The '!' icon in system tray, and more

Status
Not open for further replies.
Parport and Serial show up again in my device manager (and are marked with a '!'). Are these two things related to malware/trojan/virus? I think they returned after the SDFix scan. I'm currently at 13% of the Kaspersky scan. So far it only spotted my FTP server program as being risky, which is understandable.

I'm quite curious about what was (or still is?) harming my PC. Do you have any idea how badly it was infected and what I should look out for, to make sure I won't get infected again? I presume it is not a bad idea to keep some of the programs we used, for scanning on a regular basis, but I do not have the knowledge to understand/interpret HijackThis logs and such.
I did not see any '!' in a yellow triangle appear since yesterday 14.21, but I'm watching the logs for new signals. I'll get back when I have the complete system scan of Kaspersky finished.
 
Ok, they may have been damaged by a virus or malware.

But if the AVP tool finishes clean, you are clear of malware and viruses.

The parport.sys file should only exist in \Windows\system32\drivers.

So do a search with advanced search, searching hidden system files and folders, and let me know.

The serial.sys should be in the same place,
but with serialui.dll in ..\system32\drivers and ..\system32\dllcache

Uninstall them and run DAF (Dial-a-fix) again; do only the first page.

Mike
 
Kaspersky is at 25% 'already'. I've got to go back to university for class, so tonight I'll be able to post results. The parport.sys is also found in C:\Windows\Driver cache\i386\driver.cab.
Do I need to delete that file as well?
Thanks for all the help so far,
Swen
 
No no!

We don't delete any of these; we make sure they exist in these places and, if not, get them there.

Go on to school, we will deal with it tonight or this evening.

The AVP tool is, I think, the most thorough of all virus cleaners, but if you are scanning your music drive, well....

Later,

Mike
 
Based on the HijackThis log in Post #20:

FYI: CLSID {7E853D72-626A-48EC-A868-BA8D5E23E045} is for the Windows Live Messenger and almost always has the 'no file' entry. The CLSID is valid.

Some additional information:
Java:
The most current Java is v6u10. The update can be found here: http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.
All older versions should be uninstalled in Add/Remove Programs in the Control Panel.
EDIT: The yellow triangle w/black ! indicates an error. While the same icon can be found in the Device Manager indicating a driver error, it is also used for other error conditions. Try doing a right click on the icon > Properties and see if any information is available as to its origin.
Consider:
C:\Program Files\UltraMon\UltraMon.exe >> only run if you are using multiple monitors

Acrobat Assistant should not be running at startup:
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"ACROTRAY.EXE
Status: . Can be a virus, spyware, Trojan, or some other sort of malicious program. Use a virus scanner, and/or spyware removal tool to remove it.
Online scanner still being loaded. Remove and uninstall.
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
 
Ok, Kaspersky was all clean. 9 hour scan :stickout:

Hi Bobbye, thanks for your reply!
I have downloaded Java again, and after a reboot it should be the latest one.
How do I remove the two lines you posted? Simply by checking the box in HijackThis and clicking 'Fix', or are there other programs/procedures that I need to use/follow as well to make sure they do not show up again?

I'll run a new HijackThis after the next reboot. Got to wait a moment until a chkdsk on d: finishes.

Edit: HJT log updated and attached. I did not do anything with the two lines Bobbye suggested; I'll wait with that till I'm sure how to do it.
One thing that happens now is that my 'quick start' icons do not load automatically, not sure if that is because of programs scanning in the background or something. Do you guys know any cause for this? It is an option in CCleaner, but I would imagine this only happens after a scan, not after a reboot.
Thanks for your time guys! Cannot tell how much I appreciate your help,
Swen
 
Hi Mike, hope dinner was nice.
I just did the Dial-a-fix for the 'repair' of serial and parport in the device manager. They have not returned yet. Here is the HijackThis log from directly after my reboot.

So, what's the plan for now? :rolleyes:
 
You did it my friend!

Great job!

I will be back tomorrow with a final thread cleanup and shutdown, but for now burn out and squawk the processors in 2nd, 3rd and 4th gears!

From now on do one of these scans every couple of weeks until all are done, then begin again.

Boot drive is most important! Leave it scanning when you go to bed or work. For sure do it at the first sign of trouble, slowdown or suspicion.

Don't let it get too far gone and it will be easier to handle. And sooner or later it will. But I think you will be ready!!:grinthumb

Night,
Mike
 
I didn't go into the 'official' malware cleaning dialog because I wasn't sure that's where you were headed. Some threads are being pulled in different directions. I am only addressing what I am seeing in the HijackThis log.

Please re-open HijackThis and scan. *Check* the boxes next to all the entries listed below.
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"ACROTRAY.EXE
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab

Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis and reboot into Safe Mode:
Start > Run > type in 'msconfig' without quotes > Enter > Selective Startup > Startup tab > UNCHECK
Acrobat Assistant
BDSCANONLINE
Reboot into Normal Mode. You will get a nag message that you can close after checking 'don't show message again'. Stay in Selective Startup.

FYI: I've been having some problems lately acquiring the NAT address for the wireless. When there is a delay, I get the same yellow triangle w/black ! in the Notification Area. It is actually over the network icon. When the address is obtained, the error icon goes away.
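The R0, O4 and O16 lines Bobbye lists above each follow a fixed HijackThis line format. As an added example (not from this thread and not HijackThis's own code), here is a small Python parser for those three section types, run over constructed sample lines (the three entries from the thread plus an UltraMon O4 line), that pairs each entry with the reason it deserves review; the allowed-startup list and the rule that every O16 download is worth a look are assumed policies, not something the thread states.

```python
import re
from urllib.parse import urlparse

# Constructed sample log (assumed HijackThis format): the three entries Bobbye listed
# for fixing, plus one benign O4 line built from the UltraMon path the thread mentions.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKCU\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"ACROTRAY.EXE
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
"""

# One regex per section handled here: R0 (IE registry settings), O4 (Run-key
# autostarts) and O16 (Downloaded Program Files, i.e. ActiveX pulled from a URL).
PATTERNS = {
    "R0": re.compile(r"^R0 - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$"),
    "O4": re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] "?(?P<path>[^"]+)"?'),
    "O16": re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<desc>[^)]+)\) - (?P<url>\S+)$"),
}


def parse_log(text):
    """Return one dict per recognised line; other section types are skipped."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        for section, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m:
                entries.append({"section": section, "raw": line, **m.groupdict()})
                break
    return entries


def review(entries, fix_list, allowed_startup):
    # fix_list: substrings of lines a helper already told the user to fix.
    # allowed_startup: O4 names allowed at boot (assumed policy, following the
    # thread's advice that only AV, firewall and a few hardware helpers belong there).
    flagged = []
    for e in entries:
        if any(s in e["raw"] for s in fix_list):
            flagged.append((e["raw"], "listed for fixing by the helper"))
        elif e["section"] == "O16":
            flagged.append((e["raw"], f"ActiveX control downloaded from {urlparse(e['url']).hostname}; remove when no longer needed"))
        elif e["section"] == "O4" and e["name"] not in allowed_startup:
            flagged.append((e["raw"], "startup entry not on the minimal boot list"))
    return flagged


if __name__ == "__main__":
    to_fix = ["Acrobat Assistant 8.0", "BDSCANONLINE", "LinksFolderName"]
    for raw, why in review(parse_log(SAMPLE_LOG), to_fix, {"UltraMon"}):
        print(f"[check] {raw}\n        {why}")
```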
 
Hi Bobbye,
I followed your steps, and did not find the two applications you mentioned in the list (Acrobat Assistant & BDSCANONLINE). I did uncheck all Adobe features, as I think I do not need them being loaded at startup (CS4 Master Edition is quite a heavy package, which I do not use that much). I will test whether or not Photoshop and such will still work, but this after a good night's sleep, and class tomorrow at 8.30. (almost 02.15 atm)
I installed the Comodo firewall; I hope it gives better protection than the Windows firewall, but still allows me to play games on LAN or internet.

To Mike:
'Parport' and 'Serial' returned again in the device manager, being marked with a '!' again. I hope this does not mean we are still not finished.

I am curious about any final remarks you might have, Mike (especially about what was harming my PC), as I am not sure what you mean with a "final thread cleanup and shutdown". Is it some nice conclusion of what could be learned from the process we did together, or is it simply closing and clearing the thread?

Goodnight to you both (and NunjaBusiness as well), thanks a lot! I have learned quite a bit, and became aware of a lot of hidden processes that should be given a lot more attention by me, in order to keep my PC running smooth and lovely. I'll try to get more knowledge on which processes are 'usually' to be found in HijackThis, so when something strange comes up, I could spot it easily and, with the help of this forum and Google, find out if it is any good or bad. In the near future I'll go to Africa with a laptop, for an MSc project, a continent infested by viruses, also computer viruses and such. I really think that all the programs and processes used the last couple of days should enable me to stay clear of most of the digital dangers around. (my housemate came home from Ghana with a laptop which was almost useless ever since, he only uploaded some mp3's off an African USB drive :stickout:)


(PS: oh and on the UltraMon, I run two 21" CRTs almost continuously, and often hook up a TV to my PC also, for watching South Park and movies with my housemates in my student home. I really love the program, it is easier than the Nvidia control panel or Windows.)

Edit: Added one last HijackThis log
 
When we are through, we will remove the cleaning tools:
* Click the CleanUp! button.
* It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore > Select Create a restore point > OK.
Next, go to Start > Run and type in cleanmgr > Select the More options tab > Choose the option to clean up System Restore and OK it.
This will remove all restore points except the new one you just created.

The responsibilities for the other program suggestions are for the additional person who recommended them to handle their removal and setups.

EDIT: I just wanted to add that the only processes that need to start at boot are the antivirus, firewall, touchpad if laptop and network process if on a network. All others, including the printer, can be started manually when needed. Taking a process off of startup doesn't mean it can't be used, only that it won't load when you boot.
 
I tested my system for a day, and all looks great.
Figured that most of the hard disk 'crashes' were related to a program called DC++ which I use to download/upload stuff with (sometimes at 100 Mbit/s; we got glass fiber connections between student buildings :D). Not completely in the clear yet, but going the right way.
Tomorrow my system really has to hold, as I have a night ahead watching movies with two very nice french girls... (would be really stupid if my pc would fail me then :eek:)
 
Hi Swen

Two girls and French even!!!!!!!!!!!!! You da man Swen you da man!

Ok, the only thing I was wondering about was the parport and serial port. If the errors come back, look back at my post where I listed the locations of these files. Do a disk search for these and put them in the correct location.

DAF may do this for you.

----------------------------------------------------------------------------------------------------------------------------------
Thread closing

Run CCleaner again twice or more on Cleanup temps, then on the left click Registry, then Scan for issues; also repeat till clean.

Then

D/L, install and run ATF-Cleaner; clear all except passwords in all browsers you have. Run repeatedly until no more found.

http://www.majorgeeks.com/ATF_Cleaner_d4949.html
----------------------------------------------------------------------------------------------------------------------

The issue found is in System Restore, so do the below.

Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

Then

Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.

As this runs it clears all but the most recent Restore Point, but it does one other thing: it clears something that can contain infested files and take a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.
----------------------------------------------------------------------------------------------------------------------
Please download OTCleanIt; Bobbye has already posted this.
----------------------------------------------------------------------------------------------------------------------

Every 2 weeks or so run MBAM and SAS until clean. If they find something they can not clean, then get back to us. (Do it while asleep or at work!)

Additionally run CCleaner.

I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

It was designed to co-exist with other Virus scanners.

Additionally it uses a totally different process to protect. While conventional virus scanners work from definitions, ThreatFire works on recognizing virus/malware activity. It's like looking at it with 2 sets of eyes and from a different angle.

http://www.threatfire.com/Download/
----------------------------------------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot occasionally and use the Immunize function.

Hostman http://www.abelhadigital.com/2008/07...-released.html

Good luck
Mike
 