infected with win32:falder[trj]

Hi,

I recently got infected with win32:falder[trj]. Every few minutes my anti virus software (Avast) detects it but I can't remove it. I select DELETE but it keeps coming back. Also, my internet is opening pages from weird sites. And, Script Blocker pops up every time I open a web page.

My computer is running much slower now and for some reason, it has disabled "Windows Automatic Updates" and it won't allow me to enable it. When I go to windows security center and click on "Turn on automatic updates", nothing happens.

If you can help me with this problem, I would really appreciate it.

Here are the reports from DDS:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Carol & Robert at 16:52:56.68 on Mon 04/06/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.512.158 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090406-0] *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\CAROL&~1\LOCALS~1\Temp\t87i6fn7.exe
C:\DOCUME~1\CAROL&~1\LOCALS~1\Temp\t87i6fn7.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\DOCUME~1\CAROL&~1\LOCALS~1\Temp\t87i6fn7.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Carol & Robert\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: {392ea4bb-b224-4474-8e1b-633d65b84b1d} - c:\windows\system32\opnmMeFx.dll
BHO: {885502ce-3c63-56da-e6f4-bc99f3905d94}: {49d5093f-99cb-4f6e-ad65-36c3ec205588} - c:\windows\system32\lmrfsh.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\jkkKbXom.dll
BHO: c:\windows\system32\hsf73ikmdf3f.dll: {b2ba40a2-74f3-42bd-f434-2604812c8954} - c:\windows\system32\hsf73ikmdf3f.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [<NO NAME>] c:\docume~1\carol&~1\locals~1\temp\t87i6fn7.exe
uRun: [Windows Resurections] c:\docume~1\carol&~1\locals~1\temp\t87i6fn7.exe
mRun: [USRpdA] c:\windows\system32\usrmlnka.exe runservices \device\3cpipe-USRpdA
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [88226d7a] rundll32.exe "c:\windows\system32\swfgrljy.dll",b
StartupFolder: c:\docume~1\carol&~1\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231185238339
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231186212163
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
Notify: Antiwpa - antiwpa.dll
Notify: jkkKbXom - jkkKbXom.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\hsf73ikmdf3f.dll: {b2ba40a2-74f3-42bd-f434-2604812c8954} - c:\windows\system32\hsf73ikmdf3f.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\jkkKbXom.dll
SEH: {2f252b77-d86c-5f38-34e4-9d18ca76090f}: {f09067ac-81d9-4e43-83f5-c68d77b252f2} - c:\windows\system32\lmrfsh.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnmMeFx

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\carol&~1\applic~1\mozilla\firefox\profiles\gjvrsdkx.default\
FF - prefs.js: browser.startup.homepage - www.msn.com
FF - plugin: c:\documents and settings\carol & robert\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-5 114768]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2008-1-30 41456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-13 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-1-5 138680]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-1-5 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-1-5 352920]

=============== Created Last 30 ================

2009-04-06 16:41 <DIR> --d----- c:\program files\Trend Micro
2009-04-06 08:57 99,328 a------- c:\windows\system32\pareigmm.dll
2009-04-06 08:57 99,328 a------- c:\windows\system32\lmrfsh.dll
2009-04-06 08:56 1,389,977 ---sh--- c:\windows\system32\yjlrgfws.ini
2009-04-06 08:56 75,264 a------- c:\windows\system32\swfgrljy.dll
2009-04-06 08:54 7,603 a--sh--- c:\windows\system32\xFeMmnpo.ini2
2009-04-06 08:54 7,603 a--sh--- c:\windows\system32\xFeMmnpo.ini
2009-04-06 08:54 237,056 a------- c:\windows\system32\opnmMeFx.dll
2009-04-06 08:45 15,000 a------- c:\windows\system32\hsf73ikmdf3f.dll
2009-04-06 08:39 <DIR> --d----- c:\program files\Lavasoft
2009-04-06 08:39 35,840 a------- c:\windows\system32\jkkKbXom.dll
2009-04-05 13:44 <DIR> --d----- c:\docume~1\carol&~1\applic~1\PC-FAX TX
2009-03-31 09:02 <DIR> --d----- c:\program files\MSXML 4.0
2009-03-30 17:55 <DIR> --d--r-- c:\docume~1\carol&~1\applic~1\Brother
2009-03-30 17:47 818 a------- c:\windows\Brpfx04a.ini
2009-03-30 17:47 153 a------- c:\windows\brpcfx.ini
2009-03-30 17:47 419 a------- c:\windows\BRWMARK.INI
2009-03-30 17:47 27 a------- c:\windows\BRPP2KA.INI
2009-03-30 17:46 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-03-30 17:46 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-03-30 17:46 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys
2009-03-30 17:46 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-03-30 17:40 176,128 -------- c:\windows\system32\BroSNMP.dll
2009-03-30 17:40 73,728 -------- c:\windows\system32\BrDctF2.dll
2009-03-30 17:40 5,120 -------- c:\windows\system32\BrDctF2L.dll
2009-03-30 17:40 3,072 -------- c:\windows\system32\BrDctF2S.dll
2009-03-30 17:40 167,936 -------- c:\windows\system32\NSSearch.dll
2009-03-30 17:40 <DIR> --d----- c:\program files\Brother
2009-03-30 17:38 <DIR> --d----- c:\program files\Nuance
2009-03-30 17:37 31,567 a------- c:\windows\maxlink.ini
2009-03-30 17:36 <DIR> --d----- c:\program files\common files\ScanSoft Shared
2009-03-30 17:36 <DIR> --d----- c:\program files\ScanSoft
2009-03-30 17:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Brother
2009-03-29 16:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\vsosdk
2009-03-29 10:04 87,608 a------- c:\docume~1\carol&~1\applic~1\inst.exe
2009-03-29 10:04 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-03-29 10:04 47,360 a------- c:\docume~1\carol&~1\applic~1\pcouffin.sys
2009-03-29 10:04 217,127 a------- c:\windows\system32\drv43260.dll
2009-03-29 10:04 208,935 a------- c:\windows\system32\drv33260.dll
2009-03-29 10:04 176,165 a------- c:\windows\system32\drv23260.dll
2009-03-29 10:04 102,439 a------- c:\windows\system32\sipr3260.dll
2009-03-29 10:04 65,602 a------- c:\windows\system32\cook3260.dll
2009-03-29 10:04 626,688 a------- c:\windows\system32\vp7vfw.dll
2009-03-29 10:04 1,184,984 a------- c:\windows\system32\wvc1dmod.dll
2009-03-29 10:04 <DIR> --d----- c:\program files\VSO
2009-03-14 17:12 <DIR> --d----- c:\windows\Dream Day Wedding - Married in Manhattan
2009-03-14 17:12 <DIR> --d----- c:\program files\Dream Day Wedding - Married in Manhattan
2009-03-13 06:24 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-12 11:04 354 a------- c:\windows\system32\hpguapi.ini
2009-03-11 19:51 221,184 a------- c:\windows\system32\wmpns.dll

==================== Find3M ====================

2009-03-13 06:24 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2001-08-23 08:00 94,784 ---sh--- c:\windows\twain.dll
2008-04-13 20:12 50,688 ---sh--- c:\windows\twain_32.dll
2008-04-13 20:11 1,028,096 ---sh--- c:\windows\system32\mfc42.dll
2008-04-13 20:12 57,344 ---sh--- c:\windows\system32\msvcirt.dll
2008-04-13 20:12 413,696 ---sh--- c:\windows\system32\msvcp60.dll
2008-04-13 20:12 343,040 ---sh--- c:\windows\system32\msvcrt.dll
2008-04-13 20:12 551,936 ---sh--- c:\windows\system32\oleaut32.dll
2008-04-13 20:12 84,992 ---sh--- c:\windows\system32\olepro32.dll
2008-04-13 20:12 11,776 ---sh--- c:\windows\system32\regsvr32.exe

============= FINISH: 16:54:07.58 ===============

Hello, poof

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.

---

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:

• Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
• If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
• Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
• Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
• Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.

---

Registry Fix

Open Notepad and copy and paste the following fix:

REGEDIT 4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Then click File, then Save. In the box type fix.reg and save it to your Desktop.
Double click fix.reg
A confirmation message will pop up, click Yes and another message will pop up saying "Merged Successfully"
You may now delete the file.

MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself.
• Press the OK button to close that box and continue.
• If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
• Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

ReScan

Please rescan with DDS and post DDS.txt

---

In your next reply, please post:

• MBAM log
• DDS log

Edited by Jat90, 06 April 2009 - 05:18 PM.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Carol & Robert at 20:07:26.47 on Mon 04/06/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.512.269 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090406-0] *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Carol & Robert\Desktop\dds.scr

============== Pseudo HJT Report ===============

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [<NO NAME>] c:\docume~1\carol&~1\locals~1\temp\t87i6fn7.exe
mRun: [USRpdA] c:\windows\system32\usrmlnka.exe runservices \device\3cpipe-USRpdA
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
StartupFolder: c:\docume~1\carol&~1\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231185238339
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231186212163
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\carol&~1\applic~1\mozilla\firefox\profiles\gjvrsdkx.default\
FF - prefs.js: browser.startup.homepage - www.msn.com
FF - plugin: c:\documents and settings\carol & robert\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-5 114768]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2008-1-30 41456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-13 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-1-5 138680]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-1-5 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-1-5 352920]

=============== Created Last 30 ================

2009-04-06 19:36 <DIR> --d----- c:\docume~1\carol&~1\applic~1\Malwarebytes
2009-04-06 19:35 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-06 19:35 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:35 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-06 16:41 <DIR> --d----- c:\program files\Trend Micro
2009-04-06 08:39 <DIR> --d----- c:\program files\Lavasoft
2009-04-05 13:44 <DIR> --d----- c:\docume~1\carol&~1\applic~1\PC-FAX TX
2009-03-31 09:02 <DIR> --d----- c:\program files\MSXML 4.0
2009-03-30 17:55 <DIR> --d--r-- c:\docume~1\carol&~1\applic~1\Brother
2009-03-30 17:47 818 a------- c:\windows\Brpfx04a.ini
2009-03-30 17:47 153 a------- c:\windows\brpcfx.ini
2009-03-30 17:47 419 a------- c:\windows\BRWMARK.INI
2009-03-30 17:47 27 a------- c:\windows\BRPP2KA.INI
2009-03-30 17:46 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-03-30 17:46 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-03-30 17:46 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys
2009-03-30 17:46 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-03-30 17:40 176,128 -------- c:\windows\system32\BroSNMP.dll
2009-03-30 17:40 73,728 -------- c:\windows\system32\BrDctF2.dll
2009-03-30 17:40 5,120 -------- c:\windows\system32\BrDctF2L.dll
2009-03-30 17:40 3,072 -------- c:\windows\system32\BrDctF2S.dll
2009-03-30 17:40 167,936 -------- c:\windows\system32\NSSearch.dll
2009-03-30 17:40 <DIR> --d----- c:\program files\Brother
2009-03-30 17:38 <DIR> --d----- c:\program files\Nuance
2009-03-30 17:37 31,567 a------- c:\windows\maxlink.ini
2009-03-30 17:36 <DIR> --d----- c:\program files\common files\ScanSoft Shared
2009-03-30 17:36 <DIR> --d----- c:\program files\ScanSoft
2009-03-30 17:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Brother
2009-03-29 16:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\vsosdk
2009-03-29 10:04 87,608 a------- c:\docume~1\carol&~1\applic~1\inst.exe
2009-03-29 10:04 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-03-29 10:04 47,360 a------- c:\docume~1\carol&~1\applic~1\pcouffin.sys
2009-03-29 10:04 217,127 a------- c:\windows\system32\drv43260.dll
2009-03-29 10:04 208,935 a------- c:\windows\system32\drv33260.dll
2009-03-29 10:04 176,165 a------- c:\windows\system32\drv23260.dll
2009-03-29 10:04 102,439 a------- c:\windows\system32\sipr3260.dll
2009-03-29 10:04 65,602 a------- c:\windows\system32\cook3260.dll
2009-03-29 10:04 626,688 a------- c:\windows\system32\vp7vfw.dll
2009-03-29 10:04 1,184,984 a------- c:\windows\system32\wvc1dmod.dll
2009-03-29 10:04 <DIR> --d----- c:\program files\VSO
2009-03-14 17:12 <DIR> --d----- c:\windows\Dream Day Wedding - Married in Manhattan
2009-03-14 17:12 <DIR> --d----- c:\program files\Dream Day Wedding - Married in Manhattan
2009-03-13 06:24 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-12 11:04 354 a------- c:\windows\system32\hpguapi.ini
2009-03-11 19:51 221,184 a------- c:\windows\system32\wmpns.dll

==================== Find3M ====================

2009-03-13 06:24 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2001-08-23 08:00 94,784 ---sh--- c:\windows\twain.dll
2008-04-13 20:12 50,688 ---sh--- c:\windows\twain_32.dll
2008-04-13 20:11 1,028,096 ---sh--- c:\windows\system32\mfc42.dll
2008-04-13 20:12 57,344 ---sh--- c:\windows\system32\msvcirt.dll
2008-04-13 20:12 413,696 ---sh--- c:\windows\system32\msvcp60.dll
2008-04-13 20:12 343,040 ---sh--- c:\windows\system32\msvcrt.dll
2008-04-13 20:12 551,936 ---sh--- c:\windows\system32\oleaut32.dll
2008-04-13 20:12 84,992 ---sh--- c:\windows\system32\olepro32.dll
2008-04-13 20:12 11,776 ---sh--- c:\windows\system32\regsvr32.exe

============= FINISH: 20:07:54.16 ===============




Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/6/2009 7:56:09 PM
mbam-log-2009-04-06 (19-56-09).txt

Scan type: Quick Scan
Objects scanned: 70638
Time elapsed: 8 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 6
Registry Keys Infected: 21
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\opnmMeFx.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\swfgrljy.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lmrfsh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jkkKbXom.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hsf73ikmdf3f.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\antiwpa.dll (Trojan.I.Stole.Windows) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3388f0fd-f77a-4a7e-b33e-5ae9cd303963} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{3388f0fd-f77a-4a7e-b33e-5ae9cd303963} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{49d5093f-99cb-4f6e-ad65-36c3ec205588} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{49d5093f-99cb-4f6e-ad65-36c3ec205588} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkkkbxom (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{b2ba40a2-74f3-42bd-f434-2604812c8954} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{49d5093f-99cb-4f6e-ad65-36c3ec205588} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f09067ac-81d9-4e43-83f5-c68d77b252f2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3388f0fd-f77a-4a7e-b33e-5ae9cd303963} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b2ba40a2-74f3-42bd-f434-2604812c8954} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b2ba40a2-74f3-42bd-f434-2604812c8954} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\antiwpa (Trojan.I.Stole.Windows) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\88226d7a (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b2ba40a2-74f3-42bd-f434-2604812c8954} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{f09067ac-81d9-4e43-83f5-c68d77b252f2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f09067ac-81d9-4e43-83f5-c68d77b252f2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows resurections (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\opnmmefx -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\opnmmefx -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\opnmMeFx.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xFeMmnpo.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xFeMmnpo.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lmrfsh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jkkKbXom.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\swfgrljy.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yjlrgfws.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hsf73ikmdf3f.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\pareigmm.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carol & Robert\Local Settings\Temporary Internet Files\Content.IE5\HFRCUVGU\qw[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carol & Robert\Local Settings\Temporary Internet Files\Content.IE5\VDVICKDM\index[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\antiwpa.dll (Trojan.I.Stole.Windows) -> Delete on reboot.
C:\Documents and Settings\Carol & Robert\Local Settings\Temp\winlogqn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carol & Robert\Local Settings\Temp\t87i6fn7.exe (Trojan.Agent) -> Delete on reboot.

Hi Jat,

I'm sorry that I didn't give you a personal update yesterday but I was very busy at the time.

I followed all the steps in your instructions and everything went very well. You will find the MBAM log and DDS log that you requested in my previous post.

Thank you very much for your time and help.

Poof

Your log looks much better. Let's perform an online scan to make sure we got everything.

ESET Online Scan

Please go to Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX.

• Check (tick) this box: YES, I accept the Terms of Use.
• Click on the Start button next to it.
• When prompted to run ActiveX. click Yes.
• You will be asked to install an ActiveX. Click Install.
• Once installed, the scanner will be initialized.
• After the scanner is initialized, click Start.
• Uncheck (untick) Remove found threats box.
• Check (tick) Scan unwanted applications.
• Click on Scan.
• It will start scanning. Please be patient.
• Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.

Hi Jat,

Here are the results from the ESET Online Scan:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3994 (20090407)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=c5aaeccf011c29448dbed5af6b6359bb
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-04-07 11:22:06
# local_time=2009-04-07 07:22:06 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=264187
# found=1
# scan_time=5105
C:\Documents and Settings\Carol & Robert\My Documents\Incomplete\T-5045425-lean cuisine commercial.snd a variant of WMA/TrojanDownloader.GetCodec.gen trojan 7B5A8D1881BEA0299C2DED19AE82D192

Looks like an infected file from a P2P program.

P2P Warning

If you are going to use p2p file sharing, I suggest you choose a safe program from here: http://p2p.malwareremoval.com/.

If you use P2P software, make sure you are careful about what you open and what P2P program you install. Malware is all over the P2P networks and the programs often come bundled with Adware and Spyware.

Further readings of interest in regards to the p2p "issue" are: http://pcpitstop.com/spycheck/p2p.asp and this:
http://pcpitstop.com/spycheck/badtorrent.asp

Please do the following:

• Open My Computer
• Click on Local Disk (C:)
• Go to Documents and Settings
• Click on Carol & Robert
• Go into My Documents
• Find the folder named "Incomplete"
• Press Ctrl + a simultaneously to select all items. Now press the delete key on your keyboard.

Close that window and right click the Recycled Bin and click "Empty Recycle Bin"

ReScan

Please rescan with DDS and post DDS.txt

Hi Jat,

I followed your instructions and deleted the contents of the "Incomplete" folder and emptied the recycling bin.

Here is the new DDS.txt log file:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Carol & Robert at 21:15:59.48 on Tue 04/07/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.512.187 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090407-0] *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Carol & Robert\Desktop\dds.scr

============== Pseudo HJT Report ===============

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [<NO NAME>] c:\docume~1\carol&~1\locals~1\temp\t87i6fn7.exe
mRun: [USRpdA] c:\windows\system32\usrmlnka.exe runservices \device\3cpipe-USRpdA
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
StartupFolder: c:\docume~1\carol&~1\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231185238339
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231186212163
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\carol&~1\applic~1\mozilla\firefox\profiles\gjvrsdkx.default\
FF - prefs.js: browser.startup.homepage - www.msn.com
FF - plugin: c:\documents and settings\carol & robert\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-5 114768]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2008-1-30 41456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-13 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-1-5 138680]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-1-5 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-1-5 352920]

=============== Created Last 30 ================

2009-04-07 17:52 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-04-06 19:36 <DIR> --d----- c:\docume~1\carol&~1\applic~1\Malwarebytes
2009-04-06 19:35 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-06 19:35 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:35 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-06 16:41 <DIR> --d----- c:\program files\Trend Micro
2009-04-06 08:39 <DIR> --d----- c:\program files\Lavasoft
2009-04-05 13:44 <DIR> --d----- c:\docume~1\carol&~1\applic~1\PC-FAX TX
2009-03-31 09:02 <DIR> --d----- c:\program files\MSXML 4.0
2009-03-30 17:55 <DIR> --d--r-- c:\docume~1\carol&~1\applic~1\Brother
2009-03-30 17:47 818 a------- c:\windows\Brpfx04a.ini
2009-03-30 17:47 153 a------- c:\windows\brpcfx.ini
2009-03-30 17:47 419 a------- c:\windows\BRWMARK.INI
2009-03-30 17:47 27 a------- c:\windows\BRPP2KA.INI
2009-03-30 17:46 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-03-30 17:46 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-03-30 17:46 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys
2009-03-30 17:46 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-03-30 17:40 176,128 -------- c:\windows\system32\BroSNMP.dll
2009-03-30 17:40 73,728 -------- c:\windows\system32\BrDctF2.dll
2009-03-30 17:40 5,120 -------- c:\windows\system32\BrDctF2L.dll
2009-03-30 17:40 3,072 -------- c:\windows\system32\BrDctF2S.dll
2009-03-30 17:40 167,936 -------- c:\windows\system32\NSSearch.dll
2009-03-30 17:40 <DIR> --d----- c:\program files\Brother
2009-03-30 17:38 <DIR> --d----- c:\program files\Nuance
2009-03-30 17:37 31,567 a------- c:\windows\maxlink.ini
2009-03-30 17:36 <DIR> --d----- c:\program files\common files\ScanSoft Shared
2009-03-30 17:36 <DIR> --d----- c:\program files\ScanSoft
2009-03-30 17:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Brother
2009-03-29 16:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\vsosdk
2009-03-29 10:04 87,608 a------- c:\docume~1\carol&~1\applic~1\inst.exe
2009-03-29 10:04 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-03-29 10:04 47,360 a------- c:\docume~1\carol&~1\applic~1\pcouffin.sys
2009-03-29 10:04 217,127 a------- c:\windows\system32\drv43260.dll
2009-03-29 10:04 208,935 a------- c:\windows\system32\drv33260.dll
2009-03-29 10:04 176,165 a------- c:\windows\system32\drv23260.dll
2009-03-29 10:04 102,439 a------- c:\windows\system32\sipr3260.dll
2009-03-29 10:04 65,602 a------- c:\windows\system32\cook3260.dll
2009-03-29 10:04 626,688 a------- c:\windows\system32\vp7vfw.dll
2009-03-29 10:04 1,184,984 a------- c:\windows\system32\wvc1dmod.dll
2009-03-29 10:04 <DIR> --d----- c:\program files\VSO
2009-03-14 17:12 <DIR> --d----- c:\windows\Dream Day Wedding - Married in Manhattan
2009-03-14 17:12 <DIR> --d----- c:\program files\Dream Day Wedding - Married in Manhattan
2009-03-13 06:24 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-12 11:04 354 a------- c:\windows\system32\hpguapi.ini
2009-03-11 19:51 221,184 a------- c:\windows\system32\wmpns.dll

==================== Find3M ====================

2009-03-13 06:24 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2001-08-23 08:00 94,784 ---sh--- c:\windows\twain.dll
2008-04-13 20:12 50,688 ---sh--- c:\windows\twain_32.dll
2008-04-13 20:11 1,028,096 ---sh--- c:\windows\system32\mfc42.dll
2008-04-13 20:12 57,344 ---sh--- c:\windows\system32\msvcirt.dll
2008-04-13 20:12 413,696 ---sh--- c:\windows\system32\msvcp60.dll
2008-04-13 20:12 343,040 ---sh--- c:\windows\system32\msvcrt.dll
2008-04-13 20:12 551,936 ---sh--- c:\windows\system32\oleaut32.dll
2008-04-13 20:12 84,992 ---sh--- c:\windows\system32\olepro32.dll
2008-04-13 20:12 11,776 ---sh--- c:\windows\system32\regsvr32.exe

============= FINISH: 21:16:25.71 ===============

Hello,

All looks clean, how is your pc now? Your Java is out of date.

Update Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

• Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
• Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
• Click the Download button to the right.
• Select your Platform: "Windows".
• Select your Language: "Multi-language".
• Read the License Agreement, and then check the box that says: "Accept License Agreement".
• Click Continue and the page will refresh.
• Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
• Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

• Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.

-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

---

Congratulations you are now clean!

Deletions

Locate where you saved DDS.exe, right click the file and select Delete.

---

Take a read of this excellent tutorial:

Simple and easy ways to keep your computer safe and secure on the Internet

Disable and Enable System Restore.

You should disable and re-enable system restore to make sure there are no infected files found in a restore point. You should now create a new restore point, since your system is clean.

You can find instructions on how to disable and re-enable system restore here:

Windows XP System Restore Guide

Visit Microsoft's Windows Update Site Frequently

• It is important that you visit http://www.windowsupdate.com regularly.
• This will ensure your computer has always the latest security updates available installed on your computer.
• If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

System still slow?

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

Use a Firewall

Some good free firewalls are:

• ZoneAlarm
• Comodo
• Outpost

Make sure you only use one firewall though. A tutorial on understanding and using firewalls may be found here.

Next, I would recommend the download and installation of some (I would say two is enough) of the following programs:

Spybot© - Search and Destroy

• This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
• You should also scan your computer with program on a regular basis just as you would an anti virus software.

SUPERAntiSpyware

• You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
• Each antispyware product has different detection rates for different infections, using different products therefore increases your chances of finding and killing most malware.

MalwareBytes' Anti-Malware

• Malwarebytes' Anti-Malware can detect and remove malware that even the most well known anti-virus and anti-malware applications fail to detect.
• Ability to perform full scans for all drives.
• The "Quick Scan" option lets the user scan the computer quickly checking for the most damaging threats and completing in usually under 10 minutes.

Javacools© SpywareBlaster

• SpywareBlaster will added a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

Glad I could Help

Hi Jat,

My computer is running much better now. I will definitely read the articles you sent me and install more protection.

Thank you very much for your time and help. You guys at bleeping computers are the best.

Thanks again,
Poof

Glad to hear that, and thanks for the compliment

Since the problem appears to be resolved, this topic is now Closed. Glad I could help.
If you need this topic reopened, please send me a message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic.