Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


I was sent here by Garmanma as a last resort, please help!

  • This topic is locked This topic is locked
2 replies to this topic

#1 Lifetimer


  • Members
  • 23 posts
  • Local time:02:17 AM

Posted 28 July 2009 - 10:17 AM

Hi, we've been trying to get rid of my malware over in the other forum. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/243923/mbam-superantispyware-pro-and-system-restore-have-all-been-disabled-please-can-you-help/ ~ OB MBAM, SaS, and all other malware/spyware programs we tried can install and start, but then get shut down and disabled as soon as they start scanning. Also, search engines are redirected to shopping sites. This is my last chance before a reformat...

Here's my DDS log, thanks in advance for looking!

DDS (Ver_09-06-26.01) - NTFSx86
Run by HP_Administrator at 10:57:13.53 on Tue 07/28/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1186 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: Taskman=c:\recycler\s-1-5-21-2472019254-3466077513-381103178-9634\msimfo32.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1909403A-83C7-4546-9CA4-F73BD2837D0C} - No File
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: : {48952320-c4ca-4d1c-8bd3-b874ea21cfc3} - c:\windows\system32\gyfucpq.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\9f5d4358-5577-44e8-9825-0a1561c14095.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Alcmtr] ALCMTR.EXE
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [UVS12 Preload] c:\program files\corel\corel videostudio 12\uvPL.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware3\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - c:\program files\microsoft office\office\1033\OLFSNT40.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229208958731
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229226839765
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: dicnhnot - gyfucpq.dll
AppInit_DLLs: cykmot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-29 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-25 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-25 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-25 108552]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-25 298776]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 MediaMall Server;MediaMall Server;c:\program files\mediamall\MediaMallServer.exe [2009-5-22 4295680]
R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [2009-7-2 20480]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
S2 srenum;srenum;c:\windows\system32\drivers\srenum.sys --> c:\windows\system32\drivers\srenum.sys [?]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-7-26 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-7-26 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-7-26 81288]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-7-26 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-7-26 1079176]

=============== Created Last 30 ================

2009-07-26 21:50 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-26 21:50 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-26 21:50 --d----- c:\program files\Malwarebytes' Anti-Malware3
2009-07-26 21:06 --d----- c:\program files\SUPERAntiSpyware
2009-07-26 21:05 --d----- c:\program files\common files\Wise Installation Wizard
2009-07-26 00:25 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-07-26 00:25 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-07-26 00:25 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-07-26 00:25 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-07-26 00:25 --d----- c:\program files\Spyware Doctor
2009-07-26 00:25 --d----- c:\docume~1\hp_adm~1\applic~1\PC Tools
2009-07-26 00:22 --d----- c:\program files\Bazooka Scanner
2009-07-25 22:08 --d-h--- C:\$AVG8.VAULT$
2009-07-25 22:01 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-25 22:01 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-25 22:01 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-25 22:01 --d----- c:\windows\system32\drivers\Avg
2009-07-25 22:01 --d----- c:\program files\AVG
2009-07-25 22:01 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-07-25 21:57 --d----- c:\docume~1\hp_adm~1\applic~1\AVG8
2009-07-25 15:30 --d----- c:\program files\hairtear
2009-07-25 15:27 --d----- c:\program files\Malwarebytes' Anti-Malware2
2009-07-25 12:18 --d----- c:\documents and settings\hp_administrator\DoctorWeb
2009-07-24 00:44 --d----- c:\program files\Malw
2009-07-23 22:38 24,576 a------- c:\windows\system32\VundoFixSVC.exe
2009-07-23 14:03 2 a------- C:\-331059287
2009-07-23 14:02 2 a------- c:\windows\0101120101464849.dat
2009-07-23 14:02 2 a------- c:\windows\010112010146118114.dat
2009-07-23 14:02 202 a------- c:\windows\prxid93ps.dat
2009-07-02 11:59 20,480 a------- c:\windows\system32\drivers\ndisrd.sys
2009-07-01 00:53 --d----- C:\VundoFix Backups
2009-06-29 11:08 --d----- c:\program files\common files\muvee Technologies

==================== Find3M ====================

2009-06-17 16:28 150,588 a------- c:\windows\hpoins33.dat
2009-06-08 11:01 10,856 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-05-10 11:47 578,560 a------- c:\windows\system32\dllcache\user32.dll
1998-12-09 03:53 186,368 a------- c:\program files\common files\IRAREG.DLL
1998-12-09 03:53 99,840 a------- c:\program files\common files\IRAABOUT.DLL
1998-12-09 03:53 70,144 a------- c:\program files\common files\IRAMDMTR.DLL
1998-12-09 03:53 48,640 a------- c:\program files\common files\IRALPTTR.DLL
1998-12-09 03:53 31,744 a------- c:\program files\common files\IRAWEBTR.DLL
1998-12-09 03:53 17,920 a------- c:\program files\common files\IRASRIAL.DLL
2007-06-20 17:13 22 a--sh--- c:\windows\sminst\HPCD.SYS

============= FINISH: 10:57:42.79 ===============

Edited by Orange Blossom, 28 July 2009 - 03:39 PM.

BC AdBot (Login to Remove)



#2 SifuMike


    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:17 AM

Posted 06 August 2009 - 12:12 AM

Hello Lifetimer,

Sorry for the delay, we have many logs backed up. :thumbup2:

If you still need help, then please do the following:

Open HijackThis 2.0.2
Press the button 'View Misc Tools Section'
Press the button 'open uninstall manager'
Press the button 'save list'
Save it to your desktop.
Press Save. Save it your desktop.
A notepad file will open.
If no notepad opens then it will be on your desktop (where you saved it)
Post the content here in your reply.
Close HijackThis.


Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.


Download Lop S&D
Lop S&D will only run on Windows XP and Windows Vista

Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D.
To see how to disable security programs visit this tutorial:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

You can enable them after the scan.

You can find a detailed instructions with visuals here

Double-click Lop S&D.exe

If you are using Windows Vista, right-click on LopSD.exe icon and select 'Run as administrator' to perform this scan.

Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)

Edited by SifuMike, 06 August 2009 - 12:25 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike


    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:17 AM

Posted 13 August 2009 - 10:37 PM

Due to inactivity, this thread will now be closed.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users