
Win32/Cryptor infection, I think


12 replies to this topic

#1 burtchth


Posted 06 May 2009 - 06:16 PM

Hey guys, I sure hope you can help out.
My problem started when I used Google and new pop-ups opened up when I would click the link. It happened in both Firefox and IE. While using IE, everything froze up and I was unable to do anything, even restart. I forced a shutdown and started up again. Since then everything seems fine until after I log in to my computer account. This happened both in normal and Safe Modes. Now nothing on my desktop shows up, nor does the Start menu and toolbar on the bottom show up. Right now I can use the internet on the computer and I was able to run AVG. It was unable to remove a few things that were labeled Win32/Cryptor. I can also run Trend Micro HijackThis if that will help. I'm not sure if I'll be able to get back on the internet if I restart, so I'll wait until you get back to me. Here's the log from DDS:


DDS (Ver_09-03-16.01) - NTFSx86
Run by at 18:50:47.65 on Wed 05/06/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.269 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Norman Security Suite ver. 7.00 *On-access scanning enabled* (Updated)
AV: McAfee VirusScan *On-access scanning enabled* (Outdated)
FW: McAfee Personal Firewall Plus *enabled*

============== Running Processes ===============

C:\Program Files\Norman\Npm\Bin\Elogsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Norman\Npm\Bin\Njeeves.exe
C:\Program Files\Norman\Npm\Bin\Nvcsched.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norman\Nse\Bin\NSESVC.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norman\Nvc\Bin\nvcoas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\LocalService\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.msu.edu/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: SFCDisable=4 (0x4)
mWinlogon: userinit=c:\windows\system32\sdra64.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: McAfee AntiPhishing Filter: {41d68ed8-4cff-4115-88a6-6ebb8af19000} - c:\progra~1\mcafee\spamki~1\mcapfbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - No File
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: {b87a6e4c-e2e7-45c8-a8fd-ce55b4af0f1e} - c:\windows\system32\ddcya.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [Steam] "c:\program files\valve\steam\steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ISMPack6] "c:\program files\ism2\ISMPack6.exe"
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [QNPlus]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ShowLOMControl] 1 (0x1)
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [MSKDetectorExe] c:\progra~1\mcafee\spamki~1\MSKDetct.exe /startup
mRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MskAgent.exe
mRun: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [HostManager] c:\program files\common files\aol\1147835042\ee\AOLSoftware.exe
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [903bd1ce] rundll32.exe "c:\windows\system32\coojftom.dll",b
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Cqudegexi] rundll32.exe "c:\windows\Uhibusijegoh.dll",e
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Norman ZANDA] "c:\program files\norman\npm\bin\ZLH.EXE" /LOAD /SPLASH
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40} - c:\progra~1\mcafee\spamki~1\mcapfbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: amaena.com
Trusted Zone: avsystemcare.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusschlacht.com
Trusted Zone: musicmatch.com\online
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} - hxxp://www.candystand.com/assets/activex/virtools/CacheManager.CAB
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: aywetsjq - aywetsjq.dll
Notify: igfxcui - igfxdev.dll
Notify: jkkliff - jkkliff.dll
LSA: Authentication Packages = msv1_0 nwprovau c:\windows\system32\ddcya.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\locals~1\applic~1\mozilla\firefox\profiles\2pvpzw2v.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-5 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-25 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-25 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-25 107272]
R1 NGS;Norman General Security Driver;c:\program files\norman\ngs\bin\ngs.sys [2009-5-3 22712]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-2-1 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-1 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 953168]
R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2006-5-11 126976]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2006-5-11 221184]
R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2006-5-11 122368]
R2 Ndiskio;Ndiskio;c:\program files\norman\nse\bin\Ndiskio.sys [2009-5-3 20448]
R2 Norman ZANDA;Norman ZANDA;c:\program files\norman\npm\bin\Zanda.exe [2009-2-25 408696]
R2 NVOY;Norman Resource Provider;c:\program files\norman\npm\bin\nvoy.exe [2009-5-3 126008]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2006-12-22 24521]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-5-11 114464]
R3 nsesvc;Norman Scanner Engine Service;c:\program files\norman\nse\bin\Nsesvc.exe [2009-5-3 310328]
R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [2009-5-3 19512]
R3 nvcoas;Norman Virus Control on-access component;c:\program files\norman\nvc\bin\Nvcoas.exe [2009-5-3 195640]
R3 NVCScheduler;Norman Virus Control Scheduler;c:\program files\norman\npm\bin\nvcsched.exe [2009-5-3 154680]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-21 24652]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2006-12-22 155216]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2006-5-11 245760]

=============== Created Last 30 ================

2009-05-06 18:07 <DIR> --d----- c:\program files\Trend Micro
2009-05-05 06:39 1 a------- c:\windows\system32\uniq.tll
2009-05-03 23:00 212,024 a------- c:\windows\system32\nscrnsav.scr
2009-05-03 23:00 19,512 a------- c:\windows\system32\drivers\nvcw32mf.sys
2009-05-03 22:59 <DIR> --d----- c:\program files\Norman
2009-04-15 01:27 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-15 01:27 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-15 01:27 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-15 01:27 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 01:27 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-15 01:26 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 01:26 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-15 01:26 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-15 01:26 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 01:25 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 01:25 215,552 -------- c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-04-26 19:36 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-26 19:35 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-05 20:54 5,902 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 06:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\dllcache\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-11 16:12 88 ---shr-- c:\windows\system32\F87B2EA438.sys
2008-09-14 19:37 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat

============= FINISH: 18:53:00.06 ===============


#2 burtchth


Posted 06 May 2009 - 06:35 PM

Ah, I forgot a few things. First, I'm using Windows XP on my laptop. Also, I had a similar problem last December and was able to fix it before it got this far by using a Norman cleaner. I tried using Norman this time, but it did not work. Also, I've tried to download Malwarebytes but it would not allow it, and I've had trouble downloading a few other programs. The other day I couldn't run Defragmenter and was unable to update Ad-Aware and AVG. If I remember anything else I'll keep you posted. Thanks again!

#3 KoanYorel


Posted 21 May 2009 - 08:11 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 burtchth


Posted 22 May 2009 - 08:34 AM

Hi,
Thanks for the reply! Windows no longer boots up; I can get past the sign-in screen to my account, but nothing else happens. The only way I can get on the internet is by a McAfee update box that comes up, so I'm not positive if I'll be able to keep getting back online. Thanks again, and here's the log.




DDS (Ver_09-05-14.01) - NTFSx86
Run by Tommy at 9:23:46.21 on Fri 05/22/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.383 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norman Security Suite *On-access scanning enabled* (Updated) {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\Program Files\Norman\Npm\Bin\Elogsvc.exe
C:\Program Files\Norman\Ngs\Bin\Nprosec.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Norman\Npm\Bin\scheduler.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Norman\Npm\Bin\Njeeves.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norman\Nse\Bin\NSESVC.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norman\Nvc\Bin\nvcoas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\Tommy\Desktop\dds(3).pif
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.msu.edu/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: SFCDisable=4 (0x4)
mWinlogon: userinit=c:\windows\system32\sdra64.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: McAfee AntiPhishing Filter: {41d68ed8-4cff-4115-88a6-6ebb8af19000} - c:\progra~1\mcafee\spamki~1\mcapfbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - No File
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: {b87a6e4c-e2e7-45c8-a8fd-ce55b4af0f1e} - c:\windows\system32\ddcya.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [Steam] "c:\program files\valve\steam\steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ISMPack6] "c:\program files\ism2\ISMPack6.exe"
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [QNPlus]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ShowLOMControl] 1 (0x1)
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [MSKDetectorExe] c:\progra~1\mcafee\spamki~1\MSKDetct.exe /startup
mRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MskAgent.exe
mRun: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [HostManager] c:\program files\common files\aol\1147835042\ee\AOLSoftware.exe
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [903bd1ce] rundll32.exe "c:\windows\system32\coojftom.dll",b
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Cqudegexi] rundll32.exe "c:\windows\Uhibusijegoh.dll",e
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Norman ZANDA] "c:\program files\norman\npm\bin\ZLH.EXE" /LOAD /SPLASH
mRun: [MRT] "c:\windows\system32\MRT.exe" /R
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRunOnce: [GrpConv] grpconv -o
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40} - c:\progra~1\mcafee\spamki~1\mcapfbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: amaena.com
Trusted Zone: avsystemcare.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusschlacht.com
Trusted Zone: musicmatch.com\online
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} - hxxp://www.candystand.com/assets/activex/virtools/CacheManager.CAB
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: aywetsjq - aywetsjq.dll
Notify: igfxcui - igfxdev.dll
Notify: jkkliff - jkkliff.dll
LSA: Authentication Packages = msv1_0 nwprovau c:\windows\system32\ddcya.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tommy\applic~1\mozilla\firefox\profiles\vxv19b2j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msu.edu
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-5 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-25 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-25 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-25 108552]
R1 NGS;Norman General Security Driver;c:\program files\norman\ngs\bin\ngs.sys [2009-5-3 22712]
R1 NPROSEC;Norman Security driver;c:\program files\norman\ngs\bin\nprosec.sys [2009-5-17 53816]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-5-19 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-19 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 953168]
R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2006-5-11 126976]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2006-5-11 221184]
R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2006-5-11 122368]
R2 Ndiskio;Ndiskio;c:\program files\norman\nse\bin\Ndiskio.sys [2009-5-3 20448]
R2 Norman ZANDA;Norman ZANDA;c:\program files\norman\npm\bin\Zanda.exe [2009-2-25 408696]
R2 NPROSECSVC;Norman Security service;c:\program files\norman\ngs\bin\nprosec.exe [2009-5-17 121912]
R2 NVOY;Norman Resource Provider;c:\program files\norman\npm\bin\nvoy.exe [2009-5-3 126008]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2006-12-22 24521]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-5-11 114464]
R3 nsesvc;Norman Scanner Engine Service;c:\program files\norman\nse\bin\Nsesvc.exe [2009-5-21 310328]
R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [2009-5-17 19512]
R3 nvcoas;Norman Virus Control on-access component;c:\program files\norman\nvc\bin\Nvcoas.exe [2009-5-3 195640]
R3 Scheduler;Norman Scheduler Service;c:\program files\norman\npm\bin\scheduler.exe [2009-5-17 130104]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-21 24652]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2006-12-22 155216]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2006-5-11 245760]
S3 NVCScheduler;Norman Virus Control Scheduler;"c:\program files\norman\npm\bin\nvcsched.exe" --> c:\program files\norman\npm\bin\Nvcsched.exe [?]

=============== Created Last 30 ================

2009-05-22 09:22 <DIR> --d-h--- c:\windows\PIF
2009-05-17 13:17 19,512 a------- c:\windows\system32\drivers\nvcw32mf.sys
2009-05-12 16:44 552 a------- c:\windows\system32\d3d8caps.dat
2009-05-09 09:45 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-05-09 09:45 10,752 ----h--- c:\windows\pp06.exe
2009-05-09 09:45 2 ----h--- c:\windows\t55ft2692f44.dat
2009-05-09 09:45 <DIR> --d----- c:\windows\system32\796525
2009-05-09 09:45 15,872 ----h--- c:\windows\ld08.exe
2009-05-08 07:05 1,400 a------- c:\windows\system32\ahtn.htm
2009-05-08 07:05 4,785 a------- c:\windows\system32\warning.gif
2009-05-08 07:05 445 a------- c:\windows\system32\win32hlp.cnf
2009-05-08 07:05 104,960 a------- c:\windows\system32\dllcache\userinit.exe
2009-05-08 07:05 22,528 a------- c:\windows\system32\frmwrk32.exe
2009-05-06 18:07 <DIR> --d----- c:\program files\Trend Micro
2009-05-05 06:39 1 a------- c:\windows\system32\uniq.tll
2009-05-03 23:00 212,024 a------- c:\windows\system32\nscrnsav.scr
2009-05-03 22:59 <DIR> --d----- c:\program files\Norman

==================== Find3M ====================

2009-05-19 13:01 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-19 13:01 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-19 13:01 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-17 12:55 104,960 a------- c:\windows\system32\userinit.exe
2009-04-26 19:36 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-26 19:35 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-05 20:54 5,902 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-11 16:12 88 ---shr-- c:\windows\system32\F87B2EA438.sys
2008-09-14 19:37 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat

============= FINISH: 9:26:11.73 ===============

<Edited to place Attach.txt IN-LINE ~ Maurice>


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 5/16/2006 12:34:35 PM
System Uptime: 5/22/2009 9:14:24 AM (0 hours ago)

Motherboard: Dell Inc. | | 0KD882
Processor: Genuine Intel® CPU T2400 @ 1.83GHz | Microprocessor | 1828/166mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 68 GiB total, 44.823 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\3D95F921364FC000
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\3D95F921364FC000
Service: NIC1394

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

300_saver_01
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Reader 7.0.9
Adobe Shockwave Player 11
AIM 6
AOL Uninstaller (Choose which Products to Remove)
Apple Mobile Device Support
Apple Software Update
AVG Free 8.5
Bonjour
Broadcom Management Programs
Conexant HDA D110 MDC V.92 Modem
Corel Paint Shop Pro X
Corel Photo Album 6
Counter-Strike™
Dell Digital Jukebox Driver
Dell Game Console
Dell Support Center (Support Software)
Dell System Restore
DellSupport
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
EducateU
Games, Music, & Photos Launcher
GemMaster Mystic
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB952287)
HP Software Update
HP Update
Intel® Graphics Media Accelerator Driver
Intel® PROSet/Wireless Software
Internal Network Card Power Management
Internet Service Offers Launcher
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Learn2 Player (Uninstall Only)
McAfee Uninstaller
mCore
MCU
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
mIWA
mLogView
mMHouse
Modem Helper
Mozilla Firefox (3.0.10)
mPfMgr
mPfWiz
mProSafe
MSN
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
mWlsSafe
mWMI
mXML
mZConfig
NetWaiting
NetZeroInstallers
Norman Security Suite
Nortel Networks Contivity VPN Client
PowerDVD 5.7
QuickSet
QuickTime
RealPlayer Basic
SCRABBLE
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Sonic DLA
Sonic Encoders
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Steam™
SWAT 4
SWAT 4 - Gold
Synaptics Pointing Device Driver
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Virtools 3D Life Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WA Update v3.50 beta2
WebCyberCoach 3.2 Dell
WebFldrs XP
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player Firefox Plugin
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB908250
Windows XP Media Center Edition 2005 KB912067
Windows XP Service Pack 3
WordPerfect Office 12
Worms Armageddon

==== Event Viewer Messages From Past Week ========

5/17/2009 12:59:38 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service MskService with arguments "" in order to run the server: {5109B8D8-73AF-4C41-A70E-73707E1F908A}
5/17/2009 12:51:56 PM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/17/2009 1:31:50 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Viewpoint Manager Service service to connect.
5/17/2009 1:31:50 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee SpamKiller Server service to connect.
5/17/2009 1:31:50 PM, error: Service Control Manager [7000] - The McAfee SpamKiller Server service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/17/2009 1:25:58 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/17/2009 1:25:09 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV AvgLdx86 AvgMfx86 Fips intelppm NGS

==== End Of File ===========================

Edited by Maurice Naggar, 22 May 2009 - 11:52 AM.


#5 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 22 May 2009 - 12:02 PM

Hello Burt,

I'll be helping you to search for and remove malwares. First, though, you have to sort out which one of these antivirus apps is to be your resident (always on) antivirus:
AVG Anti-Virus Free or
Norman Security Suite ver. 7.00 or
McAfee VirusScan?

Having more than one AV active at the same time will lead to conflicts and will result in less security.

Whichever of the 2 you do not have a current license for, then de-install.

Next, Spybot's Tea Timer has to be turned off and kept that way.

Right click the Spybot Icon in the system tray (notification area).
  • If you have the new version 1.5, click once on Resident Protection and make sure it is Unchecked.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    Exit Spybot S&D when done and reboot the system so the changes are in effect.
Also, Ad-Aware's Ad watch has to be off:
Right click on the Ad-Watch icon in the system tray.
At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: This will turn Ad-Watch On\Off without closing it.
Automatic: Suspicious activity will be blocked automatically.
Uncheck both of those boxes.

=
Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiem...orepolicies.zip
Unzip the download. Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install.

Delete the download, the unzipped folder and all contents.
=

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
Please advise when these are taken care of. The system has Vundo malwares, which need to be removed; which we will cover after your reply.

Edited by Maurice Naggar, 22 May 2009 - 12:13 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
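The DDS log quoted above shows the pattern post #5 sets out to undo: explorer/system restriction policies switched on, rundll32 autostarts loading oddly named DLLs, unknown Winlogon Notify DLLs, an extra LSA authentication package and a batch of trusted-zone additions. The script below is an added example, not part of this thread nor of the DDS, FixPolicies or VArestorepolicies tools; it triages those DDS line types mechanically. The allowlists, the policy-name set and the u/m/d-to-hive mapping are assumptions, and the sample input is copied from the DDS log posted in this thread.

```python
import re

# Policy values malware turns on to lock the user out of recovery tools (assumed list).
RESTRICTION_POLICIES = {
    "DisableTaskMgr", "DisableRegistryTools", "NoSetActiveDesktop",
    "NoActiveDesktopChanges", "NoFolderOptions", "NoRun", "NoControlPanel",
}
# Winlogon Notify DLLs belonging to legitimate products (assumed allowlist).
KNOWN_NOTIFY_DLLS = {"igfxdev.dll", "avgrsstx.dll", "wlnotify.dll", "scecli.dll"}
# Authentication packages a stock XP install plus the NetWare client register (assumed).
KNOWN_AUTH_PACKAGES = {"msv1_0", "nwprovau"}
# DDS prefixes: u = current user, m = machine, d = default profile (assumed mapping).
HIVE = {"u": "HKCU", "m": "HKLM", "d": r"HKU\.DEFAULT"}

POLICY_RE = re.compile(r"^([umd])Policies-(\w+):\s*(\w+)\s*=\s*(\d+)")
RUN_RE = re.compile(r"^[um]Run(?:Once)?:\s*\[([^\]]+)\]\s*(.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\S+)', re.I)
NOTIFY_RE = re.compile(r"^Notify:\s*(\S+)\s*-\s*(\S+\.dll)\s*$", re.I)
LSA_RE = re.compile(r"^LSA:\s*Authentication Packages\s*=\s*(.+)$")
ZONE_RE = re.compile(r"^Trusted Zone:\s*(\S+)")


def triage_line(line):
    """Return (category, detail) when a DDS line deserves a second look, else None."""
    line = line.strip()
    m = POLICY_RE.match(line)
    if m:
        hive, area, key, value = m.groups()
        if key in RESTRICTION_POLICIES and value != "0":
            return ("restriction-policy", f"{HIVE[hive]} {area}\\{key} = {value}")
        return None
    m = RUN_RE.match(line)
    if m:
        name, command = m.groups()
        r = RUNDLL_RE.search(command)
        if r:
            dll, export = r.groups()
            # An autostart whose registry value name is eight hex digits is a classic
            # generated name; a one-letter export ordinal is another weak signal.
            note = " (hex-looking value name)" if re.fullmatch(r"[0-9a-f]{8}", name) else ""
            return ("rundll32-autostart", f"[{name}] {dll} export={export}{note}")
        return None
    m = NOTIFY_RE.match(line)
    if m:
        name, dll = m.groups()
        if dll.lower() not in KNOWN_NOTIFY_DLLS:
            return ("unknown-notify-dll", f"{name} -> {dll}")
        return None
    m = LSA_RE.match(line)
    if m:
        extras = [p for p in m.group(1).split() if p.lower() not in KNOWN_AUTH_PACKAGES]
        if extras:
            return ("lsa-auth-package", " ".join(extras))
        return None
    m = ZONE_RE.match(line)
    if m:
        # Every trusted-zone entry is reported: the owner should confirm each one.
        return ("trusted-zone", m.group(1))
    return None


def triage(lines):
    """Apply triage_line to every line, keeping findings in log order."""
    return [f for f in (triage_line(line) for line in lines) if f]


# Sample input: lines copied from the DDS log posted earlier in this thread.
SAMPLE_DDS_LINES = r"""
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [903bd1ce] rundll32.exe "c:\windows\system32\coojftom.dll",b
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Cqudegexi] rundll32.exe "c:\windows\Uhibusijegoh.dll",e
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
Trusted Zone: trustedantivirus.com
Trusted Zone: musicmatch.com\online
Notify: avgrsstarter - avgrsstx.dll
Notify: aywetsjq - aywetsjq.dll
Notify: igfxcui - igfxdev.dll
Notify: jkkliff - jkkliff.dll
LSA: Authentication Packages = msv1_0 nwprovau c:\windows\system32\ddcya.dll
""".strip().splitlines()

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_DDS_LINES):
        print(f"{category:20} {detail}")
```

Run against the whole DDS.txt the script reports ten findings for the sample above; it does not judge the remaining autostarts, so a clean report is a starting point for review, not a verdict.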

#6 burtchth
  • Topic Starter

  • Members
  • 7 posts

Posted 22 May 2009 - 10:11 PM

Maurice,
I was able to do everything except the FixPolicies part. The file downloaded but I couldn't open or install it. I uninstalled Norman and McAfee so I only have AVG anti-virus. Windows can boot up now and I can access the Task Manager again. Let me know if I need to keep trying to run FixPolicies, otherwise I'll wait for the next step. Thanks again!

#7 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 23 May 2009 - 02:50 PM

Hello burt,

Let me know if you were able to run VArestorepolicies.
You may run Fixpolicies again.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
If you are a casual viewer, do NOT try this on your system!
If you are not Burtchth and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

=
Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under the column Hidden files and folders, choose (select) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

=

Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account (User Profile).

=

Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.
  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.

    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.
How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

=
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on Combo-Fix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this, then be sure to write it down fully and also copy it into your next reply here, and then await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

Please download & save Malwarebytes Anti-Malware from
http://www.download.com/Malwarebytes-Anti-..._4-10804572.htm or
http://www.besttechie.net/tools/mbam-setup.exe or
http://malwarebytes.gt500.org/mbam.jsp

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of the Sysclean log
C:\Combofix.txt
the MBAM scan log
and tell me, How is your system now?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#8 burtchth
  • Topic Starter

  • Members
  • 7 posts

Posted 25 May 2009 - 01:08 AM

Last time I was able to run VArestorepolicies. I disabled AVG from the system tray but I'm not sure if it worked completely as ComboFix said it was not disabled. My computer is running better now, it has improved a lot since VArestorepolicies was run. I just got done running MBAM so I haven't had the chance to see if it is normal, but it seems to be pretty close. Thanks for the help and I'll do my best not to mess it up while I await the next step.

Ran ATF Cleaner

Ran Trend Micro, log is below


/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006-2007, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2009-05-24, 21:46:31, Auto-clean mode specified.
2009-05-24, 21:46:31, Initialized Rootkit Driver version 2.2.0.1004.
2009-05-24, 21:46:31, Running scanner "C:\Documents and Settings\Tommy\Desktop\DCE\TSC.BIN"...
2009-05-24, 21:47:18, Scanner "C:\Documents and Settings\Tommy\Desktop\DCE\TSC.BIN" has finished running.
2009-05-24, 21:47:18, TSC Log:

Damage Cleanup Engine (DCE) 6.0 (Build 1172)
Windows XP (Build 2600: Service Pack 3)

Start time: Sun May 24 2009 21:46:34

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Tommy\Desktop\DCE\TMRDCT.ptn" (version) [fail]
Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Tommy\Desktop\DCE\tsc.ptn" (version 1036) [success]

Complete time: Sun May 24 2009 21:47:18

Execute pattern count (3052), Virus found count (0), Virus clean count (0), Clean failed count (0)


2009-05-24, 21:47:18, Running scanner "C:\Documents and Settings\Tommy\Desktop\DCE\VSCANTM.BIN"...
2009-05-24, 22:40:28, Scanner "C:\Documents and Settings\Tommy\Desktop\DCE\VSCANTM.BIN" has finished running.
2009-05-24, 22:40:28, VSCANTM Log:

2009-05-24, 22:40:28, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/24/2009 21:47:18
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 145 (401987/401987 Patterns) (2009/05/22) (614500)

Command Line: C:\Documents and Settings\Tommy\Desktop\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Documents and Settings\Tommy\Desktop\DCE\lpt$vpn.145

C:\Program Files\Movie Maker\profsydybav.html [HTML_IFRAME.KG]
163214 files have been read.
163214 files have been checked.
163182 files have been scanned.
240949 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/24/2009 22:40:28 53 minutes 10 seconds (3190.09 seconds) has elapsed.(19.545 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-24, 22:40:28, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/24/2009 21:47:18
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 145 (401987/401987 Patterns) (2009/05/22) (614500)

Command Line: C:\Documents and Settings\Tommy\Desktop\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Documents and Settings\Tommy\Desktop\DCE\lpt$vpn.145

163214 files have been read.
163214 files have been checked.
163182 files have been scanned.
240949 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/24/2009 22:40:28 53 minutes 10 seconds (3190.09 seconds) has elapsed.(19.545 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-24, 22:40:28, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/24/2009 21:47:18
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 145 (401987/401987 Patterns) (2009/05/22) (614500)

Command Line: C:\Documents and Settings\Tommy\Desktop\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Documents and Settings\Tommy\Desktop\DCE\lpt$vpn.145

163214 files have been read.
163214 files have been checked.
163182 files have been scanned.
240949 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/24/2009 22:40:28 53 minutes 10 seconds (3190.09 seconds) has elapsed.(19.545 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-24, 22:40:29, Running SSAPI scanner ""...
2009-05-24, 23:08:48, SSAPI Log:

SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 7.73
SSAPI Anti-Rootkit Version: 2.2.0.1004

Spyware Scan Started: 05/24/2009 22:40:33

Detected: 0 items.

Spyware Scan Ended: 05/24/2009 23:08:48
Scan Complete. Time=1698.598389.





ComboFix said to write down these files. All start with C:\WINDOWS\system32\ and are followed by:

Drivers\UACvsnveigcwrssttv.sys
Drivers\TDSSmqlt.sys
TDSSoiqt.dll
TDSSmtvd.dat
TDSShrxm.dll
TDSSvkql.dll
TDSSxfum.dll
TDSSlxwp.dll
TDSSnmxh.log
TDSSsahc.dll
TDSSrhyp.log
TDSSkkai.log
UACwbmkkmboycnmvkg.dll
UACohmvycufnuevvlb.dll
UACyhmcbdyphtbvkpe.log


Here is the ComboFix log:

ComboFix 09-05-24.06 - Tommy 05/25/2009 1:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.594 [GMT -4:00]
Running from: c:\documents and settings\Tommy\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Live Safety Center.lnk
c:\temp\fCOe
c:\temp\xOe
c:\windows\cookies.ini
c:\windows\system32\aywetsjq.dllbox
c:\windows\system32\drivers\TDSSmqlt.sys
c:\windows\system32\drivers\UACvsnveigcwrssttv.sys
c:\windows\system32\ixkazstx.dllbox
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\m7
c:\windows\system32\mcrh.tmp
c:\windows\system32\okhvwtlx.dllbox
c:\windows\system32\sdra64.exe
c:\windows\system32\TDSShrxm.dll
c:\windows\system32\TDSSkkai.log
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSmtvd.dat
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSrhyp.log
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSvkql.dll
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\twain_32
c:\windows\system32\twain_32\user.ds
c:\windows\system32\uacinit.dll
c:\windows\system32\UACiqpfwaravglinht.dll
c:\windows\system32\UACkopmjdqluabdbur.dll
c:\windows\system32\UACohmvycufnuevvlb.dll
c:\windows\system32\UACrxngipfumuybwur.dat
c:\windows\system32\UACuwqvsciqlnlasft.dll
c:\windows\system32\UACwbmkkmboycnmvkg.dll
c:\windows\system32\UACyhmcbdyphtbvkpe.log
c:\windows\system32\uniq.tll
c:\windows\system32\vMW02a
c:\windows\system32\w1
c:\windows\system32\win32hlp.cnf
c:\windows\system32\xhgvijlz.dllbox
c:\windows\t55ft2692f44.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-04-25 to 2009-05-25 )))))))))))))))))))))))))))))))
.

2009-05-22 13:22 . 2009-05-22 13:22 -------- d--h--w c:\windows\PIF
2009-05-12 21:31 . 2009-05-12 21:31 17412 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\ThreatWork\Submit\SYS32DLL.exe
2009-05-12 21:31 . 2009-05-12 21:31 17412 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\ThreatWork\Submit\nfr[1].exe
2009-05-12 21:31 . 2009-05-12 21:31 10756 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\ThreatWork\Submit\pp.06[1].exe
2009-05-12 21:31 . 2009-05-12 21:31 15876 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\ThreatWork\Submit\ld08.exe
2009-05-12 21:31 . 2009-05-12 21:31 10756 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\ThreatWork\Submit\pp06.exe
2009-05-12 20:44 . 2009-05-12 20:44 552 ----a-w c:\windows\system32\d3d8caps.dat
2009-05-09 13:45 . 2009-05-12 21:31 -------- d-----w c:\windows\system32\796525
2009-05-06 22:07 . 2009-05-06 22:07 -------- d-----w c:\program files\Trend Micro
2009-05-06 20:11 . 2009-05-06 20:11 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-05-04 02:59 . 2009-05-23 02:40 -------- d-----w c:\program files\Norman
2009-05-03 23:18 . 2009-05-03 23:18 202244 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\ThreatWork\Submit\300_saver_01.scr
2009-05-03 23:18 . 2009-05-03 23:18 34308 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\ThreatWork\Submit\saver1.dll
2009-04-27 23:35 . 2009-04-27 23:35 299352 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-04-26 23:36 . 2009-04-26 23:36 25440 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-04-26 23:36 . 2009-04-26 23:36 15688 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-04-26 23:36 . 2009-04-26 23:36 165728 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-04-26 23:36 . 2009-04-26 23:36 343888 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-04-26 23:36 . 2009-04-26 23:36 289632 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-04-26 23:36 . 2009-04-26 23:36 82784 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-04-26 23:35 . 2009-04-26 23:35 1629024 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-04-26 23:35 . 2009-04-26 23:35 212848 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-04-26 23:35 . 2009-04-26 23:35 40288 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-04-26 23:35 . 2009-04-26 23:35 64160 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-04-26 23:35 . 2009-04-26 23:35 632680 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-04-26 23:34 . 2009-04-26 23:34 539512 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-04-26 23:34 . 2009-04-26 23:34 552808 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-04-26 23:34 . 2009-04-26 23:34 2324808 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-04-26 23:34 . 2009-04-26 23:34 626000 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-04-26 23:34 . 2009-04-26 23:34 516440 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-04-26 23:34 . 2009-04-26 23:34 953168 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-23 02:30 . 2006-05-11 19:22 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
2009-05-19 17:01 . 2008-12-26 01:12 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-19 17:01 . 2008-12-26 01:12 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-19 17:01 . 2008-12-26 01:12 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-05-19 17:01 . 2008-12-26 01:12 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-05 10:45 . 2008-12-26 01:12 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-03 16:21 . 2006-10-11 17:16 -------- d-----w c:\program files\Google
2009-04-26 23:36 . 2009-04-06 02:36 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-26 23:35 . 2009-04-05 23:35 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-05 23:30 . 2009-04-05 23:30 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-05 23:30 . 2007-10-14 15:21 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-12 08:17 . 2009-04-05 23:30 2902048 -c--a-w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-03-06 14:22 . 2005-08-16 09:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 00:54 . 2006-08-29 00:40 56 -csh--r c:\windows\system32\38A42E7BF8.sys
2009-03-06 00:54 . 2006-05-17 03:41 5902 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-03-05 01:15 . 2008-10-17 02:04 1878984 -c--a-w c:\documents and settings\Tommy\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-03-03 00:18 . 2005-08-16 09:18 826368 ----a-w c:\windows\system32\wininet.dll
2008-10-11 20:12 . 2006-05-17 03:41 88 --sh--r c:\windows\system32\F87B2EA438.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"Steam"="c:\program files\valve\steam\steam.exe" [2009-05-23 1217784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-07 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Aim6"="c:\program files\AIM6\aim6.exe" [2007-09-29 50528]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-06 839680]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"HostManager"="c:\program files\Common Files\AOL\1147835042\ee\AOLSoftware.exe" [2006-05-10 50760]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-01-15 37376]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-19 1947928]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-26 516440]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-11-16 397312]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-11 24576]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-19 17:01 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147835042\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147835042\\ee\\aim6.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\hendrix_gypsy_magic\\day of defeat\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\hendrix_gypsy_magic\\condition zero\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\hendrix_gypsy_magic\\condition zero deleted scenes\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\hendrix_gypsy_magic\\counter-strike\\hl.exe"=
"c:\\MicroProse\\Worms Armageddon\\wa.exe"=
"c:\\Program Files\\Nortel Networks\\Extranet.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Tommy\\Desktop\\[ PC Games ] - Age of Empires II(FULL)\\age2_x1.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Documents and Settings\\Tommy\\Desktop\\[ PC Games ] - Age of Empires II(FULL)\\empires2.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/5/2009 7:35 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/25/2008 9:12 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/25/2008 9:12 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/19/2009 1:00 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/19/2009 1:00 PM 298776]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/21/2007 1:31 AM 24652]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [12/22/2006 2:35 AM 24521]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [12/22/2006 2:35 AM 155216]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 953168]
.
Contents of the 'Scheduled Tasks' folder

2009-05-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 23:34]

2009-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - (no file)
BHO-{B87A6E4C-E2E7-45C8-A8FD-CE55B4AF0F1E} - c:\windows\system32\ddcya.dll
HKCU-Run-ISMPack6 - c:\program files\ISM2\ISMPack6.exe
HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
HKCU-Run-QNPlus - (no file)
HKLM-Run-903bd1ce - c:\windows\system32\coojftom.dll
HKLM-Run-Cqudegexi - c:\windows\Uhibusijegoh.dll
Notify-aywetsjq - aywetsjq.dll
Notify-jkkliff - jkkliff.dll
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msu.edu/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: amaena.com
Trusted Zone: avsystemcare.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusschlacht.com
Trusted Zone: musicmatch.com\online
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\Tommy\Application Data\Mozilla\Firefox\Profiles\vxv19b2j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msu.edu
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-25 01:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3752)
c:\windows\system32\mshtml.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\dllhost.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-05-25 1:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-25 05:26

Pre-Run: 48,230,551,552 bytes free
Post-Run: 48,181,846,016 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

Current=15 Default=15 Failed=14 LastKnownGood=16 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
302 --- E O F --- 2009-05-17 18:11




Here is the MBAM log:

Malwarebytes' Anti-Malware 1.36
Database version: 2176
Windows 5.1.2600 Service Pack 3

5/25/2009 1:43:11 AM
mbam-log-2009-05-25 (01-43-11).txt

Scan type: Quick Scan
Objects scanned: 89819
Time elapsed: 4 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7aa32fc7-133b-4ae7-998e-ced0d9829b12} (Trojan.Dialer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation (Backdoor.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\796525 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.

#9 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 25 May 2009 - 07:00 AM

You've done well so far. Combofix noted and has removed a rootkit infection. I want us to follow up with 2 tools.
There will be more to do later.

Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    c:\windows\system32\drivers\msqpdxserv.sys 
    c:\windows\system32\TDSSweat.dat
    C:\WINDOWS\system32\drivers\TDSSmqlt.sys 
    C:\windows\system32\drivers\tdssserv.sys
    C:\windows\system32\drivers\UACd.sys
    C:\windows\system32\drivers\UACvsnveigcwrssttv.sys
    C:\WINDOWS\system32\drivers\TDSSmact.sys
    C:\WINDOWS\system32\TDSSfpmp.dll
    C:\WINDOWS\system32\TDSSwpyd.dat 
    C:\WINDOWS\system32\TDSStkdv.log  
    C:\WINDOWS\system32\TDSSotxb.dll 
    C:\WINDOWS\system32\TDSScrrn.dll 
    C:\WINDOWS\system32\TDSSbvqh.dll 
    C:\WINDOWS\system32\TDSSjnmx.dll
    c:\windows\system32\TDSShrxr.dll
    c:\windows\system32\TDSSkkbi.log
    c:\windows\system32\TDSSlrvd.dat
    c:\windows\system32\TDSSlxwp.dll
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSoiqt.dll
    c:\windows\system32\TDSSrhyp.log
    c:\windows\system32\TDSSrtqp.dll
    c:\windows\system32\TDSSsihc.dll
    c:\windows\system32\TDSSxfum.dll
    c:\windows\system32\TDSSmtve.dat
    c:\windows\system32\TDSSnirj.dat
    C:\WINDOWS\SYSTEM32\TDSSixgp.dll
    C:\WINDOWS\SYSTEM32\TDSSproc.log
    C:\WINDOWS\SYSTEM32\TDSSwkod.log
    c:\windows\sysguard.exe
    c:\windows\system32\sdra64.exe
    
    Drivers to delete:
    UACvsnveigcwrssttv
    gxvxcserv
    ovfsthx
    UACd.sys
    UACd
    gaopdxserv.sys
    gaopdxserv
    gaopdxl
    tdss
    tdssserv
    TDSSserv.SYS
    Service_TDSSSERV.SYS
    Legacy_TDSSSERV.SYS
    msqpdxserv.sys
    msqpdxserv
    
    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to copy/paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

Download RootRepeal:
http://rootrepeal.googlepages.com/RootRepeal.zip
  • Extract the archive to a folder you create such as C:\RootRepeal
  • Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.
Reply with copy of C:\Avenger.txt
and copy of RootRepeal file scan log

Edited by Maurice Naggar, 25 May 2009 - 07:04 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
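
The ComboFix listing in post #8 and the Avenger script in post #9 overlap only partly, and Maurice warns that not every Avenger entry will be found. The script below is an added example, not code from this thread, from ComboFix or from The Avenger. It parses excerpts of both listings (embedded as constructed sample input copied from the posts above, so it runs offline), sorts each ComboFix deletion into a family by its naming pattern, and reports which Avenger entries correspond to something ComboFix had already removed on this machine. The naming patterns (TDSS plus four random letters, UAC plus a long random run, in system32 or system32\drivers) are inferred from the deletions listed above; the family labels come from the Kaspersky report in post #12, which tags the quarantined UAC*.dll files as Packed.Win32.Tdss.f and sdra64.exe as Trojan-Spy.Win32.Zbot.gen. Grouping lowsec\local.ds and user.ds with the Zbot install is my assumption; nothing on the page labels them.

```python
# Added example: cross-reference a ComboFix log with an Avenger removal script.
# Not code from ComboFix, The Avenger or this thread; the sample input is
# constructed from excerpts of the two listings posted above, so it runs offline.
import re

COMBOFIX_EXCERPT = r"""
((((((((((((((((((((( Other Deletions )))))))))))))))))))))
.
c:\windows\system32\aywetsjq.dllbox
c:\windows\system32\drivers\TDSSmqlt.sys
c:\windows\system32\drivers\UACvsnveigcwrssttv.sys
c:\windows\system32\lowsec\local.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\uacinit.dll
c:\windows\system32\UACiqpfwaravglinht.dll
c:\windows\system32\twain_32\user.ds
((((((((((((((((((((( Drivers/Services )))))))))))))))))))))
-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Service_UACd.sys
((((((((((((((((((((( Files Created from 2009-04-25 to 2009-05-25 )))))))))))))))))))))
"""

# Two lines keep the trailing spaces the post has; the parser strips them.
AVENGER_SCRIPT = r"""
Files to delete:
c:\windows\system32\drivers\msqpdxserv.sys 
C:\WINDOWS\system32\drivers\TDSSmqlt.sys 
C:\windows\system32\drivers\UACvsnveigcwrssttv.sys
c:\windows\system32\TDSSkkbi.log
c:\windows\system32\sdra64.exe
Drivers to delete:
UACvsnveigcwrssttv
gaopdxserv
tdssserv
TDSSserv.SYS
Legacy_TDSSSERV.SYS
UACd.sys
Folders to delete:
C:\recycler
"""

# Patterns inferred from the deletions above, matched against the path after
# "system32\". Labels follow the Kaspersky report later in the thread; putting
# lowsec\*.ds in the Zbot group is an assumption.
FAMILY_PATTERNS = [
    ("TDSS rootkit", re.compile(r"^(?:drivers\\)?tdss[a-z]{4}\.(?:dll|dat|log|sys)$")),
    ("TDSS rootkit", re.compile(r"^(?:drivers\\)?uac[a-z]{10,}\.(?:dll|dat|log|sys)$")),
    ("TDSS rootkit", re.compile(r"^uacinit\.dll$")),
    ("Zbot (ZeuS)", re.compile(r"^sdra64\.exe$")),
    ("Zbot (ZeuS)", re.compile(r"^lowsec(?:\\(?:local|user)\.ds)?$")),
]
SECTION_RE = re.compile(r"^(files|drivers|folders) to (delete|disable):$", re.I)


def norm_service(name):
    """'Legacy_TDSSSERV.SYS', 'TDSSserv.SYS' and 'tdssserv' all become 'tdssserv'."""
    n = name.strip().lower()
    for prefix in ("service_", "legacy_"):
        if n.startswith(prefix):
            n = n[len(prefix):]
    return n[:-4] if n.endswith(".sys") else n


def classify(path):
    """Family label for one deleted path by naming pattern, or None if unmatched."""
    tail = path.lower().split("system32\\", 1)[-1]
    return next((fam for fam, rx in FAMILY_PATTERNS if rx.match(tail)), None)


def parse_combofix(text):
    """Return (deleted paths, removed service names) from a ComboFix log."""
    paths, services, section = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("(((("):                       # section banner
            section = ("deletions" if "Other Deletions" in line
                       else "services" if "Drivers/Services" in line else None)
        elif section == "deletions" and line not in ("", "."):
            paths.append(line.lower())
        elif section == "services" and line not in ("", "."):
            services.append(norm_service(line.split("\\")[-1]))  # "-------\Service_X"
    return paths, services


def parse_avenger(script):
    """Return {'files': [...], 'drivers': [...], 'folders': [...]} from a script."""
    sections, current = {}, None
    for line in (l.strip() for l in script.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif line and current:
            sections[current].append(line)
    return sections


def triage(combofix_text=COMBOFIX_EXCERPT, avenger_text=AVENGER_SCRIPT):
    """Classify ComboFix deletions; mark which Avenger entries ComboFix already removed."""
    paths, services = parse_combofix(combofix_text)
    path_set, svc_set = set(paths), set(services)
    avenger = parse_avenger(avenger_text)
    already = {"files": {f: f.lower() in path_set for f in avenger.get("files", [])},
               "drivers": {d: norm_service(d) in svc_set for d in avenger.get("drivers", [])}}
    return {p: classify(p) for p in paths}, already
```

An entry that comes back None is unmatched, not cleared: the *.dllbox files and twain_32\user.ds still need a vendor lookup, which is what the Kaspersky pass in post #11 supplies for the quarantined copies. Avenger names reported as not seen on this host (msqpdxserv, gaopdxserv, TDSSkkbi.log) are carried by the script for other variants, which is why the helper says not all items will be found; TDSSkkbi.log in the script against TDSSkkai.log in the ComboFix log is a good illustration of why a fixed name list misses per-install random names and a pattern does not. Point the two parsers at the full log and the full script by replacing the two sample strings.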

#10 burtchth

  • Topic Starter
  • Members
  • 7 posts

Posted 25 May 2009 - 04:15 PM

Here's the Avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


< Edited to remove lines / items not found ~ for readability ~ Maurice>


Completed script processing.

*******************

Finished! Terminate.


When I opened RootRepeal this error message came up: Error - invalid PE image found!
I ran the scan and here's the log:


ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/25 17:10
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\system.LOG
Status: Size mismatch (API: 8192, Raw: 12288)

Path: C:\Documents and Settings\Tommy\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log
Status: Allocation size mismatch (API: 216, Raw: 168)

Path: C:\Documents and Settings\Tommy\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log
Status: Allocation size mismatch (API: 216, Raw: 168)

Edited by Maurice Naggar, 25 May 2009 - 04:24 PM.


#11 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 25 May 2009 - 04:33 PM

The Avenger did not find rootkit remains, which is a very good result. Please do the following:

This system has an old version of Java Run-time.

Uninstall jre1.6 (or any earlier) + any other (JRE Runtime Environment) Sun Java package via Add/Remove Programs.
If you see any other Java versions there,
such as
J2SE Runtime Environment 5.0
Java SE Runtime Environment
Java 6


uninstall all of them. After uninstalling, reboot if directed to do so.

In Windows Explorer, navigate to and delete C:\Program Files\Java <=this folder, if found. Do NOT delete C:\Program Files\JavaVM <=this folder, if found!
Open an IE window and go to http://java.sun.com/javase/downloads/index.jsp
> At the top of the page (first in the list), click on the Download button to the right of Java Runtime Environment (JRE) 6 Update 13
> If the Information Bar pops up, right-click on it and say it's OK to display the blocked content; you do not have to install the Java Web Start ActiveX Control
> Accept the license agreement
> Click on Windows Offline Installation, Multi-language and Save the file to your desktop; do not Run it.

When the download is complete, close all browser windows and double-click on the saved file to install the update.
  • Tip: Choose Custom install to select only the part(s) you need/want.
Delete the downloaded installation file after completing the above procedure and reboot if prompted to do so.

If you were /not/ prompted to reboot, please do so now.

To test your Java Run-time, you may go to this page http://www.javatester.org/version.html
When all is well, you should see Java Version: 1.6.0_13 from Sun Microsystems Inc.
=

Scan the system with the Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have anti-virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Re-enable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

1) Click the Kaspersky Online Scanner button. You'll see a popup window.
2) Accept the agreement
3) Accept the installation of the required ActiveX object ( XP SP2-SP3 will show this in the Information Bar )
4) For XP SP2-SP3, click the Install button when prompted
5) The necessary files will be downloaded and installed. Please have plenty of patience.
6) After Kaspersky AntiVirus Database is updated, look at the Scan box.
7) Click the My Computer line
8) Be infinitely patient; the scan is comprehensive and, unlike other online antivirus scanners, will detect all malware.

9) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

(To see an animated how-to tutorial on the scan, see this link.)

Re-enable your antivirus program after Kaspersky has finished.
Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or SmitFraudFix items, or ComboFix's Qoobox & quarantine.
Kaspersky is a report only and does not remove files.

=
Next, generate a new DDS report (as you did at the very start) for my review.

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!
If one of your security applications (e.g., a third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Reply with:
  • a copy of the Kaspersky.txt report
  • the new DDS.txt
  • the checkup.txt from above
and tell me, how is your system now?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
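The advice above not to be alarmed by hits inside ComboFix's Qoobox quarantine matters when reading a long scanner report: a detection on a file that a cleanup tool has already boxed is evidence of past infection, not of a live one. As an added example (not code from this thread or from Kaspersky), here is a small Python triage script that parses a Kaspersky Online Scanner 7 report in the layout pasted in this thread and separates detections inside known quarantine folders from detections on the live filesystem. The quarantine prefix for Qoobox is the one named above; the Malwarebytes quarantine path is an assumption added for illustration, and the embedded sample report is constructed, modeled on the report format in this thread.

```python
"""
Triage a Kaspersky Online Scanner 7 report: split detections that sit inside a
cleanup tool's quarantine (already contained) from detections on the live
filesystem that still need action, and sanity-check the report's own totals.
Added example; assumes the plain-text report layout pasted in this thread.
"""
import re
from dataclasses import dataclass, field

# Quarantine locations a scan may flag but that are already contained.
# The Qoobox path is ComboFix's quarantine (named in the thread); the
# Malwarebytes path is an assumption for illustration.
QUARANTINE_PREFIXES = (
    "c:\\qoobox\\quarantine\\",
    "c:\\documents and settings\\all users\\application data\\malwarebytes\\"
    "malwarebytes' anti-malware\\quarantine\\",
)

# Header statistics worth keeping; all other "key: value" lines are ignored so
# that a path such as "C:\" is not mistaken for a statistic.
STAT_KEYS = {"Files scanned", "Infected objects", "Suspicious objects",
             "Duration of the scan", "Records in database"}

# One detection line: "<path> Infected: <threat name> <count>"
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")


@dataclass
class Detection:
    path: str
    threat: str
    count: int
    quarantined: bool


@dataclass
class Triage:
    stats: dict = field(default_factory=dict)
    active: list = field(default_factory=list)
    quarantined: list = field(default_factory=list)

    def consistent(self) -> bool:
        """True when per-file counts add up to the header's Infected objects total."""
        total = sum(d.count for d in self.active + self.quarantined)
        return total == self.stats.get("Infected objects")


def is_quarantined(path: str) -> bool:
    """Case-insensitive prefix match against the known quarantine folders."""
    lower = path.lower()
    return any(lower.startswith(prefix) for prefix in QUARANTINE_PREFIXES)


def parse_report(text: str) -> Triage:
    result = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DETECTION_RE.match(line)
        if m:
            d = Detection(m["path"], m["threat"], int(m["count"]),
                          is_quarantined(m["path"]))
            (result.quarantined if d.quarantined else result.active).append(d)
            continue
        key, sep, value = line.partition(":")
        if sep and key in STAT_KEYS:
            value = value.strip()
            result.stats[key] = int(value) if value.isdigit() else value
    return result


# Constructed sample in the thread's report layout (not a real scan).
SAMPLE_REPORT = r"""
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, May 25, 2009
--------------------------------------------------------------------------------

Scan statistics:
Files scanned: 98592
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 02:16:09

File name / Threat name / Threats count
C:\Documents and Settings\Tommy\Desktop\DCE\backup\profsydybav.html Infected: Trojan-Clicker.HTML.IFrame.dn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sdra64.exe.vir Infected: Trojan-Spy.Win32.Zbot.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACiqpfwaravglinht.dll.vir Infected: Packed.Win32.Tdss.f 1

The selected area was scanned.
"""

if __name__ == "__main__":
    t = parse_report(SAMPLE_REPORT)
    print(f"Files scanned: {t.stats['Files scanned']}, totals consistent: {t.consistent()}")
    for d in t.active:
        print(f"ACTION NEEDED   {d.threat:32} {d.path}")
    for d in t.quarantined:
        print(f"already boxed   {d.threat:32} {d.path}")
```

Run on the sample, the script reports one live detection (the HTML file in the user's Desktop backup folder) and two already-quarantined ones under Qoobox, which is exactly the distinction the follow-up fix in this thread makes. The `consistent()` check catches a truncated paste, where the per-file lines no longer add up to the header total.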

#12 burtchth

burtchth
  • Topic Starter

  • Members
  • 7 posts

Posted 25 May 2009 - 08:41 PM

Everything seems to be working great and I haven't needed to run in Safe Mode since you started helping. It doesn't take long to boot up, and the only program that seems to be running slowly is IE when it starts up, but that was normal before the problems started. One thing: my desktop is covered with these new programs. Do you want me to keep them after I've run them?

The Java steps went well and should be up to date.

Here is the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, May 25, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, May 26, 2009 00:29:06
Records in database: 2245685
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 98592
Threat name: 4
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 02:16:09


File name / Threat name / Threats count
C:\Documents and Settings\Tommy\Desktop\DCE\backup\profsydybav.html Infected: Trojan-Clicker.HTML.IFrame.dn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sdra64.exe.vir Infected: Trojan-Spy.Win32.Zbot.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACiqpfwaravglinht.dll.vir Infected: Packed.Win32.Tdss.f 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACkopmjdqluabdbur.dll.vir Infected: Packed.Win32.Tdss.f 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACohmvycufnuevvlb.dll.vir Infected: Packed.Win32.Tdss.f 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACuwqvsciqlnlasft.dll.vir Infected: Packed.Win32.Tdss.f 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACwbmkkmboycnmvkg.dll.vir Infected: Trojan.Win32.TDSS.acbd 1

The selected area was scanned.


Here is the DDS report, the Attach log is attached:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Tommy at 21:18:15.12 on Mon 05/25/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.622 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\AOL\1147835042\ee\AOLSoftware.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\winampa.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Tommy\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msu.edu/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - No File
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: {B87A6E4C-E2E7-45C8-A8FD-CE55B4AF0F1E} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [Steam] "c:\program files\valve\steam\steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ShowLOMControl] 1 (0x1)
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [HostManager] c:\program files\common files\aol\1147835042\ee\AOLSoftware.exe
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: amaena.com
Trusted Zone: avsystemcare.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusschlacht.com
Trusted Zone: musicmatch.com\online
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} - hxxp://www.candystand.com/assets/activex/virtools/CacheManager.CAB
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tommy\applic~1\mozilla\firefox\profiles\vxv19b2j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msu.edu
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-5 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-25 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-25 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-25 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-5-19 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-19 298776]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-21 24652]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2006-12-22 24521]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 953168]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2006-12-22 155216]

=============== Created Last 30 ================

2009-05-25 18:26 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-25 18:26 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-25 01:35 <DIR> --d----- c:\docume~1\tommy\applic~1\Malwarebytes
2009-05-25 01:35 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-25 01:35 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-25 01:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-25 01:35 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-25 01:02 <DIR> a-dshr-- C:\cmdcons
2009-05-25 01:00 161,792 a------- c:\windows\SWREG.exe
2009-05-25 01:00 154,624 a------- c:\windows\PEV.exe
2009-05-25 01:00 98,816 a------- c:\windows\sed.exe
2009-05-22 09:22 <DIR> --d-h--- c:\windows\PIF
2009-05-12 16:44 552 a------- c:\windows\system32\d3d8caps.dat
2009-05-06 18:07 <DIR> --d----- c:\program files\Trend Micro
2009-05-03 22:59 <DIR> --d----- c:\program files\Norman

==================== Find3M ====================

2009-05-19 13:01 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-19 13:01 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-19 13:01 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-26 19:36 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-26 19:35 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-05 20:54 5,902 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-11 16:12 88 ---shr-- c:\windows\system32\F87B2EA438.sys
2008-09-14 19:37 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat

============= FINISH: 21:19:05.84 ===============



Here is the Security Check log:

Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
WindowsLiveOneCaresafetyscanner
AVGFree8.5
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Out of date Spybot installed!
Ad-Aware
Spybot - Search & Destroy 1.5.2.20
Spybot - Search & Destroy
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java™ 6 Update 13
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
AVG avgwdsvc.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
AVG avgemc.exe
Spybot SDHelper is disabled!
Spybot - Search & Destroy TeaTimer.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 30 seconds.
`````````End of Log```````````


Overall, I think I've put everything here that you need; if I forgot anything, let me know. Thanks again for the help and I look forward to what's next.


#13 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 26 May 2009 - 05:03 PM

Download OTListIt by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTListIt2.exe
  • Please double-click OTListIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    C:\Documents and Settings\Tommy\Desktop\DCE\backup\profsydybav.html
  • Return to OTListIt2. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log if you wish. I will not need to see a copy.
=


Unless you have purchased Malwarebytes' Anti-Malware {MBAM}, you need to un-install it. Go to Control Panel and Add-or-Remove programs.
Look for it and click the line for it. Select Change/Remove to de-install it.

Do the same for Kaspersky online scan.

You should also de-install the version of Spybot that you have. There's a newer version you might consider getting, if you plan to use Spybot in the future.
Also de-install the version 7 of Adobe Reader.
OK & Exit out of Control Panel

If you must have Adobe Reader, get the latest version from http://www.adobe.com/products/acrobat/readstep2.html

=

I see that you are clear of your original issues.
If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combo-fix), put that name in the RUN box stated just below.
The "/u" in the Run line below is to start Combofix for its cleanup & removal function.
Note the space after x and before the slash mark.
The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.
  • Click Start, then click Run.

    In the command box that opens, type or copy/paste combo-fix /u and then click OK.
  • Please double-click OTListIt2.exe to run it.
  • Click on the CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTListIt2 attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.
If you find any further leftover downloads that you and I have used, you may delete them.

We are finished here. Best regards.

Edited by Maurice Naggar, 26 May 2009 - 05:06 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)



