
Nasty bug deep-rooted and causing problems.


18 replies to this topic

#1 Smak Runner 2K (Members)

Posted 31 May 2009 - 11:38 AM

Hello,

I'm new here (obviously). I have a bug (or...several) that I'm at my wits' end with trying to figure out how to remove. There is definitely a DNS changer at play and some adware/malware changing and adding ads on some different web pages, etc. I've DL'ed (from a clean computer) Malwarebytes, AVG 8.5, and Ad-Aware AE (plus all updates) and run them in the last 24 hrs to no avail. I still can't visit malwarebytes.org or update (from this computer) any of these programs from MY computer though - the malware is stopping me.

Help? I've been dealing with this for a week now...I've lost some files (pictures) to this malware, which I have recovered 90% of...but I'm afraid it's going to happen again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:09 PM, on 5/31/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 2867 bytes

Edited by Smak Runner 2K, 31 May 2009 - 11:42 AM.
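Added example, not part of the thread or of HijackThis itself: a small Python triage of a HijackThis 2.0.2 log in the format posted above. It parses the "<section> - <body>" entries, collapses the repeated O10 lines (HijackThis prints one per protocol chain the LSP is registered in, so nine identical lines are expected), recognises wpclsp.dll as the Windows Parental Controls LSP that ships with Vista, and flags O4 autostarts that point into a temp directory and any AppInit_DLLs entry, which is injected into every process that maps user32.dll. The sample log is constructed from the posted lines; the HKCU "Updater" entry is hypothetical and was added only to exercise the temp-directory rule.

```python
import re

# Constructed sample in HijackThis 2.0.2 format, modelled on the log posted
# above. The HKCU "Updater" line is hypothetical and only exercises the
# temp-directory rule; the other lines mirror the posted log.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Updater] C:\Users\Dan\AppData\Local\Temp\xxwxcvq.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
# O4 bodies look like "<hive>\..\Run: [<name>] <command line>".
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")
# Directories a legitimate autostart rarely lives in.
SUSPECT_DIR_RE = re.compile(r"\\temp\\|\\recycler\\|\\\$recycle\.bin\\", re.I)
# LSP modules HijackThis 2.0.2 reports as "unknown" because it predates Vista,
# but which ship with the OS: wpclsp.dll is the Windows Parental Controls LSP.
KNOWN_LSP = {"wpclsp.dll": "Windows Parental Controls LSP (ships with Vista)"}


def parse_hjt(text):
    """Return a list of (section, body) pairs for every well-formed entry."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def split_command(cmd):
    """Split a Run-key command line into (executable path, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage(entries):
    """Apply a few autostart rules and return a list of finding dicts."""
    findings = []
    lsp_seen = {}
    for sec, body in entries:
        if sec == "O4":
            m = RUN_RE.search(body)
            if not m:
                continue
            exe, args = split_command(m.group("cmd"))
            if SUSPECT_DIR_RE.search(exe):
                findings.append({"section": sec, "severity": "high", "item": exe,
                                 "reason": "autostart from a temp/recycle directory"})
            elif m.group("name").lower() == "msconfig" and "/auto" in args:
                findings.append({"section": sec, "severity": "info", "item": exe,
                                 "reason": "msconfig selective startup is active; entries "
                                           "it disabled live under its own key, not as O4"})
        elif sec == "O10":
            # One O10 line per protocol chain the LSP sits in: collapse to one finding.
            dll = body.rsplit("\\", 1)[-1].lower()
            lsp_seen[dll] = lsp_seen.get(dll, 0) + 1
        elif sec == "O20":
            dll = body.split(":", 1)[-1].strip()
            findings.append({"section": sec, "severity": "medium", "item": dll,
                             "reason": "AppInit_DLLs loads into every process that maps "
                                       "user32.dll; confirm the publisher"})
    for dll, count in lsp_seen.items():
        if dll in KNOWN_LSP:
            findings.append({"section": "O10", "severity": "info", "item": dll,
                             "reason": f"{KNOWN_LSP[dll]}; {count} chain entries"})
        else:
            findings.append({"section": "O10", "severity": "high", "item": dll,
                             "reason": f"unrecognised Winsock LSP in {count} chains; "
                                       "an LSP sees all socket traffic"})
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_HJT)):
        print(f"{f['severity']:6} {f['section']:4} {f['item']}: {f['reason']}")
```

Run stand-alone it prints one line per finding; on the sample that is the hypothetical temp-directory autostart (high), the AppInit DLL (medium), and two informational notes for msconfig and the parental-controls LSP. The O10 duplication is the point worth remembering when reading the log above: nine identical lines are one LSP, not nine.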



#2 etavares (Bleepin' Remover, Malware Response Team)

Posted 11 June 2009 - 08:27 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#3 Smak Runner 2K (Topic Starter)

Posted 14 June 2009 - 08:50 AM

Symptoms:

Virus / Malware continually destroys installed AVG 8.5 components...rendering it useless.

Cannot install some programs

Cannot update ANY antivirus / anti-malware programs

Cannot upload pictures to Facebook etc.

Virus / Malware has deleted 75% of my pictures and media on this computer. (I had them backed-up...whew!).

Cannot visit websites related to malware / virus removal programs.

Obnoxious ad-links and pop-ups.

Requested Log:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Dan at 9:42:38.76 on Sun 06/14/2009
Internet Explorer: 8.0.6001.18783
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1023.295 [GMT -4:00]

SP: Antispyware *disabled* (Updated) {4D811FF1-EC48-48F5-88F9-29174196D43B}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\lxdicoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Users\Dan\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Users\Dan\Desktop\dds (1).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.espn.com/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [Google Update] "c:\users\dan\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [lxdimon.exe] "c:\program files\lexmark 3500-4500 series\lxdimon.exe"
mRun: [lxdiamon] "c:\program files\lexmark 3500-4500 series\lxdiamon.exe"
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
LSP: c:\windows\system32\wpclsp.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} - hxxp://www.programchecker.com/dll/nixon.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
AppInit_DLLs: c:\windows\system32\avgrsstx.dll

============= SERVICES / DRIVERS ===============

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2005-6-12 9344]
R0 IFP300;iriver Internet Audio Player IFP-300;c:\windows\system32\drivers\ifp300.sys [2006-7-13 14531]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-31 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-31 108552]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [2007-4-26 99248]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-6-12 66048]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-1-31 33792]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-31 298776]
S4 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2005-6-12 448640]
S4 XXWXCVQ;XXWXCVQ;c:\users\dan\appdata\local\temp\xxwxcvq.exe --> c:\users\dan\appdata\local\temp\XXWXCVQ.exe [?]

=============== Created Last 30 ================

2009-06-13 09:42 159,762,078 a------- c:\windows\MEMORY.DMP
2009-06-12 23:26 428,544 a------- c:\windows\system32\EncDec.dll
2009-06-12 23:26 293,376 a------- c:\windows\system32\psisdecd.dll
2009-06-12 23:26 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-12 23:26 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-06-12 23:26 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-12 14:56 <DIR> --d----- c:\programdata\NOS
2009-06-11 12:37 <DIR> --d----- c:\windows\Desktop
2009-06-11 12:37 110 a------- c:\windows\Hop.ini
2009-06-10 18:42 2,033,152 a------- c:\windows\system32\win32k.sys
2009-06-10 18:42 636,928 a------- c:\windows\system32\localspl.dll
2009-06-06 13:00 <DIR> --d----- c:\programdata\Zenturi
2009-06-06 13:00 <DIR> --d----- c:\progra~2\Zenturi
2009-06-06 10:17 <DIR> --d----- c:\program files\Ashampoo
2009-05-31 18:55 318,976 a------- c:\windows\system32\CF4501.exe
2009-05-31 18:55 <DIR> --ds---- C:\ComboFix
2009-05-31 18:54 318,976 a------- c:\windows\system32\CF4129.exe
2009-05-31 18:42 318,976 a------- c:\windows\system32\CF1846.exe
2009-05-31 18:41 318,976 a------- c:\windows\system32\CF1605.exe
2009-05-31 17:57 <DIR> -cd----- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-31 17:57 <DIR> -cd----- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-31 14:42 162,304 a------- c:\windows\system32\ztvunrar36.dll
2009-05-31 14:42 153,088 a------- c:\windows\system32\UNRAR3.dll
2009-05-31 14:42 77,312 a------- c:\windows\system32\ztvunace26.dll
2009-05-31 14:42 75,264 a------- c:\windows\system32\unacev2.dll
2009-05-31 14:42 69,632 a------- c:\windows\system32\ztvcabinet.dll
2009-05-31 14:42 <DIR> --d----- c:\users\dan\appdata\roaming\Simply Super Software
2009-05-31 14:42 <DIR> --d----- c:\programdata\Simply Super Software
2009-05-31 14:42 <DIR> --d----- c:\program files\Trojan Remover
2009-05-31 14:42 <DIR> --d----- c:\progra~2\Simply Super Software
2009-05-31 12:30 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-31 11:39 1,647 a------- C:\AVG Free 8.5.lnk
2009-05-31 11:39 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-31 11:39 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-31 11:39 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-31 11:39 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-05-31 10:47 <DIR> --d----- c:\users\dan\DoctorWeb
2009-05-31 01:30 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-31 01:30 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-31 01:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-28 23:21 318,976 a------- c:\windows\system32\CF29264.exe
2009-05-28 23:21 <DIR> --ds---- C:\gred
2009-05-28 23:12 318,976 a------- c:\windows\system32\CF27530.exe
2009-05-28 22:55 318,976 a------- c:\windows\system32\CF24115.exe
2009-05-28 22:51 318,976 a------- c:\windows\system32\CF23383.exe
2009-05-24 15:37 318,976 a------- c:\windows\system32\CF22156.exe
2009-05-24 15:33 <DIR> --d----- C:\SDFix
2009-05-24 12:11 0 a------- c:\windows\system32\atiicdxx.dat
2009-05-24 11:57 161,792 a------- c:\windows\SWREG.exe
2009-05-24 11:57 154,624 a------- c:\windows\PEV.exe
2009-05-24 11:57 98,816 a------- c:\windows\sed.exe
2009-05-24 11:56 318,976 a------- c:\windows\system32\CF11734.exe
2009-05-24 11:56 318,976 a------- c:\windows\system32\CF11587.exe
2009-05-19 05:19 <DIR> --d----- c:\programdata\App4rTemp
2009-05-19 05:19 <DIR> --d----- c:\progra~2\App4rTemp
2009-05-19 03:25 <DIR> --d----- c:\program files\Trend Micro
2009-05-18 00:15 <DIR> --d----- C:\VundoFix Backups
2009-05-17 20:32 <DIR> --d----- c:\users\dan\appdata\roaming\Malwarebytes
2009-05-17 20:31 <DIR> --d----- c:\programdata\Malwarebytes
2009-05-17 20:31 <DIR> --d----- c:\progra~2\Malwarebytes
2009-05-17 20:18 <DIR> --d----- c:\users\dan\appdata\roaming\IObit
2009-05-17 20:18 <DIR> --d----- c:\program files\IObit
2009-05-17 10:37 <DIR> --d----- c:\programdata\Sony Corporation
2009-05-17 10:37 <DIR> --d----- c:\progra~2\Sony Corporation
2009-05-17 09:03 37,888 a------- c:\windows\system32\drivers\gxvxccbifnnptdcmqtxyrevudnfwvbxbvcqgw.sys.vir
2009-05-17 01:37 <DIR> --d----- c:\users\dan\appdata\roaming\Antispyware
2009-05-16 22:44 <DIR> --d----- c:\program files\FreeUndelete
2009-05-16 22:02 <DIR> --d----- c:\program files\R-Studio

==================== Find3M ====================

2009-06-13 22:04 51,200 a------- c:\windows\inf\infpub.dat
2009-06-13 22:04 143,360 a------- c:\windows\inf\infstrng.dat
2009-05-09 01:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 01:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-05-08 00:52 0 ----h--- c:\programdata\PKP_DLdu.DAT
2009-05-08 00:52 0 ----h--- c:\progra~2\PKP_DLdu.DAT
2009-05-07 22:59 106,496 a------- c:\windows\system32\ATL71.DLL
2009-05-01 19:57 86,016 a------- c:\windows\inf\infstor.dat
2009-04-23 08:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-03-16 23:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 23:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-16 23:38 24,064 a------- c:\windows\system32\amxread.dll
2008-10-26 22:23 86,399,322 a------- c:\users\dan\Videos.zip
2008-06-10 20:19 665,600 a------- c:\windows\inf\drvindex.dat
2008-06-08 19:11 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2001-08-22 13:15 245,760 a------- c:\windows\inf\i386\viceo.dll
2001-08-22 13:13 32,768 a------- c:\windows\inf\i386\Pmicro.dll
2001-08-22 13:13 61,440 a------- c:\windows\inf\i386\gl.dll
2001-08-03 18:29 13,824 a------- c:\windows\inf\i386\Usbscan.sys

============= FINISH: 9:43:04.86 ===============
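Added example, not part of the thread or of DDS: a Python parser for the two DDS sections that carry the interesting entries above, "SERVICES / DRIVERS" and "Created Last 30", with a name heuristic for the kind of entry a responder circles first. In the DDS service line the leading letter is R (running) or S (stopped), the digit is the SCM start type, "a --> b" shows the registered image path and where DDS resolved it, and a trailing "[?]" means DDS could not find the file. The sample is constructed from lines in the posted log plus one <DIR> line; the consonant-run and vowel-ratio thresholds are my own assumption, tuned so that abbreviation-heavy vendor names like avgrsstx and AvgTdiX stay below the line while XXWXCVQ and the long .sys.vir name do not. Treat a hit as a lead, not a verdict.

```python
import re

# Constructed sample in DDS format, taken in part from the log posted above
# (a <DIR> line is added to show that form).
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2005-6-12 9344]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-31 108552]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-1-31 33792]
S4 XXWXCVQ;XXWXCVQ;c:\users\dan\appdata\local\temp\xxwxcvq.exe --> c:\users\dan\appdata\local\temp\XXWXCVQ.exe [?]

=============== Created Last 30 ================

2009-06-13 09:42 159,762,078 a------- c:\windows\MEMORY.DMP
2009-06-12 14:56 <DIR> --d----- c:\programdata\NOS
2009-05-31 11:39 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-17 09:03 37,888 a------- c:\windows\system32\drivers\gxvxccbifnnptdcmqtxyrevudnfwvbxbvcqgw.sys.vir
"""

# "R1 AvgTdiX;AVG Free8 Network Redirector;<path> [date size]"
SVC_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# "2009-05-17 09:03 37,888 a------- <path>"  or  "... <DIR> --d----- <path>"
FILE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
                     r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
SUSPECT_DIR_RE = re.compile(r"\\temp\\", re.I)
VOWELS = set("aeiou")


def consonant_run(name):
    """Longest run of consecutive consonants; digits and punctuation break a run."""
    run = best = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def vowel_ratio(name):
    letters = [c for c in name.lower() if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0


def looks_random(name, min_run=6, max_ratio=0.1):
    """Heuristic for machine-generated names such as XXWXCVQ (thresholds assumed)."""
    return consonant_run(name) >= min_run and vowel_ratio(name) <= max_ratio


def parse_dds(text):
    """Return (services, files) from the two DDS sections shown above."""
    services, files = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = SVC_RE.match(line)
        if m:
            path, _, meta = m.group("rest").rpartition(" [")
            if "-->" in path:            # registered path --> path DDS resolved
                path = path.split("-->")[-1].strip()
            services.append({"name": m.group("name"),
                             "running": m.group("state") == "R",
                             "start": START_TYPES.get(m.group("start"), "?"),
                             "path": path,
                             "on_disk": meta != "?]"})   # "[?]" = file not found
            continue
        m = FILE_RE.match(line)
        if m:
            files.append({"date": m.group("date"), "path": m.group("path"),
                          "is_dir": m.group("size") == "<DIR>"})
    return services, files


def triage_dds(services, files):
    """Return (severity, item, reason) tuples for entries worth a closer look."""
    findings = []
    for s in services:
        if looks_random(s["name"]):
            findings.append(("high", s["name"],
                             f"random-looking service name, start={s['start']}"))
        if SUSPECT_DIR_RE.search(s["path"]):
            findings.append(("high", s["name"], f"image in a temp directory: {s['path']}"))
        if not s["on_disk"]:
            findings.append(("medium", s["name"],
                             "DDS could not stat the image ([?]): deleted, hidden, "
                             "or the registered path carries arguments"))
    for f in files:
        if f["is_dir"]:
            continue
        stem = f["path"].rsplit("\\", 1)[-1].split(".", 1)[0]
        if looks_random(stem):
            findings.append(("high", f["path"], f"random-looking file name created {f['date']}"))
    return findings


if __name__ == "__main__":
    for sev, item, reason in triage_dds(*parse_dds(SAMPLE_DDS)):
        print(f"{sev:6} {item}: {reason}")
```

On the sample this singles out exactly the two entries a responder would: the disabled XXWXCVQ service whose image lived in the user's temp directory and is now gone, and the randomly named driver file left behind in system32\drivers. The lxdi_device "[?]" is the benign case of the same marker: DDS could not stat the path because "-service" is part of the registered command line.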

#4 Thunder (Members, Belgium)

Posted 16 June 2009 - 09:06 AM

Hello Smak Runner 2K,

I see you've been struggling for a month now...
I take it running ComboFix didn't work out the way it should?

Please download, using another PC, a fresh copy of ComboFix,
and rename it (to CF.exe, for instance) prior to saving it to a transport medium (USB stick, ...)

Boot into safe mode:
Restart your computer and as soon as it starts booting up again, continuously tap F8.
A menu should come up where you will be given the option to enter Safe Mode.

In safe mode:
1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Transfer the renamed ComboFix copy to your desktop.
Double click the ComboFix icon to run it.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.
ComboFix may restart your system in order to remove some malware upon reboot.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.

#5 Smak Runner 2K (Topic Starter)

Posted 17 June 2009 - 08:11 PM

OK...couple of things.

First - I can't access "Internet Options" from either the Control Panel or from within IE in safe mode. However, If I log on under safe mode - with networking, I can access "Internet Options" from within IE but not from the Control Panel still. Is that normal? Doesn't seem so, but I could be wrong.

In truth, there are only (7) options available in the Control Panel while logged-in under either safe mode...just want to make sure that's hunky-dory in the first place.

Second - I had a friend burn me a CD with a fresh version of ComboFix burned onto it...but he forgot to rename the file (doh!). Just for chuckles, I copied it to the desktop, renamed it, and tried to run it. It hangs at "Trying to create new system restore point" after telling me that access was denied for non-administrator-type reasons...even after I click "run as administrator" under the "Computer Administrator" account...sigh.

I will get another disk burned for me (correctly) tomorrow and update you on my progress. Any answers you can provide to my first question though would be helpful - for the sole purpose of expanding my knowledge base.

Thanks for the help so far.

Edited by Smak Runner 2K, 17 June 2009 - 08:12 PM.


#6 Thunder

Posted 18 June 2009 - 04:39 AM

Hello Smak Runner 2K,

Print these instructions or save them to your desktop for future viewing.

Please download, or transfer using another PC, one or more of these anti-rootkit (ARK) tools:

Please boot in diagnostic mode:
Start > in the Start Menu Search Box: type msconfig and press Enter > in the System Configuration utility: check Diagnostic startup, click "Apply" and "OK", and click the Restart button to reboot your computer.

Prior to running the ARK scan it is recommended to do the following (ensure more accurate results and avoid common issues that may cause false detections.)
  • Disconnect from the Internet or physically unplug you Internet cable connection.
  • Clean out your temporary files.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Note: Not all hidden components detected by ARKs are malicious.
You should not be alarmed if you see some hidden entries created by legitimate programs after performing a scan.


Now perform an anti-rootkit (ARK) scan with downloaded tool(s),
and post the result(s) in your next reply.

Greetings,
Thunder

#7 Smak Runner 2K (Topic Starter)

Posted 20 June 2009 - 07:52 AM

Thunder,

Sophos Anti-rootkit - won't let me download, says it doesn't support Windows Vista

Panda AntiRootkit - does not support Windows Vista

Avira AntiRootkit - "One of the Avira AntiVir Desktop Products must be installed first. The application will now exit."

Help?

Edited by Smak Runner 2K, 20 June 2009 - 09:40 AM.


#8 Thunder

Posted 20 June 2009 - 11:35 AM

No problem Smak Runner 2K,

See if these will run:

Radix anti-rootkit : http://www.usec.at/radix.html
RootRepeal : http://rootrepeal.googlepages.com/RootRepeal.zip
Gmer : http://www.gmer.net/download.php

Greetings,
Thunder

#9 Smak Runner 2K (Topic Starter)

Posted 20 June 2009 - 04:41 PM

Radix - Does not run in Windows Vista

Root Repeal - Encounters an "index block" error and shuts down

I do...however...have a GMER log, which I have attached.

Attached file: GMER.log (14.15 KB)


#10 Thunder

Posted 22 June 2009 - 04:25 AM

Hello Smak Runner 2K,

Nothing much disturbing to see there.

Just to make sure,
can you run the PrevX scanner as well: http://info.prevx.com/downloadcsi.asp

Greetings,
Thunder

#11 Smak Runner 2K (Topic Starter)

Posted 22 June 2009 - 05:30 PM

I can't post a log unless I buy the full version, but it found 2 problems:

ws2fix.exe in C:\windows\system32

ws2fix.exe in C:\users\dan\desktop\smitfraudfix

#12 Thunder

Posted 25 June 2009 - 03:21 AM

Hello Smak Runner 2K,

Don't worry about ws2fix.exe, that's a SmitfraudFix component.

Please download OTM version 3 by OldTimer and save it to your desktop.
Double click the icon on your desktop to run it.
(Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

Copy the text lines below to the clipboard by highlighting ALL of them and pressing CTRL + C
(or, after highlighting, right-click and choose Copy):

:processes
explorer.exe

:services
XXWXCVQ

:files
c:\users\dan\appdata\local\temp\xxwxcvq.exe
c:\windows\system32\drivers\gxvxccbifnnptdcmqtxyrevudnfwvbxbvcqgw.sys.vir

:folders
c:\users\dan\appdata\roaming\Antispyware

:commands
[emptytemp]
[start explorer]
[reboot]

Return to OTM 3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

Click the red MoveIt! button.
Copy everything in the Results window (under the green bar) and paste it in your next reply.
Close OTM 3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Check if you can get ComboFix to run now.

Greetings,
Thunder
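Added example, not part of the thread or of OTM: a Python parser and pre-flight check for the OTM script format used in the instructions above, where each ":section" header is followed by the items it applies to and ":commands" carries bracketed directives. The sample input is the script from the post, verbatim. The set of section and command names is taken only from those instructions, so anything outside it is reported rather than silently accepted; the OTM log in the next reply shows the tool itself refused to interpret the ":folders" section, which is exactly the kind of surprise a check like this catches before MoveIt! is clicked. The lint also confirms that a script which kills explorer.exe restarts it or reboots, and that every :files entry is an absolute Windows path.

```python
import re

# The script from the post above, verbatim, used as sample input.
SCRIPT_FROM_POST = r"""
:processes
explorer.exe

:services
XXWXCVQ

:files
c:\users\dan\appdata\local\temp\xxwxcvq.exe
c:\windows\system32\drivers\gxvxccbifnnptdcmqtxyrevudnfwvbxbvcqgw.sys.vir

:folders
c:\users\dan\appdata\roaming\Antispyware

:commands
[emptytemp]
[start explorer]
[reboot]
"""

SECTION_RE = re.compile(r"^:(?P<name>[A-Za-z]+)$")
COMMAND_RE = re.compile(r"^\[(?P<cmd>[^\]]+)\]$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Names taken from the instructions in the post; anything else is reported.
# Assumption: OTM ignores sections it does not know, as its log in the next
# reply ("Unable to interpret <:folders>") suggests.
KNOWN_SECTIONS = {"processes", "services", "files", "commands"}
KNOWN_COMMANDS = {"emptytemp", "start explorer", "reboot"}


def parse_otm(script):
    """Group non-blank lines under the :section header that precedes them."""
    sections = {}
    current = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").lower()
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"line before any :section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def lint_otm(sections):
    """Return the problems a helper would want to see before MoveIt! runs."""
    problems = []
    for name, lines in sections.items():
        if name not in KNOWN_SECTIONS:
            problems.append(f"unknown section :{name} ({len(lines)} line(s) will not be acted on)")
    for path in sections.get("files", []):
        if not ABS_PATH_RE.match(path):
            problems.append(f"not an absolute Windows path: {path}")
    commands = []
    for line in sections.get("commands", []):
        m = COMMAND_RE.match(line)
        if m and m.group("cmd").lower() in KNOWN_COMMANDS:
            commands.append(m.group("cmd").lower())
        else:
            problems.append(f"unrecognised command line: {line}")
    killed = {p.lower() for p in sections.get("processes", [])}
    if "explorer.exe" in killed and not ({"start explorer", "reboot"} & set(commands)):
        problems.append("explorer.exe is killed but neither [start explorer] nor [reboot] "
                        "follows; the desktop would stay empty")
    return problems


if __name__ == "__main__":
    for problem in lint_otm(parse_otm(SCRIPT_FROM_POST)) or ["no problems found"]:
        print(problem)
```

Run on the script from the post it reports a single issue, the ":folders" section, which matches what the OTM log in the following reply actually did with that section.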

#13 Smak Runner 2K (Topic Starter)

Posted 28 June 2009 - 09:55 PM

Here's what I have...but the dang program crashed the first time through, after it had done 80% of the scan...so this log is not completely indicative of what got accomplished.

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
Service\Driver XXWXCVQ not found.
Service\Driver XXWXCVQ not found.
========== FILES ==========
File/Folder c:\users\dan\appdata\local\temp\xxwxcvq.exe not found.
File/Folder c:\windows\system32\drivers\gxvxccbifnnptdcmqtxyrevudnfwvbxbvcqgw.sys.vir not found.
Error: Unable to interpret <:folders> in the current context!
Error: Unable to interpret <c:\users\dan\appdata\roaming\Antispyware> in the current context!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Branyan
->Temporary Internet Files folder emptied: 0 bytes

User: Dan
File delete failed. C:\Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 1831397 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 901748 bytes

User: Default
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temporary Internet Files folder emptied: 0 bytes

User: Gabrielle
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

User: Guest
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

User: LarryJr My Documents

User: Mcx1
->Temporary Internet Files folder emptied: 0 bytes

User: Mcx2
->Temporary Internet Files folder emptied: 0 bytes

User: Mcx3
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: Shannon
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 795750 bytes

User: Visitor
->Temporary Internet Files folder emptied: 61975033 bytes
->Java cache emptied: 5068010 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 599488 bytes

RecycleBin emptied: 3039603 bytes

Total Files Cleaned = 70.77 mb


OTM by OldTimer - Version 3.0.0.2 log created on 06252009_180658

Files moved on Reboot...

Registry entries deleted on Reboot...


Here's a fresh HijackThis log also, just to show any changes. ComboFix will still not run (freezing at "Creating System Restore Point").

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:21 PM, on 6/28/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\wpcumi.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Dan\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\rmtray.exe /S
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Dan\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-21-1757981266-1214440339-839522115-1004\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'Shannon')
O4 - HKUS\S-1-5-21-1757981266-1214440339-839522115-1004\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Shannon')
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\Windows\system32\lxdicoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 5264 bytes

Also...here's a DDS log as well.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Dan at 22:58:50.93 on Sun 06/28/2009
Internet Explorer: 8.0.6001.18783
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1023.431 [GMT -4:00]

SP: Antispyware *disabled* (Updated) {4D811FF1-EC48-48F5-88F9-29174196D43B}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\system32\lxdicoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\wpcumi.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Dan\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\wpcumi.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Dan\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [RegistryMechanic] c:\program files\registry mechanic\rmtray.exe /S
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\dan\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [lxdiamon] "c:\program files\lexmark 3500-4500 series\lxdiamon.exe"
mRun: [lxdimon.exe] "c:\program files\lexmark 3500-4500 series\lxdimon.exe"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
LSP: c:\windows\system32\wpclsp.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} - hxxp://www.programchecker.com/dll/nixon.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
AppInit_DLLs: c:\windows\system32\avgrsstx.dll

============= SERVICES / DRIVERS ===============

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2005-6-12 9344]
R0 IFP300;iriver Internet Audio Player IFP-300;c:\windows\system32\drivers\ifp300.sys [2006-7-13 14531]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-31 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-31 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-31 298776]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-6-12 66048]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-1-31 33792]
S4 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2005-6-12 448640]

=============== Created Last 30 ================

2009-06-27 09:26 <DIR> --d----- c:\programdata\AVG Security Toolbar
2009-06-27 09:26 <DIR> --d----- c:\progra~2\AVG Security Toolbar
2009-06-25 18:54 <DIR> --ds---- C:\mouse
2009-06-25 18:54 318,976 a------- c:\windows\system32\CF12791.exe
2009-06-25 18:53 318,976 a------- c:\windows\system32\CF12572.exe
2009-06-25 17:49 <DIR> --d----- C:\_OTM
2009-06-24 17:27 <DIR> --ds---- C:\CF
2009-06-24 17:27 318,976 a------- c:\windows\system32\CF8520.exe
2009-06-24 17:26 318,976 a------- c:\windows\system32\CF8122.exe
2009-06-20 09:10 691 a------- c:\users\dan\appdata\roaming\GetValue.vbs
2009-06-20 09:10 35 a------- c:\users\dan\appdata\roaming\SetValue.bat
2009-06-20 09:08 1,438 a------- c:\windows\system32\tmp.reg
2009-06-20 09:07 289,144 a------- c:\windows\system32\VCCLSID.exe
2009-06-20 09:07 288,417 a------- c:\windows\system32\SrchSTS.exe
2009-06-20 09:07 87,552 a------- c:\windows\system32\VACFix.exe
2009-06-20 09:07 82,944 a------- c:\windows\system32\IEDFix.exe
2009-06-20 09:07 82,944 a------- c:\windows\system32\IEDFix.C.exe
2009-06-20 09:07 82,432 a------- c:\windows\system32\404Fix.exe
2009-06-20 09:07 80,384 a------- c:\windows\system32\o4Patch.exe
2009-06-20 09:07 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2009-06-20 09:07 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-06-20 09:07 53,248 a------- c:\windows\system32\Process.exe
2009-06-20 09:07 51,200 a------- c:\windows\system32\dumphive.exe
2009-06-20 08:40 <DIR> --d----- c:\users\dan\Pavark
2009-06-20 08:29 <DIR> --d----- c:\program files\Sophos
2009-06-16 22:06 35,262 a------- c:\windows\Dan.acl
2009-06-16 20:51 318,976 a------- c:\windows\system32\CF19406.exe
2009-06-16 20:47 318,976 a------- c:\windows\system32\CF18639.exe
2009-06-16 20:46 318,976 a------- c:\windows\system32\CF18551.exe
2009-06-16 20:43 318,976 a------- c:\windows\system32\CF17842.exe
2009-06-16 20:42 318,976 a------- c:\windows\system32\CF17679.exe
2009-06-16 20:42 <DIR> --ds---- C:\ComboFix
2009-06-16 20:41 318,976 a------- c:\windows\system32\CF17597.exe
2009-06-16 20:40 318,976 a------- c:\windows\system32\CF17388.exe
2009-06-13 09:42 159,762,078 a------- c:\windows\MEMORY.DMP
2009-06-12 23:26 428,544 a------- c:\windows\system32\EncDec.dll
2009-06-12 23:26 293,376 a------- c:\windows\system32\psisdecd.dll
2009-06-12 23:26 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-12 23:26 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-06-12 23:26 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-12 14:56 <DIR> --d----- c:\programdata\NOS
2009-06-11 12:37 <DIR> --d----- c:\windows\Desktop
2009-06-11 12:37 110 a------- c:\windows\Hop.ini
2009-06-10 18:42 2,033,152 a------- c:\windows\system32\win32k.sys
2009-06-10 18:42 636,928 a------- c:\windows\system32\localspl.dll
2009-06-06 13:00 <DIR> --d----- c:\programdata\Zenturi
2009-06-06 13:00 <DIR> --d----- c:\progra~2\Zenturi
2009-06-06 10:17 <DIR> --d----- c:\program files\Ashampoo
2009-05-31 18:55 318,976 a------- c:\windows\system32\CF4501.exe
2009-05-31 18:54 318,976 a------- c:\windows\system32\CF4129.exe
2009-05-31 18:42 318,976 a------- c:\windows\system32\CF1846.exe
2009-05-31 18:41 318,976 a------- c:\windows\system32\CF1605.exe
2009-05-31 17:57 <DIR> -cd----- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-31 17:57 <DIR> -cd----- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-31 14:42 <DIR> --d----- c:\programdata\Simply Super Software
2009-05-31 14:42 <DIR> --d----- c:\progra~2\Simply Super Software
2009-05-31 12:30 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-31 11:39 1,647 a------- C:\AVG Free 8.5.lnk
2009-05-31 11:39 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-31 11:39 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-31 11:39 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-31 11:39 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-05-31 10:47 <DIR> --d----- c:\users\dan\DoctorWeb

==================== Find3M ====================

2009-06-25 03:02 51,200 a------- c:\windows\inf\infpub.dat
2009-06-25 03:02 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-08 08:10 155,136 a------- c:\windows\PEV.exe
2009-05-28 23:21 318,976 a------- c:\windows\system32\CF29264.exe
2009-05-28 23:12 318,976 a------- c:\windows\system32\CF27530.exe
2009-05-28 22:54 318,976 a------- c:\windows\system32\CF24115.exe
2009-05-28 22:51 318,976 a------- c:\windows\system32\CF23383.exe
2009-05-24 15:37 318,976 a------- c:\windows\system32\CF22156.exe
2009-05-24 11:56 318,976 a------- c:\windows\system32\CF11734.exe
2009-05-24 11:55 318,976 a------- c:\windows\system32\CF11587.exe
2009-05-09 01:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 01:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-05-08 00:52 0 ----h--- c:\programdata\PKP_DLdu.DAT
2009-05-08 00:52 0 ----h--- c:\progra~2\PKP_DLdu.DAT
2009-05-07 22:59 106,496 a------- c:\windows\system32\ATL71.DLL
2009-05-01 19:57 86,016 a------- c:\windows\inf\infstor.dat
2009-04-23 08:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2008-10-26 22:23 86,399,322 a----r-- c:\users\dan\Videos.zip
2008-06-10 20:19 665,600 a------- c:\windows\inf\drvindex.dat
2008-06-08 19:11 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2001-08-22 13:15 245,760 a------- c:\windows\inf\i386\viceo.dll
2001-08-22 13:13 32,768 a------- c:\windows\inf\i386\Pmicro.dll
2001-08-22 13:13 61,440 a------- c:\windows\inf\i386\gl.dll
2001-08-03 18:29 13,824 a------- c:\windows\inf\i386\Usbscan.sys

============= FINISH: 23:00:03.19 ===============


Edited by Smak Runner 2K, 28 June 2009 - 10:01 PM.
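As an added example (editor's code, not from this thread and not part of Trend Micro's HijackThis), here is the triage a helper does by hand on a log like the one above, written down as rules: it parses the Rn/On rows and flags the load points a reviewer should verify by hand (Winsock LSP, AppInit_DLLs, autoruns from Temp, services with no vendor string, ActiveX downloads from hosts not on an allowlist, orphaned entries). The sample log is constructed in the HJT v2 layout; the O4 entry that runs from a Temp directory is invented to exercise that rule (the path is the one the OTM script earlier in the thread targeted), and the trusted-host list for O16 downloads is an assumption, not something HijackThis ships.

```python
import re

# Constructed sample in the HijackThis v2 layout, modelled on the log above. The
# O4 entry that starts from a Temp directory is invented to exercise that rule
# (the path is the one the OTM script earlier in the thread targeted); the other
# lines mirror entries that appear on this page.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows Vista SP1 (WinNT 6.00.1905)

Running processes:
C:\Windows\Explorer.EXE

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [xxwxcvq] C:\Users\Dan\AppData\Local\Temp\xxwxcvq.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")  # "O4 - ..." rows
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

# Hosts from which ActiveX (O16) downloads are expected on this machine; anything
# else gets a manual look. Assumption: this list is ours, not HijackThis's.
TRUSTED_DPF_HOSTS = ("fpdownload.macromedia.com", "download.microsoft.com", "java.sun.com")

# An autostart that points into a Temp directory is the classic dropper pattern.
TEMP_PATH_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_entries(log_text):
    """Return the Rn/Fn/Nn/On rows of a HijackThis log as {"code", "body"} dicts,
    skipping the header, the process list and the footer."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"code": m.group("code"), "body": m.group("body")})
    return entries


def triage(log_text):
    """Apply review rules to each entry and return the ones that need a human
    look, with the reason. Nothing here says "malicious": the rules pick out the
    load points (LSP, AppInit_DLLs, autoruns, services, ActiveX) where a reviewer
    should confirm the file and its signer before deciding."""
    findings = []
    for e in parse_entries(log_text):
        code, body, reason = e["code"], e["body"], None
        if code == "O10":
            # A Winsock LSP sits in the path of every socket, so a hijacked one can
            # redirect or block traffic (e.g. to vendor update sites). wpclsp.dll is
            # the Vista Parental Controls LSP, but the reviewer confirms that, not the tool.
            reason = "Winsock LSP: confirm the DLL is a known Windows or vendor component"
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            reason = "AppInit_DLLs: loaded into every process that uses user32; confirm signer"
        elif code == "O4" and TEMP_PATH_RE.search(body):
            reason = "autostart runs a file from a Temp directory"
        elif code == "O23" and " - Unknown owner - " in body:
            reason = "service with no vendor string: verify the binary by hash or signature"
        elif code == "O16":
            m = URL_RE.search(body)
            host = m.group(1).lower() if m else ""
            if host not in TRUSTED_DPF_HOSTS:
                reason = "ActiveX download from untrusted host " + (host or "<none>")
        elif code.startswith("R") and body.endswith("(no file)"):
            reason = "orphaned registry entry (cosmetic; safe to fix)"
        if reason:
            findings.append({"code": code, "reason": reason, "entry": body})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']:4} {f['reason']}\n     {f['entry']}")
```

Run against the sample, six of the ten rows come back (R3, O4, O10, O16, O20, O23) and the AVG, Flash and Sony-signed rows do not. The point of the allowlist-plus-location rules is that the log alone cannot tell a benign LSP or AppInit DLL from a hijacked one; the rules say where to look, and the file's signature or hash settles it.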


#14 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:44 PM

Posted 08 July 2009 - 07:14 AM

Hello Smak Runner 2K,

Please clear the DNS cache:
* Go to Start > All Programs > Accessories > Command Prompt
* Right-click on it and ‘Run As Administrator’
* Type the following and hit Enter: ipconfig /flushdns
* After a few moments you should be able to see a confirmation window: Windows IP Configuration. Successfully flushed the DNS Resolver Cache.
If you connect to the internet using a modem/router, please disconnect the network cable, then power down the modem/router (disconnect power cable), wait for 10 minutes and reboot the modem/router + connect cable.

Still not possible to update MBAM?

Download the following file and save to your desktop : http://live.sysinternals.com/procexp.exe
Rename the file to winlogon.exe and then run it.
Once completed, save a log (click the disk icon) to your desktop as proc.txt, and post the contents in your next reply.

Greetings,
Thunder

Edited by Thunder, 08 July 2009 - 07:29 AM.

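As an added example (editor's code, not part of Thunder's instructions), the two checks behind the DNS advice above, written so they run on a copy of the output taken from the infected machine: parse `ipconfig /all` and report resolvers that are neither the router nor an expected ISP server, and scan the hosts file for entries that pin security-vendor domains, which is one common way a victim is kept off a site like malwarebytes.org (whether this particular machine used that mechanism is not shown in the thread). The ipconfig and hosts samples are constructed with RFC 1918 and TEST-NET-2 documentation addresses; the expected-resolver and watched-domain lists are assumptions to be replaced with your own.

```python
import ipaddress
import re

# Constructed `ipconfig /all` output (Vista layout, trimmed to the rows used).
# LAN addresses are RFC 1918; the "unexpected" resolvers use TEST-NET-2
# (198.51.100.0/24). Nothing is copied from the machine in this thread.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
   DNS Servers . . . . . . . . . . . : 198.51.100.23
                                       198.51.100.24

Wireless LAN adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Constructed hosts file: stock entries plus two that pin the Malwarebytes site to loopback.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       malwarebytes.org      # pinned: site unreachable
127.0.0.1       www.malwarebytes.org
"""

WATCH_DOMAINS = ("malwarebytes.org", "avg.com")  # assumption: the vendors you rely on
FIELD_RE = re.compile(r"^\s+(?P<key>[^:.]+?)[ .]*:\s?(?P<val>.*)$")  # "  Key . . : value"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipconfig(text):
    """Map adapter name -> {"dhcp": bool, "dns": [resolvers]}. Extra resolvers sit on
    continuation rows without a key, so the last key seen is remembered."""
    adapters, current, last_key = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" ") and raw.rstrip().endswith(":"):  # adapter header
            current = raw.rstrip()[:-1]
            adapters[current] = {"dhcp": False, "dns": []}
            last_key = None
            continue
        if current is None:  # rows of the global block above the first adapter
            continue
        m = FIELD_RE.match(raw)
        if m:
            key, val = m.group("key").strip(), m.group("val").strip()
            last_key = key
        elif last_key == "DNS Servers":
            key, val = last_key, raw.strip()  # continuation row
        else:
            continue
        if key == "DHCP Enabled":
            adapters[current]["dhcp"] = (val == "Yes")
        elif key == "DNS Servers" and val:
            adapters[current]["dns"].append(val)
    return adapters


def is_lan_address(addr):
    # True for an RFC 1918 IPv4 address, i.e. the home router itself.
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918)


def unexpected_dns(adapters, expected):
    """Per adapter, resolvers that are neither on the LAN nor in the operator's
    expected list (the ISP resolvers you know the router hands out)."""
    out = {}
    for name, a in adapters.items():
        bad = [d for d in a["dns"] if d not in expected and not is_lan_address(d)]
        if bad:
            out[name] = bad
    return out


def hosts_overrides(hosts_text, watch):
    """(address, hostname) pairs that pin a watched domain or one of its subdomains.
    Any such entry blocks or redirects the site, so the address is reported, not judged."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        addr, *names = line.split()
        for n in names:
            if any(n.lower() == d or n.lower().endswith("." + d) for d in watch):
                hits.append((addr, n))
    return hits
```

Usage on a real box: save `ipconfig /all > ipcfg.txt` and copy `%SystemRoot%\System32\drivers\etc\hosts`, then call `unexpected_dns(parse_ipconfig(open("ipcfg.txt").read()), expected=["<your ISP's resolvers>"])` and `hosts_overrides(open("hosts").read(), WATCH_DOMAINS)`. On the sample the Ethernet adapter reports both TEST-NET-2 resolvers and the hosts check returns the two malwarebytes.org pins. A resolver flagged on a DHCP-enabled adapter is worth chasing into the registry: a static `NameServer` value under the adapter's `{GUID}` key below `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces` overrides what DHCP handed out, and that value, plus the router's own DNS settings (hence Thunder's power-cycle), is where a DNS changer leaves its mark; `ipconfig /flushdns` only empties the cache and does not undo either.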

#15 Smak Runner 2K

Smak Runner 2K
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:06:44 AM

Posted 11 July 2009 - 09:13 AM

I can update MWB now...I'm running a scan as I type this.

Requested log attached.

Attached Files

  • Attached File  proc.txt   1.51KB   12 downloads




