Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan/Spyware Infection


  • This topic is locked This topic is locked
11 replies to this topic

#1 WiredBob

WiredBob

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:22 AM

Posted 27 May 2009 - 09:33 PM

A few weeks ago when I woke up my computer had like 30 opened windows and all of these IE windows opened with advertisements. Also AVG showed numerous problems. I ran a check on TrendMicro Housecall which showed virus infection that could not be removed. The advertisements and IE hijacks continued until I looked at my systems processes which showed an IE process with large, varying CPU even though all IE programs were currently closed. I removed the IE process that was using all the CPU (unfortunately I did not save the name of the process, sorry!) and the advertisements and IE hijacking stopped. However now when I reboot Windows XP I get an error message:
RUNDLL
Error loading C:\WINDOWS\System32\lunapigi.dll

Also ever since this infection my PC has not been the same. It is slow, cannot handle multiple functions, etc. I really notice it the most when I try to do my favorite online gaming.

I want to know if there is still any malicious software still on my machine and if so, how to remove it. I would also like to address the Reboot error, if possible. I hope someone can help...your time is truly appreciated!


DDS (Ver_09-05-14.01) - NTFSx86
Run by Billy at 19:09:24.29 on Wed 05/27/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.534 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Billy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {8ffc7c2d-c25e-4e96-b5d8-0e99997af3a6} - c:\windows\system32\kiradeha.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [yugivufetu] Rundll32.exe "c:\windows\system32\lunapigi.dll",s
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\windows\system32\yepuvula.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\yepuvula.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\billy\applic~1\mozilla\firefox\profiles\paa6xtas.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - data:text/plain,keyword.URL=hxxp://search.yahoo.com/search?fr=yff3u&p=
FF - component: c:\documents and settings\billy\application data\mozilla\firefox\profiles\paa6xtas.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-18 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-18 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-18 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-10-18 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-18 298776]

=============== Created Last 30 ================

2009-05-27 15:57 <DIR> --d----- c:\program files\Trend Micro
2009-05-15 11:11 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-15 11:10 <DIR> --d----- c:\documents and settings\billy\.housecall6.6
2009-05-09 12:01 <DIR> --d----- c:\program files\iPod
2009-05-09 12:01 <DIR> --d----- c:\program files\iTunes
2009-05-09 12:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

==================== Find3M ====================

2009-05-12 08:41 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-12 08:41 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-12 08:41 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll

============= FINISH: 19:09:35.81 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:22 AM

Posted 08 June 2009 - 07:48 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
If you still require assistance post a new set of DDS Logs and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log please refer to this page and in step #6 there is instructions on downloading and running DDS. IF you have any problems just let me know in your next reply or simply post a Hijackthis log.

Thanks again and we apologzie for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:22 AM

Posted 13 June 2009 - 11:14 AM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 from the last day I replied initially, the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:22 AM

Posted 17 June 2009 - 04:29 PM

Hello.

Due to Lack of feedback, this topic is now Closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:22 AM

Posted 23 June 2009 - 11:32 AM

Topic re-opend upon user's request.

Please post the required information in my inital post.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 WiredBob

WiredBob
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:22 AM

Posted 23 June 2009 - 07:59 PM

Since my initial post I ended up running Malwarebytes program to remove an obvious infection of Virtumonde. PC seems to be running better. Also I am not getting an error message at start up, which I believe was fixed by CC Cleaner program.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Billy at 17:53:23.20 on Tue 06/23/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.573 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
svchost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Billy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {8ffc7c2d-c25e-4e96-b5d8-0e99997af3a6} - No File
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\windows\system32\yepuvula.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\yepuvula.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\billy\applic~1\mozilla\firefox\profiles\paa6xtas.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - data:text/plain,keyword.URL=hxxp://search.yahoo.com/search?fr=yff3u&p=
FF - component: c:\documents and settings\billy\application data\mozilla\firefox\profiles\paa6xtas.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-18 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-18 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-18 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-10-18 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-18 298776]

=============== Created Last 30 ================

2009-06-14 00:17 <DIR> --d----- c:\program files\GoldWave
2009-06-13 23:32 <DIR> --d----- C:\Temp
2009-06-13 23:32 <DIR> --d----- c:\program files\MP4Converter
2009-06-13 22:57 131,072 a------- c:\windows\system32\SpoonUninstall.exe
2009-06-13 22:57 36,104 a------- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2009-06-13 22:57 33,846 a------- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.bmp
2009-06-13 22:57 <DIR> --d----- c:\program files\Illustrate
2009-06-06 11:08 <DIR> --d----- c:\program files\iPod
2009-06-06 11:08 <DIR> --d----- c:\program files\iTunes
2009-05-29 14:33 <DIR> --d----- c:\docume~1\billy\applic~1\Malwarebytes
2009-05-29 14:33 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-29 14:33 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-29 14:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-29 14:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-29 00:55 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-29 00:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-27 22:57 <DIR> --d----- c:\program files\CCleaner
2009-05-27 15:57 <DIR> --d----- c:\program files\Trend Micro
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-15 11:10 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-12 08:41 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-12 08:41 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-12 08:41 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 21:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-28 21:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 17:53:50.84 ===============

Attached Files



#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:22 AM

Posted 24 June 2009 - 09:35 AM

Hello.

Hello.

Also I am not getting an error message at start up, which I believe was fixed by CC Cleaner program.

I hope you are not using the "registry cleaner" part of CCleaner's function. Take a read below.

Registry Cleaner(s) Warning

Please be aware that Bleeping Computer staff do not recommend the usage of registry cleaners/tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System. This could include making your computer inoperatable.
  • These programs generally only delete "orphaned" or "dead" entries. This merely removes entries that point to files that no longer exist on your computer. Registry entries do not take up a significant amount of hardrive space. The program itself (and its own registry entries) likely occupy relatively more space.
  • The amount of improvement in performance you gain is minimal.
This is done, assuming that the major audience here at this board may be inexperienced users and thus a suggested safeguard from our side.
If you feel that your have sufficient knowledge to use such tools safely, then you are welcome to keep them.

miekiemoes offered a blog over here: http://miekiemoes.blogspot.com/2008/02/reg...weaking_13.html



Please uninstall this older version of Java:

Java™ 6 Update 7

Now, run a online scan.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner
    page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Post back with a new set of DDS logs afterwards.

With Regards,
Extremeboy

Edited by extremeboy, 24 June 2009 - 09:35 AM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 WiredBob

WiredBob
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:22 AM

Posted 24 June 2009 - 04:04 PM

"I hope you are not using the "registry cleaner" part of CCleaner's function."

Actually yes I did use the registry cleaner. :thumbup2: I guess I will not be using that anymore. What about Advanced System Care? Is that program safe to use?

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, June 24, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, June 24, 2009 21:29:31
Records in database: 2387487
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 40202
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:01:56


File name / Threat name / Threats count
C:\Documents and Settings\Billy\.housecall6.6\Quarantine\klite.ath[1].htm.bac_a02256 Infected: Trojan-Clicker.HTML.IFrame.aga 1

The selected area was scanned.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Billy at 13:58:11.23 on Wed 06/24/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.642 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Billy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {8ffc7c2d-c25e-4e96-b5d8-0e99997af3a6} - No File
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\windows\system32\yepuvula.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\yepuvula.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\billy\applic~1\mozilla\firefox\profiles\paa6xtas.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - data:text/plain,keyword.URL=hxxp://search.yahoo.com/search?fr=yff3u&p=
FF - component: c:\documents and settings\billy\application data\mozilla\firefox\profiles\paa6xtas.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-18 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-18 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-18 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-10-18 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-18 298776]

=============== Created Last 30 ================

2009-06-24 12:16 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-14 00:17 <DIR> --d----- c:\program files\GoldWave
2009-06-13 23:32 <DIR> --d----- C:\Temp
2009-06-13 23:32 <DIR> --d----- c:\program files\MP4Converter
2009-06-13 22:57 131,072 a------- c:\windows\system32\SpoonUninstall.exe
2009-06-13 22:57 36,104 a------- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2009-06-13 22:57 33,846 a------- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.bmp
2009-06-13 22:57 <DIR> --d----- c:\program files\Illustrate
2009-06-06 11:08 <DIR> --d----- c:\program files\iPod
2009-06-06 11:08 <DIR> --d----- c:\program files\iTunes
2009-05-29 14:33 <DIR> --d----- c:\docume~1\billy\applic~1\Malwarebytes
2009-05-29 14:33 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-29 14:33 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-29 14:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-29 14:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-29 00:55 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-29 00:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-27 22:57 <DIR> --d----- c:\program files\CCleaner
2009-05-27 15:57 <DIR> --d----- c:\program files\Trend Micro
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-06-24 12:16 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-15 11:10 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-12 08:41 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-12 08:41 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-12 08:41 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 21:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-28 21:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 13:58:51.46 ===============

Attached Files



#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:22 AM

Posted 25 June 2009 - 04:05 PM

Hello.

A few things we need to take care of.

What about Advanced System Care? Is that program safe to use?

That program also has a registry cleaning function to it. I would avoid using that. I'm no big fan of any tweaking but as long as it's not anything to do with the registry it's okay. Please be careful of what you do and know what you are doing before tweaking the system. I personally do not find it very helpful. A safer way to apporach the same thing is:

1. Remove unnecessary startup/services using StartUpLite
2. Defrag and run temporary internet files, cookies etc..
--- Some programs can do this are: auslogics disk defrag, ATFCleaner, CCleaner etc...
3. Try some of the steps mentioned here: http://www.bleepingcomputer.com/forums/ind...st&p=487112

Backup Registry with ERUNT

This tool will create a complete backup of your registry. A backup is created to ensure we have backup so encase anything goes wrong we can deal with it. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

How to Restore from the ERUNT Backup

Only restore from the backups if instructed to, or you need to do so. You need it if after doing something, your computer will only boot in Safe Mode and you are unable to contact us (or anyone else) for help by other means, or if your computer will not boot into Windows at all.

To restore if you can boot, navigate to C:\WINDOWS\erdnt, choose the folder with the most recent date, and double click ERDNT.EXE. Check all boxes in the restoration options.

To restore from the Recovery Console using the Windows CD:
  • Turn on your machine with the disk in the drive.
  • Type in the number of the Windows installation you want to repair (usually 1), then press Enter.
  • Type in the Administrator password (leave blank if you are unsure what it is or if you do not have one) and press Enter.
  • Type without quotes "cd erdnt" followed by Enter.
  • Type without quotes "dir" followed by Enter. This will list out the available folders, whose names are the date on which the backup was taken in (M)M-DD-YYYY format. Try the most recent dates first.
  • Type without quotes "cd **name of the folder**" followed by Enter.
  • Type without quotes "batch erdnt.con" followed by Enter.
  • Type without quotes "exit" followed by Enter.
  • Remove your CD from the drive and reboot your computer into the restored registry. If you still cannot boot, try again with an earlier restore date.




Download and Run OTM
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop If you are running on Vista, right click on the file and choose Run As Administrator.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :files
    C:\Documents and Settings\Billy\.housecall6.6\Quarantine
    c:\windows\system32\yepuvula.dll
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{8ffc7c2d-c25e-4e96-b5d8-0e99997af3a6}]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    :commands
    [EmptyTemp]
    [Reboot]
  • Click the large Posted Image button.
  • If OTM requires are reboot, please allow it to do so.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Take a new DDS run and post back with the log.

Then, please let me know how your computer is running and any more symptoms or problems you may still have.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 WiredBob

WiredBob
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:22 AM

Posted 25 June 2009 - 05:31 PM

Thanks for the useful information. :thumbup2: Everything seems to be running fine.

I hope this is the OTM results log that you asked for:

All processes killed
========== FILES ==========
C:\Documents and Settings\Billy\.housecall6.6\Quarantine moved successfully.
File/Folder c:\windows\system32\yepuvula.dll not found.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows\\"AppInit_DLLs"|"" /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{8ffc7c2d-c25e-4e96-b5d8-0e99997af3a6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8ffc7c2d-c25e-4e96-b5d8-0e99997af3a6}\ not found.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Billy
->Temp folder emptied: 76011774 bytes
->Temporary Internet Files folder emptied: 4212807 bytes
->Java cache emptied: 7746239 bytes
->FireFox cache emptied: 67490022 bytes
->Apple Safari cache emptied: 4708514 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 388567837 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2195181 bytes
%systemroot%\System32 .tmp files removed: 2322961 bytes
Windows Temp folder emptied: 571 bytes

RecycleBin emptied: 2967361 bytes

Total Files Cleaned = 530.52 mb


OTM by OldTimer - Version 3.0.0.2 log created on 06252009_152114

Files moved on Reboot...

Registry entries deleted on Reboot...


DDS (Ver_09-05-14.01) - NTFSx86
Run by Billy at 15:28:40.07 on Thu 06/25/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.483 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Billy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {8ffc7c2d-c25e-4e96-b5d8-0e99997af3a6} - No File
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\billy\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\billy\applic~1\mozilla\firefox\profiles\paa6xtas.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - data:text/plain,keyword.URL=hxxp://search.yahoo.com/search?fr=yff3u&p=
FF - component: c:\documents and settings\billy\application data\mozilla\firefox\profiles\paa6xtas.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-18 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-18 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-18 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-10-18 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-18 298776]

=============== Created Last 30 ================

2009-06-25 15:21 <DIR> --d----- C:\_OTM
2009-06-24 12:16 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-14 00:17 <DIR> --d----- c:\program files\GoldWave
2009-06-13 23:32 <DIR> --d----- C:\Temp
2009-06-13 23:32 <DIR> --d----- c:\program files\MP4Converter
2009-06-13 22:57 131,072 a------- c:\windows\system32\SpoonUninstall.exe
2009-06-13 22:57 36,104 a------- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2009-06-13 22:57 33,846 a------- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.bmp
2009-06-13 22:57 <DIR> --d----- c:\program files\Illustrate
2009-06-06 11:08 <DIR> --d----- c:\program files\iPod
2009-06-06 11:08 <DIR> --d----- c:\program files\iTunes
2009-05-29 14:33 <DIR> --d----- c:\docume~1\billy\applic~1\Malwarebytes
2009-05-29 14:33 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-29 14:33 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-29 14:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-29 14:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-29 00:55 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-29 00:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-27 22:57 <DIR> --d----- c:\program files\CCleaner
2009-05-27 15:57 <DIR> --d----- c:\program files\Trend Micro
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-06-24 12:16 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-15 11:10 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-12 08:41 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-12 08:41 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-12 08:41 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 21:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-28 21:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 15:29:04.03 ===============

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:22 AM

Posted 25 June 2009 - 09:00 PM

Great.

Log looks clean. We can wrap up now.



Please follow/read the steps below to remove the tools we used, purge a system restore and for some more information. :)

Cleanup! with OTM
Let's remove all the tools we've used so far.
  • Double click the OTM.exe to run it. Right-click and select run as administrator if you are using Vista
  • Click Posted Image.
  • Follow the prompts to remove the tools we used.
  • If required for a reboot click Yes

Create a New System Restore Point<- Very Important

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

System A bit Slow? Try StartupLight

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.


Congratulations! You now appear clean! :cool: :) :thumbup2:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Vist the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as you malware removal source.
Don't forget to tell your friends about us and Good luck :)


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks :)

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:22 AM

Posted 29 June 2009 - 12:54 PM

Hello.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, please send me a message.

Everyone else, please begin a new topic.

With Regards,
Extremeboy

Edited by extremeboy, 30 June 2009 - 01:44 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users