Seriously infected by UACd.sys


13 replies to this topic

#1 computer-newcomer (Members, 9 posts)

Posted 13 August 2009 - 03:58 PM

As my name explains all - computer-newcomer....

I encounter the same problem with UACd.sys, like one of your members - Smallness (I hope it is OK to mention the name?!) whose problem occurred about the same time (beginning of this week, 10th Aug) as mine and the situation is pretty much the same, all searches redirected to windowclick.com and others. No antivirus programme can run (e.g. Spybot S & D; Malwarebytes). I also tried Windows Live OneCare Safety scanner and AVG at different times, both full scan, they both found some infected items/issues before they got frozen during the scan, so no full scan completed, then viruses could not be removed.
Also, messages always pop up like: Google Installer; Google Update.exe - Application Error; The exception Breakpoint; iexplore.exe 0x088c27c0 .....

I lost sleep over these.... >.< .... please help. Here is my DDS:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Fung's Supplies at 20:45:30.35 on 13/08/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.33.1033.18.510.41 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Q2\Fahid.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Q2\quick2.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Fung's Supplies\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/ig?hl=en
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://uk.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: Mininova-Vuze Toolbar: {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - c:\program files\mininova-vuze\tbMin0.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: XML Class: {500bca15-57a7-4eaf-8143-8c619470b13d} - c:\windows\system32\msxml71.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - e:\old-fung\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Mininova-Vuze Toolbar: {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - c:\program files\mininova-vuze\tbMin0.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Mininova-Vuze Toolbar: {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - c:\program files\mininova-vuze\tbMin0.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Monopod] c:\docume~1\fung's~1\locals~1\temp\b.exe
mRun: [IMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [FAhid] c:\q2\Fahid.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CJIMETIPSYNC] c:\program files\common files\microsoft shared\ime\imtc65\changjie\CINTLCFG.EXE /CJIMETIPSync
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
StartupFolder: c:\docume~1\fung's~1\startm~1\programs\startup\quicks~1.lnk - c:\q2\quick2.exe
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216470767280
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216474442906
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-30 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-30 27784]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-23 298776]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
S2 gupdate1c9d936be07b0ea;Google Update Service (gupdate1c9d936be07b0ea);c:\program files\google\update\GoogleUpdate.exe [2009-5-20 133104]

=============== Created Last 30 ================

2009-08-13 00:58 0 a------- C:\backup.reg
2009-08-13 00:58 61,440 a------- c:\windows\system32\drivers\hmrhgjl.sys
2009-08-11 22:29 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 22:29 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-10 23:09 3,126 a------- C:\rollback.ini
2009-08-10 22:06 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-08-09 22:11 <DIR> --d----- c:\program files\PersonalAV
2009-08-09 21:14 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-09 03:06 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-09 03:05 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-09 03:05 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-09 03:05 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-09 03:05 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-09 03:05 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-09 03:05 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-09 03:05 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-05 10:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-07-17 20:01 58,880 -c------ c:\windows\system32\dllcache\atl.dll

==================== Find3M ====================

2009-08-11 23:23 244,116 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-07-05 17:19 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 18:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-23 09:44 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 13:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 13:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 15:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 07:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-19 09:59 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2009-05-09 16:14 34 a------- c:\documents and settings\fung's supplies\jagex_runescape_preferences.dat
2008-10-11 11:03 61,480 a------- c:\documents and settings\fung's supplies\GoToAssistDownloadHelper.exe

============= FINISH: 20:48:42.03 ===============
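As an added example (not part of the original post, and not code from the DDS tool), here is a small Python triage script that parses the Pseudo HJT Report format above and flags the three entries a responder would want to look at first: a Winlogon Userinit value carrying more than the stock userinit.exe, a Run entry launching from a temp folder, and a driver created in the last 30 days that has no matching line in the SERVICES / DRIVERS section. The sample lines are copied from the log above; the rule names are my own.

```python
"""Triage a DDS 'Pseudo HJT Report' for autostart entries that warrant review.

Added example, not part of the forum post or the DDS tool. Three defensive
heuristics, all visible in the thread's own log:
  1. Winlogon Userinit with anything beyond the stock userinit.exe
  2. Run / RunOnce entries launched out of a temp directory
  3. .sys files in 'Created Last 30' without a SERVICES / DRIVERS entry
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample: a handful of lines copied from the DDS log in the thread.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Monopod] c:\docume~1\fung's~1\locals~1\temp\b.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-30 335752]

=============== Created Last 30 ================

2009-08-13 00:58 61,440 a------- c:\windows\system32\drivers\hmrhgjl.sys
2009-08-11 22:29 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
"""


@dataclass
class Finding:
    rule: str   # hypothetical rule name chosen for this example
    line: str   # the DDS line that triggered it


USERINIT_RE = re.compile(r"^mWinlogon:\s*Userinit=(.*)$", re.I)
RUN_RE = re.compile(r"^[umd]Run(?:Once)?:\s*\[[^\]]*\]\s*(.*)$", re.I)
# Service/driver lines: "R1 name;description;path.sys [date size]"
DRIVER_SVC_RE = re.compile(r"^[RS]\d\s+[^;]+;[^;]*;(.*?\.sys)\s*\[", re.I)
# 'Created Last 30' lines: "YYYY-MM-DD HH:MM size attrs path"
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+\S+\s+(.*\.sys)$", re.I)
TEMP_RE = re.compile(r"\\temp\\", re.I)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def triage(report: str) -> List[Finding]:
    """Return findings in the order the triggering lines appear in the report."""
    findings: List[Finding] = []
    declared_drivers: Set[str] = set()
    created_drivers: List[Tuple[str, str]] = []

    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = USERINIT_RE.match(line)
        if m:
            # Stock XP value is a single userinit.exe followed by a comma;
            # any additional value runs at every logon.
            parts = [p.strip().lower() for p in m.group(1).split(",") if p.strip()]
            if any(not p.endswith("\\userinit.exe") for p in parts):
                findings.append(Finding("userinit-extra", line))
            continue

        m = RUN_RE.match(line)
        if m and TEMP_RE.search(m.group(1)):
            findings.append(Finding("run-from-temp", line))
            continue

        m = DRIVER_SVC_RE.match(line)
        if m:
            declared_drivers.add(_basename(m.group(1)))
            continue

        m = CREATED_RE.match(line)
        if m:
            created_drivers.append((_basename(m.group(1)), line))

    # A freshly written driver with no visible service entry is worth a look.
    for name, line in created_drivers:
        if name not in declared_drivers:
            findings.append(Finding("new-driver-no-service", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.rule}] {f.line}")
```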


#2 thcbytes (Malware Response Team, 14,790 posts)

Posted 24 August 2009 - 08:03 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 computer-newcomer (Topic Starter, Members, 9 posts)

Posted 25 August 2009 - 10:09 AM

Dear Thcbytes,

Thanks so much for your reply; I had become desperate and frustrated about my computer, and now I feel help is at hand.

I am almost computer illiterate, so please bear with me if I use the wrong terms or meanings. Here I'll try to include as clear a description as I can of the problems I'm having and the steps I have performed so far:

These are the pop up messages pretty much in sequence,
  • First, when I turn on my computer, Windows Genuine Advantage Notifications pop up every time; it's been here for a while. Although I didn't suspect that was a virus, I find it a nuisance - (I always click 'x' to close the window)
  • As soon as the user account comes to the screen, a window message appears with a bleeping sound from the CPU: GoogleUpdate.exe - Application_Error: The exception Breakpoint. A breakpoint has been reached (0x80000003) occurred in the application at location 0x00406eef (I click 'x' to close the window)
  • Then comes the message Google Installer - Google Installer has encountered a problem and needs to close. We are sorry for the inconvenience. Debug/Send Error Report (I click 'Debug' as there is no 'x' at the top right corner)
  • Again a similar message Google Installer - Google Installer encountered a problem and needed to close. Send Error Report/Don't send (I always click 'Send Error Report')
  • Error Reporting, after all checked, (I click 'close')
  • Error Reporting - Thank you for taking the time to report this problem. (I usually keep it on without closing this window; with this, it seems I can access the internet without the freeze-up)
  • Other than the above, Google Installer will come up from time to time when I am online (I click 'Debug').
Most of the time, after making the above window messages more or less disappear, the cursor moves but without clicking function, or even if it clicks, the 'hour-glass' comes up and freezes. I usually force the computer to turn off by pressing and holding the ON/OFF button on the CPU. Usually after several consecutive attempts to turn on the computer, it will work without the same symptom.

If the speaker or headphone is on, sounds (like a TV programme is running without any screen or images) could suddenly come on in the background even when I was not on any webpage. It could happen when I was listening to music in 'My Music'. Also when I was using Skype to call abroad, in the middle of a conversation, this sound of a TV programme came on and cut off Skype suddenly.

At the worst of times, the computer restarts repeatedly all by itself, no matter what I was using. (I'm so scared now as this could happen anytime while I'm typing this report!) :thumbup2:

Other than that, Mbam is not functioning, Spybot S&D is not able to run, AVG & Windows Live OneCare Safety scan run only a while and stop, never completed.

Also, I cannot scan document to my PC.

Of course, the most significant sign of this UACd.sys is the redirecting of searches by 'windowclick.com' to irrelevant sites, away from Google search... I end up clicking the Google search twice to avoid being redirected....

The above are the symptoms my computer encountered; please ask if I did not explain clearly enough. Thanks a million times.

I am sorry, I don't know how to zip up the attachments (DDS.txt) before attaching them here; I hope it is alright. If not, please let me know how to do it and I will send it again if necessary.

I also attached the Ark.txt for your information. However, a small window message popped up: RootRepeal Error - FindNextFile error 1392 (0x570)!

Here is my DDS:
DDS (Ver_09-07-30.01) - NTFSx86
Run by Fung's Supplies at 13:14:05.64 on 25/08/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.33.1033.18.510.104 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\BCMSMMSG.exe
C:\Q2\Fahid.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\dwwin.exe
C:\Q2\quick2.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Q2\PAD32.EXE
C:\Q2\SMART32.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Fung's Supplies\Local Settings\Temporary Internet Files\Content.IE5\QSBGPRWQ\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/ig?hl=en
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://uk.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: Mininova-Vuze Toolbar: {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - c:\program files\mininova-vuze\tbMin0.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: XML Class: {500bca15-57a7-4eaf-8143-8c619470b13d} - c:\windows\system32\msxml71.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - e:\old-fung\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Mininova-Vuze Toolbar: {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - c:\program files\mininova-vuze\tbMin0.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Mininova-Vuze Toolbar: {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - c:\program files\mininova-vuze\tbMin0.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Monopod] c:\docume~1\fung's~1\locals~1\temp\b.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [IMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [FAhid] c:\q2\Fahid.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CJIMETIPSYNC] c:\program files\common files\microsoft shared\ime\imtc65\changjie\CINTLCFG.EXE /CJIMETIPSync
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
StartupFolder: c:\docume~1\fung's~1\startm~1\programs\startup\quicks~1.lnk - c:\q2\quick2.exe
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216470767280
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216474442906
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-30 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-30 27784]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-23 297752]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
S2 gupdate1c9d936be07b0ea;Google Update Service (gupdate1c9d936be07b0ea);c:\program files\google\update\GoogleUpdate.exe [2009-5-20 133104]

=============== Created Last 30 ================

2009-08-13 00:58 0 a------- C:\backup.reg
2009-08-13 00:58 61,440 a------- c:\windows\system32\drivers\hmrhgjl.sys
2009-08-11 22:29 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 22:29 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-10 23:09 3,126 a------- C:\rollback.ini
2009-08-10 22:06 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-08-09 22:11 <DIR> --d----- c:\program files\PersonalAV
2009-08-09 21:14 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-09 03:06 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-09 03:05 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-09 03:05 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-09 03:05 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-09 03:05 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-09 03:05 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-09 03:05 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-09 03:05 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-05 10:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-18 14:23 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-18 14:23 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-07-03 18:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 13:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 13:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 15:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 07:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-19 09:59 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2009-05-09 16:14 34 a------- c:\documents and settings\fung's supplies\jagex_runescape_preferences.dat
2008-10-11 11:03 61,480 a------- c:\documents and settings\fung's supplies\GoToAssistDownloadHelper.exe

============= FINISH: 13:16:59.89 ===============




#4 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:11:49 PM

Posted 30 August 2009 - 10:54 PM

Hi Computer Newcomer,




Welcome to BleepingComputer HijackThis Logs and Malware Removal, :thumbup2:
My name is sundavis, I will be helping you to deal with your Malware problems today.

Please go to Add/Remove Programs and locate the following in bold. Are you aware of this program? If not, please uninstall any ??? programs if found.

???????? 2003




Step1

Please disable Spybot S&D's protection, or it will interfere.
  • You can enable it after you're clean.
  • Open Spybot and click on 'Mode' and check 'Advanced Mode'.
  • Click on 'Tools' in bottom left hand corner.
  • Click on the 'System Startup' icon.
  • Uncheck 'Teatimer' box and/or uncheck 'Resident'.
  • Click the 'Allow Change' box.
  • Then, check next to the computer clock to see if the icon for Spybot is still there.
  • If it is, right click it and choose 'exit Spybot-S&D Resident'.
  • Restart the computer.
  • If you find you're experiencing problems disabling Spybot's Tea-Timer, follow the info in the link below:
  • http://www.russelltexas.com/malware/teatimer.htm


Step2

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. You will see the below prompt when you first run ComboFix:


Posted Image


The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
It is a simple procedure that will only take a few moments of your time. Once Recovery Console is installed, you should see a blue screen prompt like the one below:


Posted Image

1. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

2. Click Yes to allow ComboFix to continue scanning for malware.

When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Note:If you can't run Combofix, please delete that copy from your desktop and redownload it again. Please rename it to Newcomer.exe before saving it to your desktop. Thanks.




Step3

Please download GMER Rootkit Scanner from Here or Here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish. For more info, go to Here for your reference.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt", and copy and paste the contents in your next reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


In your next reply, please post back:

1. ComboFix log
2. GMER log

Thanks.

Edited by sundavis, 30 August 2009 - 11:03 PM.


#5 computer-newcomer

computer-newcomer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:49 AM

Posted 31 August 2009 - 08:39 PM

Dear Sundavis,

Thank you sooooooooooo much for your reply :thumbup2:

I tried to follow your instructions as closely as possible, however, quite a few hiccups all along. First of all, I cannot open Spybot at all, so I got around it and I think I disabled it in the end.

Installed ComboFix, but did not run, only an hourglass appeared for a few seconds before it disappeared. I finally clicked on ComboFix from the Search result and it started to work. Then suddenly, a bleeping noise from CPU, a window message pop up: Caution:............(concerning if the sites may be tainted or not....)

While ComboFix is scanning for infected files, a bleeping message: !!: ComboFix has detected the presence of rootkit activity and needs to reboot the machine. Kindly note down on paper, the name of each file. We may need it later (Totally 14 of them). At this point, I realised ComboFix did not create a System Restore point, No backing up the Windows Registry. Then the computer restarted right after, ComboFix was there to start working on Autoscan. Window message popped up: PEV.exe - Corrupt File: The file or directory C:\DOCUME~1\Fung's Supplies\Local Settings\Temporary Internet Files\Content....(reading too slow, message disappeared), and a second message came: PEV.cfxxe - Corrupt File: ..............Content.IE5\B8NY2ZE9 is corrupt and unreadable. Please run the Chkdsk utility. (I didn't run anything, just clicked 'x').

ComboFix: Find 3M.........

When the ComboFix log finished, I downloaded Gmer Rootkit Scanner, unfortunately, it could not run, a bleeping noise again from CPU, with a black background window flashed & disappeared very quickly, by clicking 'run' hundreds of times, I think I read: 'Programme is too big to fit in the memory'. So I need your further help on how to deal with this one before I can post the GMER log to you.

Thanks again for your invaluable help and I do appreciate it very much.

For the moment, I post you the ComboFix log:-


ComboFix 09-08-31.03 - Fung's Supplies 01/09/2009 1:17.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.33.1033.18.510.230 [GMT 1:00]
Running from: c:\documents and settings\Fung's Supplies\Desktop\ComboFix.exe.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\FUNG'S~1\LOCALS~1\Temp\install_flash_player.exe
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081210210118156.log
c:\documents and settings\All Users\Application Data\Solt Lake Software
c:\documents and settings\Douglas\Start Menu\Programs\MS AntiSpyware 2009
c:\documents and settings\Douglas\Start Menu\Programs\MS AntiSpyware 2009\MS AntiSpyware 2009.lnk
C:\LOG2.tmp
C:\LOG4.tmp
c:\windows\Installer\288eb5.msi
c:\windows\Installer\288eb6.msp
c:\windows\Installer\288eb7.msp
c:\windows\Installer\288eb8.msp
c:\windows\Installer\288eb9.msp
c:\windows\Installer\288eba.msp
c:\windows\Installer\288ebb.msp
c:\windows\Installer\288ebc.msp
c:\windows\Installer\288ebd.msp
c:\windows\Installer\288ebe.msp
c:\windows\Installer\288f62.msi
c:\windows\Installer\68aaf.msp
c:\windows\Installer\68ab0.msp
c:\windows\Installer\68ab1.msp
c:\windows\Installer\68ab2.msp
c:\windows\Installer\68ab3.msp
c:\windows\Installer\68ab4.msp
c:\windows\Installer\68ab5.msp
c:\windows\Installer\68ab6.msp
c:\windows\Installer\68ab7.msp
c:\windows\run.log
c:\windows\system32\drivers\fad.sys
c:\windows\system32\Drivers\hmrhgjl.sys
c:\windows\system32\drivers\SKYNETixjciktm.sys
c:\windows\system32\drivers\UACovirdtodgx.sys
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\SKYNETbrqpotvy.dll
c:\windows\system32\SKYNETibvdheft.dll
c:\windows\system32\SKYNETqsalxrqu.dat
c:\windows\system32\SKYNETxsiovigr.dat
c:\windows\system32\UACdoywwkyddh.db
c:\windows\system32\UACgkevnniwyr.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjcefarswwj.dll
c:\windows\system32\UACmhsduuuuip.dll
c:\windows\system32\UACmiqitykcbw.dll
c:\windows\system32\UACnpkaltouej.dll
c:\windows\system32\UACynrvxxyife.dat
c:\windows\system32\yO3G8CQ3.exe.a_a

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETowkmxjbg
-------\Legacy_SKYNETowkmxjbg
-------\Service_UACd.sys
-------\Legacy_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-08-01 to 2009-09-01 )))))))))))))))))))))))))))))))
.

2009-08-31 21:21 . 2009-08-31 21:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-18 13:25 . 2009-08-15 18:18 2808600 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguires.dll
2009-08-16 18:08 . 2009-08-17 11:21 1165592 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-08-16 18:08 . 2009-08-17 11:21 1475352 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-08-16 18:08 . 2009-08-17 11:21 587032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2009-08-16 18:08 . 2009-08-17 11:21 758040 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-08-15 18:20 . 2009-08-15 18:18 1111320 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgssie.dll
2009-08-15 18:20 . 2009-08-15 18:18 354072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-08-15 18:20 . 2009-08-15 18:18 2308888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-08-15 18:20 . 2009-08-15 18:18 3497240 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-08-12 23:58 . 2009-08-12 23:58 0 ----a-w- C:\backup.reg
2009-08-12 00:08 . 2009-08-13 14:39 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-11 21:29 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 21:06 . 2009-08-11 21:31 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-08-10 21:00 . 2009-08-10 21:00 -------- d-----w- c:\documents and settings\Fung's Supplies\Local Settings\Application Data\Downloaded Installations
2009-08-09 21:11 . 2009-08-09 21:11 -------- d-----w- c:\program files\PersonalAV
2009-08-09 20:41 . 2009-08-09 20:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-09 02:07 . 2009-08-09 02:07 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-08-09 02:06 . 2009-08-09 02:06 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-09 02:06 . 2009-08-09 02:06 -------- d-----w- c:\program files\MSBuild
2009-08-09 02:06 . 2009-08-09 02:06 -------- d-----w- c:\program files\Reference Assemblies
2009-08-09 02:05 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-09 02:05 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-09 02:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-09 02:05 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-09 02:05 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-09 02:05 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-09 02:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 00:13 . 2009-05-20 10:35 -------- d-----w- c:\documents and settings\Fung's Supplies\Application Data\Skype
2009-08-31 21:22 . 2008-07-21 12:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-31 20:43 . 2008-09-30 10:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-18 13:23 . 2009-01-28 15:18 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-18 13:23 . 2008-09-30 10:08 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-18 13:23 . 2008-09-30 10:08 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-15 18:18 . 2009-08-18 13:26 3299608 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-08-09 21:00 . 2008-07-20 13:06 76192 ----a-w- c:\documents and settings\Fung's Supplies\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 15:57 . 2009-01-18 18:44 -------- d-----w- c:\documents and settings\Fung's Supplies\Application Data\Azureus
2009-08-05 15:36 . 2009-01-18 18:43 -------- d-----w- c:\program files\Vuze
2009-08-05 09:01 . 2001-08-23 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 13:03 . 2008-07-19 23:25 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-28 13:44 . 2008-09-04 10:43 -------- d-----w- c:\documents and settings\Fung's Supplies\Application Data\Canon
2009-07-17 19:01 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2008-07-19 13:25 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-08 13:28 . 2008-07-19 23:36 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-07 21:03 . 2008-09-06 11:54 -------- d-----w- c:\documents and settings\Fung's Supplies\Application Data\U3
2009-07-03 17:09 . 2001-08-23 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-21 17:03 . 2009-06-21 17:03 3956736 ----a-w- c:\documents and settings\Fung's Supplies\Application Data\PowerChallenge\PowerSoccer\PowerSoccer.exe
2009-06-21 17:03 . 2009-06-21 17:03 917504 ----a-w- c:\documents and settings\Fung's Supplies\Application Data\PowerChallenge\PowerSoccer\TVE3.dll
2009-06-21 17:03 . 2009-06-21 17:03 676464 ----a-w- c:\documents and settings\Fung's Supplies\Application Data\PowerChallenge\PowerSoccer\DFEngine.dll
2009-06-21 17:03 . 2009-06-21 17:03 253952 ----a-w- c:\documents and settings\Fung's Supplies\Application Data\PowerChallenge\PowerSoccer\openal32.dll
2009-06-21 17:02 . 2009-06-21 17:02 54760 ----a-w- c:\documents and settings\Fung's Supplies\Application Data\PowerChallenge\PowerSoccer\webdriver0.dll
2009-06-19 23:22 . 2009-06-19 23:22 152576 ----a-w- c:\documents and settings\Fung's Supplies\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-16 14:36 . 2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-14 15:07 . 2009-06-23 19:05 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-12 12:31 . 2001-08-23 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2001-08-23 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2001-08-23 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2008-07-18 20:15 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2001-08-23 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2001-08-23 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]
"{d51d388b-f5dc-471a-a1ce-5e2d671091c0}"= "c:\program files\Mininova-Vuze\tbMin0.dll" [2009-07-16 2215960]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 15:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]
2009-07-16 09:32 2215960 ----a-w- c:\program files\Mininova-Vuze\tbMin0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{d51d388b-f5dc-471a-a1ce-5e2d671091c0}"= "c:\program files\Mininova-Vuze\tbMin0.dll" [2009-07-16 2215960]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D51D388B-F5DC-471A-A1CE-5E2D671091C0}"= "c:\program files\Mininova-Vuze\tbMin0.dll" [2009-07-16 2215960]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-20 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-27 24103720]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"FAhid"="c:\q2\Fahid.exe" [2008-07-22 60036]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-18 2007832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

c:\documents and settings\Fung's Supplies\Start Menu\Programs\Startup\
QuickStart.lnk - c:\q2\quick2.exe [2008-7-22 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 13:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Old-Fung\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"e:\\Old-Fung\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Documents and Settings\\Fung's Supplies\\Application Data\\PowerChallenge\\PowerSoccer\\PowerSoccer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [30/09/2008 11:08 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [23/06/2009 09:43 297752]
S2 gupdate1c9d936be07b0ea;Google Update Service (gupdate1c9d936be07b0ea);c:\program files\Google\Update\GoogleUpdate.exe [20/05/2009 11:35 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]

2009-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-20 10:35]

2009-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-20 10:35]

2009-08-31 c:\windows\Tasks\User_Feed_Synchronization-{6C6F2907-E973-4702-9E85-921B037BAF02}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]

2009-09-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-08 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 01:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-09-01 1:27
ComboFix-quarantined-files.txt 2009-09-01 00:27

Pre-Run: 121,152,483,328 bytes free
Post-Run: 122,680,786,944 bytes free

245 --- E O F --- 2009-08-26 10:51
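An added triage example (this editor's code, not anything posted in the thread): a small Python script that applies the naming heuristics a responder uses when reading the DDS and ComboFix logs above, run over lines copied from those logs. All function and constant names are this example's own; the sample lines are taken from the thread's logs and a few benign lines are included so the heuristics have something to ignore.

```python
"""Triage helper for the DDS / ComboFix style logs posted in this thread.

Flags log lines whose file or service names follow the pattern of the
randomly named TDSS rootkit components (UAC* / SKYNET*) removed above.
All names below are this example's own; the sample lines are copied from
the logs in the thread.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the DDS "Created Last 30" section,
# the ComboFix "Other Deletions" / "Drivers/Services" sections and the
# services list, plus a few benign lines so the heuristics have something
# to ignore.
SAMPLE_LOG = r"""
2009-08-13 00:58 61,440 a------- c:\windows\system32\drivers\hmrhgjl.sys
2009-08-09 21:14 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
c:\windows\system32\drivers\SKYNETixjciktm.sys
c:\windows\system32\drivers\UACovirdtodgx.sys
c:\windows\system32\UACgkevnniwyr.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACdoywwkyddh.db
c:\windows\system32\sdra64.exe
c:\windows\system32\lowsec\user.ds
c:\windows\system32\avgrsstx.dll
-------\Service_UACd.sys
-------\Service_SKYNETowkmxjbg
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-30 335240]
"""

# This infection's components carry the prefix UAC or SKYNET followed by a
# run of random lowercase letters, and it registers a loader service/legacy
# key under the same prefixes (Service_UACd.sys, Service_SKYNET...).
TDSS_FILE = re.compile(r"\\(UAC|SKYNET)[a-z]{6,12}\.(sys|dll|dat|db)(?=\s|$)")
TDSS_SERVICE = re.compile(r"\\(Service|Legacy)_(UACd\.sys|SKYNET[a-z]+)$", re.I)

# Other names ComboFix removed on this machine: uacinit.dll belongs to the
# same rootkit; sdra64.exe with lowsec\local.ds and user.ds is the classic
# Zeus/Zbot layout (a well-known indicator, not something the thread states).
KNOWN_BAD = re.compile(
    r"\\system32\\(uacinit\.dll|sdra64\.exe|lowsec\\(local|user)\.ds)$", re.I)

# Generic heuristic for droppers like hmrhgjl.sys: a driver whose name is a
# short run of letters with (almost) no vowels.
RANDOM_DRIVER = re.compile(r"\\system32\\drivers\\([a-z]{6,12})\.sys\b", re.I)
VOWELS = set("aeiou")


def classify(line: str) -> Optional[str]:
    """Return a short reason if the line looks like rootkit residue, else None."""
    if TDSS_SERVICE.search(line):
        return "TDSS service/legacy key"
    if TDSS_FILE.search(line):
        return "TDSS-style random UAC*/SKYNET* file name"
    if KNOWN_BAD.search(line):
        return "known artefact from the ComboFix deletion list"
    m = RANDOM_DRIVER.search(line)
    if m:
        stem = m.group(1).lower()
        if sum(c in VOWELS for c in stem) / len(stem) < 0.15:
            return f"vowel-less driver name {stem}.sys (possible random dropper)"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for every suspicious line in a log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = classify(line)
        if reason:
            findings.append((reason, line))
    return findings


def flagged_names(log_text: str) -> List[str]:
    """Just the file/service names, handy for comparing against a scanner report."""
    return [line.rsplit("\\", 1)[-1].split(" [")[0] for _, line in triage(log_text)]


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:55s} {line}")
```

The vowel heuristic is deliberately loose and only ever a prompt to look closer; as the GMER caution above says, treat any hit as a lead to verify, not a verdict.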

#6 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:11:49 PM

Posted 31 August 2009 - 11:37 PM

Hi Computer Newcomer,




I finally clicked on ComboFix from the Search result

That workaround is the first time I have ever heard. :thumbup2:

Let's try another Gmer randomly named EXE from Here. Click the Download EXE and save it on your desktop, running it as described in my previous post.

If still no joy whatsoever, then please run RootRepeal again. Remember to delete the old copy of Gmer and RootRepeal from your desktop and redownload it if needed, and close all windows except Gmer or RR.



Step1

Older versions of Java have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 16...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) the following Java Runtime Environment (JRE or J2SE) in the name, and the following update:

    Java™ 6 Update 2
    Java™ 6 Update 7

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.


Step2

Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.



Step3

Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  • Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  • Click Accept button on the "Requirements and limitations".
  • When the Java warning "The application digital signature has been verified. Do you want to run the application" appears, click on the "Run" button.
  • It will be Downloading and installing the program and Updating the database.
  • When updating the database has finished, click on Settings.
  • Make sure all boxes are checked, then click on the Save button.
  • Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  • Once the scan is completed, Click on View Scan Report.
  • You may see a list of infected items over there. Click on Save Report As.
  • Click "Desktop", name the file "KAS", change the Files of type to Text file (.txt) and click on the Save button.
  • Please post the contents in your next reply.
  • You can refer to this animation
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


I will give you another one, just in case. :)

Please run the F-Secure Online Scanner
Note: You will need to use Internet explorer for this scan

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt .
  • Copy and paste that log as a reply to this topic and also let me know how things are now.


Please post back the logs in your next reply.


1. KAS Scan Report
2. New DDS log
3. Gmer log

Tell me how your pc is behaving now.

#7 computer-newcomer

computer-newcomer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:49 AM

Posted 01 September 2009 - 09:16 PM

Dear Sundavis,

Tried to send you the message, but the board message says "sorry, your post was too long, please reduce it", so I need to cut my original message into pieces. Also, Bleeping Computer saved my original message in a different form as below; I hope it wouldn't cause you too much problem to read:-



<DIV class=quotetop>Hi Sundavis,<BR><BR>Thank you for your prompt reply.<BR><BR>

I finally clicked on ComboFix from the Search result - That walkaround is the first time i have ever heard. <IMG style="VERTICAL-ALIGN: middle" border=0 alt=thumbup2.gif src="http://www.bleepingcomputer.com/forums/http://www.bleepingcomputer.com/forums/http://www.bleepingcomputer.com/forums/style_emoticons/default/thumbup2.gif" emoid=":thumbup2:">

it was just my desperate measure as I could neither open Skybot nor run ComboFix yesterday....<IMG style="VERTICAL-ALIGN: middle" border=0 alt="" src="http://www.bleepingcomputer.com/forums/http://www.bleepingcomputer.com/forums/http://www.bleepingcomputer.com/forums/style_emoticons/default/wacko.gif" emoid=":)"><BR><!--QuoteEnd--><BR>I find a yellow triangle warning sign at taskbar, with a bubble says: <STRONG>8jzgdrpy[1].exe - Corrupt File </STRONG>The file or directory C:Documents and Settings......Content.IE5B8NY2ZE9 is corrupt and unreadable. Please run the Chkdsk utility. I ignored it and turned the computer off for a while.<BR><BR>When I turned on the computer, a full blue screen was on saying: <BR><BR>Checking file system on C<BR>The type of the file system is NTFS..........<BR>CHKDSK is verifying file (stage 1 of 3)...<BR>File verification completed<BR>CHKDSK is verifying indexes (stages 2 of 3)...#Sorting index $I30 in file 17640<BR>Index verification completed<BR>CHKDSK is recovering lost files<BR>Recovering orphaned file 9w2pa5i[1].jgp(9875) into directory file 17640....<BR>(the screen disappeared before I can finish jot it down the rest)<BR><BR>With your new link of Gmer, a log has been successfully prepared. (I will post it further down)<BR><BR>I followed your Step 1, older version Java components and update has been removed, also installed the latest version of Java Runtime Environment (JRE) Version 6 (<STRONG>jre-6u16-windows-i586</STRONG>) without '<STRONG>p.exe</STRONG>', I hope it is alright.<BR><BR>Then with Step 2,<STRONG> AFT Cleaner</STRONG> has freed 25.652 MBs.<BR><BR>Step 3, with Kaspersky Online Scanner's result is as below. 
With your help, I finally got all 3 logs you asked for...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, September 1, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, September 01, 2009 18:34:05
Records in database: 2737256
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 141682
Threats found: 12
Infected objects found: 14
Suspicious objects found: 0
Scan duration: 05:44:01

File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETixjciktm.sys.vir Infected: Trojan.Win32.TDSS.amve 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACovirdtodgx.sys.vir Infected: Rootkit.Win32.Agent.moy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETbrqpotvy.dll.vir Infected: Trojan.Win32.Tdss.anuv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETibvdheft.dll.vir Infected: Trojan.Win32.Tdss.anus 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACgkevnniwyr.dll.vir Infected: Packed.Win32.Tdss.m 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACjcefarswwj.dll.vir Infected: Trojan.Win32.Tdss.anre 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmhsduuuuip.dll.vir Infected: Trojan.Win32.Tdss.anrd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmiqitykcbw.dll.vir Infected: Trojan.Win32.Tdss.anrc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACnpkaltouej.dll.vir Infected: Trojan.Win32.Tdss.ajkj 1
E:\Old-Fung\Documents and Settings\Fung's Supplies\Desktop\BBDesktopHelpInstallDV.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 2
E:\Old-Fung\Program Files\Norton AntiVirus\Quarantine\67657880 Infected: Virus.VBS.Redlof.a 1
E:\Old-Fung\WINDOWS\MailSwitch.ocx Infected: Trojan-PSW.Win32.Agent.ktv 1
E:\Old-Fung\WINDOWS\Motive\btbb\UninstallHelper.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 1

Selected area has been scanned.

- Here comes the New DDS log:- (I attached also the attach.txt, just in case)

DDS (Ver_09-07-30.01) - NTFSx86
Run by Fung's Supplies at 1:56:13.89 on 02/09/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.33.1033.18.510.115 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Q2\Fahid.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Q2\quick2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\Fung's Supplies\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/ig?hl=en
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: Mininova-Vuze Toolbar: {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - c:\program files\mininova-vuze\tbMin0.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {500BCA15-57A7-4eaf-8143-8C619470B13D} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Mininova-Vuze Toolbar: {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - c:\program files\mininova-vuze\tbMin0.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Mininova-Vuze Toolbar: {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - c:\program files\mininova-vuze\tbMin0.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [FAhid] c:\q2\Fahid.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
StartupFolder: c:\docume~1\fung's~1\startm~1\programs\startup\quicks~1.lnk - c:\q2\quick2.exe
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216470767280
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216474442906
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-30 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-30 27784]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-23 297752]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
S2 gupdate1c9d936be07b0ea;Google Update Service (gupdate1c9d936be07b0ea);c:\program files\google\update\GoogleUpdate.exe [2009-5-20 133104]

=============== Created Last 30 ================

2009-09-01 16:52 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-01 16:52 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-01 01:46 <DIR> --d-h--- c:\windows\PIF
2009-09-01 01:26 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-09-01 00:48 229,376 a------- c:\windows\PEV.exe
2009-09-01 00:48 161,792 a------- c:\windows\SWREG.exe
2009-09-01 00:48 98,816 a------- c:\windows\sed.exe
2009-09-01 00:47 <DIR> --ds---- C:\ComboFix.exe
2009-08-31 22:38 <DIR> --d----- c:\windows\pss
2009-08-31 22:21 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-13 00:58 0 a------- C:\backup.reg
2009-08-11 22:29 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 22:29 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-10 23:09 3,126 a------- C:\rollback.ini
2009-08-10 22:06 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-08-09 22:11 <DIR> --d----- c:\program files\PersonalAV
2009-08-09 21:14 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-09 03:06 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-09 03:05 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-09 03:05 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-09 03:05 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-09 03:05 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-09 03:05 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-09 03:05 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-09 03:05 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-05 10:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-18 14:23 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-18 14:23 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-07-03 18:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 13:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 13:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 15:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 07:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-05-19 09:59 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2009-05-09 16:14 34 a------- c:\documents and settings\fung's supplies\jagex_runescape_preferences.dat
2008-10-11 11:03 61,480 a------- c:\documents and settings\fung's supplies\GoToAssistDownloadHelper.exe

============= FINISH: 1:57:09.95

#8 computer-newcomer

computer-newcomer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:49 AM

Posted 01 September 2009 - 09:40 PM

Hi Sundavis,

This is the second part of the message. I tried for the 3rd time to send gmer.txt to you, but the Board Message says the post was too long.... I am now trying to attach Gmer.txt as an attachment. I hope it works, or I'll go mad! :thumbup2:

Also, please let me know if you can read my last reply (with the KAS Scan report & New DDS log) with ease. If not, I shall resend it to you....only I have to retype it all... >_<

Since yesterday, after finishing ComboFix, my computer has improved a lot: I can now open Spybot S&D, the redirecting from Google search seems to have stopped, there are no more unwanted auto restarts, and even the frequent 'freezes' seem to have disappeared. Those non-stop pop-up message windows (i.e. Google Installer, GoogleUpdate.exe, iexplore.exe ....) have stopped too.

However, whenever I use a website like Facebook or log in to Yahoo to check mails, a Security Alert window pops up: "You're about to view pages over a secure connection. Any information you exchange with this site cannot be viewed by anyone else on the web. Do you want to continue?" (If I click YES, a second Security Alert will follow: "You're about to leave a secure Internet connection. It will be possible for others to view information you send. Do you want to continue?") Both come with an empty box to check - 'In the future, do not show this warning'. (I am tempted to check the box, is it unsafe to do so? Please advise!)

Also, the Windows Genuine Advantage Notifications are still coming up every time I turn on the computer; any way to stop it?

Other than that, it seems to me that the way I used the computer today (mostly cleaning and scans etc.) cannot fully justify how my computer behaves, so I will try to use it a bit more in a normal daily way later on to see if there is anything worth mentioning to you.

Anyway, I am very impressed with your help and all your advice is greatly appreciated. :)

Thanks again. Computer-newcomer

Attached Files

  • Attached File  Gmer.txt   91.63KB   2 downloads

Edited by computer-newcomer, 01 September 2009 - 09:44 PM.


#9 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:11:49 PM

Posted 02 September 2009 - 02:25 AM

Hi Computer Newcomer,



The format of your post is abnormal. When clicking on the Save button in the online scanner, make sure the "Files of type" is changed to Text file (.txt), not html or htm.

Please delete the following files manually.

E:\Old-Fung\Documents and Settings\Fung's Supplies\Desktop\BBDesktopHelpInstallDV.exe
E:\Old-Fung\WINDOWS\MailSwitch.ocx
E:\Old-Fung\WINDOWS\Motive\btbb\UninstallHelper.exe


I am tempted to check the box, is it unsafe to do so? Please advise

Yes, you may proceed to check that box, and there will be no more pop-ups next time.

the Window Genuine Advantage Notifications still coming up every time I turn on the computer, any way to stop it?

You should go to MS to validate the genuine copy of your Windows. For more info:

http://support.microsoft.com/kb/905474/en-us

http://www.microsoft.com/genuine/

I will try to use it a bit more in a more normal daily way later on to see if anything worths to mention to you.

That's ok. I will leave this topic open for a few days. If everything goes well, I will give you the final instruction. Good luck. :thumbup2:

#10 computer-newcomer

computer-newcomer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:49 AM

Posted 02 September 2009 - 04:09 AM

Hi Sundavis,

Once again, thanks so much for your prompt reply.

The format of your post is abnormal.


When my post was too long and saved in Board Message, the format was transformed. I apologize for that.

Here I send again the Kaspersky Online Scanner report and the new DDS log in a normal way; it should be easier for you to identify my problem:-

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, September 1, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, September 01, 2009 18:34:05
Records in database: 2737256
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 141682
Threats found: 12
Infected objects found: 14
Suspicious objects found: 0
Scan duration: 05:44:01


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETixjciktm.sys.vir Infected: Trojan.Win32.TDSS.amve 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACovirdtodgx.sys.vir Infected: Rootkit.Win32.Agent.moy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETbrqpotvy.dll.vir Infected: Trojan.Win32.Tdss.anuv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETibvdheft.dll.vir Infected: Trojan.Win32.Tdss.anus 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACgkevnniwyr.dll.vir Infected: Packed.Win32.Tdss.m 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACjcefarswwj.dll.vir Infected: Trojan.Win32.Tdss.anre 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmhsduuuuip.dll.vir Infected: Trojan.Win32.Tdss.anrd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmiqitykcbw.dll.vir Infected: Trojan.Win32.Tdss.anrc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACnpkaltouej.dll.vir Infected: Trojan.Win32.Tdss.ajkj 1
E:\Old-Fung\Documents and Settings\Fung's Supplies\Desktop\BBDesktopHelpInstallDV.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 2
E:\Old-Fung\Program Files\Norton AntiVirus\Quarantine\67657880 Infected: Virus.VBS.Redlof.a 1
E:\Old-Fung\WINDOWS\MailSwitch.ocx Infected: Trojan-PSW.Win32.Agent.ktv 1
E:\Old-Fung\WINDOWS\Motive\btbb\UninstallHelper.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 1

Selected area has been scanned.

Here comes my DDS log:-

DDS (Ver_09-07-30.01) - NTFSx86
Run by Fung's Supplies at 1:56:13.89 on 02/09/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.33.1033.18.510.115 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Q2\Fahid.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Q2\quick2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\Fung's Supplies\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/ig?hl=en
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: Mininova-Vuze Toolbar: {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - c:\program files\mininova-vuze\tbMin0.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {500BCA15-57A7-4eaf-8143-8C619470B13D} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Mininova-Vuze Toolbar: {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - c:\program files\mininova-vuze\tbMin0.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Mininova-Vuze Toolbar: {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - c:\program files\mininova-vuze\tbMin0.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [FAhid] c:\q2\Fahid.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
StartupFolder: c:\docume~1\fung's~1\startm~1\programs\startup\quicks~1.lnk - c:\q2\quick2.exe
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216470767280
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216474442906
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-30 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-30 27784]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-23 297752]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
S2 gupdate1c9d936be07b0ea;Google Update Service (gupdate1c9d936be07b0ea);c:\program files\google\update\GoogleUpdate.exe [2009-5-20 133104]

=============== Created Last 30 ================

2009-09-01 16:52 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-01 16:52 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-01 01:46 <DIR> --d-h--- c:\windows\PIF
2009-09-01 01:26 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-09-01 00:48 229,376 a------- c:\windows\PEV.exe
2009-09-01 00:48 161,792 a------- c:\windows\SWREG.exe
2009-09-01 00:48 98,816 a------- c:\windows\sed.exe
2009-09-01 00:47 <DIR> --ds---- C:\ComboFix.exe
2009-08-31 22:38 <DIR> --d----- c:\windows\pss
2009-08-31 22:21 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-13 00:58 0 a------- C:\backup.reg
2009-08-11 22:29 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 22:29 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-10 23:09 3,126 a------- C:\rollback.ini
2009-08-10 22:06 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-08-09 22:11 <DIR> --d----- c:\program files\PersonalAV
2009-08-09 21:14 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-09 03:06 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-09 03:05 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-09 03:05 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-09 03:05 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-09 03:05 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-09 03:05 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-09 03:05 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-09 03:05 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-05 10:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-18 14:23 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-18 14:23 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-07-03 18:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 13:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 13:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 15:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 07:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-05-19 09:59 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2009-05-09 16:14 34 a------- c:\documents and settings\fung's supplies\jagex_runescape_preferences.dat
2008-10-11 11:03 61,480 a------- c:\documents and settings\fung's supplies\GoToAssistDownloadHelper.exe

============= FINISH: 1:57:09.95 ===============


As for the advice you gave in your last reply, I will deal with it later today and will let you know the outcome.

Just want to say that I am very grateful for your help.

#11 sundavis

  • Malware Response Team
  • 2,708 posts

Posted 02 September 2009 - 04:57 AM

Hi Computer Newcomer,




The logs look good. :thumbup2: Please delete those files as instructed in my previous post. Let's clean some orphaned entries.

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:

REGEDIT4

; "name"=- removes a single value; [-KEY] removes the key and everything under it.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
"ShellNext"=-

; Orphaned Browser Helper Object registrations
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

; Orphaned toolbar and Explorer Bar registrations
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"A057A204-BACC-4D26-9990-79A187E2698E"=-
"BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars]
"32683183-48a0-441b-a342-7c2a440a9478"=-

; The two Java Distribution Units that appear in the DDS log as DPF entries with no download path
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}]

Name the file fix.reg, making sure "Save as type" is set to "All Files".
Double-click it; an information box will pop up asking if you want to merge the information in the file into the registry. Click Yes. Please delete the .reg file afterwards.


Let me know if you have any remaining issues on your pc. Hope everthing goes smoothly. :)
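As an added example (not part of the thread and not sundavis's instructions): a small Python script that dry-runs a .reg file such as the fix.reg above, listing every key and value it would delete before the file is merged, and, on Windows only, confirming afterwards that those entries are gone. The sample input is the first few entries of the fix.reg above plus one made-up hex value; the registry paths are the page's own. The `[-KEY]` and `"name"=-` semantics it relies on are regedit's documented behaviour.

```python
"""Dry-run a .reg file before merging it (added example, not from the thread).

Lists the operations a REGEDIT4 / "Windows Registry Editor Version 5.00" file
would perform, so a fix.reg from a helper can be reviewed before it is
double-clicked; on Windows, leftovers() then checks the deletions took effect.

regedit semantics:  [KEY] select/create KEY   [-KEY] delete KEY and subkeys
                    "name"=-  delete value     @=data  (Default) value   ; comment
"""
import re
import sys

# Constructed sample: the first entries of the fix.reg posted above, plus one
# made-up hex value with a continuation line to show that form is handled.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
"ShellNext"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"A057A204-BACC-4D26-9990-79A187E2698E"=-
"Example"=hex:01,02,\
  03,04
"""

_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text):
    """Return (action, key, value_name, data) tuples in file order."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in _HEADERS:
        raise ValueError("not a .reg file: missing header line")
    actions, key, i = [], None, 1
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            if m.group(1) == "-":            # [-KEY]: delete the whole key
                actions.append(("delete_key", m.group(2), None, None))
                key = None
            else:                            # [KEY]: select it for the values below
                key = m.group(2)
                actions.append(("ensure_key", key, None, None))
            continue
        m = _VALUE_RE.match(line)
        if not m:
            raise ValueError(f"line {i}: unrecognised line {line!r}")
        if key is None:
            raise ValueError(f"line {i}: value outside any [KEY] section")
        name = "" if m.group(2) else re.sub(r"\\(.)", r"\1", m.group(1))  # @ -> (Default)
        data = m.group(3).strip()
        while data.endswith("\\") and i < len(lines):  # hex data continued on the next line
            data = data[:-1] + lines[i].strip()
            i += 1
        if data == "-":
            actions.append(("delete_value", key, name, None))
        else:
            actions.append(("set_value", key, name, data))
    return actions


def deletions(actions):
    """Everything the file removes, in readable form: review these first."""
    out = []
    for action, key, name, _ in actions:
        if action == "delete_key":
            out.append(f"delete key   {key}")
        elif action == "delete_value":
            out.append(f"delete value {key} -> {name or '(Default)'}")
    return out


def leftovers(actions):
    """Windows only: the deletions still present after the merge (None elsewhere)."""
    if sys.platform != "win32":
        return None
    import winreg
    still_there = []
    for action, key, name, _ in actions:
        hive, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(getattr(winreg, hive), sub) as k:
                if action == "delete_key":
                    still_there.append(key)
                elif action == "delete_value":
                    winreg.QueryValueEx(k, name)     # raises OSError once the value is gone
                    still_there.append(f"{key} -> {name}")
        except OSError:
            pass                                  # key or value absent: the merge worked
    return still_there


if __name__ == "__main__":
    for entry in deletions(parse_reg(SAMPLE_REG)):
        print(entry)
```

Run it against the real fix.reg (`parse_reg(open("fix.reg").read())`) before merging, and call `leftovers(...)` on the same parse after the reboot; an empty list means every orphaned entry is gone.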

#12 computer-newcomer

  • Topic Starter

  • Members
  • 9 posts

Posted 03 September 2009 - 08:23 PM

Hi Sundavis,

I am sorry that I did not write yesterday, since I wanted to see how my computer behaves before reporting to you. Anyway, thanks for your advice and patience.

I followed your instructions to delete 3 files manually (from your previous reply) and clean some orphaned entries (from your last reply); all of this went well. Phew!

Oh, I forgot to mention that it seems to me that when I ran ComboFix, there was no Recovery Console installed..... should I be worried?

Yesterday, for the first time after being infected, I was finally able to open Spybot again, so I ran it once; there were 39 problems (including a few malwares in registry values & directories, some trojans in files, etc.), so I clicked 'Fix the problem' and 'Immunise' afterwards. Today, I ran an AVG full scan; the scan completed this time and no infection was detected, what a relief! (Note: the Security Alert pop-up, "You're about to view pages over a secure connection.....", has gone automatically since the Spybot scan.)

For sure, my computer is 'calming' down: no more redirecting, no auto shutdown, no non-stop pop-ups, no sudden TV/radio background sound.......... Today, I used Skype continuously for 2 hours, finally with no sudden cut-off..... However, I find it takes much longer for Internet Explorer to connect at any time. Maybe I'm just being paranoid, but I suspect there might still be some infection hidden somewhere slowing down the connection; even just clicking the drop-down at Google search, it is soooo s-l-o-w to display! For peace of mind, should I run some other antivirus programs, something powerful? Would you please recommend any?

Thank you again for your great help. :thumbup2:

#13 sundavis

  • Malware Response Team
  • 2,708 posts

Posted 03 September 2009 - 09:15 PM

Hi Computer Newcomer,



"there was no recovery console installed..... should I be worried?"

It's OK. Since you don't use CF any more, we can leave it as it is.

"For the peace of mind, should I run some more other antivirus programs?"

OK! For your peace of mind, you may run MBAM if needed. For more info, see here and here.
Otherwise, you can do some maintenance as follows. Later on, if the problem still persists, you may try to repair or reinstall IE8 from here.

Click Start > Run, type/paste ipconfig /flushdns into the Run box and hit Enter. Refer to this thread if you don't know how.


Please go to Start -> Control Panel, and choose Network Connections. Then right-click on your default connection, usually Local Area Connection (or Dial-up Connection if you are using dial-up), and left-click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

Open IE, select Tools > Internet Options. Select the Connections tab.
  • If you are using a LAN, click the "LAN Settings" button. If you are using a dial-up or Virtual Private Network connection, select the necessary connection and click the "Settings" button.
  • In the "Proxy Server" area, uncheck the check mark next to Use a proxy server for ....
  • Click OK.
Go to Start > Run, type cmd, and a DOS window will come up. In the window, type chkdsk c: /F. The system will respond with a message saying:
Chkdsk cannot run because the volume is in use by another process. Would you like to schedule this volume to be checked the next time the system restarts? (Y/N)
Type Y and reboot the system. It will make repairs when it reboots. Refer to this thread if you don't know how.

After that, what I'd like you to do is a hard reset of your router, if you have one. Leave it on; there should be a little pinhole in the back of the unit. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). Then change your admin login and password; make it a strong password. You may also want to ask your ISP for help in case there are custom settings that need to be maintained.


Other than that, you are all clean now. :thumbup2: If you have no remaining issues on your pc, let's do some tidy up.


Step1

Click START then RUN
Now copy/paste Combofix /u into the Run box and click OK.
Note the space between the X and the U, it needs to be there.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Step2

Download OTC by OldTimer and save it to your desktop.
  • Double click OTC and let it run
  • Then Click the Cleanup button.
  • You will get a prompt saying "Begin Cleanup Process?". Please select Yes.
  • Restart your computer when prompted.

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  • Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  • Install a-squared Free: a-squared Free is a product from Emsi Software, provided free for private use, that can detect and remove a variety of malicious software. If you have a dial-up internet connection, you may also like to install a-squared Anti-Dialer, which provides some real-time protection against premium-rate dialers.

    A tutorial on installing & using this product can be found here:

    Clean your PC with a-squared Free

  • Update all these programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information here on how to prevent malware.


Glad to be of help. Safe surfing!!
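Added example, not code from the thread: a Python script that reads the settings the steps above change by hand (each adapter's DNS servers and Internet Explorer's proxy) and reports what still needs resetting, so the result of the GUI steps can be verified, and re-checked later if the redirects return. The registry paths are the standard Windows locations for these settings; the adapter GUIDs, DNS addresses and proxy values in the sample are constructed; treating only RFC 1918, link-local and loopback resolvers as "on the LAN" is an assumption about what a home router hands out. It also checks AutoConfigURL, which unticking "Use a proxy server" leaves alone.

```python
r"""Audit the network settings the clean-up steps above reset by hand.

Added example, not code from the thread. The GUI steps (DNS to 'obtain
automatically', untick 'Use a proxy server') change registry values; this
reads those values and reports what still needs resetting.

Where the settings live (Windows XP through current releases):
  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<adapter GUID>
      NameServer      DNS servers typed in by hand; "" means obtain automatically
      DhcpNameServer  what the DHCP server (normally the router) handed out
  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
      ProxyEnable (1 = 'Use a proxy server' ticked), ProxyServer, and
      AutoConfigURL, a proxy script that unticking the box does not clear
The decision functions take plain dicts so they run offline on constructed
values; read_live_settings() needs Windows.
"""
import ipaddress
import sys

# Constructed sample values, shaped like what winreg returns (GUIDs and addresses
# are made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_INTERFACES = {
    "{11111111-2222-3333-4444-555555555555}": {"NameServer": "", "DhcpNameServer": "192.168.1.1"},
    "{66666666-7777-8888-9999-000000000000}": {"NameServer": "203.0.113.5,203.0.113.6",
                                               "DhcpNameServer": "192.168.1.1"},
}
SAMPLE_PROXY = {"ProxyEnable": 1, "ProxyServer": "127.0.0.1:8080",
                "AutoConfigURL": "http://198.51.100.7/proxy.pac"}

# Assumption: the router hands out LAN (RFC 1918 / link-local / loopback) resolvers,
# so a hand-set resolver outside these ranges is the one to look at first.
_LAN_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]


def _servers(value):
    """NameServer is a comma- or space-separated list (XP writes spaces)."""
    return value.replace(",", " ").split()


def _is_lan(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False                  # not an address at all: treat as off-LAN
    return any(ip in net for net in _LAN_NETS)


def audit_dns(interfaces):
    """One finding per adapter whose DNS is set by hand rather than 'obtain automatically'."""
    findings = []
    for guid, vals in interfaces.items():
        static = _servers(vals.get("NameServer", ""))
        if not static:
            continue
        findings.append({"adapter": guid, "static_dns": static,
                         "off_lan": [s for s in static if not _is_lan(s)],
                         "dhcp_dns": _servers(vals.get("DhcpNameServer", ""))})
    return findings


def audit_proxy(settings):
    """Flag a manual proxy or an auto-config script; a home PC normally has neither."""
    findings = []
    if settings.get("ProxyEnable", 0) == 1 and settings.get("ProxyServer"):
        findings.append(f"manual proxy enabled: {settings['ProxyServer']}")
    if settings.get("AutoConfigURL"):
        findings.append(f"auto-config script set: {settings['AutoConfigURL']}")
    return findings


def read_live_settings():
    """Windows only: read the same values from the registry -> (interfaces, proxy)."""
    if sys.platform != "win32":
        raise RuntimeError("registry access needs Windows")
    import winreg

    def values(hive, path, names):
        out = {}
        try:
            with winreg.OpenKey(hive, path) as k:
                for n in names:
                    try:
                        out[n] = winreg.QueryValueEx(k, n)[0]
                    except OSError:
                        pass          # value not present
        except OSError:
            pass                      # key not present
        return out

    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    interfaces = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            guid = winreg.EnumKey(root, i)
            interfaces[guid] = values(winreg.HKEY_LOCAL_MACHINE, base + "\\" + guid,
                                      ("NameServer", "DhcpNameServer"))
    proxy = values(winreg.HKEY_CURRENT_USER,
                   r"Software\Microsoft\Windows\CurrentVersion\Internet Settings",
                   ("ProxyEnable", "ProxyServer", "AutoConfigURL"))
    return interfaces, proxy


if __name__ == "__main__":
    ifaces, proxy = (read_live_settings() if sys.platform == "win32"
                     else (SAMPLE_INTERFACES, SAMPLE_PROXY))
    for f in audit_dns(ifaces):
        print(f"DNS set by hand on {f['adapter']}: {f['static_dns']} (off-LAN: {f['off_lan']})")
    for f in audit_proxy(proxy):
        print("proxy:", f)
```

On a box that has been through the steps above, both audits should come back empty; a NameServer value that reappears after you cleared it, or a proxy that is re-enabled, is a sign something is still writing those settings and the machine is not clean.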

#14 sundavis

  • Malware Response Team
  • 2,708 posts

Posted 08 September 2009 - 03:24 AM

Since this issue appears resolved ... this Topic is closed.

Glad we could help.

Everyone else please begin a New Topic.



