
AVCare virus - Help with removal


#1 KKittelman


  • Members
  • 3 posts
  • Local time:04:36 PM

Posted 26 August 2009 - 02:40 AM

It's the typical take over your computer and opens a dozen screens telling you your computer is infected...yadda yadda. I can access Task Manager and momentarily disable Windows Antivirus Pro.exe. It pops back up seconds later.

The system isn't connected to the internet. So I'm accessing the forum on my computer and transporting files using a flash drive.

Here's the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:52:20 PM, on 8/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:Program FilesWIDCOMMBluetooth Softwarebinbtwdins.exe
C:Program FilesCommon FilesLogishrdBluetoothLBTServ.exe
c:program filescommon fileslogitechlvmvfmLVPrcSrv.exe
C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
c:program filesdell printersAdditional Color Laser SoftwareStatus MonitorDLSDBNT.EXE
C:Program FilesIntelIntel Application Acceleratoriaantmon.exe
C:Program FilesLogitechEasy Synchronizationservicestub.exe
C:Program FilesLogitechEasy SynchronizationLogitechEasySync.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
C:Program FilesMicrosoft SQL ServerMSSQL$MICROSOFTBCMBinnsqlservr.exe
C:Program FilesViewpointCommonViewpointService.exe
c:program filesdell printersAdditional Color Laser SoftwareStatus MonitorDLPWDNT.EXE
C:Program FilesViewpointViewpoint ManagerViewMgr.exe
C:Documents and SettingsDavid LondonDesktopThisFunFile.exe
C:Program FilesWindows Antivirus ProWindows Antivirus Pro.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCUSoftwareMicrosoftInternet ExplorerSearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:Program FilesRealRealPlayerrpbrowserrecordplugin.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:WINDOWSsystem32msxml71.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:WINDOWSsystem32dlatfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_02binssv.dll
O2 - BHO: ICQSys (IE PlugIn) - {76DC0B63-1533-4ba9-8BE8-D59EB676FA02} - C:WINDOWSsystem32dddesot.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:Program FilesCommon FilesMicrosoft SharedWindows LiveWindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:Program FilesGoogleGoogle ToolbarGoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:Program FilesGoogleGoogleToolbarNotifier5.2.4204.1700swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:Program FilesWindows Live Toolbarmsntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:Program FilesGoogleGoogle ToolbarComponentfastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Ask.com Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:Program FilesAsk.comGenericAskToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:Program FilesWindows Live Toolbarmsntb.dll
O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:Program FilesAsk.comGenericAskToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:Program FilesGoogleGoogle ToolbarGoogleToolbar_32.dll
O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSsystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottime
O4 - HKLM..Run: [TkBellExe] "C:Program FilesCommon FilesRealUpdate_OBrealsched.exe" -osboot
O4 - HKLM..Run: [DC6cw] "C:Program FilesCommon FilesDriveCleanerDC6cw.exe" -c
O4 - HKLM..Run: [net] "C:WINDOWSsystem32net.net"
O4 - HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 -k
O4 - HKLM..Run: [UserFaultCheck] %systemroot%system32dumprep 0 -u
O4 - HKLM..Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [swg] "C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe"
O4 - HKCU..Run: [H/PC Connection Agent] "C:Program FilesMicrosoft ActiveSyncwcescomm.exe"
O4 - HKCU..Run: [VideoCall] "C:Program FilesLogitechVideoCallVideoCall.exe" -minimized
O4 - HKCU..Run: [MsnMsgr] "C:Program FilesMSN MessengerMsnMsgr.Exe" /background
O4 - HKCU..Run: [DW6] "C:Program FilesThe Weather Channel FWDesktopDesktopWeather.exe"
O4 - HKCU..Run: [Monopod] C:DOCUME~1DAVIDL~1LOCALS~1Tempa.exe
O4 - HKUSS-1-5-18..RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS.DEFAULT..RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:Program FilesLogitechSetPointSetPoint.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:Program FilesNETGEARWG111v2WG111v2.exe
O8 - Extra context menu item: &Windows Live Search - res://C:Program FilesWindows Live Toolbarmsntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2OFFICE11EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:Program FilesWIDCOMMBluetooth Softwarebtsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_02binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_02binssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:PROGRA~1MI3AA1~1INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:PROGRA~1MI3AA1~1INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:PROGRA~1MI3AA1~1INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2OFFICE11REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:Program FilesWIDCOMMBluetooth Softwarebtsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:Program FilesWIDCOMMBluetooth Softwarebtsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:WINDOWSsystem32Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file:///E:/components/hidinputmonitorx.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file:///E:/components/A9.ocx
O16 - DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} (WMVHDRatingCtrl Class) - file:///E:/components/wmvhdrating.ocx
O20 - Winlogon Notify: GoToAssist - C:Program FilesCitrixGoToAssist480G2AWinLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:Program FilesCommon FilesAdobe Systems SharedServiceAdobelmsvc.exe
O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:WINDOWSsvchast.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:Program FilesWIDCOMMBluetooth Softwarebinbtwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:WINDOWSsystem32CTsvcCDA.EXE
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - c:program filesdell printersAdditional Color Laser SoftwareStatus MonitorDLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - c:program filesdell printersAdditional Color Laser SoftwareStatus MonitorDLSDBNT.EXE
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:Program FilesCitrixGoToAssist480g2aservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:Program FilesIntelIntel Application Acceleratoriaantmon.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:Program FilesCommon FilesLogishrdBluetoothLBTServ.exe
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:Program FilesLogitechEasy Synchronizationservicestub.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:program filescommon fileslogitechlvmvfmLVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:Program FilesCommon FilesLogitechSrvLnchSrvLnch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:Program FilesCommon FilesMacromedia SharedServiceMacromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:WINDOWSsystem32nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:Program FilesViewpointCommonViewpointService.exe

End of file - 11147 bytes

And for your enjoyment is the Silent Runners log:

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

HKCUSoftwareMicrosoftWindowsCurrentVersionRun {++}
"ctfmon.exe" = "C:WINDOWSsystem32ctfmon.exe" [MS]
"swg" = ""C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe"" ["Google Inc."]
"H/PC Connection Agent" = ""C:Program FilesMicrosoft ActiveSyncwcescomm.exe"" [MS]
"VideoCall" = ""C:Program FilesLogitechVideoCallVideoCall.exe" -minimized" ["Logitech, Inc"]
"MsnMsgr" = ""C:Program FilesMSN MessengerMsnMsgr.Exe" /background" [file not found]
"DW6" = ""C:Program FilesThe Weather Channel FWDesktopDesktopWeather.exe"" ["The Weather Channel Interactive, Inc."]
"Monopod" = "C:DOCUME~1DAVIDL~1LOCALS~1Tempa.exe" [null data]

HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun {++}
"NvCplDaemon" = "RUNDLL32.EXE C:WINDOWSsystem32NvCpl.dll,NvStartup" [MS]
"QuickTime Task" = ""C:Program FilesQuickTimeqttask.exe" -atboottime" ["Apple Inc."]
"TkBellExe" = ""C:Program FilesCommon FilesRealUpdate_OBrealsched.exe" -osboot" ["RealNetworks, Inc."]
"DC6cw" = ""C:Program FilesCommon FilesDriveCleanerDC6cw.exe" -c" [null data]
"net" = ""C:WINDOWSsystem32net.net"" ["Comp"]
"KernelFaultCheck" = "C:WINDOWSsystem32dumprep 0 -k"
"UserFaultCheck" = "C:WINDOWSsystem32dumprep 0 -u"
"Kernel and Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech, Inc."]

HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
InProcServer32(Default) = "C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3049C3E9-B461-4BC5-8870-4C09146192CA}(Default) = (no title provided)
-> {HKLM...CLSID} = "RealPlayer Download and Record Plugin for Internet Explorer"
InProcServer32(Default) = "C:Program FilesRealRealPlayerrpbrowserrecordplugin.dll" ["RealPlayer"]
{500BCA15-57A7-4eaf-8143-8C619470B13D}(Default) = "XML module"
-> {HKLM...CLSID} = "XML Class"
InProcServer32(Default) = "C:WINDOWSsystem32msxml71.dll" [null data]
{5CA3D70E-1895-11CF-8E15-001234567890}(Default) = (no title provided)
-> {HKLM...CLSID} = "DriveLetterAccess"
InProcServer32(Default) = "C:WINDOWSsystem32dlatfswshx.dll" ["Sonic Solutions"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
InProcServer32(Default) = "C:Program FilesJavajre1.6.0_02binssv.dll" ["Sun Microsystems, Inc."]
{76DC0B63-1533-4ba9-8BE8-D59EB676FA02}(Default) = (no title provided)
-> {HKLM...CLSID} = "ICQSys (IE PlugIn)"
InProcServer32(Default) = "C:WINDOWSsystem32dddesot.dll" ["ASC - AntiSpyware"]
{9030D464-4C02-4ABF-8ECC-5164760863C6}(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
InProcServer32(Default) = "C:Program FilesCommon FilesMicrosoft SharedWindows LiveWindowsLiveLogin.dll" [MS]
{AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
InProcServer32(Default) = "C:Program FilesGoogleGoogle ToolbarGoogleToolbar_32.dll" ["Google Inc."]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
InProcServer32(Default) = "C:Program FilesGoogleGoogleToolbarNotifier5.2.4204.1700swg.dll" ["Google Inc."]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar Helper"
InProcServer32(Default) = "C:Program FilesWindows Live Toolbarmsntb.dll" [MS]
{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}(Default) = "Google Dictionary Compression sdch"
-> {HKLM...CLSID} = "Google Dictionary Compression sdch"
InProcServer32(Default) = "C:Program FilesGoogleGoogle ToolbarComponentfastsearch_B7C5AC242193BB3E.dll" ["Google Inc."]
{D4027C7F-154A-4066-A1AD-4243D8127440}(Default) = "Ask.com Toolbar BHO"
-> {HKLM...CLSID} = "Ask.com Toolbar"
InProcServer32(Default) = "C:Program FilesAsk.comGenericAskToolbar.dll" ["Ask.com"]

HKLMSOFTWAREMicrosoftWindowsCurrentVersionShell ExtensionsApproved
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
InProcServer32(Default) = "C:WINDOWSsystem32hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
InProcServer32(Default) = "C:WINDOWSsystem32nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
InProcServer32(Default) = "C:WINDOWSsystem32nvcpl.dll" ["NVIDIA Corporation"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
InProcServer32(Default) = "C:PROGRA~1MICROS~2OFFICE11MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
InProcServer32(Default) = "C:Program FilesMicrosoft OfficeOFFICE11msohev.dll" [MS]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {HKLM...CLSID} = "RecordNow! SendToExt"
InProcServer32(Default) = "C:Program FilesSonicRecordNow! Plusshlext.dll" [null data]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {HKLM...CLSID} = "DriveLetterAccess"
InProcServer32(Default) = "C:WINDOWSsystem32dlatfswshx.dll" ["Sonic Solutions"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
InProcServer32(Default) = "C:Program FilesRealRealPlayerrpshell.dll" ["RealNetworks, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
InProcServer32(Default) = "C:PROGRA~1WINZIPWZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
InProcServer32(Default) = "C:PROGRA~1WINZIPWZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
InProcServer32(Default) = "C:PROGRA~1WINZIPWZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
InProcServer32(Default) = "C:PROGRA~1WINZIPWZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
-> {HKLM...CLSID} = "Mobile Device"
InProcServer32(Default) = "C:PROGRA~1MI3AA1~1Wcesview.dll" [MS]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {HKLM...CLSID} = "My Bluetooth Places"
InProcServer32(Default) = "C:WINDOWSsystem32btneighborhood.dll" ["Broadcom Corporation."]
"{7842554E-6BED-11D2-8CDB-B05550C10000}" = "Monitor"
-> {HKLM...CLSID} = "Monitor Class"
InProcServer32(Default) = "C:WINDOWSsystem32btncopy.dll" ["Broadcom Corporation."]
"{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C}" = "Logitech Setpoint Extension"
-> {HKLM...CLSID} = "KbLogiExt Class"
InProcServer32(Default) = "C:Program FilesLogitechSetPointkbcplext.dll" ["Logitech, Inc."]
"{B9B9F083-2B04-452A-8691-83694AC1037B}" = "Logitech Setpoint Extension"
-> {HKLM...CLSID} = "LogiExt Class"
InProcServer32(Default) = "C:Program FilesLogitechSetPointmcplext.dll" ["Logitech, Inc."]

<<!>> "{FE24CD78-7C63-465D-8787-4EDF7FC79895}" = "ShellExecuteHook class"
-> {HKLM...CLSID} = "ShellExecuteHook class"
InProcServer32(Default) = "C:Program FilesLogitechEasy Synchronizationshellexecutehook.dll" [null data]

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
InProcServer32(Default) = "C:WINDOWSsystem32WPDShServiceObj.dll" [MS]

HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon
<<!>> "GinaDLL" = "RtlGina2.dll" [null data]

HKLMSYSTEMCurrentControlSetControlSession Manager
<<!>> "BootExecute" = "autocheck autochk *"|"daila" [" "]

HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify
<<!>> GoToAssistDLLName = "C:Program FilesCitrixGoToAssist480G2AWinLogon.dll" ["Citrix Online, a division of Citrix Systems, Inc."]
<<!>> LBTWlgnDLLName = "c:program filescommon fileslogishrdbluetoothLBTWlgn.dll" ["Logitech, Inc."]

<<!>> text/xmlCLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
InProcServer32(Default) = "C:Program FilesCommon FilesMicrosoft SharedOFFICE11MSOXMLMF.DLL" [MS]

{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
InProcServer32(Default) = "C:Program FilesCommon FilesAdobeAcrobatActiveXPDFShell.dll" ["Adobe Systems, Inc."]

WinZip(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
InProcServer32(Default) = "C:PROGRA~1WINZIPWZSHLSTB.DLL" ["WinZip Computing, Inc."]

WinZip(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
InProcServer32(Default) = "C:PROGRA~1WINZIPWZSHLSTB.DLL" ["WinZip Computing, Inc."]

WinZip(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
InProcServer32(Default) = "C:PROGRA~1WINZIPWZSHLSTB.DLL" ["WinZip Computing, Inc."]

Default executables:

HKLMSOFTWAREClasses.exe(Default) = "exefile"
<<!>> HKLMSOFTWAREClassesexefileshellopencommand(Default) = "C:WINDOWSsystem32desot.exe "%1" %*" [null data]

Group Policies {GPedit.msc branch and setting}:

Note: detected settings may not have any effect.


"NoCDBurning" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
{unrecognized setting}


"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:

Active Desktop may be disabled at this entry:

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCUSoftwareMicrosoftInternet ExplorerDesktopGeneral
"Wallpaper" = "C:WINDOWSsystem32configsystemprofileLocal SettingsApplication DataMicrosoftWallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCUControl PanelDesktop
"Wallpaper" = "C:Documents and SettingsDavid LondonLocal SettingsApplication DataMicrosoftWallpaper1.bmp"

Enabled Screen Saver:

HKCUControl PanelDesktop
"SCRNSAVE.EXE" = "C:WINDOWSsystem32ssstars.scr" [MS]

Windows Portable Device AutoPlay Handlers


"Provider" = "Dell Media Experience"
"InvokeProgID" = "DMX.PLAYCD"
"InvokeVerb" = "Play"
HKLMSOFTWAREClassesDMX.PLAYCDshellPlayCommand(Default) = "C:Program FilesDellMedia ExperienceDMX.exe Music "Play %1"" [null data]

"Provider" = "Dell Media Experience"
"InvokeProgID" = "DMX.PLAYDVD"
"InvokeVerb" = "Play"
HKLMSOFTWAREClassesDMX.PLAYDVDshellPlayCommand(Default) = "C:Program FilesDellMedia ExperienceDMX.exe DVD "Play %1"" [null data]

"Provider" = "@%SystemRoot%System32WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
LocalServer32(Default) = "C:WINDOWSsystem32WPDShextAutoplay.exe" [MS]

"Provider" = "PowerDVD"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerDVD"
HKLMSOFTWAREClassesDVDshellPlayWithPowerDVDCommand(Default) = ""C:Program FilesCyberLinkPowerDVDPowerDVD.exe" MOVIE "%L"" ["CyberLink Corp."]

"Provider" = "Adobe Photoshop Album Starter Edition"
"InvokeProgID" = "PSASE30.autoplay"
"InvokeVerb" = "launch"
HKLMSOFTWAREClassesPSASE30.autoplayshelllaunchcommand(Default) = ""C:Program FilesAdobePhotoshop Album Starter Edition3.2Appspsaproxy.exe" -v %1" ["Adobe Systems Incorporated"]

"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKCUSoftwareClassesRealPlayer.CDBurn.6shellopencommand(Default) = ""C:Program FilesRealRealPlayerRealPlay.exe" /burn "%1"" ["RealNetworks, Inc."]

"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLMSOFTWAREClassesRealPlayer.HWEventHandlerCLSID(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
-> {HKLM...CLSID} = "RealNetworks Scheduler"
LocalServer32(Default) = ""C:Program FilesCommon FilesRealUpdate_OBrealsched.exe" -autoplay" ["RealNetworks, Inc."]

"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKCUSoftwareClassesRealPlayer.AudioCD.6shellplaycommand(Default) = ""C:Program FilesRealRealPlayerRealPlay.exe" /play %1 " ["RealNetworks, Inc."]

"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKCUSoftwareClassesRealPlayer.DVD.6shellplaycommand(Default) = ""C:Program FilesRealRealPlayerRealPlay.exe" /dvd %1 " ["RealNetworks, Inc."]

"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKCUSoftwareClassesRealPlayer.AutoPlay.6shellopencommand(Default) = ""C:Program FilesRealRealPlayerRealPlay.exe" /autoplay "%1"" ["RealNetworks, Inc."]

"Provider" = "Sonic RecordNow! Plus"
"InvokeProgID" = "Sonic.RecordNow"
"InvokeVerb" = "AudioCDJob"
HKLMSOFTWAREClassesSonic.RecordNowshellAudioCDJobCommand(Default) = ""C:Program FilesSonicRecordNow! PlusRecordNow.exe" /AudioCDJob %L" [null data]

"Provider" = "Sonic RecordNow! Plus"
"InvokeProgID" = "Sonic.RecordNow"
"InvokeVerb" = "AudioCDTarget"
HKLMSOFTWAREClassesSonic.RecordNowshellAudioCDTargetCommand(Default) = ""C:Program FilesSonicRecordNow! PlusRecordNow.exe" /AudioCDTarget %L" [null data]

"Provider" = "Sonic RecordNow! Plus"
"InvokeProgID" = "Sonic.RecordNow"
"InvokeVerb" = "DataDiscTarget"
HKLMSOFTWAREClassesSonic.RecordNowshellDataDiscTargetCommand(Default) = ""C:Program FilesSonicRecordNow! PlusRecordNow.exe" /DataDiscTarget %L" [null data]

"Provider" = "Sonic RecordNow! Plus"
"InvokeProgID" = "Sonic.RecordNow"
"InvokeVerb" = "CopyDiscJob"
HKLMSOFTWAREClassesSonic.RecordNowshellCopyDiscJobCommand(Default) = ""C:Program FilesSonicRecordNow! PlusRecordNow.exe" /CopyDiscJob %L" [null data]

"Provider" = "Sonic RecordNow! Plus"
"InvokeProgID" = "Sonic.RecordNow"
"InvokeVerb" = "CopyDiscJob"
HKLMSOFTWAREClassesSonic.RecordNowshellCopyDiscJobCommand(Default) = ""C:Program FilesSonicRecordNow! PlusRecordNow.exe" /CopyDiscJob %L" [null data]

"Provider" = "Sonic Solutions"
"ProgID" = "MyDVD.MyDVDAPHandler"
"InitCmdLine" = "new"
HKLMSOFTWAREClassesMyDVD.MyDVDAPHandlerCLSID(Default) = "{3D5EF619-F606-4FAA-97C0-222B7DCA05EC}"
-> {HKLM...CLSID} = "MyDVDAPHandler Class"
LocalServer32(Default) = "C:Program FilesSonicMyDVDMyDVD.exe -autoplay" ["Sonic Solutions"]

"Provider" = "Sonic Solutions"
"ProgID" = "MyDVD.MyDVDAPHandler"
"InitCmdLine" = "direct"
HKLMSOFTWAREClassesMyDVD.MyDVDAPHandlerCLSID(Default) = "{3D5EF619-F606-4FAA-97C0-222B7DCA05EC}"
-> {HKLM...CLSID} = "MyDVDAPHandler Class"
LocalServer32(Default) = "C:Program FilesSonicMyDVDMyDVD.exe -autoplay" ["Sonic Solutions"]

Startup items in "David London" & "All Users" startup folders:

C:Documents and SettingsAll UsersStart MenuProgramsStartup
"Bluetooth" -> shortcut to: "C:Program FilesWIDCOMMBluetooth SoftwareBTTray.exe" ["Broadcom Corporation."]
"Logitech SetPoint" -> shortcut to: "C:Program FilesLogitechSetPointSetPoint.exe" ["Logitech, Inc."]
"NETGEAR WG111v2 Smart Wizard" -> shortcut to: "C:Program FilesNETGEARWG111v2WG111v2.exe" [empty string]

Enabled Scheduled Tasks:

"AppleSoftwareUpdate" -> launches: "C:Program FilesApple Software UpdateSoftwareUpdate.exe -task" ["Apple Inc."]
"Check Updates for Windows Live Toolbar" -> launches: "C:Program FilesWindows Live ToolbarMSNTBUP.EXE" [MS]
"Norton Security Scan for David London" -> launches: "C:Program FilesNorton Security ScanNorton Security ScanEngine2.3.0.44Nss.exe /scan-quick /scheduled" ["Symantec Corporation"]
"Scheduled Update for Ask Toolbar" -> launches: "C:Program FilesAsk.comUpdateTask.exe" [null data]
"WGASetup" -> launches: "C:WINDOWSsystem32KB905474wgasetup.exe /autoauto" [MS]
"{7B02EF0B-A410-4938-8480-9BA26420A627}" -> launches: "C:WINDOWSmsa.exe" [null data]
"{BB65B0FB-5712-401b-B616-E69AC55E2757}" -> launches: "C:DOCUME~1DAVIDL~1LOCALS~1Tempa.exe" [null data]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLMSYSTEMCurrentControlSetServicesWinsock2ParametersNameSpace_Catalog5Catalog_Entries {++}
000000000001LibraryPath = "%SystemRoot%System32mswsock.dll" [MS]
000000000002LibraryPath = "%SystemRoot%System32winrnr.dll" [MS]
000000000003LibraryPath = "%SystemRoot%System32mswsock.dll" [MS]

Transport Service Providers

HKLMSYSTEMCurrentControlSetServicesWinsock2ParametersProtocol_Catalog9Catalog_Entries {++}
0000000000##PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%system32mswsock.dll [MS], 01 - 03, 06 - 27
%SystemRoot%system32rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:


HKCUSoftwareMicrosoftInternet ExplorerToolbarShellBrowser
-> {HKLM...CLSID} = "Google Toolbar"
InProcServer32(Default) = "C:Program FilesGoogleGoogle ToolbarGoogleToolbar_32.dll" ["Google Inc."]

HKCUSoftwareMicrosoftInternet ExplorerToolbarWebBrowser
-> {HKLM...CLSID} = "Google Toolbar"
InProcServer32(Default) = "C:Program FilesGoogleGoogle ToolbarGoogleToolbar_32.dll" ["Google Inc."]
-> {HKLM...CLSID} = "Windows Live Toolbar"
InProcServer32(Default) = "C:Program FilesWindows Live Toolbarmsntb.dll" [MS]
-> {HKLM...CLSID} = "Ask.com Toolbar"
InProcServer32(Default) = "C:Program FilesAsk.comGenericAskToolbar.dll" ["Ask.com"]

HKLMSOFTWAREMicrosoftInternet ExplorerToolbar
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar"
InProcServer32(Default) = "C:Program FilesWindows Live Toolbarmsntb.dll" [MS]
"{D4027C7F-154A-4066-A1AD-4243D8127440}" = (no title provided)
-> {HKLM...CLSID} = "Ask.com Toolbar"
InProcServer32(Default) = "C:Program FilesAsk.comGenericAskToolbar.dll" ["Ask.com"]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar"
InProcServer32(Default) = "C:Program FilesGoogleGoogle ToolbarGoogleToolbar_32.dll" ["Google Inc."]

Explorer Bars

HKLMSOFTWAREMicrosoftInternet ExplorerExplorer Bars
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
InProcServer32(Default) = "C:WINDOWSsystem32Shdocvw.dll" [MS]

Also, a heads up, this system has a RAID 1 mirroring memory setup. And, of course, does not have Windows Recovery Console installed. I've read that this is not possible with this setup.

Merged 3 posts. ~ OB

Edited by Orange Blossom, 04 September 2009 - 12:46 PM.



#2 sempai



  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:36 AM

Posted 09 September 2009 - 08:37 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,011 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:36 PM

Posted 15 September 2009 - 07:12 PM

Due to the lack of feedback, this Topic is now closed.

In case you still have problems, please send me a Private message to reopen this topic within the next 5 days. Beyond that point, please start a new topic.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
