Help with malware


  • This topic is locked
19 replies to this topic

#1 dever

dever

  • Members
  • 33 posts
  • OFFLINE
  • Gender: Male
  • Location: NH
  • Local time: 08:56 AM

Posted 29 July 2009 - 02:44 PM

Hello,

I have what seems to be a malware infection of some sort... The trouble began with the appearance of a red circle with a white X in the tray, with the message "your computer is infected". I then experienced pop-ups from other fake spyware 'fix-it' sites such as Home Antivirus 2010, among others. My Processes tab within Task Manager included braviax.exe and msb.exe, which I learned were both trouble. I was able to rid myself of braviax (so I think), and the red X has since gone away. I am able to end the msb.exe process, but it will always restart on a reboot.

What else... My Spybot and Ad-Aware will not complete a scan, and when I attempt an AVG scan, it runs for 20-30 minutes and I get the dreaded "blue screen"; the error message is IRQL NOT LESS OR EQUAL.

Also... the new frustration with this whole infection is that Google (or any search engine) will redirect the results to different but similar web pages.

Hopefully this is enough info to get the ball rolling; I am quite the novice when it comes to anything much more involved than I have tried so far. I will paste the logs below.

Thanks again for any possible leads!


Thanks in advance...


DDS (Ver_09-06-26.01) - NTFSx86
Run by Dave at 15:25:06.03 on Wed 07/29/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.47 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Dave\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uWindow Title = Windows Internet Explorer provided by Comcast
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre0.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre0.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MalwareRemovalBot] c:\program files\malwareremovalbot\MalwareRemovalBot.exe -boot
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~2\mimboot.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSxmlHpr] RUNDLL32.EXE c:\windows\system32\msxm192z.dll,w
mRun: [Home Antivirus 2010] "c:\program files\homeantivirus2010\HomeAntivirus2010.exe" /hide
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: &Viewpoint Search - c:\program files\viewpoint\viewpoint toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: ccsmax.com\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2739AFF-FA40-4527-9A19-DE81795C2C03} - hxxp://moneycentral.msn.com/cabs/ticker.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dave\applic~1\mozilla\firefox\profiles\uxe6eowx.default
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\dave\application data\mozilla\firefox\profiles\uxe6eowx.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-5 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-22 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-22 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-22 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-5-12 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-22 298776]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [2008-4-16 99248]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]

=============== Created Last 30 ================

2009-07-29 14:20 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-29 14:20 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-29 14:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-29 09:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-29 09:15 <DIR> --d----- c:\docume~1\dave\applic~1\MalwareRemovalBot
2009-07-29 07:45 <DIR> --d----- C:\0c6c2174b97bd73c89f03e2e5f
2009-07-28 21:54 11,011 a------- c:\docume~1\alluse~1\applic~1\ucokulu.sys
2009-07-28 21:54 19,097 a------- c:\docume~1\dave\applic~1\isenyca.bin
2009-07-28 21:54 18,448 a------- c:\windows\buhicary._dl
2009-07-28 21:54 18,354 a------- c:\windows\izonasyw.scr
2009-07-28 21:54 17,999 a------- c:\docume~1\dave\applic~1\asajyn.reg
2009-07-28 21:54 16,833 a------- c:\windows\yxop.vbs
2009-07-28 21:54 16,782 a------- c:\windows\joqoloxaf.bin
2009-07-28 21:54 15,931 a------- c:\docume~1\alluse~1\applic~1\nubiryko.dat
2009-07-28 21:54 15,786 a------- c:\windows\system32\xuce.pif
2009-07-28 21:54 15,173 a------- c:\windows\oqyko.scr
2009-07-28 21:54 14,799 a------- c:\program files\common files\egydisadeq.dat
2009-07-28 21:54 13,240 a------- c:\docume~1\alluse~1\applic~1\ipika.sys
2009-07-28 21:54 10,316 a------- c:\windows\aporavi.reg
2009-07-28 21:54 10,032 a------- c:\windows\system32\hyxum.scr
2009-07-28 21:54 345,699 a------- c:\windows\system32\_scui.cpl
2009-07-28 21:14 182,210 a------- c:\windows\system32\wisdstr.exe
2009-07-28 15:58 146,432 a------- c:\windows\msb.exe
2009-07-28 15:57 6,144 a------- c:\windows\system32\cru629.dat
2009-07-28 15:57 6,144 a------- c:\windows\cru629.dat
2009-07-28 15:55 <DIR> --d----- c:\docume~1\dave\applic~1\Logs
2009-07-28 15:54 128 a------- C:\sd7vsbee108.bat
2009-07-28 15:51 30,208 a------- c:\windows\system32\dllcache\figaro.sys
2009-07-28 15:50 146,432 a------- c:\windows\msa.exe

==================== Find3M ====================

2009-07-28 21:54 14,964 a------- c:\program files\common files\usomunov.ban
2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 13:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 13:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 13:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 13:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 13:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 13:09 1,985,536 a------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 13:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 13:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 13:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 13:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 07:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-07-01 09:20 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-01 09:20 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-05 11:42 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-28 14:29 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-12 01:11 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-03-17 11:27 2,931,160 a------- c:\program files\FLV Player\FCSetup.exe
2008-09-01 15:47 26,562 a------- c:\program files\Gmaps Pedometer.htm
2008-09-22 21:27 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092220080923\index.dat

============= FINISH: 15:27:36.10 ===============

Edited by dever, 29 July 2009 - 03:35 PM.


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender: Male
  • Local time: 07:56 AM

Posted 07 August 2009 - 05:12 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 dever

dever
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Gender: Male
  • Location: NH
  • Local time: 08:56 AM

Posted 08 August 2009 - 09:26 AM

Thanks for the reply.

I am indeed still having major issues... In fact I am writing this reply from my laptop, as the computer in question is being inconsistent to put it mildly. I have been experiencing crashes either during the boot-up, or shortly thereafter. As far as what I have tried so far... I opened task manager processes and googled each of them. The following suspect processes have been running at one time or another: msb.exe, bravia.exe, a.tmp, c.exe, 8.tmp, 13394534.exe. This is probably not a complete list, as I just took those notes the last time I looked. I have been able to keep the machine running by monitoring the task manager and ending those suspect processes as they occur.

As I said in my first post, the "red X" seems to have gone away, and I am not currently seeing any fake virus scan pop-ups. I am still experiencing search result redirects, and more recently on windows start up I was getting a rundll error window: mslx.exe (I think that is what it was), so I went into the start menu and deselected that process.

That all brings us to the present: the computer just now booted up, I am looking at the desktop with no errors, but it appears to be in limbo - hourglass displayed when the cursor is hovered over the lower tray. It is quite possible I can reboot and things will work fine for a little while - very unpredictable (I was actually able to run an AVG scan last night for 3 hours, which located 50 threats).

I will stop rambling on and let you tell me what direction to proceed. I will try to get dds to run in the meantime... is that something I should try to use in safe mode?

Thanks again in advance for all the great work you folks do!

#4 dever

dever
  • Topic Starter

  • Members
  • 33 posts
  • Gender:Male
  • Location:NH
  • Local time:08:56 AM

Posted 08 August 2009 - 10:41 AM

OK, I got things running for another dds run... here are the two files.

Thanks again


DDS (Ver_09-06-26.01) - NTFSx86
Run by Dave at 11:21:56.85 on Sat 08/08/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.202 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Dave\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uWindow Title = Windows Internet Explorer provided by Comcast
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre0.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre0.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~2\mimboot.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [FaxCenterServer] "c:\program files\\lexmark fax solutions\fm3032.exe" /s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSxmlHpr] RUNDLL32.EXE c:\windows\system32\msxm192z.dll,w
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: &Viewpoint Search - c:\program files\viewpoint\viewpoint toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: ccsmax.com\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
DPF: {E2739AFF-FA40-4527-9A19-DE81795C2C03}
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dave\applic~1\mozilla\firefox\profiles\uxe6eowx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\dave\application data\mozilla\firefox\profiles\uxe6eowx.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-5 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-22 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-22 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-22 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-5-12 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-22 298776]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [2008-4-16 99248]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
UnknownUnknown bbynbomu;bbynbomu; [x]
UnknownUnknown fvruaziqq;fvruaziqq; [x]
UnknownUnknown ihxwatamf;ihxwatamf; [x]
UnknownUnknown kekep;kekep; [x]

=============== Created Last 30 ================

2009-08-08 11:10 71,808 a------- c:\windows\system32\drivers\bngzpurpncas.sys
2009-08-08 09:48 71,808 a------- c:\windows\system32\drivers\vfpprv.sys
2009-08-08 09:21 71,808 a------- c:\windows\system32\drivers\ipmngmrrzsibzvr.sys
2009-08-08 09:05 71,808 a------- c:\windows\system32\drivers\whrkmkppoonax.sys
2009-08-07 22:33 71,808 a------- c:\windows\system32\drivers\ubynusq.sys
2009-08-07 15:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\12364534
2009-08-07 13:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\13394534
2009-08-07 13:49 71,808 a------- c:\windows\system32\drivers\jrxwslencshumtg.sys
2009-08-07 13:43 71,808 a------- c:\windows\system32\drivers\shrfrukebw.sys
2009-08-03 19:02 65,536 a------- c:\windows\system32\drivers\vsfocexgipjxuj.sys
2009-08-03 19:01 65,536 a------- c:\windows\system32\drivers\siwqvnpcbdmextir.sys
2009-08-03 19:00 213,024 a------- c:\windows\system32\drivers\str.sys
2009-08-03 19:00 <DIR> --dsh--- c:\windows\system32\lowsec
2009-08-03 19:00 71,808 a------- c:\windows\system32\drivers\nideita.sys
2009-07-29 09:15 <DIR> --d----- c:\docume~1\dave\applic~1\MalwareRemovalBot
2009-07-29 07:45 <DIR> --d----- C:\0c6c2174b97bd73c89f03e2e5f
2009-07-28 21:54 11,011 a------- c:\docume~1\alluse~1\applic~1\ucokulu.sys
2009-07-28 21:54 19,097 a------- c:\docume~1\dave\applic~1\isenyca.bin
2009-07-28 21:54 18,448 a------- c:\windows\buhicary._dl
2009-07-28 21:54 18,354 a------- c:\windows\izonasyw.scr
2009-07-28 21:54 17,999 a------- c:\docume~1\dave\applic~1\asajyn.reg
2009-07-28 21:54 16,833 a------- c:\windows\yxop.vbs
2009-07-28 21:54 16,782 a------- c:\windows\joqoloxaf.bin
2009-07-28 21:54 15,931 a------- c:\docume~1\alluse~1\applic~1\nubiryko.dat
2009-07-28 21:54 15,786 a------- c:\windows\system32\xuce.pif
2009-07-28 21:54 15,173 a------- c:\windows\oqyko.scr
2009-07-28 21:54 14,799 a------- c:\program files\common files\egydisadeq.dat
2009-07-28 21:54 13,240 a------- c:\docume~1\alluse~1\applic~1\ipika.sys
2009-07-28 21:54 10,316 a------- c:\windows\aporavi.reg
2009-07-28 21:54 10,032 a------- c:\windows\system32\hyxum.scr
2009-07-28 15:58 146,432 a------- c:\windows\msb.exe
2009-07-28 15:55 <DIR> --d----- c:\docume~1\dave\applic~1\Logs
2009-07-28 15:54 128 a------- C:\sd7vsbee108.bat
2009-07-28 15:50 146,432 a------- c:\windows\msa.exe

==================== Find3M ====================

2009-08-03 16:20 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-28 21:54 14,964 a------- c:\program files\common files\usomunov.ban
2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 13:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 13:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 13:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 13:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 13:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 13:09 1,985,536 a------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 13:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 13:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 13:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 13:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 07:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-07-01 09:20 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-28 14:29 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-12 01:11 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-03-17 11:27 2,931,160 a------- c:\program files\FLV PlayerFCSetup.exe
2008-09-01 15:47 26,562 a------- c:\program files\Gmaps Pedometer.htm
2008-09-22 21:27 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092220080923\index.dat

============= FINISH: 11:32:53.82 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 11/17/2004 5:20:34 PM
System Uptime: 8/8/2009 11:12:12 AM (0 hours ago)

Motherboard: Dell Computer Corp. | | 0N6381
Processor: Intel® Pentium® 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 71 GiB total, 2.478 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================

Abacast Client
ABBYY FineReader 5.0 Sprint Plus
ABBYY FineReader 6.0 Sprint
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.6
Adobe SVG Viewer 3.0
Adobe® Photoshop® Album Starter Edition 3.0
Apple Mobile Device Support
Apple Software Update
Applian FLV Player
AVG Free 8.5
Banctec Service Agreement
Bonjour
CCScore
Comcast High-Speed Internet Install Wizard
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Photo AIO Printer 922
Dell Support 5.0.0 (630)
DING!
Easy Grade Pro
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
ESSvpaht
ESSvpot
ExamView Pro
EZFuse_Version_2
Freecorder Toolbar
Freecorder Toolbar 3.02 Application
Google Earth
Google Updater
HLPIndex
HLPSFO
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel® 537EP V9x DF PCI Modem
Intel® Extreme Graphics 2 Driver
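Several entries in the DDS log above are the kind a responder flags on first read: the Winlogon Userinit value loads an extra executable after userinit.exe, four services resolve to no file at all, a hidden system directory was dropped under system32, and a run of freshly created drivers with random names all share the same size. The script below is an added example (not part of this thread or of the DDS tool) that encodes those checks and runs them over a constructed sample built from lines of the posted log plus one benign AVG driver line as a negative case; the rule names and the three-driver threshold are my own choices.

```python
"""Triage of DDS-style log lines: flag the persistence and driver indicators a
responder looks for. Added example, not part of the thread or the DDS tool."""
import re
from collections import defaultdict

# Constructed sample assembled from entries in the DDS log posted above, plus one
# benign AVG driver line so the size-clustering rule has a negative case.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [MSxmlHpr] RUNDLL32.EXE c:\windows\system32\msxm192z.dll,w
UnknownUnknown bbynbomu;bbynbomu; [x]
UnknownUnknown kekep;kekep; [x]
2009-08-08 11:10 71,808 a------- c:\windows\system32\drivers\bngzpurpncas.sys
2009-08-08 09:48 71,808 a------- c:\windows\system32\drivers\vfpprv.sys
2009-08-07 22:33 71,808 a------- c:\windows\system32\drivers\ubynusq.sys
2009-08-03 19:00 <DIR> --dsh--- c:\windows\system32\lowsec
2009-08-03 16:20 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
"""

# "Created Last 30" / "Find3M" entry layout: date time size attributes path
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]+) (?P<path>.+)$"
)
# Run key whose command is rundll32 loading some DLL
RUNDLL_RE = re.compile(r"^[mu]run: \[[^\]]+\] rundll32(\.exe)? ", re.IGNORECASE)


def triage(log_text):
    """Return a list of (rule, line) findings for the suspicious entries in log_text."""
    findings = []
    drivers_by_size = defaultdict(list)

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()

        if low.startswith("mwinlogon: userinit="):
            # Winlogon should launch userinit.exe and nothing else; any extra
            # comma-separated entry is executed at every logon.
            entries = [e.strip() for e in line.split("=", 1)[1].split(",") if e.strip()]
            if any(not e.lower().endswith("\\userinit.exe") for e in entries):
                findings.append(("userinit-hijack", line))
        elif low.startswith("unknownunknown") and line.endswith("[x]"):
            # Service is registered but DDS cannot resolve its binary.
            findings.append(("unresolved-service", line))
        elif RUNDLL_RE.match(line):
            # Run key that loads a DLL through rundll32; worth a manual look.
            findings.append(("rundll32-autorun", line))
        else:
            m = FILE_RE.match(line)
            if not m:
                continue
            size, attrs, path = m.group("size"), m.group("attrs"), m.group("path")
            lpath = path.lower()
            if size == "<DIR>" and "s" in attrs and "h" in attrs and "\\system32\\" in lpath:
                # Hidden+system directory dropped under system32.
                findings.append(("hidden-system-dir", line))
            elif lpath.endswith(".sys") and "\\drivers\\" in lpath:
                drivers_by_size[size].append(line)

    # Several freshly created drivers with different random names but identical
    # size is the signature of one component being re-dropped on every boot.
    for lines in drivers_by_size.values():
        if len(lines) >= 3:
            findings.extend(("driver-size-cluster", l) for l in lines)
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:22} {line}")
```

Run against the sample it reports eight findings and leaves the igfxtray run key and the lone AVG driver alone; the same function can be pointed at a full DDS.txt, where the "Created Last 30" block is where the driver clustering pays off.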

#5 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:07:56 AM

Posted 09 August 2009 - 08:35 AM

Hi dever,

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Please reply and let me know how you want to proceed.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#6 dever

dever
  • Topic Starter

  • Members
  • 33 posts
  • Gender:Male
  • Location:NH
  • Local time:08:56 AM

Posted 09 August 2009 - 08:52 AM

I understand the risks associated with these monsters once they get infested... I had already changed passwords using my laptop. I would still like to get things cleaned up though, if only to thoroughly go through my files/photos, etc. to back up what's important before a reformat - none of which I can do in this computer's current state... Which brings me to where I'm at now - what I said in my last post about not having recently experienced the fake alert pop-ups was premature to say the least. I am getting multiple infection alerts which have crippled my ability to do anything (open a browser, open task manager, run AV, etc.). My desktop background has now been changed to "WARNING YOU'RE IN DANGER" plus a lot of other scary stuff not even written with proper grammar.

I know you will probably have me download and run various cleaner programs, how will I be able to do this in the computer's current condition? I have not tried to boot up in safe mode since this latest attack of pop-ups, as I wanted to wait for some better advice from you.

Thanks again

Edited by dever, 09 August 2009 - 08:54 AM.


#7 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:07:56 AM

Posted 09 August 2009 - 10:57 AM

Hello, dever.

Ok, we will continue. We should be able to get to a state where the computer is usable.

I'd also like to let you know that I am in training here at BC. At each stage of the process, my work will be checked by an expert coach. That means there may be a slight delay between my responses as they check it. Don't worry, we won't leave you.

Here are a few things to get started:
  • Please subscribe to this topic, if you haven't already.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Even if things appear better, that does not mean we are finished, especially with some of the infections you have. Please continue to follow my instructions until I give you the "all clean".
  • If at any point, you are not sure what I am asking for, please ask me and I can better communicate what I mean.
  • Please reply within 5 days of my last post or the thread will be closed. If you will be away or unable to reply, please let me know in advance so the thread is not closed.
Step 1

I see Freecorder toolbar and Viewpoint Media Manager are installed. I strongly recommend removing both programs as they are considered questionable by most sources. I will leave the choice up to you. If you do want to remove them, please follow the instructions below.

Please uninstall any of the following programs, if they are listed, using Add/Remove Programs. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.

Freecorder Toolbar
Freecorder Toolbar 3.02 Application
Viewpoint Media Manager
Viewpoint
Viewpoint Manager
Viewpoint Media Player
Viewpoint Toolbar


Be sure to reboot when done.



Step 2

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If MBAM will not run, rename MBAM.exe to dever.exe and try running it again...and let me know that you had to rename it.


Step 3

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the tab shown in the original post's image (image not preserved here).
  • Click the button shown in the original post's image (image not preserved here).
  • Check all seven boxes (image not preserved here).
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button shown in the original post's image (image not preserved here). Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Step 4

Does this domain: ccsmax.com mean anything to you? Please let me know in your reply.



Step 5

In your reply, please post:
  • MBAM Log
  • Root Repeal Log
  • Updated DDS log
  • description of any remaining issues
  • Your attach.txt was cut off in your last post. Please attach it to your reply
  • please also let me know about that domain I asked you about.
Note: You may need several posts to post all these logs... it's a lot of information and more than likely will not fit into one post, as happened before. Please double-check to be sure the full log is listed once you hit "post".

EDIT: typo

Edited by etavares, 09 August 2009 - 10:58 AM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#8 dever

dever
  • Topic Starter

  • Members
  • 33 posts
  • Gender:Male
  • Location:NH
  • Local time:08:56 AM

Posted 09 August 2009 - 11:13 AM

etavares,

I will likely get back to you with all that tonight, as I have to step out this afternoon. To update you on my previous post, however, I did reboot in safe mode to access the start list and deselected two suspicious items: msxm192z & 12364534. I was then able to load and run (running now) Malwarebytes. (I had to rename mbam-setup.exe to newtool2.exe & mbam.exe to newtool3.exe.) I did this before your post, so I selected full scan instead of quick scan, and I neglected to update before the scan. As I said, I have to go out for the afternoon, so I will allow the full scan to continue, and then I will comply with your instructions exactly in order and post back.

Thanks again, dev

Edited by dever, 09 August 2009 - 12:08 PM.


#9 dever

dever
  • Topic Starter

  • Members
  • 33 posts
  • Gender:Male
  • Location:NH
  • Local time:08:56 AM

Posted 09 August 2009 - 09:26 PM

Etavares,

An update on my progress... As I said previously, I was able to get mbam up and running in safe mode. A complete scan ran successfully. During the repair process, just as you had mentioned, it prompted me to reboot. I did this and the computer opened normally (regular mode) but with no visible signs of mbam continuing its work. I wasn't sure if the window was supposed to reopen or not?

While I was waiting for something to happen there, I went to the control panel > add & remove programs. Freecorder was listed, Viewpoint was not. I attempted to remove Freecorder and the whole add/remove programs window locked up (couldn't scroll, maximize, close window, no sign of window even being open in task manager). I went to start > programs > Freecorder > uninstall, and it seemed to uninstall in a matter of seconds. I then rebooted as you instructed and successfully got back into Windows, but only for 5-6 minutes before the blue screen of death "IRQL_NOT_LESS_OR_EQUAL". I rebooted again and just as Windows was opening, another blue screen - no message up top, but the filename vfpprv.sys was among the tech data. One more reboot with identical results.

I then rebooted into safe mode in order to open mbam & access the log from the original scan. I have no internet access in safe mode so I transferred it onto a thumb drive. I also was able to run dds and get those logs transferred. I am now on my laptop and have attached all three logs below.

I don't know if you want me to proceed with rootrepeal - at this point I would also have to attempt this via safe mode.

The domain ccsmax.com is an interface I use to access my company website.

Thanks again for your help, dev

Attached file: mbam_log_2009_08_09__20_50_22_.txt (7.55KB)
Attached file: DDS.txt (11.79KB)
Attached file: Attach.txt (24.81KB)

Edited by dever, 10 August 2009 - 02:18 PM.


#10 dever

dever
  • Topic Starter

  • Members
  • 33 posts
  • Gender:Male
  • Location:NH
  • Local time:08:56 AM

Posted 10 August 2009 - 06:48 AM

I woke up this AM and started the computer and it booted into normal mode just fine... I attempted to download rootrepeal, but the first time (using primary mirror) it created a folder with nothing in it to unzip. All subsequent attempts (primary or secondary) would immediately lock up the browser (not responding). Until I hear from you, I thought I would take advantage of being in normal mode to re-run Malwarebytes in order to confirm it finished what it started yesterday. A quick scan is running now.

Edited by dever, 10 August 2009 - 07:56 AM.


#11 dever

dever
  • Topic Starter

  • Members
  • 33 posts
  • Gender:Male
  • Location:NH
  • Local time:08:56 AM

Posted 10 August 2009 - 01:26 PM

No luck with the mbam scan in normal mode... Tried it twice; both times it hung up around the 19 minute mark while "performing extra and heuristics scan". The first time I restarted it after 20-30 minutes, but this time it has been hung up for 5 hours... I'll wait for further words.

dev

#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:07:56 AM

Posted 10 August 2009 - 03:07 PM

Hi dever,

Looks like MBAM caught a ton of stuff. A few things for now.

First, before we proceed, let's check a few files. Your log shows signs of a really bad and poorly written virus. Before we proceed, I'd like to check that...it will greatly change the way we proceed.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the Jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\windows\explorer.exe
c:\windows\system32\svchost.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe


Please post back the results of all the scans in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/



Next, since you're using a flash drive, we need to ensure you can't accidentally transfer the virus to the other computer. Please do this on your clean computer.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


Please reply with the virus scan results of those files.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
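The note in the post above explains why Flash_Disinfector leaves a folder called autorun.inf at the root of each drive: Windows will not create a file under a name a directory already occupies, so the autorun file a USB worm wants to drop cannot appear. As an added example (my own code, not Flash_Disinfector's and not from this thread), the script below classifies what sits at a drive root as absent, protected by such a directory, or a real autorun.inf, and in the last case parses out the directives that can launch a program on insertion. The three demo roots and the sample autorun.inf are constructed in a temporary directory, so it runs without touching any real removable drive.

```python
"""Classify the autorun.inf entry at a drive root. Added example, not part of the
thread or of Flash_Disinfector; the sample drive roots are constructed in a temp dir."""
import configparser
import os
import tempfile

# Constructed autorun.inf in the documented INI layout; 'open' and 'shellexecute'
# are the directives that make Windows launch a program on insertion.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=setup.exe
shellexecute=setup.exe
icon=setup.exe,0
label=Example Drive
"""


def inspect_autorun(root):
    """Return (kind, directives) for the autorun.inf at root.

    kind is "absent" (nothing there), "protected-dir" (a directory holds the name,
    which is what Flash_Disinfector leaves behind, so no file can be created), or
    "file" (a real autorun.inf, with its launch-capable directives in the dict).
    """
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return ("absent", None)
    if os.path.isdir(path):
        return ("protected-dir", None)

    # strict=False tolerates duplicate keys, which hand-written INF files often have;
    # only '=' is a delimiter so drive letters in values are not split on ':'.
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    with open(path, "r", errors="replace") as fh:
        parser.read_file(fh)

    directives = {}
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section:
        for key in parser.options(section):
            # Keep only keys that can run code; icon/label are cosmetic.
            if key in ("open", "shellexecute") or key.startswith("shell"):
                directives[key] = parser.get(section, key)
    return ("file", directives)


def make_demo_roots():
    """Build three constructed drive roots: clean, protected by a directory, and with a file."""
    base = tempfile.mkdtemp(prefix="autorun-demo-")
    clean = os.path.join(base, "clean")
    protected = os.path.join(base, "protected")
    with_file = os.path.join(base, "with_file")
    os.makedirs(clean)
    os.makedirs(os.path.join(protected, "autorun.inf"))  # the Flash_Disinfector trick
    os.makedirs(with_file)
    with open(os.path.join(with_file, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN_INF)
    return clean, protected, with_file


if __name__ == "__main__":
    for root in make_demo_roots():
        print(os.path.basename(root), inspect_autorun(root))
```

On a real system you would call inspect_autorun("E:\\") (or whatever letter the thumb drive received) from the clean machine; a "file" result with an open or shellexecute directive is the case the post warns about, and "protected-dir" confirms the folder Flash_Disinfector created is still in place.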
 


#13 dever

dever
  • Topic Starter

  • Members
  • 33 posts
  • Gender:Male
  • Location:NH
  • Local time:08:56 AM

Posted 11 August 2009 - 01:20 PM

Etavares,

I have scanned those 4 files on Jotti. No problems were found in any of them. I didn't see any type of log that was created for me to paste here, but I got the "0 out of 21 scanners reported malware." result for each file.

I also completed the hidden file instructions and I now have Flash Disinfector on the laptop.

The computer is still very sporadic at booting up into normal mode. No real changes to report.


Thanks again!

#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:07:56 AM

Posted 12 August 2009 - 05:59 AM

Hello, dever.
That's good they came back clean. I am very concerned that we may not be able to save your system, however. A TMP file running in the process list is often an indicator of a Virut infection. We can keep proceeding, but that virus is poorly written, and injects itself into running processes (e.g. Windows) and mangles the files it attaches to and could cause the errors you are seeing. If you did have that virus, the damage is irreparable, short of reformatting and reinstalling Windows. Security experts believe a Clean Reformat is the only way to return the system to its normal working state. You should be able to pull off most of your data beforehand if you want to go this route.

If you do want to backup your data...this is CRITICAL:
Backup all your personal documents such as pictures, documents, personal data, etc. only. DO NOT backup any executable files (software, programs), screen savers (*.scr) or any web pages (*.html or *.htm). Virut attempts to infect these files by appending itself to them. As a result, if you backup those files, you have a chance of possible Virut reinfection. Please also be careful backing up compressed files (zip, rar, etc.) that have EXE, SCR, HTM or HTML files in them. They can reinfect your computer.



If you want to attempt to fix the machine, please continue with the instructions below. I am not confident we can get it working correctly given the number of infections and the potential for Virut.


With Flash_Disinfector, did it ask you to insert your thumb drive? Please ensure you re-run it if not, and insert the flash drive you are using to move files to and from the infected computer. It prevents it from auto-running and infecting your clean computer when you plug it into the machine, although you can still infect it by running an infected program.

Please disconnect your infected computer from the internet at this point. Just unplug the network cable.



Step 1

Please follow the instructions below, although:
1. Where it says to download the program, download it from the clean computer and save it to your flash drive.
2. Copy the file from the flash drive to the desktop of the infected computer and continue with the instructions on your infected computer where it says to disable antivirus/antispyware programs.

**********

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.


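As an added illustration of the backup rule in the post above (example code written for this page, not a tool from the thread), the Python below walks a folder and copies only files whose extension is not one of the types the post names, looks inside zip archives for such files, and refuses to copy archive types it cannot open. The sample tree, file names and contents are constructed for the demo.

```python
import shutil
import tempfile
import zipfile
from pathlib import Path

# File types the post says Virut appends itself to; never copy these.
RISKY_SUFFIXES = {".exe", ".scr", ".htm", ".html"}
# Archives we can open and inspect with the standard library.
INSPECTABLE_ARCHIVES = {".zip"}
# Compressed formats we cannot inspect here, so they are treated as unsafe.
OTHER_ARCHIVES = {".rar", ".7z"}


def is_risky(path):
    """Return a reason string if the file must not be backed up, else None."""
    suffix = path.suffix.lower()
    if suffix in RISKY_SUFFIXES:
        return f"executable/web file ({suffix})"
    if suffix in INSPECTABLE_ARCHIVES:
        try:
            with zipfile.ZipFile(path) as zf:
                for member in zf.namelist():
                    if Path(member).suffix.lower() in RISKY_SUFFIXES:
                        return f"archive contains {member}"
        except zipfile.BadZipFile:
            return "unreadable archive"
        return None
    if suffix in OTHER_ARCHIVES:
        return f"cannot inspect {suffix} archive"
    return None


def safe_backup(src, dst):
    """Copy personal files from src to dst, skipping anything is_risky flags.

    Returns (copied, skipped): copied is a list of relative paths,
    skipped is a list of (relative path, reason) pairs.
    """
    src, dst = Path(src), Path(dst)
    copied, skipped = [], []
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src)
        reason = is_risky(path)
        if reason:
            skipped.append((str(rel), reason))
            continue
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        copied.append(str(rel))
    return copied, skipped


def demo():
    """Constructed sample tree: a picture, a document, a screensaver, a saved web page,
    a clean zip and a zip that hides an executable. All names and contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "My Documents"
        dst = Path(tmp) / "backup"
        (src / "Pictures").mkdir(parents=True)
        (src / "Pictures" / "holiday.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 16)
        (src / "resume.doc").write_bytes(b"constructed document")
        (src / "pretty.scr").write_bytes(b"MZ")
        (src / "saved_page.html").write_text("<html></html>")
        with zipfile.ZipFile(src / "photos.zip", "w") as zf:
            zf.writestr("beach.jpg", b"\xff\xd8\xff")
        with zipfile.ZipFile(src / "setup_backup.zip", "w") as zf:
            zf.writestr("installer.exe", b"MZ")
        copied, skipped = safe_backup(src, dst)
        return copied, dict(skipped)


if __name__ == "__main__":
    copied, skipped = demo()
    print("copied:", copied)
    print("skipped:", skipped)
```

The filter is deliberately conservative: a zip that contains a single .exe is skipped whole rather than partially extracted, and .rar or .7z archives are skipped because the script cannot look inside them; a practitioner would either unpack those on the clean machine with a scanner watching or leave them behind.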
 


#15 dever
  • Topic Starter
  • Members
  • 33 posts
  • Gender:Male
  • Location:NH

Posted 12 August 2009 - 07:02 AM

Etavares,

Thanks for the recommendations. . . I am leaning toward reformatting, now that you have got me to a point that it seems I will be able to transfer pictures, etc. I have a brand new external hard drive here - any special precautions before I plug it in? (other than your warning about .exe files) Looking forward, once I am up and running with the reformat, is there any vulnerability to the external hard drive being plugged into the computer? (do you need a back-up to the back-up)

I've got to go through my files to see what's worth moving, but one thing comes to mind... How do I move music that is in iTunes?

Also, any general advice on AV software? I have been running AVG for a year or so because I had heard basically good things. (& why spend the money for something else?) I notice that on BC, avast and avira are regularly recommended, do these have advantages over AVG? Or should I quit being cheap and resubscribe to McAfee? I also noticed that Malwarebytes had a paid version... worth the money?

Thanks for all your help... I probably won't get to this until tomorrow or the next day, but I'll let you know that I went that route.

dev

Edited by dever, 12 August 2009 - 07:06 AM.




