (Verified) NVIDIA Corporation
lsm.exe 600 3,136 K 4,904 K Local Session Manager Service Microsoft Corporation (Verified) Microsoft Windows
lsass.exe 592 5,776 K 12,996 K Local Security Authority Process Microsoft Corporation (Verified) Microsoft Windows
jusched.exe 3504 1,448 K 4,756 K Java™ Update Scheduler Sun Microsystems, Inc. (Verified) Oracle America
InputPersonalization.exe 4736 3,696 K 1,760 K Input Personalization Server Microsoft Corporation (Verified) Microsoft Windows
ijplmsvc.exe 1788 1,152 K 3,684 K Inkjet Printer/Scanner/Fax Extended Survey Program Service (Verified) Canon Inc.
Greenshot.exe 1384 18,596 K 23,220 K Greenshot (Unable to verify) (null)
dllhost.exe 3288 3,208 K 6,968 K COM Surrogate Microsoft Corporation (Verified) Microsoft Windows
ccsvchst.exe 2868 14,108 K 10,264 K Symantec Service Framework Symantec Corporation (Verified) Symantec Corporation
BambooCore.exe 2472 2,460 K 6,936 K BambooDock back-end application (Verified) Wacom Europe GmbH
acrotray.exe 3852 1,560 K 5,056 K AcroTray Adobe Systems Inc. (Verified) Adobe Systems
  • 0
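
An added example, not part of the thread and not Sysinternals code: a small triage pass over a saved Process Explorer listing like the one above, which skips the pseudo-entries that have no image file and returns every process whose Verified Signer column is not "(Verified)" so it can be checked by hand. It assumes the saved file is tab-delimited with the header shown in the post; the function name `triage` and the `CORE` set of system process names are illustrative choices made for this example.

```python
import csv
import io

# Rows copied from the Process Explorer listing in this thread, re-joined with
# tabs (the tab-delimited layout of the saved file is an assumption here).
SAMPLE = "\n".join([
    "Process\tPID\tCPU\tPrivate Bytes\tWorking Set\tDescription\tCompany Name\tVerified Signer",
    "System Idle Process\t0\t97.44\t0 K\t24 K\t\t\t",
    "firefox.exe\t2788\t0.37\t119,068 K\t146,064 K\tFirefox\tMozilla Corporation\t(Verified) Mozilla Corporation",
    "svchost.exe\t740\t0.01\t5,800 K\t10,580 K\tHost Process for Windows Services\tMicrosoft Corporation\t(Verified) Microsoft Windows",
    "nusb3mon.exe\t2256\t< 0.01\t2,116 K\t5,808 K\tUSB 3.0 Monitor\tNEC Electronics Corporation\t(Unable to verify) NEC Electronics Corporation",
    "Greenshot.exe\t1384\t\t18,596 K\t23,220 K\tGreenshot\t\t(Unable to verify) (null)",
    "lsass.exe\t592\t\t5,776 K\t12,996 K\tLocal Security Authority Process\tMicrosoft Corporation\t(Verified) Microsoft Windows",
])

# Entries that are not backed by an image file, so they carry no signature.
PSEUDO = {"System Idle Process", "System", "Interrupts"}
# Illustrative set of Windows system process names; every such row in the
# thread's listing is signed "(Verified) Microsoft Windows".
CORE = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
        "winlogon.exe", "smss.exe", "wininit.exe", "explorer.exe"}


def triage(text):
    """Return (process, pid, reason) for rows that deserve a second look."""
    findings = []
    reader = csv.DictReader(io.StringIO(text), delimiter="\t",
                            quoting=csv.QUOTE_NONE)
    for row in reader:
        name = (row.get("Process") or "").strip()
        signer = (row.get("Verified Signer") or "").strip()
        if not name or name in PSEUDO:
            continue
        if not signer.startswith("(Verified)"):
            reason = signer or "no signer column value"
        elif name.lower() in CORE and signer != "(Verified) Microsoft Windows":
            reason = "system process name, unexpected signer: " + signer
        else:
            continue
        findings.append((name, int(row["PID"]), reason))
    return findings


if __name__ == "__main__":
    for name, pid, reason in triage(SAMPLE):
        print(f"{name} (PID {pid}): {reason}")
```

On the rows taken from this thread it returns nusb3mon.exe and Greenshot.exe, the two entries marked "(Unable to verify)" in the listing.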

#19
RKinner (Malware Expert, MVP)
Looks good. I think we can clean up:


You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, All Programs, Accessories then right click on Command Prompt and Run As Administrator.
Then right click, Paste, then hit Enter.

OTL has a cleanup tab but DO NOT USE IT! There are reports that it leaves the PC unbootable. Instead just delete OTL.exe and the folder c:\_OTL.

To hide hidden files again:

Vista or Win7

# Open the Control Panel menu and click Folder Options.
# After the new window appears select the View tab.
# Remove the check in the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the radio button labeled Do not Show hidden files and folders.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and exit My Computer.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. Exception is MSN messenger which appears to be part of Windows.)
If you get a blocked program notice after installing updatechecker then change it to not run at start then manually run it once a week.
Seems to work best if Firefox is the default browser. You can also try Secunia PSI http://secunia.com/v...l/download_psi/ Same kind of info. You don't need both.
If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/
The free version only blocks 200 ads a day so another reason to use Firefox or Chrome.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.


If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Special note on Java. Currently there is an exploit out that works on all Java Version 7 software so we are recommending that if you do not visit websites that absolutely require Java that you turn it off in your browser per the instructions in http://www.geekstogo...ur-web-browser/
If you use websites that require Java and you trust them then we recommend that you use either Firefox with the NoScript add-on or Chrome with the ScriptNo add-on and avoid IE. NoScript/ScriptNo will turn off Java and Javascript on all websites you visit except for those that you specifically approve. More info on the exploit is here: http://krebsonsecuri...y-java-exploit/
A new Java 7 Version 9 was released recently which is supposed to fix all known security holes.

Make sure Windows Updates is turned on and that it works. Go to Control panel, Windows Updates and see if it works.

You definitely need to have KB2744842. This patches a major flaw in IE.

My help is free but if you wish to show your appreciation, please donate to Kwiaht instead of me. It's a local environmental organization that I volunteer with: http://www.kwiaht.org/donate.htm
(The name means something like "clean place" in one of the local native-American dialects)

Ron

#20
Aristazi (Member, Topic Starter)
Thanks so much for your help Ron!!