Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Probable System Security 2009 infection

  • This topic is locked This topic is locked
12 replies to this topic

#1 Orion99


  • Members
  • 8 posts
  • Local time:07:05 PM

Posted 24 July 2009 - 11:22 PM

Please help I am getting desparate...this is as detailed an analysis as I can manage:

Kaspersky scan follows the dds scan and the problem description.

The infection began, probably, as a 'System Security 2009' virus. It changed my background to

the fake security add beginning with: "Security System Protect your PC" and "WARNING


then the warning to protect my wife family job and so on. At first it took over everything then

using task manager I waited for the numerical process to flash up and I stopped the process

which remove the background and many of the symptoms. I then removed a number of viruses

and trojans such as Trojan Horse Generic 13ATPH, V-packed Monder, Trojan Horse Clicker

AAIP, Trojan Horse VB.jcy. by removing devopaha.dll and kayukore.dll

I was unable to remove Trojan.win32.tdds.aekg with aparently resides at:

C:\window\system32\UACecknyxynadctuycjav.dll which Kaspersky and AVG 8.5 can locate

but cannot heal or delete and is apparently invisible through the cmd prompt or anywhere else.

I cannot boot into safe mode (BSOD appears with the warning "a problem has been detected

and windows has been shut down to prevent damage to your computer." Occasionally, it will

give the alert IRQL_NOT_LESS_OR_EQUAL but usually it is followed by a variety of

different codes soch as )X00000008E (OXC0000005, 0X84D92c2, 0XF71C15C4,

DX00000000) and then begins physical dump. The numbers and letters change each time

however. The same thing happens when I attempt to do a search in windows and use several

other programs like registry editor.

Spyware Terminator realtime shield pops up a warning saying the it has encountered a problem

and has to close. Ad-Aware, Spybot Search and Destroy and Malawarebytes will not function.

All my old restore points are now missing. Stopzilla will not install, AVG Free 8.5 will scan but

will not remove the viruses

A popup comes up continually saying "webpage you requested is not available offline. To view

this page click connect. It is unavailable because I took the unit offline.


DDS (Ver_09-06-26.01) - FAT32x86
Run by orion at 17:27:49.32 on Fri 07/24/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.450 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

AV: McAfee VirusScan *On-access scanning enabled* (Updated)

FW: McAfee Personal Firewall Plus *enabled*


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
D:\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Common Files\Apple\Mobile Device

C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\ewidoctrl.exe
C:\Program Files\Java\jre6\bin\jqs.exe
D:\Spyware Terminator\sp_rsser.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgentNT.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\EPSON\EBAPI\EBRR.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
D:\Spyware Terminator\SpywareTerminatorShield.exe
D:\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Documents and Settings\Orion\Desktop\Virus Removal Tool\is-MVEVI\is-MVEVI.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/comcast.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uSearch Bar = hxxp://www.google.com/ie
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} -

c:\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program

files\winamp toolbar\winamptb.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program

BHO: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910}

- c:\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} -

c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} -

c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\adobe\adobe acrobat

TB: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program

TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp

TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\adobe\adobe acrobat

EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} -

EB: IE DOM Explorer: {a202b231-ef71-4a08-bdb9-4ce5ae8bde0a} -

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {8BCB5337-EC01-4E38-840C-A964F174255B} - No File
uRun: [SpywareTerminatorUpdate] "d:\spyware terminator\SpywareTerminatorUpdate.exe"
mRun: [SpywareTerminator] "d:\spyware terminator\SpywareTerminatorShield.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: &Add animation to IncrediMail Style Box
IE: Convert link target to Adobe PDF - c:\adobe\adobe acrobat

IE: Convert link target to existing PDF - c:\adobe\adobe acrobat

IE: Convert selected links to Adobe PDF - c:\adobe\adobe acrobat

IE: Convert selected links to existing PDF - c:\adobe\adobe acrobat

IE: Convert selection to Adobe PDF - c:\adobe\adobe acrobat

IE: Convert selection to existing PDF - c:\adobe\adobe acrobat

IE: Convert to Adobe PDF - c:\adobe\adobe acrobat

IE: Convert to existing PDF - c:\adobe\adobe acrobat

IE: Send to &Bluetooth Device... - d:\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - d:\widcomm\bluetooth software\btsendto_ie.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program

IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} -

{9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program

Trusted Zone: comcast.net\www
Trusted Zone: zap2it.com\dishnetwork.tvlistings
Trusted Zone: zap2it.com\www
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} -

DPF: {17492023-C23A-453E-A040-C7C580BBF700} -

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -







DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program

Notify: avgrsstarter - avgrsstx.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - No File
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} -

SEH: CShellExecuteHookImpl Object: {54d9498b-cf93-414f-8984-8ce7fde0d391} -

c:\program files\ewido\shellhook.dll
SEH: Microsoft AntiMalware ShellExecuteHook:

{091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Notification Packages = scecli c:\windows\system32\volosejo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\orion\applic~1\mozilla\firefox\profiles\mw3mwo8c.default\
FF - prefs.js: browser.search.selectedEngine - Comcast Search
FF - prefs.js: browser.startup.homepage -

FF - component: c:\documents and settings\orion\application


FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\orion\application


FF - plugin: c:\documents and settings\orion\application


FF - plugin: c:\documents and settings\orion\local settings\application

FF - plugin: c:\documents and settings\orion\local settings\application

FF - plugin: d:\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: d:\divx\divx web player\npdivx32.dll
FF - plugin: d:\firefox\plugins\NPMGWRAP.DLL
FF - plugin: d:\firefox\plugins\npPandoWebInst.dll
FF - plugin: d:\firefox\plugins\npunagi2.dll
FF - plugin: d:\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: d:\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference -

FF - HiddenExtension: Java Console: No Registry Reference -

FF - HiddenExtension: Java Console: No Registry Reference -

FF - HiddenExtension: Java Console: No Registry Reference -


FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee

Privacy Service

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-23 64160]
R0 sonypvl2;sonypvl2;c:\windows\system32\drivers\sonypvl2.sys [2009-2-1 19478]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys

[2009-6-15 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver

x86;c:\windows\system32\drivers\avgmfx86.sys [2007-3-26 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys

[2009-6-15 108552]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\cinemsup.sys [2003-12-19 6656]
R1 ewido security suite driver;ewido security suite driver;c:\program files\ewido\guard.sys

[2004-11-22 3072]
R1 is-MVEVIdrv;is-MVEVIdrv;c:\windows\system32\drivers\91111516.sys [2009-7-22

R1 sonypvf2;sonypvf2;c:\windows\system32\drivers\sonypvf2.sys [2009-2-1 635017]
R1 sonypvt2;sonypvt2;c:\windows\system32\drivers\sonypvt2.sys [2009-2-1 431236]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys

[2009-6-14 142592]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-6-15

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-15 298776]
R2 ewido security suite control;ewido security suite control;c:\program files\ewido\ewidoctrl.exe

[2005-11-30 13888]
R2 HIDKbFlt;HIDKbFlt.SvcDesc%;c:\windows\system32\drivers\HIDKbFlt.sys [2005-7-25

R2 PCC_PFW;PC-Cillin Personal Firewall;c:\windows\system32\drivers\PCC_PFW.sys

[2002-5-31 57468]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2002-3-16 201984]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2002-3-16 20864]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe

[2006-11-3 13592]
S2 Tmntsrv;Trend NT Realtime Service;"d:\pc-cillin\tmntsrv.exe" --> d:\pc-cillin\Tmntsrv.exe

S3 Ati0xbqrhmr;Ati0xbqrhmr; [x]
S3 ati2mpaa;ati2mpaa;c:\windows\system32\drivers\ati2mpaa.sys [2005-10-25 281856]
S3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys

[2005-3-30 173824]
S3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236

MK3);c:\windows\system32\drivers\aticxtun.sys [2005-3-30 29184]
S3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys

[2005-3-30 9088]
S3 ATIPCXXX;ATI Parental control device;c:\windows\system32\drivers\atipcxxx.sys

[2005-10-25 10240]
S3 ATIVRVXX;ATI Rage Theatre Video

(ATIRTCAP);c:\windows\system32\drivers\atirtcap.sys [2005-10-25 49920]
S3 ATIVXSXX;ATI Audio Crossbar (ATIVXBAR);c:\windows\system32\drivers\ativxbar.sys

[2005-10-25 26624]
S3 CrystalSysInfo;CrystalSysInfo;\??\d:\mediacoder iphone edition\sysinfo.sys -->

d:\mediacoder iphone edition\SysInfo.sys [?]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver

(WDM);c:\windows\system32\drivers\ctlsb16.sys [2006-1-30 96256]
S3 DVXUSBKS;DVXCEL Streaming Class

Driver;c:\windows\system32\drivers\DVXUSBKS.sys [2005-10-25 42146]
S3 DVXUSBLD;DVXUSBLD;c:\windows\system32\drivers\DVXUSBLD.SYS [2005-10-25

S3 ElevatorService;ElevatorService;d:\riptiger\ElevatorService.exe [2009-7-7 180224]
S3 Lmtsosncstat;Lmtsosncstat;c:\windows\system32\findstr.exe [2006-2-28 27136]
S3 MBAMCatchMe;MBAMCatchMe;\??\c:\windows\system32\drivers\mbamcatchme.sys -->

c:\windows\system32\drivers\mbamcatchme.sys [?]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6

S3 pcmstub;pcmstub;\??\c:\windows\system32\pcmstub.sys -->

c:\windows\system32\pcmstub.sys [?]
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2009-7-7 23096]
S3 uty0mtk3;AVZ Kernel Driver;\??\c:\windows\system32\drivers\uty0mtk3.sys -->

c:\windows\system32\drivers\uty0mtk3.sys [?]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter

Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2006-8-24 477696]
S4 AntiSpywareService;Comcast AntiSpyware;c:\program

files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-3-16 616408]
S4 ewido security suite guard;ewido security suite guard;c:\program files\ewido\ewidoguard.exe

[2005-12-18 151616]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware

Service;"d:\ad-aware\ad-aware\aawservice.exe" --> d:\ad-aware\ad-aware\AAWService.exe

S4 PCCPFW;PC-cillin PersonalFirewall;d:\pc-cillin\pccpfw.exe --> d:\pc-cillin\PCCPFW.exe

S4 STSService;STSService;"c:\program files\soundtaxi media suite\stsservice.exe" -->

c:\program files\soundtaxi media suite\STSService.exe [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2009-07-24 14:18 <DIR> --d----- C:\!KillBox
2009-07-23 14:06 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-23 14:05 <DIR> --d-h---

2009-07-23 13:45 <DIR> --d-h--- c:\docume~1\alluse~1\applic~1\~0
2009-07-23 09:05 148,496 a------- c:\windows\system32\drivers\45953154.sys
2009-07-22 12:58 148,496 a------- c:\windows\system32\drivers\91111516.sys
2009-07-22 11:15 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-07-21 19:58 <DIR> --d----- c:\program files\iPod
2009-07-21 19:56 <DIR> --d----- c:\program files\iTunes
2009-07-08 08:30 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-07-08 08:30 85,504 a------- c:\windows\system32\ff_vfw.dll
2009-07-07 14:25 <DIR> --d----- C:\Converted
2009-07-07 14:06 23,096 a------- c:\windows\system32\drivers\SndTAudio.sys
2009-07-06 10:21 257,536 a------- c:\windows\system32\gfbaksm.dat
2009-07-06 10:20 257,536 a------- c:\windows\system32\hdkernel.dll
2009-07-06 10:20 1,330,176 a------- c:\windows\system32\vbshd.dll
2009-07-05 16:40 38 a------- c:\windows\avisplitter.ini
2009-07-05 16:37 <DIR> --d----- c:\program files\FLVCodec
2009-07-05 13:50 156,672 a------- c:\windows\system32\rmc_fixasf.exe
2009-07-05 13:50 237,568 a------- c:\windows\system32\rmc_rtspdl.dll
2009-07-05 13:47 323,584 a------- c:\windows\system32\AUDIOGENIE2.DLL
2009-07-05 13:47 <DIR> --d----- c:\windows\Replay Media Catcher
2009-07-05 13:02 <DIR> --d----- C:\downloads
2009-07-05 13:02 <DIR> --d----- c:\docume~1\orion\applic~1\GrabPro
2009-07-05 12:56 1,700,352 a------- c:\windows\system32\GdiPlus.dll
2009-07-05 12:56 221,215 a------- c:\windows\system32\divxdec.ax
2009-07-04 19:43 <DIR> --d----- c:\program files\WinPcap
2009-07-04 17:00 <DIR> --d----- c:\docume~1\orion\applic~1\Moyea
2009-07-02 11:04 <DIR> --d----- c:\docume~1\orion\applic~1\DiskAid

==================== Find3M ====================

2009-07-10 07:56 4,456 a------- c:\windows\system32\d3d9caps.dat
2009-06-15 07:51 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-15 07:51 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-15 07:51 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-14 18:04 142,592 a------- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-05-29 17:37 205,824 a------- c:\windows\system32\xvidvfw.dll
2009-05-29 17:31 881,664 a------- c:\windows\system32\xvidcore.dll
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-05-01 17:03 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-05-01 17:03 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-05-01 17:02 90,112 a------- c:\windows\system32\dpl100.dll
2009-05-01 17:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-01 17:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-01 17:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-01 17:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-01 17:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-01 17:02 685,056 a------- c:\windows\system32\DivX.dll
2009-04-29 00:46 3,068,928 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 00:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-29 00:46 666,624 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 00:46 620,032 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 00:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-29 00:46 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-04-29 00:46 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2008-05-29 12:24 61,224 a------- c:\documents and

2007-04-15 22:37 28,366 a------- c:\program files\INSTALL.LOG
2008-09-21 16:53 952 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-21 16:51 88 ---shr-- c:\windows\system32\FD81847F12.sys

============= FINISH: 17:29:55.04 ===============


Scanned: 897378
Detected: 1
Untreated: 1
Start time: 7/24/2009 5:23:49 PM
Duration: 05:45:10
Finish time: 7/24/2009 11:08:59 PM

Status Object
------ ------
detected: Trojan program Trojan.Win32.TDSS.aekg File:


Time Name Status Reason
---- ---- ------ ------

Object Scanned Detected Untreated Deleted Moved to Quarantine Archives

Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- --------

------------ ------------------ ---------

Parameter Value
--------- -----
Security Level Custom
Action Disinfect, delete if disinfection fails
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats Yes
Scan password-protected archives Yes
Enable iChecker technology Yes
Enable iSwift technology Yes
Show detected threats on "Detected" tab Yes
Rootkits search Yes
Deep rootkits search Yes
Use heuristic analyzer Yes

Status Object Size Added
------ ------ ---- -----

Status Object Size
------ ------ ----

Attached Files

BC AdBot (Login to Remove)


#2 sundavis


  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:06:05 PM

Posted 02 August 2009 - 11:36 AM

Hi Orion99,

Welcome to BleepingComputer HijackThis Logs and Malware Removal, :thumbup2:
My name is sundavis, I will be helping you to deal with your Malware problems today.


If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:


Note: CombFix has recently been updated to include the option for installing the Recovery Console automatically. You will see the below prompt when you first run ComboFix:

Posted Image

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
It is a simple procedure that will only take a few moments of your time. Once Recovery Console is installed, you should see a blue screen prompt like the one below:

Posted Image

1.Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

2.Click Yes to allow Combofix to continue scanning for malware.

When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<info.txt (<

In your next reply, please post back:

1.Combofix log
2.RSIT log.txt and info.txt.

The log format is really unreadable. :) Before copying the logs into this thread, make sure you have unchecked word wrap under the log format tap. Thanks.

#3 Orion99

  • Topic Starter

  • Members
  • 8 posts
  • Local time:07:05 PM

Posted 02 August 2009 - 01:11 PM

I followed instructions as stated, including stopping any anti-virus or spyware programs but it will not run combofix program. When I click on the tiger icon the hourglass flashes for a nanosecond and then goes away and nothing. The RSIT.exe seems to run find and created the logs you indicated (attached). I have had similar issues when trying to install other programs such as Stopzilla. What do I do now?

Attached Files

  • Attached File  log.txt   51.72KB   10 downloads
  • Attached File  info.txt   38.08KB   2 downloads

#4 sundavis


  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:06:05 PM

Posted 02 August 2009 - 01:19 PM

Hi Orion99,

Please delete that copy of combofix from your desktop and redownload it again. Rename it Orion99.exe while saving it to your desktop.
Double click the Orion99.exe from your desktop and run the program. Before running it, disable your AV program and install the Recovery Console while prompted. Good luck!

#5 Orion99

  • Topic Starter

  • Members
  • 8 posts
  • Local time:07:05 PM

Posted 02 August 2009 - 03:00 PM

Ok all done...system ran chkdsk which it would not before. The logs follow

Attached Files

#6 sundavis


  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:06:05 PM

Posted 02 August 2009 - 05:39 PM

Hi Orion99,

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. In your case, you have an AVG Antivirus, and McAfee VirusScan Enterprise.
The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms".
It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Since AVG is an outdated version. Please remove it via Add/Remove programs. After that, go to Here to download AVG remover to clean the leftovers.

  • Close any open browsers
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPMb371c0e9]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tomafibewo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uninstall_CToolbar]

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Older versions Java have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 14...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) the following Java Runtime Environment (JRE or J2SE) in the name, and the following update:
    • Java™ 6 Update 13
      Java™ 6 Update 3
      Java™ 6 Update 5
      Java™ 6 Update 7
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.


Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  • Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  • Click Accept button on the "Requirements and limitations".
  • When Java warning " The applcation digital signature has been verified. Do you want to run the application " appears, Click on "Run" button.
  • It will be Downloading and installing the program and Updating the database.
  • When Updating the database have finished, click on Settings.
  • Make sure all boxes are checked. then click on the Save button.
  • Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  • Once the scan is completed, Click on View Scan Report.
  • You may see a list of infected items over there. Click on Save Report As.
  • Click "Desktop" , Name the file as "KAS", Change the Files of type to Text file (.txt) and Click on Save button.
  • Please post the contents in your next reply.
  • You can refer to this animation
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Please post back the logs in your next reply.

1.Combofix log
2.KAS Scan Report
3.Fresh HJT log

Tell me how your pc is running now.

#7 Orion99

  • Topic Starter

  • Members
  • 8 posts
  • Local time:07:05 PM

Posted 03 August 2009 - 09:41 AM

I have a couple issues that I do not understand. First, I uninstalled McAfee more than a year ago so is should not be on my system, yet it pops up when I run combofix. Secondly, when I drag the provided script over to combo fix it runs for a bit, giving me the McAfee warning, and then another warning:

"Were you trying to run cfs script? The name CFScript appears to be incorrectly spelt" (their use of spelt instead of spelt not mine). After I click the "OK" button it does not run any further. What should I do now?

#8 Orion99

  • Topic Starter

  • Members
  • 8 posts
  • Local time:07:05 PM

Posted 03 August 2009 - 09:48 AM

Whoops, my bad...can't type properly today. I mistyped the file name. It has been corrected and combofix is running. I told it to ignore McAfee. Unless there is something else I will proceed with the other steps as you outlined.

Thanks Orion

#9 sundavis


  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:06:05 PM

Posted 03 August 2009 - 11:05 AM

Hi Orion99,

I mistyped the file name

You should copy/paste the contents to the CFscript.txt, not to type. Since the McAfee had been uninstalled, You might try use MCPR removal tool to remove the leftovers.

If you need a free one, please go to Here to get Avira AntiVir Personal - It's a light version and a good detector as well.

#10 Orion99

  • Topic Starter

  • Members
  • 8 posts
  • Local time:07:05 PM

Posted 03 August 2009 - 05:14 PM

Okay all is done as requested. Logs attached.

Attached Files

#11 sundavis


  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:06:05 PM

Posted 03 August 2009 - 11:30 PM

Hi Orion99,

As far as those infected objects listed in the Kaspersky report, mIRC.exe comes from the default factory installation. It's a false positive and we can leave it as it should be.

As to the rest in the list, those can be safely tucked away in ComboFix's quarantine folder or in old System Restore Points, which we will be taking care of now.

Now, your system seems to be clear. :thumbup2: Do you have any remaining issues on your pc? If not, let's do some tidy up.


Click START then RUN
Now copy/paste Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

Posted Image

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

  • Please download OTC and save it to desktop.
  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Accept any prompts to let the program proceed.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
Remember to delete tools and all the logs we have used.

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  • Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  • Install a-squared Free -a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers

    A tutorial on installing & using this product can be found here:

    Clean your PC with a-squared Free

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here how to prevent Malware.

Glad to be of help. Safe surfing!!

#12 Orion99

  • Topic Starter

  • Members
  • 8 posts
  • Local time:07:05 PM

Posted 04 August 2009 - 08:20 AM

Thanks SOOOO much for your assistance. Now all is right with the world. You may want to note that A-squared is no longer available at the link you provided. However, it can be found here: http://download.cnet.com/A-squared-Free/30...4-10262215.html . Thanks again.


#13 sundavis


  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:06:05 PM

Posted 05 August 2009 - 10:57 PM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users