Author Topic: [Resolved] Very Slow, had/have mail bot and EXP/2011-3544.BP infection  (Read 1222 times)

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Very Slow, had/have mail bot and EXP/2011-3544.BP infection
« Reply #15 on: March 09, 2012, 09:00:29 AM »
Much better. Now please update your on board antivirus software manually, boot to safe mode and run a complete system scan. Allow the software to quarantine whatever it complains of. Reboot back to the normal Windows user mode and post back your results. Let me know how the system behaves at this point. Thanks!
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-12

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline bohackyj

  • Bronze Member
  • Posts: 35
Re: [Resolved] Very Slow, had/have mail bot and EXP/2011-3544.BP infection
« Reply #16 on: March 09, 2012, 10:02:03 AM »
Done.  System running very well. Virus scan found 1 bug.  I attached the scan report in case you want to see it.  Thanks for the help.



Avira Free Antivirus
Report file date: Friday, March 09, 2012  10:21

Scanning for 3541850 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee        : Avira AntiVir Personal - Free Antivirus
Serial number   : 0000149996-ADJIE-0000001
Platform        : Windows 7 x64
Windows version : (Service Pack 1)  [6.1.7601]
Boot mode       : Safe mode
Username        : BOHACKYJ
Computer name   : BOHACKYJ-PC

Version information:
BUILD.DAT       : 12.0.0.898     41963 Bytes   1/31/2012 14:50:00
AVSCAN.EXE      : 12.1.0.20     492496 Bytes   2/15/2012 12:00:34
AVSCAN.DLL      : 12.1.0.18      54224 Bytes   2/15/2012 12:00:34
LUKE.DLL        : 12.1.0.19      68304 Bytes   2/15/2012 12:00:34
AVSCPLR.DLL     : 12.1.0.22     100048 Bytes   2/15/2012 12:00:34
AVREG.DLL       : 12.1.0.29     228048 Bytes   2/15/2012 12:00:34
VBASE000.VDF    : 7.10.0.0    19875328 Bytes   11/6/2009 00:18:34
VBASE001.VDF    : 7.11.0.0    13342208 Bytes  12/14/2010 15:07:39
VBASE002.VDF    : 7.11.19.170 14374912 Bytes  12/20/2011 17:41:00
VBASE003.VDF    : 7.11.21.238  4472832 Bytes    2/1/2012 14:01:50
VBASE004.VDF    : 7.11.21.239     2048 Bytes    2/1/2012 14:01:50
VBASE005.VDF    : 7.11.21.240     2048 Bytes    2/1/2012 14:01:50
VBASE006.VDF    : 7.11.21.241     2048 Bytes    2/1/2012 14:01:51
VBASE007.VDF    : 7.11.21.242     2048 Bytes    2/1/2012 14:01:51
VBASE008.VDF    : 7.11.21.243     2048 Bytes    2/1/2012 14:01:51
VBASE009.VDF    : 7.11.21.244     2048 Bytes    2/1/2012 14:01:51
VBASE010.VDF    : 7.11.21.245     2048 Bytes    2/1/2012 14:01:51
VBASE011.VDF    : 7.11.21.246     2048 Bytes    2/1/2012 14:01:51
VBASE012.VDF    : 7.11.21.247     2048 Bytes    2/1/2012 14:01:51
VBASE013.VDF    : 7.11.22.33   1486848 Bytes    2/3/2012 12:03:48
VBASE014.VDF    : 7.11.22.56    687616 Bytes    2/3/2012 21:19:51
VBASE015.VDF    : 7.11.22.92    178176 Bytes    2/6/2012 12:00:40
VBASE016.VDF    : 7.11.22.154   144896 Bytes    2/8/2012 12:01:08
VBASE017.VDF    : 7.11.22.220   183296 Bytes   2/13/2012 22:02:51
VBASE018.VDF    : 7.11.23.34    202752 Bytes   2/15/2012 12:17:39
VBASE019.VDF    : 7.11.23.98    126464 Bytes   2/17/2012 12:00:20
VBASE020.VDF    : 7.11.23.150   148480 Bytes   2/20/2012 12:00:21
VBASE021.VDF    : 7.11.23.224   172544 Bytes   2/23/2012 12:00:49
VBASE022.VDF    : 7.11.24.52    219648 Bytes   2/28/2012 15:27:47
VBASE023.VDF    : 7.11.24.152   165888 Bytes    3/5/2012 12:00:22
VBASE024.VDF    : 7.11.24.204   177664 Bytes    3/7/2012 15:50:19
VBASE025.VDF    : 7.11.24.205     2048 Bytes    3/7/2012 15:50:20
VBASE026.VDF    : 7.11.24.206     2048 Bytes    3/7/2012 15:50:20
VBASE027.VDF    : 7.11.24.207     2048 Bytes    3/7/2012 15:50:21
VBASE028.VDF    : 7.11.24.208     2048 Bytes    3/7/2012 15:50:21
VBASE029.VDF    : 7.11.24.209     2048 Bytes    3/7/2012 15:50:21
VBASE030.VDF    : 7.11.24.210     2048 Bytes    3/7/2012 15:50:22
VBASE031.VDF    : 7.11.25.0     181760 Bytes    3/9/2012 15:14:07
Engineversion   : 8.2.10.14
AEVDF.DLL       : 8.1.2.2       106868 Bytes  10/26/2011 11:00:30
AESCRIPT.DLL    : 8.1.4.8       455034 Bytes    3/8/2012 12:04:01
AESCN.DLL       : 8.1.8.2       131444 Bytes   1/27/2012 12:06:42
AESBX.DLL       : 8.2.4.5       434549 Bytes   12/2/2011 12:00:27
AERDL.DLL       : 8.1.9.15      639348 Bytes    9/9/2011 03:16:06
AEPACK.DLL      : 8.2.16.5      803190 Bytes    3/8/2012 12:03:50
AEOFFICE.DLL    : 8.1.2.25      201084 Bytes  12/30/2011 13:49:30
AEHEUR.DLL      : 8.1.4.3      4444534 Bytes    3/8/2012 12:03:23
AEHELP.DLL      : 8.1.19.0      254327 Bytes   1/20/2012 13:59:00
AEGEN.DLL       : 8.1.5.23      409973 Bytes    3/8/2012 12:01:34
AEEXP.DLL       : 8.1.0.24       74101 Bytes    3/8/2012 12:04:03
AEEMU.DLL       : 8.1.3.0       393589 Bytes    9/2/2011 03:46:01
AECORE.DLL      : 8.1.25.5      201079 Bytes    3/8/2012 12:01:25
AEBB.DLL        : 8.1.1.0        53618 Bytes    9/2/2011 03:46:01
AVWINLL.DLL     : 12.1.0.17      27344 Bytes  10/11/2011 19:00:11
AVPREF.DLL      : 12.1.0.17      51920 Bytes  10/11/2011 19:00:09
AVREP.DLL       : 12.1.0.17     179408 Bytes  10/11/2011 19:00:09
AVARKT.DLL      : 12.1.0.23     209360 Bytes   2/15/2012 12:00:34
AVEVTLOG.DLL    : 12.1.0.17     169168 Bytes  10/11/2011 19:00:08
SQLITE3.DLL     : 3.7.0.0       398288 Bytes  10/11/2011 19:00:22
AVSMTP.DLL      : 12.1.0.17      62928 Bytes  10/11/2011 19:00:10
NETNT.DLL       : 12.1.0.17      17104 Bytes  10/11/2011 19:00:18
RCIMAGE.DLL     : 12.1.0.17    4450000 Bytes  10/11/2011 19:00:31
RCTEXT.DLL      : 12.1.1.16      96208 Bytes  12/21/2011 17:41:00

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files (x86)\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: default
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: extended

Start of the scan: Friday, March 09, 2012  10:21

Starting master boot sector scan:
Master boot sector HD0
    [INFO]      No virus was found!
Master boot sector HD1
    [INFO]      No virus was found!
Master boot sector HD2
    [INFO]      No virus was found!
Master boot sector HD3
    [INFO]      No virus was found!
Master boot sector HD4
    [INFO]      No virus was found!
Master boot sector HD5
    [INFO]      No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
    [INFO]      No virus was found!

Starting search for hidden objects.
The driver could not be initialized.

The scan of running processes will be started
Scan process 'avscan.exe' - '71' Module(s) have been scanned
Scan process 'avcenter.exe' - '76' Module(s) have been scanned

Starting to scan executable files (registry).
The registry was scanned ( '600' files ).


Starting the file scan:

Begin scan in 'C:\' <OS>
C:\Users\BOHACKYJ\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\4a34b027-45273345
 
  • Archive type: ZIP

  --> dhycnvdbqlpbdahs.class
      [DETECTION] Contains recognition pattern of the EXP/CVE-2011-3544.A.49 exploit

Beginning disinfection:
C:\Users\BOHACKYJ\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\4a34b027-45273345
  [DETECTION] Contains recognition pattern of the EXP/CVE-2011-3544.A.49 exploit
  [NOTE]      The file was moved to the quarantine directory under the name '4abc8626.qua'.


End of the scan: Friday, March 09, 2012  10:50
Used time: 27:56 Minute(s)

The scan has been done completely.

  24139 Scanned directories
 548101 Files were scanned
      1 Viruses and/or unwanted programs were found
      0 Files were classified as suspicious
      0 Files were deleted
      0 Viruses and unwanted programs were repaired
      1 Files were moved to quarantine
      0 Files were renamed
      0 Files cannot be scanned
 548100 Files not concerned
   2365 Archives were scanned
      0 Warnings
      1 Notes

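The report above is worth more than its one-line summary: it records the scanner's boot mode, the archive member that carried the detection, the quarantine name, and a hidden-object (rootkit) search that never actually ran because the driver failed to initialize. The following parser is an added example written for this thread, not Avira's code and not part of the original posts; its regular expressions are my own guesses at the report layout, and the embedded report is a constructed excerpt modelled on the one posted above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt modelled on the Avira report posted in the thread.
SAMPLE_REPORT = """\
Avira Free Antivirus
Report file date: Friday, March 09, 2012  10:21

Platform        : Windows 7 x64
Boot mode       : Safe mode
Username        : BOHACKYJ

Starting search for hidden objects.
The driver could not be initialized.

Begin scan in 'C:\\' <OS>
C:\\Users\\BOHACKYJ\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\39\\4a34b027-45273345
  [0] Archive type: ZIP
  --> dhycnvdbqlpbdahs.class
      [DETECTION] Contains recognition pattern of the EXP/CVE-2011-3544.A.49 exploit

Beginning disinfection:
C:\\Users\\BOHACKYJ\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\39\\4a34b027-45273345
  [DETECTION] Contains recognition pattern of the EXP/CVE-2011-3544.A.49 exploit
  [NOTE]      The file was moved to the quarantine directory under the name '4abc8626.qua'.

      1 Viruses and/or unwanted programs were found
      1 Files were moved to quarantine
      0 Warnings
"""


@dataclass
class Detection:
    path: str                        # file (or archive) the scanner flagged
    member: Optional[str]            # archive member, when the hit was inside a ZIP/JAR
    archive_type: Optional[str]
    signature: str                   # scanner pattern name, e.g. EXP/CVE-2011-3544.A.49
    quarantine_name: Optional[str] = None


# Assumed layout (derived from the posted report, not an official format spec).
PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
ARCHIVE_RE = re.compile(r"Archive type:\s*(\w+)")
MEMBER_RE = re.compile(r"^\s*-->\s*(.+?)\s*$")
DETECT_RE = re.compile(r"\[DETECTION\]\s+Contains recognition pattern of the (\S+)")
QUARANTINE_RE = re.compile(r"\[NOTE\].*quarantine directory under the name '([^']+)'")
META_RE = re.compile(r"^([A-Za-z][A-Za-z .]*?)\s*:\s+(.+?)\s*$")
SUMMARY_RE = re.compile(r"^\s*(\d+)\s+([A-Z][^:]*?)\s*$")


def parse_report(text):
    """Split an Avira-style report into metadata, detections, summary counts and flags."""
    meta, summary, detections, by_path = {}, {}, [], {}
    flags = {"hidden_object_scan_failed": False}
    current_path = archive = member = None
    in_disinfection = awaiting_driver = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("Beginning disinfection:"):
            in_disinfection = True      # later [DETECTION] lines repeat the scan hits
            continue
        if line.startswith("Starting search for hidden objects"):
            awaiting_driver = True
            continue
        if awaiting_driver:
            awaiting_driver = False     # only the line directly after counts
            if "could not be initialized" in line:
                flags["hidden_object_scan_failed"] = True
                continue
        if PATH_RE.match(line):
            current_path, archive, member = line, None, None
            continue
        m = ARCHIVE_RE.search(line)
        if m:
            archive = m.group(1)
            continue
        m = MEMBER_RE.match(line)
        if m:
            member = m.group(1)
            continue
        m = DETECT_RE.search(line)
        if m and current_path:
            if not in_disinfection:
                d = Detection(current_path, member, archive, m.group(1))
                detections.append(d)
                by_path.setdefault(current_path, d)
            continue
        m = QUARANTINE_RE.search(line)
        if m and current_path in by_path:
            by_path[current_path].quarantine_name = m.group(1)
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(2)] = int(m.group(1))
            continue
        m = META_RE.match(line)
        if m:
            meta[m.group(1).rstrip(". ")] = m.group(2)
    return {"meta": meta, "detections": detections, "summary": summary, "flags": flags}


def audit(parsed):
    """Cross-check the report against itself and return human-readable findings."""
    findings = []
    dets = parsed["detections"]
    found = parsed["summary"].get("Viruses and/or unwanted programs were found")
    if found is not None and found != len(dets):
        findings.append("count mismatch: summary says %d, body lists %d" % (found, len(dets)))
    for d in dets:
        if d.quarantine_name is None:
            findings.append("not quarantined: %s" % d.path)
    if parsed["flags"]["hidden_object_scan_failed"]:
        findings.append("hidden-object (rootkit) search did not run: driver failed to "
                        "initialize (boot mode here: %s)" % parsed["meta"].get("Boot mode"))
    for d in dets:
        if "\\sun\\java\\deployment\\cache\\" in d.path.lower():
            findings.append("Java deployment cache hit: %s in %s (%s)"
                            % (d.signature, d.member or d.path, d.quarantine_name))
    return findings


if __name__ == "__main__":
    for line in audit(parse_report(SAMPLE_REPORT)):
        print(line)
```

Run against the posted report, the audit confirms the one detection was quarantined and the counts agree, but also surfaces the point a reader could miss: the rootkit search never ran in this Safe-mode scan, so that part of the coverage is missing rather than clean.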

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Very Slow, had/have mail bot and EXP/2011-3544.BP infection
« Reply #17 on: March 09, 2012, 10:33:58 AM »
Excellent. Did you uninstall Java previously? I know the two installations you had were old and exploited...Let me know if you did remove them and if you installed the latest version. I will offer a tweak for keeping temp java files at bay. Thanks!

Offline bohackyj

  • Bronze Member
  • Posts: 35
Re: [Resolved] Very Slow, had/have mail bot and EXP/2011-3544.BP infection
« Reply #18 on: March 09, 2012, 03:01:21 PM »
Yes, I took out the old Java versions yesterday.

Offline bohackyj

  • Bronze Member
  • Posts: 35
Re: [Resolved] Very Slow, had/have mail bot and EXP/2011-3544.BP infection
« Reply #19 on: March 09, 2012, 03:02:31 PM »
I forgot...I did install the new version.

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Very Slow, had/have mail bot and EXP/2011-3544.BP infection
« Reply #20 on: March 09, 2012, 04:04:09 PM »
Very good! You can delete these now:
DDS and associated logs
TDSSKiller and associated log/folder


Next, please click start-->run...then copy and paste the Bold text below into the run box and click "OK":

ComboFix /Uninstall

Performing this function will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again for you automatically.

Please open Java from within the control panel. When the Java Control Panel opens, on the "General" tab, under the "Temporary Internet Files" (at the bottom), please click the Settings button. When the "Temporary Files Settings" box opens, please remove the check from the option box to "Keep temporary files on my computer". Please click "OK", then "Apply" to close the Java Control Panel. Reboot the system.

To assist in the prevention of malicious software intrusion and infections, you can begin by reading "How to boost your malware defense and protect your PC"...

Please remember to keep antivirus software on board and always use its real time protection feature. Run a complete system scan at least once a week...preferably in Safe mode.

A word of caution
Security vendors, in recent years, have partnered with "Ask.com" in providing the "Ask Toolbar" bundled with their download(s).

Although the toolbar is considered to be a legitimate program, it is nonetheless questionable as to its behavior. It is alleged to be spyware/adware, as the behavior of this application tracks a user's history and sends "search" information to its servers in order to provide a user with targeted search results; many of these results may also be for questionable web sites. In fairness, one should keep in mind that Google does the same thing regarding search results.

This tracking is considered by many of us in the security field to be offensive.

Some of the "Download links" that I may provide may also contain this program bundled with it. If you choose not to use it, the bundled software will always contain an "Opt Out" measure via some checkbox. The user can check (or uncheck) this box to prevent the download.

If a user isn't cautious and has mistakenly installed this program, it can easily be removed via the "Uninstall" string provided with the software. Detailed instructions on how to remove the program can be found Here.

If your antivirus program is a licensed version that is about to expire, you can consider using one of these available free on the public domain:

Microsoft Security Essentials
AntiVir Personal Edition Classic
Avast! 4 Home Edition

Those of us in the online safety/security community have tried and tested these programs to determine their abilities. Having in mind, nothing is ever a guarantee regarding computer security, these programs nevertheless, combined with the rest of these recommendations are certain to have an impact in helping to keep your system running free and clear. I personally have been completely satisfied from having tested and used each one of those at one time or another.

Immunize your browser by installing Spywareblaster. What does it do?
  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially unwanted sites in Internet Explorer.
Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Web of Trust (WOT) warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an add-on available for both Firefox and IE.

Install the WinPatrol security monitor utility. WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. What I hear most from users is how much they like the startup control feature and its ease of use. Need help understanding something about WinPatrol? Here it is.

Windows Vista and Windows 7 have a software firewall built in and activated by default. This native firewall is a big improvement and is fine by itself. However, there are third party software Firewalls that offer a bit more configuration options.

Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason. I should also mention, if you choose to use a third party firewall, make certain the Windows firewall is turned off to prevent conflict issues.

...and please remember, you should have only one of these types of third party firewalls running on board:

Zone Alarm...Windows 2k/XP/Vista

Outpost Free

Comodo...I highly recommend this firewall, but it may just be best suited for advanced users.

Stay updated with the most recent Windows patches using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. I recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often. Please avoid using the "registry" cleaning feature of this utility unless you consider yourself an expert. Contrary to popular thought, the Windows Registry has no need of any "cleaning". I personally challenge anyone to show a substantial benefit from having used any of these "registry cleaning" programs. There is none. Any difference at all is so minuscule that it's nearly impossible to calculate.

On the flip side, rather than any benefit, there is the possibility of slicing out enough pieces of the registry to render things useless...and that includes the operating system.

By default, CCleaner will ask you if you want to backup what is removed, and I suggest you do just that. If you have already used this option and found that something no longer works properly, please find the backup that was created and use it to restore that particular item. Remember, using this to clean the disk is absolutely useful and beneficial. A novice needs only to use the disk cleaning feature...and avoid the registry cleaning aspect. It's not difficult...just don't bother to click the Registry button on the menu.

CCleaner is an excellent...and fast disk cleaning utility that can easily be configured to suit your needs. Often, users find a simple reboot resolves a quirky performance issue which can come about as a result of the collection of temp files while browsing the web...and if you configure CCleaner to run on start up, then your system could be kept running fast and clean with each new user session.

The Yahoo Toolbar is included by default during the installation of the CCleaner utility...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup or else just download the Slim version (no toolbar...last download link at the bottom of that page)...

Or if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files.

Don't forget to check your system's "defragmenter" settings. With Windows Vista, you have the option to set this as a scheduled event. It is best to have your system's "defrag" function scheduled for at least once a week.

So how did I get infected in the first place?
Regards, and Happy Surfing!

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Very Slow, had/have mail bot and EXP/2011-3544.BP infection
« Reply #21 on: March 09, 2012, 04:05:48 PM »
This thread is now closed as the issue appears to be resolved.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.