Had Vundo and now can't remove a dll file


  • This topic is locked
40 replies to this topic

#1 Denied Fantasies

Denied Fantasies

  • Members
  • 23 posts
  • OFFLINE
  • Local time:08:13 PM

Posted 12 May 2009 - 09:56 PM

After having gotten Vundo and "fixed" it with Anti-Malware tools and such, it soon came back while I was surfing the web with browser Mozilla Firefox.
Vundo was detected a second time, and caused me many headaches, but I was able to rid myself of it (mostly, I think)...
But now Firefox crashes before it even starts up, and Internet Explorer won't load webpages. I've resorted to Google Chrome until the problem is fixed.
In the crash report from Firefox, it notes that there is a file gxvxcescrsfkpcnortrrrcmbjujcqsfvfgbid.dll (the only one in the list of modules without a version number) that caused it to crash. I searched my computer for it, and it is located in the C:\Windows\System32 folder. However, when I navigate to that folder, it can't be seen. Through other programs, I've found some of the properties for it. It's 0 bytes. It's most likely something like a piece of malware that was randomly named, since no Google search results returned about the file name. It may be Backdoor.Ulrbot.C or something of the sort. I do not know whether or not it's related to Vundo, but I got both at about the same time.
Please help me on what to do. Thanks.

Here is the DDS log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Annie at 19:42:03.54 on Tue 05/12/2009
Internet Explorer: 8.0.6001.18702
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3030.1752 [GMT -7:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f091b975\aestsrv.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Windows\system32\CTsvcCDA.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\Drivers\WTSRV.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WTClient.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\WLTRAY.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\conime.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\AIM6\aim6.exe
C:\Users\Annie\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Users\Annie\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Annie\Documents\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.swagbucks.com/?cmd=home
uWindow Title = Windows Internet Explorer provided by Yahoo!
mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2081216
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe
uWinlogon: Shell=c:\program files\privacy center\pc.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [AdobeBridge]
uRun: [googletalk] "c:\users\annie\appdata\roaming\google\google talk\googletalk.exe" /autostart
uRun: [Google Update] "c:\users\annie\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\pokepoke.exe
mRun: [Windows Defender] "%ProgramFiles%\Windows Defender\MSASCui.exe" -hide
mRun: [Apoint] "c:\program files\delltpad\Apoint.exe"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [UpdReg] "c:\windows\UpdReg.EXE"
mRun: [Broadcom Wireless Manager UI] "c:\windows\system32\WLTRAY.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell.exe" /mode2
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [WTClient] "WTClient.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\users\annie\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
StartupFolder: c:\users\annie\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\annie\appdata\roaming\mozilla\firefox\profiles\9dabpdym.default\
FF - plugin: c:\program files\google\google updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\users\annie\appdata\local\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\users\annie\appdata\roaming\mozilla\plugins\npatgpc.dll
FF - plugin: c:\users\annie\appdata\roaming\mozilla\plugins\npgoogletalk.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-10 130936]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_f091b975\AEstSrv.exe [2008-12-15 73728]
R2 BT848;Conexant's BtPCI WDM Video Capture;c:\windows\system32\drivers\BT848.sys [2009-4-11 371349]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-9-23 155648]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-5-10 348752]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-15 113664]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [2008-12-15 54784]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2008-12-15 203264]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2009-2-9 144672]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2009-2-9 277440]
R3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\drivers\PTSimBus.sys [2009-2-15 18944]
S2 gupdate1c9a598343cc4be;Google Update Service (gupdate1c9a598343cc4be);c:\program files\google\update\GoogleUpdate.exe [2009-3-15 133104]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-15 30192]
S3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\drivers\PTSimHid.sys [2009-2-15 10752]
S4 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-5-10 64392]

=============== Created Last 30 ================

2009-05-12 14:41 <DIR> --d----- C:\!KillBox
2009-05-12 13:16 <DIR> --d----- c:\program files\MSXML 4.0
2009-05-11 20:41 <DIR> --d----- c:\program files\Mozilla Firefox 3.5 Beta 4
2009-05-11 19:32 <DIR> --d----- c:\program files\Ace Utilities
2009-05-11 18:22 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-11 15:27 0 a---h--- C:\ProgramData.LOG2
2009-05-11 15:27 0 a---h--- C:\ProgramData.LOG1
2009-05-10 18:02 <DIR> --d----- c:\program files\MSSOAP
2009-05-10 18:02 <DIR> --d----- c:\program files\common files\MSSoap
2009-05-10 18:00 <DIR> --d----- c:\program files\Webroot
2009-05-10 17:56 164 a------- c:\windows\install.dat
2009-05-10 17:36 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-05-10 17:35 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-05-10 17:35 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-10 17:35 <DIR> --d----- c:\program files\common files\PC Tools
2009-05-10 17:35 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-05-10 17:34 <DIR> --d----- c:\program files\Spyware Doctor
2009-05-10 00:00 <DIR> --d----- c:\users\annie\appdata\roaming\SUPERAntiSpyware.com
2009-05-09 23:59 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-09 23:55 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-09 23:55 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-09 23:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-09 23:23 <DIR> --d----- c:\users\annie\BannedStory
2009-05-09 22:41 2,483 a------- c:\windows\system32\BIN_STRSBW.SPT
2009-05-09 20:23 <DIR> --d----- c:\users\annie\appdata\roaming\PC Tools
2009-05-09 19:44 <DIR> --d----- C:\VundoFix Backups
2009-04-29 19:12 <DIR> --d----- c:\users\annie\appdata\roaming\Windows Live Writer
2009-04-29 17:53 <DIR> --d----- c:\users\annie\Tracing
2009-04-29 17:41 <DIR> --d----- c:\program files\Microsoft Office Outlook Connector
2009-04-29 17:40 <DIR> --d----- c:\program files\Microsoft
2009-04-29 17:40 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-04-29 17:34 <DIR> --d----- c:\program files\common files\Windows Live
2009-04-20 17:30 <DIR> --d----- c:\users\annie\Alyn00b
2009-04-17 09:40 118 a------- c:\windows\system32\MRT.INI
2009-04-16 17:09 <DIR> --d----- C:\Ntreev
2009-04-16 15:58 <DIR> --d----- c:\program files\Persona
2009-04-16 11:17 97,800 a------- c:\windows\system32\infocardapi.dll
2009-04-16 11:17 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-04-16 11:17 622,080 a------- c:\windows\system32\icardagt.exe
2009-04-16 11:17 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-04-16 11:17 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-04-16 11:17 11,264 a------- c:\windows\system32\icardres.dll
2009-04-16 11:17 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-04-16 11:17 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-04-16 11:06 96,760 a------- c:\windows\system32\dfshim.dll
2009-04-16 11:06 282,112 a------- c:\windows\system32\mscoree.dll
2009-04-16 11:06 41,984 a------- c:\windows\system32\netfxperf.dll
2009-04-16 11:05 158,720 a------- c:\windows\system32\mscorier.dll
2009-04-16 11:05 83,968 a------- c:\windows\system32\mscories.dll
2009-04-16 11:03 7,680 a------- c:\windows\system32\spwmp.dll
2009-04-16 11:03 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-04-16 11:03 4,096 a------- c:\windows\system32\msdxm.ocx
2009-04-16 11:03 4,096 a------- c:\windows\system32\dxmasf.dll
2009-04-16 11:02 376,832 a------- c:\windows\system32\winhttp.dll
2009-04-16 10:58 2,033,152 a------- c:\windows\system32\win32k.sys
2009-04-16 10:26 <DIR> --d----- c:\programdata\PC Tools
2009-04-16 10:26 <DIR> --d----- c:\progra~2\PC Tools
2009-04-16 10:26 1,081,616 a------- c:\windows\system32\MSCOMCTL.OCX
2009-04-16 10:26 506,368 a------- c:\windows\system32\msxml.dll
2009-04-16 10:07 <DIR> --d----- c:\users\annie\appdata\roaming\Malwarebytes
2009-04-16 10:07 <DIR> --d----- c:\programdata\Malwarebytes
2009-04-16 10:07 <DIR> --d----- c:\progra~2\Malwarebytes
2009-04-15 23:11 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-04-15 23:11 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-04-15 21:23 <DIR> --d----- c:\program files\Yahoo!
2009-04-15 21:22 156,160 a------- c:\windows\system32\msls31.dll
2009-04-15 21:22 72,704 a------- c:\windows\system32\admparse.dll
2009-04-15 21:22 48,128 a------- c:\windows\system32\mshtmler.dll
2009-04-15 14:42 <DIR> --d----- c:\program files\Microsoft Visual Studio 8

==================== Find3M ====================

2009-04-19 11:22 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-19 11:22 86,016 a------- c:\windows\inf\infstor.dat
2009-04-19 11:22 51,200 a------- c:\windows\inf\infpub.dat
2009-04-11 10:54 371,349 a------- c:\windows\system32\drivers\BT848.sys
2009-04-10 21:23 129,784 -------- c:\windows\system32\pxafs.dll
2009-04-10 21:23 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-04-10 21:23 116,472 -------- c:\windows\system32\pxcpyi64.exe
2009-04-08 16:47 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-03-16 20:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 20:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-16 20:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 109,056 a------- c:\windows\system32\iesysprep.dll
2009-03-08 04:33 109,568 a------- c:\windows\system32\PDMSetup.exe
2009-03-08 04:33 132,608 a------- c:\windows\system32\ieUnatt.exe
2009-03-08 04:33 107,520 a------- c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 04:33 107,008 a------- c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 04:33 103,936 a------- c:\windows\system32\SetDepNx.exe
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:32 66,560 a------- c:\windows\system32\wextract.exe
2009-03-08 04:32 169,472 a------- c:\windows\system32\iexpress.exe
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-02 21:46 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-02 21:46 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-03-02 21:39 183,296 a------- c:\windows\system32\sdohlp.dll
2009-03-02 21:39 551,424 a------- c:\windows\system32\rpcss.dll
2009-03-02 21:39 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-02 21:37 98,304 a------- c:\windows\system32\iasrecst.dll
2009-03-02 21:37 54,784 a------- c:\windows\system32\iasads.dll
2009-03-02 21:37 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-03-02 20:04 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-02 19:38 17,408 a------- c:\windows\system32\iashost.exe
2009-02-13 01:49 72,704 a------- c:\windows\system32\secur32.dll
2009-02-13 01:49 1,255,936 a------- c:\windows\system32\lsasrv.dll
2009-01-19 13:00 280 a------- c:\users\annie\appdata\roaming\wklnhst.dat
2008-12-15 18:20 665,600 a------- c:\windows\inf\drvindex.dat
2008-09-23 19:04 486,152 a------- c:\users\annie\ChromeSetup.exe
2008-01-20 19:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-11-21 20:18 108 a--shr-- c:\windows\neoqaz2.dll

============= FINISH: 19:42:36.53 ===============

Edited by Denied Fantasies, 12 May 2009 - 11:35 PM.
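An added example, not written by either poster and not part of DDS or any BleepingComputer tool: a small Python triage script for a pasted DDS log. It reads the two sections a helper looks at first, the Pseudo HJT Report and the file listings, using the line formats exactly as they appear in the log above, and flags entries worth a closer look: Winlogon Shell/Userinit values that differ from the Windows defaults (explorer.exe and c:\windows\system32\userinit.exe), BHO entries whose target is "No File", any non-empty AppInit_DLLs value, and hidden- or system-attributed files under c:\windows. The embedded sample is a constructed, trimmed excerpt in the same format. Everything it flags is a review item, not a verdict that the entry is malicious; the category names, the findings structure and the choice of what to flag are this example's own.

```python
"""Triage a pasted DDS log: flag autostart entries that deviate from Windows
defaults and file-listing entries with hidden/system attributes.
Added example; line formats follow the DDS output pasted in this thread."""
import re

# Winlogon values on a clean Windows install. A per-user ("uWinlogon", HKCU)
# Shell or Userinit value is unusual in itself and is compared the same way.
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe",
}

# "uWinlogon: Shell=..." / "mWinlogon: Userinit=..."   (u = HKCU, m = HKLM)
WINLOGON_LINE = re.compile(r"^([um])Winlogon:\s+(\w+)=(.*)$")
# "BHO: Name: {CLSID} - path"   or   "BHO: {CLSID} - No File"
BHO_LINE = re.compile(
    r"^BHO:\s+(?:(?P<name>.+?):\s+)?(?P<clsid>\{[0-9A-Fa-f-]+\})\s+-\s+(?P<target>.*)$"
)
APPINIT_LINE = re.compile(r"^AppInit_DLLs:\s+(.*)$")
# "2009-05-11 15:27 0 a---h--- C:\ProgramData.LOG2"
# attribute field: position 2 'd' = directory, 's' = system, 'h' = hidden
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)


def triage(log_text):
    """Return a list of findings (dicts with a 'category' key) for review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = WINLOGON_LINE.match(line)
        if m:
            hive, key = m.group(1), m.group(2).lower()
            value = m.group(3).strip().rstrip(",").lower()
            default = WINLOGON_DEFAULTS.get(key)
            if default is not None and value != default:
                findings.append({"category": "winlogon", "key": key, "value": value,
                                 "hive": "HKCU" if hive == "u" else "HKLM"})
            continue

        m = BHO_LINE.match(line)
        if m:
            # CLSID still registered as a BHO but pointing at no file: a leftover
            # of a removed component, or of a removal tool's work.
            if m.group("target").strip().lower() == "no file":
                findings.append({"category": "orphan_bho", "clsid": m.group("clsid")})
            continue

        m = APPINIT_LINE.match(line)
        if m and m.group(1).strip():
            # AppInit_DLLs load into every process that links user32.dll, so any
            # value here deserves a look even when it turns out to be legitimate.
            findings.append({"category": "appinit_dlls", "value": m.group(1).strip()})
            continue

        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            if m.group("size") == "<DIR>" or attrs[2] == "d":
                continue
            if path.lower().startswith("c:\\windows\\") and ("h" in attrs or "s" in attrs):
                findings.append({"category": "hidden_system_file", "path": path,
                                 "size": int(m.group("size").replace(",", "")),
                                 "attrs": attrs})
    return findings


# Constructed sample: a trimmed excerpt in the format of the logs in this thread.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe
uWinlogon: Shell=c:\program files\privacy center\pc.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL

=============== Created Last 30 ================

2009-05-12 14:41 <DIR> --d----- C:\!KillBox
2009-05-11 15:27 0 a---h--- C:\ProgramData.LOG2
2009-05-10 17:35 130,936 a------- c:\windows\system32\drivers\PCTCore.sys

==================== Find3M ====================

2009-04-08 16:47 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2007-11-21 20:18 108 a--shr-- c:\windows\neoqaz2.dll
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it with a full log pasted into SAMPLE_LOG (or read from a file) and it prints one dict per flagged entry. On the excerpt it flags the per-user Shell value, the file-less BHO, the AppInit_DLLs entry and the two hidden/system files under c:\windows; the hidden ProgramData.LOG2 outside c:\windows and the plain driver file are left alone.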




#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:11:13 PM

Posted 26 May 2009 - 12:25 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 Denied Fantasies

Denied Fantasies
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:08:13 PM

Posted 26 May 2009 - 09:17 PM

Ever since I had "gotten rid of" Vundo (though I'm not sure if it's gone entirely yet), I could not open up Firefox. I click the icon, but it doesn't work. I can't uninstall it, either. Also, sometimes there is very high CPU usage, and the fan on my computer is almost always on high. Internet Explorer now works, and the file gxvxcescrsfkpcnortrrrcmbjujcqsfvfgbid.dll cannot be located with Google Desktop anymore. No results show up, so it should be gone by now. I did a system restore earlier due to Startup, Hibernation, and Sleep problems, and it fixed those problems, but after the restore, I had found the dll file still there, but after a few days, it disappeared. I'm not sure what had happened.
However, I'm still having problems with Firefox, and my computer (probably the hard drive) makes clicking noises. The fan, as noted before, is usually running high and noisily. All this never occurred before that incident with Vundo. I don't know if there is any other malware or leftovers of Vundo or whatever in my computer. So I would love to know if there are any problems with my computer that may or may not relate to Firefox not opening and the high CPU usage as well as the other problems noted. Please help me on cleaning out my computer so that those horrible badwares won't likely repeat themselves and cause me more headaches. Thanks.

Here is a new DDS log and the Attach.txt is attached to this post.



DDS (Ver_09-05-14.01) - NTFSx86
Run by Annie at 18:43:35.84 on Tue 05/26/2009
Internet Explorer: 8.0.6001.18702
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3030.1608 [GMT -7:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Windows\system32\conime.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f091b975\aestsrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Windows\system32\CTsvcCDA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\WLTRAY.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\System32\WTClient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\AIM6\aim6.exe
C:\Users\Annie\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Users\Annie\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\Drivers\WTSRV.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Annie\Documents\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.swagbucks.com/?cmd=home
uWindow Title = Windows Internet Explorer provided by Yahoo!
mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2081216
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe
uWinlogon: Shell=c:\program files\privacy center\pc.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [AdobeBridge]
uRun: [googletalk] c:\users\annie\appdata\roaming\google\google talk\googletalk.exe /autostart
uRun: [Google Update] "c:\users\annie\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell.exe" /mode2
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [WTClient] WTClient.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AVGIDS] "c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSUI.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
StartupFolder: c:\users\annie\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
StartupFolder: c:\users\annie\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL,avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\annie\appdata\roaming\mozilla\firefox\profiles\c7rw1d54.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - prefs.js: browser.search.selectedEngine - Dictionary.com
FF - prefs.js: browser.startup.homepage - hxxp://www.swagbucks.com/?cmd=home
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-2-26 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-5-25 12552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-4-16 130936]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2009-5-25 23832]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-25 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-25 108552]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_f091b975\AEstSrv.exe [2008-12-15 73728]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-25 298264]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSWatcher.exe [2009-2-26 563720]
R2 BT848;Conexant's BtPCI WDM Video Capture;c:\windows\system32\drivers\BT848.sys [2009-4-11 371349]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-9-23 155648]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\avg\avg8\identityprotection\agent\driver\platform_vista\AVGIDSDriver.sys [2009-2-26 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\avg\avg8\identityprotection\agent\driver\platform_vista\AVGIDSFilter.sys [2009-2-26 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\avg\avg8\identityprotection\agent\driver\platform_vista\AVGIDSShim.sys [2009-2-26 29136]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-15 113664]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [2008-12-15 54784]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2008-12-15 203264]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2009-2-9 144672]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2009-2-9 277440]
R3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\drivers\PTSimBus.sys [2009-2-15 18944]
S2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe --> c:\progra~1\avg\avg8\avgfws8.exe [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSAgent.exe [2009-2-26 5576712]
S2 gupdate1c9a598343cc4be;Google Update Service (gupdate1c9a598343cc4be);c:\program files\google\update\GoogleUpdate.exe [2009-3-15 133104]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-15 30192]
S3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\drivers\PTSimHid.sys [2009-2-15 10752]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-5-23 348752]
S4 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-5-23 64392]

=============== Created Last 30 ================

2009-05-25 22:04 <DIR> --d----- c:\users\annie\appdata\roaming\Desktopicon
2009-05-25 22:04 <DIR> --d----- c:\program files\Unlocker
2009-05-25 20:02 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-25 17:47 <DIR> --d----- c:\programdata\Downloaded Installations
2009-05-25 17:47 <DIR> --d----- c:\progra~2\Downloaded Installations
2009-05-25 17:47 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-25 17:47 10,520 a------- c:\windows\system32\avgrsstx.dll.old
2009-05-25 17:47 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-05-25 17:47 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-25 17:47 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-25 17:47 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-05-25 17:46 23,832 a------- c:\windows\system32\drivers\avgfwd6x.sys
2009-05-25 17:46 <DIR> --d----- c:\program files\AVG
2009-05-25 17:46 <DIR> --d----- c:\programdata\avg8
2009-05-25 17:46 <DIR> --d----- c:\progra~2\avg8
2009-05-24 21:21 <DIR> --d----- c:\program files\common files\DeskShare Shared
2009-05-23 23:04 107,864 a------- c:\windows\system32\tsccvid.dll
2009-05-23 23:04 <DIR> --d----- c:\windows\system32\QuickTime
2009-05-23 23:04 <DIR> --d----- c:\programdata\TechSmith
2009-05-23 23:03 <DIR> --d----- c:\program files\common files\TechSmith Shared
2009-05-23 12:11 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-05-23 12:10 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-05-23 12:10 <DIR> --d----- c:\program files\Spyware Doctor
2009-05-21 19:18 <DIR> --d----- c:\program files\Sony
2009-05-19 17:01 <DIR> --d----- c:\users\annie\HyperCam 2
2009-05-19 16:54 <DIR> --d----- c:\program files\HyCam2
2009-05-16 16:09 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-05-16 16:09 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-05-14 22:11 <DIR> --d----- c:\programdata\Sony
2009-05-13 22:22 <DIR> --d----- c:\program files\Flashants
2009-05-13 20:10 <DIR> --d----- C:\Fraps
2009-05-12 14:41 <DIR> --d----- C:\!KillBox
2009-05-12 13:16 <DIR> --d----- c:\program files\MSXML 4.0
2009-05-11 19:32 <DIR> --d----- c:\program files\Ace Utilities
2009-05-11 18:22 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-11 15:27 0 a---h--- C:\ProgramData.LOG2
2009-05-11 15:27 0 a---h--- C:\ProgramData.LOG1
2009-05-10 18:00 <DIR> --d----- c:\program files\Webroot
2009-05-10 17:35 <DIR> --d----- c:\program files\common files\PC Tools(98)
2009-05-10 00:00 <DIR> --d----- c:\users\annie\appdata\roaming\SUPERAntiSpyware.com
2009-05-09 23:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-09 23:23 <DIR> --d----- c:\users\annie\BannedStory
2009-05-09 20:23 <DIR> --d----- c:\users\annie\appdata\roaming\PC Tools
2009-05-09 19:44 <DIR> --d----- C:\VundoFix Backups
2009-04-29 19:12 <DIR> --d----- c:\users\annie\appdata\roaming\Windows Live Writer
2009-04-29 17:53 <DIR> --d----- c:\users\annie\Tracing
2009-04-29 17:40 <DIR> --d----- c:\program files\Microsoft
2009-04-29 17:40 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-04-29 17:34 <DIR> --d----- c:\program files\common files\Windows Live

==================== Find3M ====================

2009-05-25 17:47 143,360 a------- c:\windows\inf\infstrng.dat
2009-05-25 17:47 51,200 a------- c:\windows\inf\infpub.dat
2009-05-25 17:46 86,016 a------- c:\windows\inf\infstor.dat
2009-04-20 15:36 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-04-11 10:54 371,349 a------- c:\windows\system32\drivers\BT848.sys
2009-04-10 21:23 129,784 -------- c:\windows\system32\pxafs.dll
2009-04-10 21:23 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-04-10 21:23 116,472 -------- c:\windows\system32\pxcpyi64.exe
2009-04-08 16:47 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-03-16 20:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 20:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-16 20:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 109,056 a------- c:\windows\system32\iesysprep.dll
2009-03-08 04:33 109,568 a------- c:\windows\system32\PDMSetup.exe
2009-03-08 04:33 132,608 a------- c:\windows\system32\ieUnatt.exe
2009-03-08 04:33 107,520 a------- c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 04:33 107,008 a------- c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 04:33 103,936 a------- c:\windows\system32\SetDepNx.exe
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:32 66,560 a------- c:\windows\system32\wextract.exe
2009-03-08 04:32 169,472 a------- c:\windows\system32\iexpress.exe
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-02 21:46 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-02 21:46 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-03-02 21:39 183,296 a------- c:\windows\system32\sdohlp.dll
2009-03-02 21:39 551,424 a------- c:\windows\system32\rpcss.dll
2009-03-02 21:39 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-02 21:37 98,304 a------- c:\windows\system32\iasrecst.dll
2009-03-02 21:37 54,784 a------- c:\windows\system32\iasads.dll
2009-03-02 21:37 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-03-02 20:04 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-02 19:38 17,408 a------- c:\windows\system32\iashost.exe
2009-01-19 13:00 280 a------- c:\users\annie\appdata\roaming\wklnhst.dat
2008-12-15 18:20 665,600 a------- c:\windows\inf\drvindex.dat
2008-09-23 19:04 486,152 a------- c:\users\annie\ChromeSetup.exe
2008-01-20 19:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-11-21 20:18 108 a--shr-- c:\windows\neoqaz2.dll

============= FINISH: 18:43:54.47 ===============
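The report above is the kind of thing a malware-response helper reads by eye: the per-user Winlogon Shell pointing at pc.exe instead of explorer.exe, two BHO CLSIDs with "No File" behind them, a Run entry (WTClient.exe) with no path, two DLLs in AppInit_DLLs, and a 108-byte hidden, system, read-only neoqaz2.dll in C:\Windows. As an added example (not part of the original thread and not code from the DDS tool), the Python script below applies those same checks mechanically to DDS-format lines. The sample text is a handful of lines constructed from the log above, not the whole log; the rule names and severity labels are my own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the DDS "Pseudo HJT Report" / file-listing format,
# modelled on a handful of lines from the log above (not the complete log).
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe
uWinlogon: Shell=c:\program files\privacy center\pc.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [AdobeBridge]
mRun: [WTClient] WTClient.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL,avgrsstx.dll
2009-05-25 17:47 11,952 a------- c:\windows\system32\avgrsstx.dll
2007-11-21 20:18 108 a--shr-- c:\windows\neoqaz2.dll
"""

# Values Windows itself installs; anything else in these Winlogon keys is
# a persistence point that must be explained before the machine is called clean.
EXPECTED_WINLOGON = {"shell": "explorer.exe",
                     "userinit": r"c:\windows\system32\userinit.exe"}

WINLOGON_RE = re.compile(r"^[um]Winlogon:\s*(Shell|Userinit)=(.*)$", re.I)
BHO_RE = re.compile(r"^BHO:\s*(.*?)\s+-\s+(.*)$")
RUN_RE = re.compile(r"^[um]Run:\s*\[(.*?)\]\s*(.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(.*)$", re.I)
# date time size attrs path   (size is digits with commas, or <DIR>)
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+([\d,]+|<DIR>)\s+([a-z-]{8})\s+(.*)$", re.I)


def _command_path(cmd: str) -> str:
    """Executable part of a Run-entry command line ("quoted path" or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return findings (severity, rule, detail) for the suspicious lines of a DDS log."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = WINLOGON_RE.match(line)
        if m:
            key = m.group(1).lower()
            value = m.group(2).strip().rstrip(",").lower()   # DDS may show a trailing comma
            if value != EXPECTED_WINLOGON[key]:
                findings.append({"severity": "high", "rule": f"winlogon-{key}", "detail": line})
            continue
        m = BHO_RE.match(line)
        if m:
            if m.group(2).strip().lower() == "no file":      # CLSID registered, DLL gone
                findings.append({"severity": "low", "rule": "bho-orphan", "detail": line})
            continue
        m = RUN_RE.match(line)
        if m:
            exe = _command_path(m.group(2))
            if not exe:
                findings.append({"severity": "low", "rule": "run-empty", "detail": line})
            elif "\\" not in exe and ":" not in exe:
                # Bare name: resolved through the search path at logon, so it can be hijacked.
                findings.append({"severity": "medium", "rule": "run-unqualified-path", "detail": line})
            continue
        m = APPINIT_RE.match(line)
        if m:
            # Every DLL listed here is loaded into each process that loads user32.dll.
            for dll in m.group(1).split(","):
                if dll.strip():
                    findings.append({"severity": "medium", "rule": "appinit-dll", "detail": dll.strip()})
            continue
        m = FILE_RE.match(line)
        if m:
            size, attrs, path = m.group(1), m.group(2).lower(), m.group(3).lower()
            # Hidden + system attributes on a loose file under C:\Windows hide it from Explorer.
            if size != "<DIR>" and "s" in attrs and "h" in attrs and path.startswith("c:\\windows"):
                findings.append({"severity": "medium", "rule": "hidden-system-file", "detail": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f['severity']:6}] {f['rule']:22} {f['detail']}")
```

Run against the sample it reports seven items, the Shell override first. The rules deliberately do not say whether a flagged item is malicious: the AppInit_DLLs entries here belong to Google Desktop and AVG, and WTClient.exe is plausibly a tablet helper, so each finding is a question for the helper to answer, not a verdict.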


#4 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:11:13 PM

Posted 27 May 2009 - 01:19 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

* Anyone other than the originator of this thread, you would be best advised to not run ComboFix without guidance from someone trained in its use. It is a very powerful tool that can cause damage to your computer if used wrong.

Run ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.

Then test out Firefox, and if it still has problems, click the start button, then all programs, then Mozilla Firefox, and then click on the Firefox that has safe mode after it and see if Firefox will start in safe mode. Let me know.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#5 Denied Fantasies

Denied Fantasies
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 27 May 2009 - 06:20 PM

Hi there! Thanks for helping out.

After performing the system restore, I never really did anything to try and fix the problem.

Anyway, I just finished using MBAM and Combofix. While running Combofix, the instructions were to exit out of all open programs and windows while it's running. However, in the process of using it, it restarted my computer and the windows that usually popped up... popped up. So I closed them immediately. AVG was also activated upon the startup of the computer, so I didn't really know what to do, as I don't think I was supposed to open any programs or windows... So it was left on as the log was being generated.
Firefox came up with no problems, both in Safe Mode and not in Safe Mode. :thumbup2:

[EDIT] I just restarted my computer, and the desktop wallpaper has completely changed and it keeps popping up with this message: "Dell Wireless WLAN Card Wireless Network Controller stopped working and was closed. A problem caused the application to stop working correctly. Windows will notify you if a solution is available."
Sometimes I get that message upon startup, but this time, every time I click the Close button, it'll reappear in half a minute. [/EDIT]


Here is my MBAM log. I have attached the Combofix.txt to this message.

Malwarebytes' Anti-Malware 1.37
Database version: 2186
Windows 6.0.6001 Service Pack 1

5/27/2009 3:31:01 PM
mbam-log-2009-05-27 (15-31-00).txt

Scan type: Quick Scan
Objects scanned: 82828
Time elapsed: 6 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Edited by Denied Fantasies, 27 May 2009 - 06:33 PM.


#6 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:11:13 PM

Posted 27 May 2009 - 09:15 PM

Can you change the wallpaper and does it stay changed? About the wireless problem, I need you to go to the Administrative Tools in Vista. They are in the Control Panel.

1. Open the Admin tools, then open the Event Viewer.

2. Over on the left hand side, expand the Windows Logs category and then click on System.

3. Up at the top, click on Action and then click on Save Events As, type in system as the file name, make sure file type EVTX is selected, navigate so it will save the file to your desktop, then click Save.

4. Over on the left hand side, click on Application.

5. Up at the top, click on Action and then click on Save Events As, type in application as the file name, make sure file type EVTX is selected, navigate so it will save the file to your desktop, then click Save.

6. Zip them both up into a single zip file, and post them back here in your next reply as attachments.

#7 Denied Fantasies

Denied Fantasies
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 27 May 2009 - 09:57 PM

I can change the wallpaper.

I have the .evtx files you asked for, but the zip folder cannot be uploaded. It says that the file is larger than the available space.
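
The exchange above exports the complete System and Application logs, and the resulting zip was too large to attach. As an added example (not from the thread, and not the helper's own procedure), the Python script below does the same export with wevtutil, the command-line counterpart of the Event Viewer's Save Events As, but limits each export to events from the last 24 hours with an XPath time filter, which is usually enough to keep the .evtx files small enough to upload. The channel names, the 24-hour window, the desktop output folder and the archive name are assumptions; it has to be run on the affected Windows machine from an elevated prompt.

```python
import platform
import subprocess
import zipfile
from pathlib import Path
from typing import List

# Assumed defaults: the two channels asked for above, exported to the desktop.
CHANNELS = ("System", "Application")
EXPORT_DIR = Path.home() / "Desktop"


def time_filter_xpath(hours: int) -> str:
    """XPath for wevtutil's /q: switch; timediff() compares in milliseconds."""
    return f"*[System[TimeCreated[timediff(@SystemTime) <= {hours * 3600 * 1000}]]]"


def export_command(channel: str, dest: Path, hours: int) -> List[str]:
    """argv for 'wevtutil epl': export <channel> to <dest>, keeping only the last <hours>."""
    return ["wevtutil", "epl", channel, str(dest),
            f"/q:{time_filter_xpath(hours)}",
            "/ow:true"]            # overwrite a previous export of the same name


def export_and_zip(hours: int = 24, out_dir: Path = EXPORT_DIR) -> Path:
    """Export each channel to <name>.evtx and bundle them into one zip for upload."""
    out_dir.mkdir(parents=True, exist_ok=True)
    exported = []
    for channel in CHANNELS:
        dest = out_dir / f"{channel.lower()}.evtx"
        subprocess.run(export_command(channel, dest, hours), check=True)
        exported.append(dest)
    archive = out_dir / "eventlogs.zip"
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for evtx in exported:
            zf.write(evtx, arcname=evtx.name)
    return archive


if __name__ == "__main__":
    if platform.system() != "Windows":
        raise SystemExit("wevtutil is a Windows tool; run this on the affected machine.")
    result = export_and_zip()
    print(f"{result} ({result.stat().st_size // 1024} KiB)")
```

If 24 hours still produces a file over the upload limit, shorten the window rather than dropping a channel: the crash being chased here is an application fault that Windows Error Reporting logs at the moment it happens, so the events needed sit in a narrow band around the last restart.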

#8 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:11:13 PM

Posted 27 May 2009 - 10:40 PM

Check your Private Messages.

#9 Denied Fantasies

Denied Fantasies
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 27 May 2009 - 10:52 PM

Just did. =)

#10 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:11:13 PM

Posted 27 May 2009 - 11:47 PM

I will look at them tomorrow. I am getting tired right now, time to take a bit of a nap.

#11 Denied Fantasies

Denied Fantasies
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 27 May 2009 - 11:51 PM

All right. There's no rush. ^^ Have a nice rest.

#12 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:11:13 PM

Posted 28 May 2009 - 10:14 AM

From your logs you have lots of problems.

Please perform a BitDefender Online Virus and Malware Scan here:
http://www.bitdefender.com/scan8/ie.html
* Click on I Agree.
* An ActiveX warning box will appear, click on Install.
* Under Select What You Want To Check For Viruses.
* Please Check My Computer and Click Ok
* Now Click On Click Here To Scan
* Next, Click on Click here to export the scan report
* Save it to your Desktop.
* In your next reply, please include the BitDefender log and a fresh HijackThis log.

Also, do you have the Windows Vista install disk? If you do, I would like you to run the System File Checker.

1. Click the Start button

2. From the Start Menu, Click All programs followed by Accessories

3. In the Accessories menu, Right Click on the Command Prompt option

4. From the drop down menu that appears, Click on the 'Run as administrator' option

5. If you have the User Account Control (UAC) enabled you will be asked for authorisation prior to the command prompt opening. You may simply need to press the Continue button if you are the administrator or insert the administrator password etc.

6. In the Command Prompt window, type: sfc /scannow and then press Enter

7. A message will appear stating that 'the system scan will begin'

8. Be patient because the scan may take some time

9. If any files require replacing SFC will replace them. You may be asked to insert your Vista DVD for this process to continue

10. If everything is okay you should, after the scan, see the following message "Windows resource protection did not find any integrity violations"

11. After the scan has completed, Close the command prompt window

If you ran the SFC let me know how it ran.

#13 Denied Fantasies

Denied Fantasies
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 28 May 2009 - 05:30 PM

For the BitDefender Online Virus and Malware Scanner, what should I put for Scan Options? Report only, prompt user for actions, disinfect, or delete?

#14 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:11:13 PM

Posted 28 May 2009 - 06:08 PM

disinfect

#15 Denied Fantasies

Denied Fantasies
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 28 May 2009 - 07:15 PM

For some reason, I can't just scan My Computer. I either scan the whole computer, or I scan nothing. So I decided to scan the whole computer.

...this'll take a long while... It's going slowly, and the scan has been going for about thirty minutes already... and only about 5% done. So I'll probably have to get back to you in about a day, unless it quickens up. :thumbup2:

Edited by Denied Fantasies, 28 May 2009 - 07:16 PM.




