Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Bug Trio Affecting Eight D-Link Models Leads to Full Compromise

Featured Deal: Get The Pay What You Want: AWS Cloud Development Bundle Deal

I thought I had the Conficker Virus!

Started by jwilliams , Jul 24 2009 09:29 PM

This topic is locked

6 replies to this topic

#1 jwilliams

Members
35 posts
OFFLINE

Local time:06:50 AM

Posted 24 July 2009 - 09:29 PM

Originally, I was getting (and still getting) the userinit.exe application error. The data Execution Program also comes up after cancelling the userinit.exe error.
I began running antivirus software to remove any potential viruses. This is when I realized I couldn't access sites such as Bitdefender, Symantec, etc. I had read months ago that the Conficker virus would prevent updating antivirus and accessing Microsoft and antivirus software sites. I followed the directions for removing the Downadup and Conficker virus from the bleepingcomputer.com site. I downloaded and installed the MS08-067 Patch and ran the removal tool. The program states the system is clean. The next step was to proceed to post logs from the DDS program. I've downloaded and ran the DDS program. The DDS.txt and Attach.txt files are attached.

Thank you, in advance, for any help.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 2/13/2008 9:44:12 PM
System Uptime: 7/24/2009 8:34:01 PM (0 hours ago)

Motherboard: Dell Inc. | | 0MG532
Processor: Genuine Intel® CPU T2050 @ 1.60GHz | Microprocessor | 1596/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 50 GiB total, 28.318 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0001
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0001
Service: CVirtA

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 7.0
Adobe Shockwave Player
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOLIcon
AVG Free 8.5
Broadcom Management Programs
Cisco Systems VPN Client 4.8.02.0010
Conexant HDA D110 MDC V.92 Modem
Coupon Printer for Windows
Creative MediaSource 5
Creative System Information
Creative ZEN Nano Plus
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell ResourceCD
Dell System Restore
DellSupport
Digital Content Portal
Digital Line Detect
Eusing Free Registry Cleaner
Get High Speed Internet!
Google Desktop
HijackThis 1.99.1
Hotfix for Windows XP (KB952287)
hp deskjet 5550 series (Remove only)
hp print screen utility
Intel® Graphics Media Accelerator Driver
Intel® PROSet/Wireless Software
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Lexmark 730 Series
LimeWire 4.18.8
Macromedia Dreamweaver 8
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash MX
Macromedia Flash Player
Macromedia FreeHand 10
McAfee Uninstaller
mCore
MCU
mDrWiFi
MetaFrame Presentation Server Web Client for Win32
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Money 2005
Microsoft Office Outlook 2003 with Business Contact Manager Update
Microsoft Office Professional Edition 2003
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Microsoft Visual C++ 2005 Redistributable
mIWA
mLogView
mMHouse
Modem Helper
Mozilla Firefox (3.0.11)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch® Jukebox
mWlsSafe
mWMI
mXML
MySpaceIM
mZConfig
NetWaiting
Panda ActiveScan 2.0
QuickBooks Simple Start Special Edition
QuickSet
QuickTime
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
SmartFTP Client 2.0
SmartFTP Client 2.0 Setup Files (remove only)
Sonic Activation Module
Sonic Update Manager
Sound Blaster Audigy ADVANCED MB Demo
SpamBayes 1.0.4
Spyware Terminator
Synaptics Pointing Device Driver
TI-83 Plus Flash Debugger
Time Zone Data Update Tool for Microsoft Office Outlook
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Xvid 1.1.2 final uninstall

==== Event Viewer Messages From Past Week ========

7/24/2009 7:30:48 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Print Spooler service to connect.
7/24/2009 7:30:48 PM, error: Service Control Manager [7000] - The Print Spooler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/24/2009 7:18:13 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
7/24/2009 7:14:04 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD APPDRV AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT OMCI pavboot RasAcd Rdbss Tcpip
7/24/2009 7:14:04 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2009 7:14:04 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2009 7:14:04 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2009 7:14:04 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2009 7:13:33 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/18/2009 1:42:28 PM, error: NETLOGON [5719] - No Domain Controller is available for domain CRSTI due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
7/18/2009 1:17:39 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service lxcf_device with arguments "" in order to run the server: {323CE21C-A448-40AA-BA74-7FCF1E44106F}

==== End Of File ===========================

DDS (Ver_09-06-26.01) - NTFSx86
Run by brownsuga at 20:50:58.14 on Fri 07/24/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.518 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Janet Williams\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: musicmatch.com\online
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} - hxxp://www.blackberry.com/devicesoftware/AxLoader.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203232485640
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5525/mcfscan.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\janetw~1\applic~1\mozilla\firefox\profiles\neiggjli.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-30 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-15 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-15 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-15 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-15 298776]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]

=============== Created Last 30 ================

==================== Find3M ====================

2009-07-20 20:35 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-07-17 20:06 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-09 14:28 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 23:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-28 23:46 81,920 a------- c:\windows\system32\ieencode.dll

============= FINISH: 20:51:29.57 ===============

Attached Files

Attach.txt 8.53KB 0 downloads
DDS.txt 6.99KB 0 downloads

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 Elise

Bleepin' Blonde

Malware Study Hall Admin
61,314 posts
OFFLINE

Gender:Female
Location:Romania
Local time:02:50 PM

Posted 04 August 2009 - 02:20 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
- DDS.scr
- DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explaination about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

Malware analyst @ Emsisoft

#3 jwilliams

Topic Starter

Members
35 posts
OFFLINE

Local time:06:50 AM

Posted 04 August 2009 - 10:07 PM

The new DDS logs are attached.

Thanks.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 2/13/2008 9:44:12 PM
System Uptime: 8/4/2009 4:53:58 PM (5 hours ago)

Motherboard: Dell Inc. | | 0MG532
Processor: Genuine Intel® CPU T2050 @ 1.60GHz | Microprocessor | 1596/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 50 GiB total, 29.102 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0001
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0001
Service: CVirtA

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 7.0
Adobe Shockwave Player
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOLIcon
AVG Free 8.5
Broadcom Management Programs
Cisco Systems VPN Client 4.8.02.0010
Conexant HDA D110 MDC V.92 Modem
Coupon Printer for Windows
Creative MediaSource 5
Creative System Information
Creative ZEN Nano Plus
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell ResourceCD
Dell System Restore
DellSupport
Digital Content Portal
Digital Line Detect
Eusing Free Registry Cleaner
Get High Speed Internet!
Google Desktop
HijackThis 1.99.1
Hotfix for Windows XP (KB952287)
hp deskjet 5550 series (Remove only)
hp print screen utility
Intel® Graphics Media Accelerator Driver
Intel® PROSet/Wireless Software
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Lexmark 730 Series
LimeWire 4.18.8
Macromedia Dreamweaver 8
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash MX
Macromedia Flash Player
Macromedia FreeHand 10
McAfee Uninstaller
mCore
MCU
mDrWiFi
MetaFrame Presentation Server Web Client for Win32
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Money 2005
Microsoft Office Outlook 2003 with Business Contact Manager Update
Microsoft Office Professional Edition 2003
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Microsoft Visual C++ 2005 Redistributable
mIWA
mLogView
mMHouse
Modem Helper
Mozilla Firefox (3.0.13)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch® Jukebox
mWlsSafe
mWMI
mXML
MySpaceIM
mZConfig
NetWaiting
Panda ActiveScan 2.0
QuickBooks Simple Start Special Edition
QuickSet
QuickTime
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
SmartFTP Client 2.0
SmartFTP Client 2.0 Setup Files (remove only)
Sonic Activation Module
Sonic Update Manager
Sound Blaster Audigy ADVANCED MB Demo
SpamBayes 1.0.4
Spyware Terminator
Synaptics Pointing Device Driver
TI-83 Plus Flash Debugger
Time Zone Data Update Tool for Microsoft Office Outlook
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Xvid 1.1.2 final uninstall

==== Event Viewer Messages From Past Week ========

8/4/2009 2:10:58 AM, error: HTTP [15005] - Unable to bind to the underlying transport for 0.0.0.0:2869. The IP Listen-Only list may contain a reference to an interface which may not exist on this machine. The data field contains the error number.
7/31/2009 1:12:25 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Print Spooler service to connect.
7/31/2009 1:12:25 AM, error: Service Control Manager [7000] - The Print Spooler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/31/2009 1:12:18 AM, error: NETLOGON [5719] - No Domain Controller is available for domain CRSTI due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
7/29/2009 7:59:55 PM, error: Print [6161] - The document Test Page owned by brownsuga failed to print on printer hp deskjet 5550 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 196608. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\JWCRSTI. Win32 error code returned by the print processor: 2 (0x2).
7/29/2009 7:50:59 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
7/29/2009 7:50:59 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/29/2009 7:47:04 PM, error: Print [6161] - The document Test Page owned by suthern1 failed to print on printer hp deskjet 5550 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 77468. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\JWCRSTI. Win32 error code returned by the print processor: 2 (0x2).
7/29/2009 10:22:47 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service lxcf_device with arguments "" in order to run the server: {323CE21C-A448-40AA-BA74-7FCF1E44106F}

==== End Of File ===========================

DDS (Ver_09-06-26.01) - NTFSx86
Run by brownsuga at 21:58:35.64 on Tue 08/04/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.471 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Janet Williams\reader_s.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Janet Williams\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [reader_s] c:\documents and settings\janet williams\reader_s.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
mRun: [reader_s] c:\windows\system32\reader_s.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRun: [reader_s] c:\documents and settings\default user\reader_s.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: musicmatch.com\online
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} - hxxp://www.blackberry.com/devicesoftware/AxLoader.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203232485640
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5525/mcfscan.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\janetw~1\applic~1\mozilla\firefox\profiles\neiggjli.default\
FF - prefs.js: browser.startup.homepage - hxxp://track.moreniche.com/hit.php?w=155970&s=147
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-30 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-15 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-15 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-15 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-15 298776]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]

=============== Created Last 30 ================

2009-08-03 21:14 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-08-03 21:14 55,808 a------- c:\documents and settings\janet williams\reader_s.exe
2009-08-03 21:14 55,296 a------- c:\windows\system32\reader_s.exe
2009-07-26 11:32 128,000 a------- c:\windows\SC.INS
2009-07-26 11:32 0 a------- c:\windows\sc.exe
2009-07-26 11:32 <DIR> --d----- c:\program files\Protection System
2009-07-20 20:35 0 a------- c:\windows\system32\1A.tmp
2009-07-20 20:35 83,968 a------- c:\windows\system32\19.tmp
2009-07-20 20:35 40 a------- c:\windows\system32\17.tmp
2009-07-20 20:35 <DIR> --d----- c:\program files\Jcore
2009-07-20 20:35 <DIR> --d----- c:\docume~1\janetw~1\applic~1\pridl
2009-07-20 20:35 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-07-20 20:34 85 a------- c:\windows\system32\geyekrutbarwip.dat
2009-07-20 20:34 <DIR> --d----- c:\docume~1\janetw~1\applic~1\Messenger
2009-07-09 00:02 <DIR> --d----- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2009-08-04 19:00 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-08-03 21:14 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-07-17 20:06 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-26 11:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 11:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-09 14:28 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll

============= FINISH: 21:58:47.95 ===============

#4 extremeboy

Malware Response Team
12,975 posts
OFFLINE

Gender:Male
Local time:07:50 AM

Posted 05 August 2009 - 03:35 PM

Hello.

It seems you are infected with the file infector Virut. Those .tmp files and the reader_s.exe indicates it.

I would like you to still scan a few of the files please.

Scanning Files with Online Scanner

Please go to: VirusTotal

On the page you'll find a "Browse" button.
Next to the browse button you'll see a box to enter text.
Please copy/paste the following in BOLD:

C:\WINDOWS\system32\winlogon.exe

Then click the "Send File " button just below.
This will scan the file. Please be patient.
If the file is analyzed before click Reanalyse file now button.
Wait until the file is analyzed.
Once scanned, save (copy and paste) the results.
Please repeat the process for the following files:
- C:\WINDOWS\SYSTEM32\lsass.exe
- C:\WINDOWS\explorer.exe
- C:\Windows\System32\userinit.exe
Go back and post the results in your topic for review.

I would also, like you to run a GMER scan.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.

Please download GMER from one of the following locations, and save it to your desktop:
Main Mirror
This version will download a randomly named file (Recommended)
Zip Mirror
Alternate Zip Mirror 1
Alternate Zip Mirror 2

This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.

Close any and all open programs, as this process may crash your computer.
Double click or on your desktop.
When you have done this, close all running programs.
There is a small chance this application may crash your computer so save any work you have open.

Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
Allow the gmer.sys driver to load if asked.
If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO..

In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
- Sections
- IAT/EAT
- Registry
- Drives/Partition other than Systemdrive (typically C:\)
- Show all (Don't miss this one!)
Click on and wait for the scan to finish.
If you see a rootkit warning window, click OK.
Push and save the logfile to your desktop.
Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOKIT" entries

~Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to

#5 jwilliams

Topic Starter

Members
35 posts
OFFLINE

Local time:06:50 AM

Posted 05 August 2009 - 08:29 PM

Thank you for the reply.
However, at this time, I am getting so many Application Errors, it is hard to maneuver around then to accomplish anything.
I am also unable to get an internet connection... my wireless connection (icon) has also disappeared.

I will work on it a bit.
If I'm unable to get a connection to perform the online scans, I will have to reinstall.

Thanks,
J

#6 extremeboy

Malware Response Team
12,975 posts
OFFLINE

Gender:Male
Local time:07:50 AM

Posted 05 August 2009 - 09:22 PM

Hello.

Yes, that may be a very good idea here. From the symptoms and some of the indications, it appears you have the Virut file infector. :thumbup2:

Virut File Infector Warning

Your system is infected with a polymorphic file infector called Virut and also has IRC bot functionality. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr) and also web pages (.html and .htm). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.

For these reasons, you really can't truly fix Virut. You will need to reinstall and format the operating system on this machine. As of now, security experts suggest that a clean Reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.

Backup all your documents and important items (personal data, work documents, pictures etc..) only. DO NOT backup any executable files (softwares) and screensavers (*.scr) or any web pages (*.html or *.htm). It attempts to infect any accessed .exe or .scr or .html/.htm files by appending itself to the executable.

Also, try to avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

More information on Virut can be found over here and here

With Regards,
Extremeboy

#7 extremeboy

Malware Response Team
12,975 posts
OFFLINE

Gender:Male
Local time:07:50 AM

Posted 09 August 2009 - 10:19 AM

Hello.

Due to Lack of feedback, this topic is now Closed

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy