Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with unknown virus(s)


  • Please log in to reply
28 replies to this topic

#1 katydidonline

katydidonline

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Midwest USA
  • Local time:09:23 AM

Posted 18 October 2009 - 10:53 AM

My husband had been running AVG free for quite awhile then recently bought the full version which has been running a few months. About a week ago he tried to log on and was getting warning messages from the windows security center. (sorry I don't have those messages) I tried to help him fix it but it would not allow me to use system restore at point (and I tried all the way back to July) It would just say restore failed, try a different point. I tried to install Webroot security but the installaion failed.

Every MalWare removal program I try to run will just disappears or gives an error message

The computer will not start up in safe mode, we get a warning saying that windows deteced a problem

He is running Windows XP version 2002 SP3

Please help :(


DDS (Ver_09-10-13.01) - NTFSx86
Run by Larry Gray at 10:18:22.87 on Sun 10/18/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.461 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Webroot Internet Security Essentials *On-access scanning disabled* (Outdated) {B3891867-7230-459B-9987-E7CCFA7A7D1D}
FW: Webroot Internet Security Essentials *enabled* {2DB6657C-B970-44d3-AB42-6325A913CCC2}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Nuance\NaturallySpeaking10\Program\natspeak.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Documents and Settings\Larry Gray.PC325862970629\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
uWindow Title = Microsoft Internet Explorer provided by CenturyTel
mWindow Title = Microsoft Internet Explorer provided by CenturyTel
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [system tool] c:\program files\irtsqq\bbqasysguard.exe
uRun: [mserv] c:\documents and settings\larry gray.pc325862970629\application data\svcst.exe
uRun: [svchost] c:\documents and settings\larry gray.pc325862970629\application data\svcst.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [realteks] "c:\documents and settings\larry gray.pc325862970629\application data\google\sxkzw965566.exe" 2
mRun: [system tool] c:\program files\irtsqq\bbqasysguard.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking10\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking10\Ereg.ini
mRun: [TerNa] c:\windows\system32\TerNa.exe
mRun: [SpySweeper] c:\program files\webroot\webrootsecurity\SpySweeperUI.exe /startintray
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [userinit] c:\windows\system32\ntos.exe
StartupFolder: c:\docume~1\larryg~1.pc3\startm~1\programs\startup\dragon~1.lnk - c:\program files\nuance\naturallyspeaking10\program\natspeak.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mah%20Jong%20Medley/Images/armhelper.ocx
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: IPC Configuration Utility - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-9-26 29808]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-6 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-6 108552]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2009-10-16 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-3 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-8-27 24652]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-10-16 1041784]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
S2 gupdate1ca29ae30729286;Google Update Service (gupdate1ca29ae30729286);c:\program files\google\update\GoogleUpdate.exe [2009-8-30 133104]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2009-4-13 29292]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-9-17 29744]

=============== Created Last 30 ================

2009-10-17 00:38 267,592 a------- c:\program files\Uninstall Ask Toolbar.dll
2009-10-16 23:28 <DIR> --d----- C:\Binaries
2009-10-16 22:49 107,272 a------- c:\windows\system32\drivers\pwipf6.sys
2009-10-16 22:49 1,552,760 a------- c:\windows\WRSetup.dll
2009-10-16 22:49 <DIR> --d----- c:\program files\Webroot
2009-10-16 22:49 <DIR> --d----- c:\docume~1\larryg~1.pc3\applic~1\Webroot
2009-10-16 22:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2009-10-11 12:30 <DIR> --d----- c:\docume~1\larryg~1.pc3\applic~1\MSNInstaller
2009-10-11 10:17 <DIR> --d----- c:\documents and settings\larry gray.pc325862970629\DoctorWeb
2009-10-10 19:32 0 a------- c:\windows\win32k.sys
2009-10-10 19:32 305,664 a------- c:\docume~1\larryg~1.pc3\applic~1\seres.exe
2009-10-10 19:32 0 a------- c:\docume~1\larryg~1.pc3\applic~1\svcst.exe
2009-10-01 11:02 974,848 a----r-- c:\windows\system32\hpost_p01a.dll
2009-10-01 11:02 729,088 a----r-- c:\windows\system32\hposwia_p01a.dll
2009-10-01 11:02 372,736 a----r-- c:\windows\system32\hppldcoi.dll
2009-10-01 11:02 309,760 a----r-- c:\windows\system32\difxapi.dll
2009-10-01 11:02 303,104 a----r-- c:\windows\system32\hposc_p01a.dll
2009-10-01 10:58 165,423 a------- c:\windows\hpoins30.dat
2009-10-01 10:58 844 -------- c:\windows\hpomdl30.dat
2009-10-01 09:39 844 -------- c:\windows\hpomdl30.dat.temp

==================== Find3M ====================

2009-10-11 13:16 3,754 a------- c:\docume~1\larryg~1.pc3\applic~1\SAS7_000.DAT
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-28 11:14 11,952 a------- c:\windows\system32\avgrsstx.dll

============= FINISH: 10:18:36.26 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:23 AM

Posted 18 October 2009 - 11:46 AM

Hello katydidonline

Welcome to BleepingComputer :(
========================
Hi please click Here and download peek.bat.
Save it to the desktop.
Double click it to run it and post the log in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 katydidonline

katydidonline
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Midwest USA
  • Local time:09:23 AM

Posted 18 October 2009 - 12:25 PM

hello and thank your for the fast reply! Here is the log reguested.

the 'problem' computer is not able to go online so I am using a thumb drive to move things back and forth to post.

Volume in drive C has no label.
Volume Serial Number is 4DC7-FD60

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 10:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 10:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 10:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:11 PM 61,952 eventlog.dll
3 File(s) 650,240 bytes

Total Files Listed:
9 File(s) 1,937,920 bytes
0 Dir(s) 25,105,395,712 bytes free

#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:23 AM

Posted 18 October 2009 - 12:30 PM

You are welcome :(
==============
One or more of the identified infections is a backdoor trojan or rootkit.

This can allow hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information,
please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions
to apprise them of your situation.

Please read this for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
=====================
Please do the following:
Go to Start Run then type in cmd then hit enter.
Then copy the below command (text in bold) into the black box that pops up then hit enter.

Copy /y "C:\WINDOWS\ServicePackFiles\i386\eventlog.dll" C:\
If it works then it will say 1 file(s) copied.
If it does not say that DO NOT PROCEED.
================================

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r
====================================
1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to move:
C:\eventlog.dll | C:\Windows\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.
==========================
First temporarily disable any antivirus program or any real time shields that are present:
If you do not know how then you can refer to this link:
http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
================
Then Download Combofix from any of the links below. You must rename it before saving it. Rename it to kahdah then save it to your desktop.
Link 1
Link 2
--------------------------------------------------------------------

Double click on kahdah.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#5 katydidonline

katydidonline
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Midwest USA
  • Local time:09:23 AM

Posted 18 October 2009 - 01:36 PM

Wow! Thanks...I have been working from another computer since the infected one has not been able to conncet to the internet for a while. I am working on the instruction you gave me and will post ASAP. It there any way to know when the computer was infected. I do all my bill paying on line but never from this cpomputer.

#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:23 AM

Posted 18 October 2009 - 01:41 PM

Not sure about when hard to tell/
Probably before the symptoms started happening.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#7 katydidonline

katydidonline
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Midwest USA
  • Local time:09:23 AM

Posted 18 October 2009 - 02:07 PM

Here are the win32kdiag and the avenger logs. I am getting ready to run the combofix now

Running from: C:\Documents and Settings\Larry Gray.PC325862970629\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Larry Gray.PC325862970629\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460


******************************

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\eventlog.dll|C:\Windows\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#8 katydidonline

katydidonline
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Midwest USA
  • Local time:09:23 AM

Posted 18 October 2009 - 02:49 PM

Here is the Combofix log

ComboFix 09-10-17.01 - Larry Gray 10/18/2009 14:30.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.486 [GMT -5:00]
Running from: c:\documents and settings\Larry Gray.PC325862970629\Desktop\kahdah.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Webroot Internet Security Essentials *On-access scanning disabled* (Outdated) {B3891867-7230-459B-9987-E7CCFA7A7D1D}
FW: Webroot Internet Security Essentials *enabled* {2DB6657C-B970-44d3-AB42-6325A913CCC2}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Larry Gray.PC325862970629\Application Data\iniasd.txt
c:\documents and settings\Larry Gray.PC325862970629\Application Data\seres.exe
c:\documents and settings\Larry Gray.PC325862970629\Application Data\svcst.exe
c:\progra~1\Webroot\WEBROO~1\Backup\ntSVc.ocx
c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\0101120101465749.dat
c:\windows\bf23567.dat
c:\windows\Installer\23c653.msp
c:\windows\Installer\4ee73.msp
c:\windows\jmmark2.dat
c:\windows\kb913800.exe
c:\windows\system32\1304952160.dat
c:\windows\system32\bszip.dll
c:\windows\win32k.sys
D:\Autorun.inf

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-09-18 to 2009-10-18 )))))))))))))))))))))))))))))))
.

2009-10-18 19:35 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-17 04:28 . 2009-10-17 04:28 -------- d-----w- C:\Binaries
2009-10-17 03:49 . 2009-10-17 05:27 107272 ----a-w- c:\windows\system32\drivers\pwipf6.sys
2009-10-17 03:49 . 2009-10-17 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-10-17 03:49 . 2009-10-17 03:49 -------- d-----w- c:\program files\Webroot
2009-10-17 03:49 . 2009-10-17 03:49 -------- d-----w- c:\documents and settings\Larry Gray.PC325862970629\Application Data\Webroot
2009-10-17 03:49 . 2008-09-27 01:48 1552760 ----a-w- c:\windows\WRSetup.dll
2009-10-11 17:30 . 2009-10-11 17:30 -------- d-----w- c:\documents and settings\Larry Gray.PC325862970629\Application Data\MSNInstaller
2009-10-11 15:17 . 2009-10-11 15:22 -------- d-----w- c:\documents and settings\Larry Gray.PC325862970629\DoctorWeb
2009-10-01 16:05 . 2009-10-01 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-10-01 16:02 . 2008-04-16 04:05 729088 ----a-r- c:\windows\system32\hposwia_p01a.dll
2009-10-01 16:02 . 2008-04-16 04:05 974848 ----a-r- c:\windows\system32\hpost_p01a.dll
2009-10-01 16:02 . 2008-04-16 04:05 372736 ----a-r- c:\windows\system32\hppldcoi.dll
2009-10-01 16:02 . 2008-04-16 04:05 309760 ----a-r- c:\windows\system32\difxapi.dll
2009-10-01 16:02 . 2008-02-28 10:08 303104 ----a-r- c:\windows\system32\hposc_p01a.dll
2009-10-01 15:58 . 2009-10-01 16:09 165423 ----a-w- c:\windows\hpoins30.dat
2009-10-01 15:58 . 2008-06-18 06:22 844 ------w- c:\windows\hpomdl30.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-18 19:38 . 2009-06-05 17:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-18 15:14 . 2009-05-05 22:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-18 14:20 . 2006-09-17 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-17 05:37 . 2006-04-14 04:39 -------- d-----w- c:\program files\Google
2009-10-17 05:35 . 2009-08-13 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-17 05:35 . 2006-10-15 14:42 -------- d-----w- c:\program files\Yahoo!
2009-10-17 05:33 . 2009-08-27 22:04 -------- d-----w- c:\program files\AIM Toolbar
2009-10-17 04:01 . 2009-02-01 21:10 -------- d-----w- c:\documents and settings\Larry Gray.PC325862970629\Application Data\HPAppData
2009-10-11 18:20 . 2008-06-15 18:20 -------- d-----w- c:\program files\Common Files\AdvancedCleaner
2009-10-11 18:16 . 2009-09-08 01:16 3754 ----a-w- c:\documents and settings\Larry Gray.PC325862970629\Application Data\SAS7_000.DAT
2009-10-01 16:06 . 2006-04-14 04:44 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-09-11 23:31 . 2006-10-15 14:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-10 19:54 . 2009-05-05 22:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-05-05 22:22 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 01:12 . 2008-10-15 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-08 00:00 . 2009-09-08 00:00 -------- d-----w- c:\documents and settings\Larry Gray.PC325862970629\Application Data\Nuance
2009-09-07 23:51 . 2009-09-07 23:51 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-09-07 23:51 . 2009-09-07 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2009-09-07 23:51 . 2009-09-07 23:51 -------- d-----w- c:\program files\Common Files\Nuance
2009-09-07 23:50 . 2009-09-07 23:50 -------- d-----w- c:\program files\Nuance
2009-09-07 23:50 . 2009-09-07 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
2009-08-31 21:59 . 2009-08-27 22:03 -------- d-----w- c:\program files\Common Files\AOL
2009-08-31 21:56 . 2008-06-07 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-31 21:49 . 2009-08-31 00:00 -------- d-----w- c:\program files\irtsqq
2009-08-27 22:05 . 2009-08-27 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-08-27 22:04 . 2009-08-27 22:04 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-08-27 22:04 . 2009-08-27 22:04 -------- d-----w- c:\program files\Viewpoint
2009-08-27 22:04 . 2009-08-27 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-27 22:03 . 2009-08-27 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-08-27 13:59 . 2006-04-14 04:53 138480 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-27 11:39 . 2008-10-15 20:00 -------- d-----w- c:\program files\MSBuild
2009-08-27 11:38 . 2009-08-27 11:38 -------- d-----w- c:\program files\Reference Assemblies
2009-08-26 19:51 . 2009-08-26 19:51 -------- d-----w- c:\program files\Follett
2009-08-26 19:31 . 2006-04-14 03:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 09:01 . 2004-08-10 15:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-28 16:14 . 2008-07-03 18:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-28 16:14 . 2008-06-07 01:16 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-28 16:14 . 2007-02-24 13:02 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2007-07-22 23:20 . 2006-11-07 22:24 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-06 20:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-08 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-28 148888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-26 49152]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 405504]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-25 29744]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-29 2023704]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2008-09-27 6267256]

c:\documents and settings\Larry Gray.PC325862970629\Start Menu\Programs\Startup\
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking10\Program\natspeak.exe [2008-10-8 2811240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-28 16:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0daila

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"427:UDP"= 427:UDP:SLP_Port(427)

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [9/26/2008 4:15 AM 29808]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/6/2008 8:16 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/6/2008 8:16 PM 108552]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [10/16/2009 10:49 PM 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/3/2008 1:52 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/3/2008 1:52 PM 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/27/2009 5:04 PM 24652]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [10/16/2009 10:49 PM 1041784]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 4:06 AM 231424]
S2 gupdate1ca29ae30729286;Google Update Service (gupdate1ca29ae30729286);c:\program files\Google\Update\GoogleUpdate.exe [8/30/2009 3:12 PM 133104]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [4/13/2009 3:30 PM 29292]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/17/2006 6:07 PM 29744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-10-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-07 18:41]

2009-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-30 20:12]

2009-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-30 20:12]

2009-09-08 c:\windows\Tasks\NatSpeak Periodic Acoustic Optimization.job
- c:\program files\Nuance\NaturallySpeaking10\Program\schedmgr.exe [2008-10-08 09:48]

2009-09-08 c:\windows\Tasks\NatSpeak Periodic Data Collection.job
- c:\program files\Nuance\NaturallySpeaking10\Program\datacollector.exe [2008-10-08 09:48]

2009-09-08 c:\windows\Tasks\NatSpeak Periodic Language Model Optimization.job
- c:\program files\Nuance\NaturallySpeaking10\Program\schedmgr.exe [2008-10-08 09:48]
.
.
------- Supplementary Scan -------
.
mWindow Title = Microsoft Internet Explorer provided by CenturyTel
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-*{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
HKLM-Run-realteks - c:\documents and settings\Larry Gray.PC325862970629\Application Data\Google\sxkzw965566.exe
HKLM-Run-TerNa - c:\windows\system32\TerNa.exe
SharedTaskScheduler-IPC Configuration Utility - (no file)
AddRemove-HP Rhapsody - c:\progra~1\HPRHAP~1\Unwise32.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-18 14:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?P???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(6028)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\kahdah\CF2602.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\searchindexer.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\progra~1\HPQ\shared\HPQTOA~1.EXE
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2009-10-18 14:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-18 19:44

Pre-Run: 28,459,163,648 bytes free
Post-Run: 28,506,431,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

304 --- E O F --- 2009-10-11 15:55

#9 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:23 AM

Posted 18 October 2009 - 02:54 PM

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.
  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
=====
Online Scanner

* Go here to run an online scannner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#10 katydidonline

katydidonline
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Midwest USA
  • Local time:09:23 AM

Posted 18 October 2009 - 03:25 PM

I connected the corrupted computer to the internet so I could do the online scan. I was just starting when I got a light blue screen that said windows has detected a problem and needs to shut down to prevent damage to the computer

Technical info

STOP: 0x0000008E (0xC0000005, 0xBF952C39, 0xF64A9C00, 0x00000000)

win32Ksys - address BF952C39 and was saying ssoething about dumping physical memory so I shut it down

#11 katydidonline

katydidonline
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Midwest USA
  • Local time:09:23 AM

Posted 18 October 2009 - 03:30 PM

Here is the Malwarebytes log



Malwarebytes' Anti-Malware 1.41
Database version: 2981
Windows 5.1.2600 Service Pack 3

10/18/2009 3:09:16 PM
mbam-log-2009-10-18 (15-09-16).txt

Scan type: Quick Scan
Objects scanned: 122028
Time elapsed: 5 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 katydidonline

katydidonline
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Midwest USA
  • Local time:09:23 AM

Posted 18 October 2009 - 03:43 PM

Sorry, I was not in IE as required, the scan is running now

#13 katydidonline

katydidonline
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Midwest USA
  • Local time:09:23 AM

Posted 18 October 2009 - 04:10 PM

Here is the Online Scan log

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=7.00.6000.16876 (vista_gdr.090625-2339)
# OnlineScanner.ocx=1.0.0.6208
# api_version=3.0.2
# EOSSerial=456bfbb344341549b9e7ee88eace2ea9
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-18 09:00:12
# local_time=2009-10-18 04:00:12 (-0600, Central Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1279 16777215 0 0 0 0 0 0
# compatibility_mode=3839 16777215 0 0 0 0 0 0
# compatibility_mode=4351 16777215 0 0 0 0 0 0
# compatibility_mode=5890 16777214 0 0 0 0 0 0
# compatibility_mode=8447 16777215 0 0 0 0 0 0
# scanned=10966
# found=1
# cleaned=1
# scan_time=712
C:\Documents and Settings\Larry Gray.PC325862970629\DoctorWeb\Quarantine\hosts Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

#14 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:23 AM

Posted 18 October 2009 - 05:51 PM

Ok please uninstall one of the Internet security suite's you have.
Webroot or AVG having both will cause issues with the computer.

AFter that let me know how things are running?
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#15 katydidonline

katydidonline
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Midwest USA
  • Local time:09:23 AM

Posted 18 October 2009 - 08:13 PM

I had trouble installing Webroot before I posted my problem on this site. Now I have uninstalled AVG but I still can't install Webroot.

I get the message the following message:
Aborting installation, Error (1638): Another version of this product is already installed. Installation of this product cannot continue. To configure or remove the existing version of this product, use Add/Remove programs on the control Panel.

Problem is Webroot does not show up in Add/remove programs.?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users