We are running Windows XP Home, with AVG 8.0.237 as our AntiVirus and ZoneAlarm 8.0.065 as our firewall. Immediately after he tried to run the crack, he came to me and said that AVG caught a virus. At first we thought AVG had solved the problem, but as a few days passed we started receiving more and more alerts, so I started looking for help online.
Restore points are disabled and not an option, and I have followed instructions to delete old restore points just in case one of them was hiding the Trojan.
Yesterday, we disabled the internet and ran AVG, Malwarebytes' Anti-Malware, SpyBot Search and Destroy and Ad-Aware one after the other. All are updated. We then restarted the computer in safe mode and ran them all again, in that order. We then rebooted into normal mode and had SpyBot run on startup, and then ran them all again. Ever since then, things have actually been worse than ever.
Now whenever I run any software, I get an AVG resident shield alert that says:
C:\WINDOWS\system32\user32.DLL is infected with 'Trojan horse Patched_c.BON'. Choosing to remove selected infections does nothing.
When I run SpyBot, I continually find Win32.Agent.icb and Win32.Delf.uc. SpyBot says it fixes them, but they always return.
When I run Ad Aware, I continually find Win32Worm.Pinit and other trojans.
I also continue to get alerts that ZoneAlarm has blocked '9.tmp' or '7.tmp' from accessing the internet.
May I just say, this forum is wonderful and the service you people perform for the PC community is quite admirable. If I hadn't found this forum, I would be out purchasing a new Windows disk right now (which is a bit of an expense on a tight budget). I am performing a new backup as we speak in case things can't be recovered, but we are having difficulty locating the Windows XP install disk, so I am hoping to solve this problem without having to do a re-install if at all possible. I would hate to have to purchase a new Windows XP disk when I still have my key printed on the side of my case.
My DDS log follows:
DDS (Ver_09-02-01.01) - NTFSx86
Run by Murphy at 11:08:53.79 on Wed 03/04/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1078 [GMT -5:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\CTHELPER.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Safari\Safari.exe
svchost.exe C:\WINDOWS\TEMP\VRT3.tmp
D:\Program Files\Pidgin\pidgin.exe
D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
D:\Program Files\Azureus\Azureus.exe
C:\Documents and Settings\Murphy\Desktop\dds.scr
C:\Program Files\AVG\AVG8\avgcsrvx.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.netflix.com/WiHome?lnkctr=mhWN&lnkce=mhwi
uInternet Settings,ProxyOverride = *.local
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [ZoneAlarm Client] "d:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-25 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-29 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-29 27656]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-2-15 353680]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-4 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2002-1-16 93696]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S1 asbp2poa;asbp2poa;\??\c:\docume~1\murphy\locals~1\temp\asbp2poa.sys --> c:\docume~1\murphy\locals~1\temp\asbp2poa.sys [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 NB762_XP;NB 802.11g XG762 1211B Driver;c:\windows\system32\drivers\WlanUZXP.sys [2008-2-15 437760]
=============== Created Last 30 ================
2009-03-04 10:44 160 a---h--- C:\aaw7boot.cmd
2009-03-04 09:41 40 a------- c:\windows\system32\8.tmp
2009-03-03 20:12 40 a------- c:\windows\system32\6.tmp
2009-03-03 14:34 1 a------- c:\windows\system32\3.tmp
2009-03-03 14:34 124 a------- c:\windows\system32\2.tmp
2009-03-03 14:33 64,512 a------- c:\windows\system32\wer3.pf
2009-03-03 14:33 32,768 a------- c:\windows\system32\febbn.wa
2009-03-03 14:33 78,336 a------- c:\windows\system32\nvaux32.dll
2009-03-03 14:33 215,552 ac------ c:\windows\system32\dllcache\termsrv.dll
2009-03-03 14:33 207,872 a------- c:\windows\system32\azton.mt
2009-03-03 14:33 207,872 a------- c:\windows\system32\4.tmp
2009-03-03 01:49 <DIR> --d----- c:\docume~1\murphy\applic~1\Malwarebytes
2009-03-03 01:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-03 01:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-03 01:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-25 15:49 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-25 14:46 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-25 14:44 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-25 14:44 <DIR> --d----- c:\program files\Lavasoft
2009-02-25 13:14 578,560 a------- c:\windows\system32\mivqjw
2009-02-25 13:09 0 a------- c:\windows\mqcd.dbt
2009-02-25 13:08 28,672 a------- c:\windows\system32\kdoqmn.sr
2009-02-25 13:08 32,768 a------- c:\windows\system32\odjan.wa
2009-02-25 13:08 32,768 a------- c:\windows\system32\kei1w.an
2009-02-25 13:08 28,672 a------- c:\windows\system32\doqkm.zt
2009-02-25 13:08 77,312 a------- c:\windows\system32\rkoq.pxf
2009-02-24 15:29 127 a------- c:\windows\system32\55.tmp
2009-02-24 15:29 0 a------- c:\windows\system32\56.tmp
2009-02-24 15:29 84 a------- c:\windows\system32\54.tmp
2009-02-24 15:25 1,221,008 a------- c:\windows\system32\zpeng25.dll
2009-02-24 15:00 1 a------- c:\windows\system32\5E.tmp
2009-02-24 15:00 84 a------- c:\windows\system32\5D.tmp
2009-02-24 10:03 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-02-24 10:02 0 a------- c:\windows\system32\E81.tmp
2009-02-24 10:02 88 a------- c:\windows\system32\E7E.tmp
2009-02-23 08:55 <DIR> --d----- c:\docume~1\murphy\applic~1\Final Draft
2009-02-23 08:54 1,073,152 a----r-- c:\windows\system32\cdintf210.dll
2009-02-23 08:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Final Draft
2009-02-23 08:54 <DIR> --d----- c:\program files\Final Draft Tagger
2009-02-04 15:56 10,520 a------- c:\windows\system32\avgrsstx.dll
==================== Find3M ====================
2009-03-03 14:33 578,560 a------- c:\windows\system32\user32.DLL
2009-03-03 14:33 215,552 a------- c:\windows\system32\termsrv.dll
2009-02-24 15:26 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-02-24 10:03 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-02-23 09:30 13,836 a---h--- c:\windows\system32\mlfcache.dat
2009-02-04 15:56 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-07 14:28 34,308 a------- c:\windows\system32\Chip.dll
2008-12-07 14:28 22,004 a------- c:\windows\system32\Pvt.tmp
2008-12-07 13:47 410,984 a------- c:\windows\system32\deploytk.dll
============= FINISH: 11:10:11.37 ===============
I have not run a Kaspersky scan because I am afraid to disable my antivirus even for a moment!
Thank you for your help, I will be checking back frequently for your advice.