Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows Defender virus, redirects clicked links, pop-ups


  • This topic is locked This topic is locked
27 replies to this topic

#1 johnconley

johnconley

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:03 PM

Posted 17 November 2009 - 11:19 PM

I ran across a website that cause a force close of my browser and a windows defender notification popped up saying I has a virus. I do not have windows defender on this desktop so I closed it and other defender windows popped up. I removed the program. Now I have constant pop-ups and redirected links on my browser to places like mevio.com, registerydefender.com, gala.com, ect . . . I tried running Norton but the program would not open and I assume was disabled somehow by whatever attacked my computer. I downloaded Avira AntiVir. I have run full scans with Malware bytes, spybot and avira and fixed all problems they found. I have searched for and removed any malware in my registry and in my folders per advice from the web. However, it is still happening. I use Windows XP Professional and Firefox 3.5.5. I did everything on the "Preparation Guide for use before posting about your potential Malware problem" page except for the root repeal report because it was causing my computer to freeze up when I tried 3 times to install it. The error message involved a lack of virtual memory. Thanks for any help.


DDS (Ver_09-10-26.01) - NTFSx86
Run by John Conley at 16:11:32.73 on 11/17/09
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.98 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\DellSupport\DSAgnt.exe
svchost.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\John Conley\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cnn.com/
uSearch Page =
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page =
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.7\NppBho.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.7\UIBHO.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [AROReminder] c:\program files\advanced registry optimizer\aro.exe -rem
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_15.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\johnco~1\applic~1\mozilla\firefox\profiles\ocsdxj6s.default\
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-14 64288]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-13 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-30 102448]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-3-19 14336]

=============== Created Last 30 ================

2009-11-17 20:07:34 0 d-----w- C:\Sun
2009-11-17 18:05:10 0 d-----w- c:\program files\Trend Micro
2009-11-15 18:10:35 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-15 02:17:57 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-14 21:47:13 0 d-----w- c:\docume~1\johnco~1\applic~1\Sammsoft
2009-11-14 21:45:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-14 21:45:31 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-14 21:45:00 0 d-----w- c:\program files\Advanced Registry Optimizer
2009-11-14 21:43:01 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-14 21:42:12 0 d-----w- c:\program files\Lavasoft
2009-11-13 19:05:14 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-13 19:05:11 0 d-----w- c:\program files\Avira
2009-11-13 19:05:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2009-11-12 17:50:20 0 d-----w- c:\windows\system32\wbem\Repository
2009-11-12 16:25:32 0 d-----w- c:\docume~1\johnco~1\applic~1\Windows System Defender
2009-11-09 01:04:14 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2009-11-04 20:49:49 0 d-----w- c:\documents and settings\john conley\.dvdcss
2009-11-04 20:48:26 0 d-----w- c:\program files\Digiarty
2009-11-04 18:13:26 0 d-----w- c:\program files\Xilisoft
2009-11-04 07:44:51 4672 ----a-w- c:\windows\system\WOWPOST.EXE
2009-11-04 07:44:51 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2009-11-04 07:44:51 16512 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2009-11-04 07:44:50 5600 ----a-w- c:\windows\system\WINASPI.DLL
2009-11-04 07:44:49 0 d-----w- c:\program files\XviD
2009-11-04 07:44:48 641021 ----a-w- c:\windows\unins000.exe
2009-11-04 07:44:48 414 ----a-w- c:\windows\system32\Lame_acm.xml
2009-11-04 07:44:48 200192 ----a-w- c:\windows\system32\LameACM.acm
2009-11-04 07:44:48 187904 ----a-w- c:\windows\system32\Lame.exe
2009-11-04 07:44:48 1677 ----a-w- c:\windows\unins000.dat
2009-11-04 07:44:48 166912 ----a-w- c:\windows\system32\Lame_enc.dll
2009-11-04 07:44:37 0 d-----w- c:\program files\EasyDVDRip
2009-10-28 05:00:56 0 d-----w- c:\docume~1\johnco~1\applic~1\CameraWindowDC
2009-10-28 05:00:54 0 d-----w- c:\docume~1\johnco~1\applic~1\CANON INC
2009-10-28 04:59:40 0 d-----w- c:\docume~1\johnco~1\applic~1\ZoomBrowser EX
2009-10-28 04:52:02 0 d-----w- c:\docume~1\alluse~1\applic~1\ZoomBrowser
2009-10-24 03:34:16 0 d-----w- c:\program files\common files\Canon
2009-10-23 04:11:15 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2009-10-19 23:53:44 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37:11 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-09-25 05:37:11 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-09-25 05:37:10 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-09-25 05:37:09 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-25 05:37:09 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2009-09-22 06:46:02 53600 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 23:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2005-06-03 17:25:40 56 --sh--r- c:\windows\system32\AF0A0D3EDA.sys
2007-09-19 04:00:04 952 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 16:15:25.68 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:01:03 PM

Posted 25 November 2009 - 02:39 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please post a fresh DDS Log

MalWare Removal University Master

Member of ASAP
unite_Invision.png


#3 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:01:03 PM

Posted 28 November 2009 - 12:53 PM

johnconley? Do you still need help?

MalWare Removal University Master

Member of ASAP
unite_Invision.png


#4 johnconley

johnconley
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:03 PM

Posted 28 November 2009 - 06:40 PM

Yes, I still need help, thankyou. I will be returning home to my desktop tomorrow. I will post a new log then. Thanks again.

#5 johnconley

johnconley
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:03 PM

Posted 30 November 2009 - 12:21 AM

I must say that I returned home after the holidays and booted my computer. I tried to open firefox and the system froze and I got the dreaded blue screen. I rebooted and it seems fine. Just thought you should know. Here is my new DDS result:


DDS (Ver_09-11-29.01) - NTFSx86
Run by John Conley at 0:05:11.21 on 11/30/09
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.53 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\John Conley\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cnn.com/
uSearch Page =
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page =
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.7\NppBho.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.7\UIBHO.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [AROReminder] c:\program files\advanced registry optimizer\aro.exe -rem
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec

shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\johnco~1\applic~1\mozilla\firefox\profiles\ocsdxj6s.default\
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation

foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-13 11608]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-13 55656]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-30 102448]

=============== Created Last 30 ================

2009-11-24 20:09:21 0 d-----w- c:\program files\Guitar Pro 5
2009-11-17 20:07:34 0 d-----w- C:\Sun
2009-11-17 18:05:10 0 d-----w- c:\program files\Trend Micro
2009-11-15 18:10:35 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-15 02:17:57 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-14 21:47:13 0 d-----w- c:\docume~1\johnco~1\applic~1\Sammsoft
2009-11-14 21:45:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-14 21:45:31 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-14 21:45:00 0 d-----w- c:\program files\Advanced Registry Optimizer
2009-11-14 21:43:01 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-14 21:42:12 0 d-----w- c:\program files\Lavasoft
2009-11-13 19:05:14 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-13 19:05:11 0 d-----w- c:\program files\Avira
2009-11-13 19:05:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2009-11-12 17:50:20 0 d-----w- c:\windows\system32\wbem\Repository
2009-11-09 01:04:14 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2009-11-04 20:49:49 0 d-----w- c:\documents and settings\john conley\.dvdcss
2009-11-04 20:48:26 0 d-----w- c:\program files\Digiarty
2009-11-04 18:13:26 0 d-----w- c:\program files\Xilisoft
2009-11-04 07:44:51 4672 ----a-w- c:\windows\system\WOWPOST.EXE
2009-11-04 07:44:51 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2009-11-04 07:44:51 16512 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2009-11-04 07:44:50 5600 ----a-w- c:\windows\system\WINASPI.DLL
2009-11-04 07:44:49 0 d-----w- c:\program files\XviD
2009-11-04 07:44:48 641021 ----a-w- c:\windows\unins000.exe
2009-11-04 07:44:48 414 ----a-w- c:\windows\system32\Lame_acm.xml
2009-11-04 07:44:48 200192 ----a-w- c:\windows\system32\LameACM.acm
2009-11-04 07:44:48 187904 ----a-w- c:\windows\system32\Lame.exe
2009-11-04 07:44:48 1677 ----a-w- c:\windows\unins000.dat
2009-11-04 07:44:48 166912 ----a-w- c:\windows\system32\Lame_enc.dll
2009-11-04 07:44:37 0 d-----w- c:\program files\EasyDVDRip

==================== Find3M ====================

2009-10-19 23:53:44 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37:11 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-09-25 05:37:11 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-09-25 05:37:10 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-09-25 05:37:09 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-25 05:37:09 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2009-09-22 06:46:02 53600 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2005-06-03 17:25:40 56 --sh--r- c:\windows\system32\AF0A0D3EDA.sys
2007-09-19 04:00:04 952 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 0:13:50.31 ===============

Attached Files



#6 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:01:03 PM

Posted 30 November 2009 - 02:36 PM

Step # 1:Remove one of your Anti Virus programs.

You are operating your computer with multiple Anti Virus programs running in memory at once:

Avira AntiVir Personal - Free Antivirus

Norton 360


Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

Please remove one of them.


Step # 2: Disable Teatimer

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

This is a two step process.
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the version 1.5 or 1.6, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.

Since you reported having problems with RootRepeal we'll try a different rootkit scanner.


Step # 3: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click No.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.

MalWare Removal University Master

Member of ASAP
unite_Invision.png


#7 johnconley

johnconley
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:03 PM

Posted 01 December 2009 - 11:07 AM

I downloaded Avira AntiVir after I got this infection because norton was somehow disabled and would not open regardless of rebooting my computer. I thought I had removed it but I guess not. I tried to remove it three times and the unintsaller stopped responding each time when the progress bar was filled. So I removed Avira. When I ran the gmer, I got a preliminary log and a log after I pressed the scan button. I saved both:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit quick scan 2009-12-01 02:10:02
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\JOHNCO~1\LOCALS~1\Temp\pxlirfog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\00000357 -> \Driver\atapi \Device\Harddisk0\DR0 8334A170

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

And here is the second

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-01 10:55:00
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\JOHNCO~1\LOCALS~1\Temp\pxlirfog.sys


---- System - GMER 1.0.15 ----

SSDT 82DB1230 ZwConnectPort
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF868887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF8688BFE]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\System32\DRIVERS\mohfilt.sys entry point in "init" section [0xF89B3760]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

#8 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:01:03 PM

Posted 01 December 2009 - 02:35 PM

Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.

MalWare Removal University Master

Member of ASAP
unite_Invision.png


#9 johnconley

johnconley
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:03 PM

Posted 01 December 2009 - 04:12 PM

I can't find Norton 360 anywhere on my computer except for add/remove programs and it will not remove. So, therefore, I'm not sure if I can disable it. I can't find anything that says its running but you said one of my logs identified it. I will have to try the combo fix without disabling it.

#10 johnconley

johnconley
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:03 PM

Posted 01 December 2009 - 04:26 PM

Nope, it won't let me continue. I cannot find Norton in a c:\ search, not in my system tray, not in my processes; no .exe files in my program files. I have no idea how it is still running but the combofix warning confirms it. Any ideas?

#11 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:01:03 PM

Posted 02 December 2009 - 12:31 AM

Let's try running ComboFix from Safe Mode.


You can go in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.


Once ComboFix has finished its run, post the ComboFix Log back here in your next post/reply.

MalWare Removal University Master

Member of ASAP
unite_Invision.png


#12 johnconley

johnconley
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:03 PM

Posted 02 December 2009 - 03:44 PM

Norton is also running in safe mode, combofix will not run

#13 johnconley

johnconley
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:03 PM

Posted 02 December 2009 - 07:10 PM

I cannot disable Norton. I ran the scan anyway, here it is.

ComboFix 09-12-01.01 - John Conley 12/02/09 16:14.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.163 [GMT -5:00]
Running from: c:\documents and settings\John Conley\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\John Conley\My Documents\ZbThumbnail.info
c:\windows\run.log
c:\windows\system32\Data

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SVCPROC


((((((((((((((((((((((((( Files Created from 2009-11-02 to 2009-12-02 )))))))))))))))))))))))))))))))
.

2009-11-24 20:09 . 2009-11-24 20:09 -------- d-----w- c:\program files\Guitar Pro 5
2009-11-17 20:07 . 2009-11-17 20:07 -------- d-----w- C:\Sun
2009-11-17 18:05 . 2009-11-17 18:05 -------- d-----w- c:\program files\Trend Micro
2009-11-15 18:10 . 2009-11-15 18:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-15 02:17 . 2009-11-14 21:44 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-14 21:47 . 2009-11-14 21:47 -------- d-----w- c:\documents and settings\John Conley\Application Data\Sammsoft
2009-11-14 21:45 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-14 21:45 . 2009-11-14 21:44 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-14 21:45 . 2009-11-14 21:45 -------- d-----w- c:\program files\Advanced Registry Optimizer
2009-11-14 21:43 . 2009-11-14 21:43 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-14 21:43 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-14 21:42 . 2009-11-14 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-14 21:42 . 2009-11-14 21:42 -------- d-----w- c:\program files\Lavasoft
2009-11-13 19:05 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-12 17:50 . 2009-11-12 17:50 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-12 17:49 . 2009-11-12 17:49 -------- d-----w- c:\program files\NOS
2009-11-12 17:49 . 2009-11-12 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-11 01:04 . 2009-11-11 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-09 01:04 . 2009-11-09 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-11-04 20:49 . 2009-11-04 21:20 -------- d-----w- c:\documents and settings\John Conley\.dvdcss
2009-11-04 20:48 . 2009-11-04 20:48 -------- d-----w- c:\program files\Digiarty
2009-11-04 18:14 . 2009-11-04 18:14 -------- d-----w- c:\documents and settings\John Conley\Application Data\dvdcss
2009-11-04 18:13 . 2009-11-04 18:13 -------- d-----w- c:\program files\Xilisoft
2009-11-04 07:44 . 2009-11-04 17:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-04 07:44 . 2009-10-23 01:33 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2009-11-04 07:44 . 2009-10-23 01:33 16512 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2009-11-04 07:44 . 1999-09-10 17:06 4672 ----a-w- c:\windows\system\WOWPOST.EXE
2009-11-04 07:44 . 1999-09-10 17:06 5600 ----a-w- c:\windows\system\WINASPI.DLL
2009-11-04 07:44 . 2009-11-04 07:44 -------- d-----w- c:\program files\XviD
2009-11-04 07:44 . 2009-11-04 07:44 1677 ----a-w- c:\windows\unins000.dat
2009-11-04 07:44 . 2009-11-04 07:44 641021 ----a-w- c:\windows\unins000.exe
2009-11-04 07:44 . 2004-07-26 17:12 166912 ----a-w- c:\windows\system32\Lame_enc.dll
2009-11-04 07:44 . 2004-07-26 17:12 187904 ----a-w- c:\windows\system32\Lame.exe
2009-11-04 07:44 . 2009-11-04 07:44 -------- d-----w- c:\program files\EasyDVDRip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-02 20:48 . 2004-09-26 18:40 -------- d-----w- c:\program files\Symantec
2009-12-01 04:12 . 2004-09-26 18:40 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-01 04:12 . 2004-09-26 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-24 21:46 . 2009-11-14 21:44 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-11-24 21:46 . 2009-11-14 21:44 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-11-24 21:46 . 2009-11-14 21:44 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-11-24 20:11 . 2004-09-26 18:48 64456 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-24 18:16 . 2005-01-13 17:52 -------- d-----w- c:\program files\Dell AIO Printer A920
2009-11-18 19:25 . 2009-10-28 05:00 -------- d-----w- c:\documents and settings\John Conley\Application Data\CameraWindowDC
2009-11-17 19:57 . 2004-09-26 18:27 -------- d-----w- c:\program files\Java
2009-11-17 19:48 . 2007-10-12 17:34 -------- d-----w- c:\documents and settings\John Conley\Application Data\Move Networks
2009-11-15 19:36 . 2004-10-01 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-14 21:44 . 2009-11-14 21:44 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-11-14 21:44 . 2009-11-14 21:44 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2009-11-14 21:44 . 2009-11-14 21:44 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-11-14 21:44 . 2009-11-14 21:44 283944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Vipre.dll
2009-11-14 21:44 . 2009-11-14 21:44 212480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2009-11-14 21:44 . 2009-11-14 21:44 1223976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2009-11-14 21:44 . 2009-11-14 21:44 242984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2009-11-14 21:44 . 2009-11-14 21:44 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-11-09 03:50 . 2009-10-28 04:59 -------- d-----w- c:\documents and settings\John Conley\Application Data\ZoomBrowser EX
2009-10-28 05:00 . 2009-10-28 05:00 -------- d-----w- c:\documents and settings\John Conley\Application Data\CANON INC
2009-10-28 04:55 . 2008-08-26 17:59 -------- d-----w- c:\program files\Canon
2009-10-28 04:52 . 2009-10-28 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-10-24 03:34 . 2009-10-24 03:34 -------- d-----w- c:\program files\Common Files\Canon
2009-10-23 04:12 . 2009-10-23 04:11 -------- d-----w- c:\program files\iTunes
2009-10-23 04:11 . 2005-01-14 17:11 -------- d-----w- c:\program files\iPod
2009-10-23 04:11 . 2007-07-17 17:28 -------- d-----w- c:\program files\Common Files\Apple
2009-10-23 04:05 . 2009-10-23 04:05 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-25 05:37 . 2004-02-06 23:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-22 18:45 . 2009-09-22 18:45 152576 ------w- c:\documents and settings\John Conley\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-22 06:46 . 2009-09-22 06:46 53600 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-11 14:18 . 2004-03-19 22:40 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2009-09-22 19:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-09-22 19:14 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-03-30 01:48 58880 ----a-w- c:\windows\system32\msasn1.dll
2005-06-03 17:25 . 2005-06-03 17:25 56 --sh--r- c:\windows\SYSTEM32\AF0A0D3EDA.sys
2007-09-19 04:00 . 2007-08-22 19:34 952 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"AROReminder"="c:\program files\Advanced Registry Optimizer\aro.exe" [2009-10-22 2132480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2004-04-15 270336]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-07-18 116072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\SYSTEM32\WDBtnMgr.exe [2008-12-20 339968]
"P17Helper"="P17.dll" - c:\windows\SYSTEM32\P17.dll [2004-06-10 60928]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CCALib8"=2 (0x2)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"idsvc"=3 (0x3)
"DSBrokerService"=3 (0x3)
"comHost"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"ERSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [11/14/09 4:45 PM 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/24/09 6:17 AM 1184912]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [08/30/09 1:56 PM 102448]
S3 rootrepeal2;rootrepeal2;\??\c:\windows\system32\drivers\rootrepeal2.sys --> c:\windows\system32\drivers\rootrepeal2.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-12-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 21:45]

2009-12-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
FF - ProfilePath - c:\documents and settings\John Conley\Application Data\Mozilla\Firefox\Profiles\ocsdxj6s.default\
FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-DVDLauncher - c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-02 16:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\System32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\fxssvc.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Dell AIO Printer A920\dlbkbmon.exe
c:\windows\system32\Rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-12-02 17:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-02 22:03

Pre-Run: 52,986,871,808 bytes free
Post-Run: 53,298,872,320 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 1F16037F9E37444F235A5D0E305D0A62

#14 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:01:03 PM

Posted 02 December 2009 - 10:31 PM

I cannot disable Norton. I ran the scan anyway, here it is.


Ok. Its preferable when running ComboFix that the AV and other Anti-Spyware/Malware tools are disabled so that they don't interfere with ComboFix. However, I don't see anything in the ComboFix Log that shows that the enabled Norton interfered with it.



Registry Cleaners

Re. Advanced Registry Optimizer

I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on regcleaners:

Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems. The point we are trying to make is that the risk of using one far outweighs any benefit. If it does work perfectly you will not see any difference. If it doesn't work properly you may end up with an expensive doorstop.


http://forums.whatthetech.com/Regcleaner_t42862.html

I recommend that you uninstall Advanced Registry Optimizer from your computer.



Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u17.
  • Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Remove the following old versions of Java:

  • Java 2 Runtime Environment, SE v1.4.2_03

    Java 2 Runtime Environment, SE v1.4.2_05

    J2SE Runtime Environment 5.0 Update 4

    J2SE Runtime Environment 5.0 Update 10

    J2SE Runtime Environment 5.0 Update 11

    Java™ 6 Update 15


  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • From your desktop double-click on the download to install the newest version.


Step # 2 Run CCleaner

CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!
  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 24 hours
  • Then select the items you wish to clean up.
  • In the Windows Tab:
  • Clean all entries in the Internet Explorer section except Cookies
  • Clean all the entries in the Windows Explorer section
  • Clean all entries in the System section
  • Clean all entries in the Advanced section
  • Clean any others that you choose
  • In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it
  • Clean all in the Opera section if you use it
  • Clean Sun Java in the Internet Section
  • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO


Step # 3 Run Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware.
  • Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
  • Next click the Scanner tab and select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.

In your next post/reply, I need to see the following:

1. MalwareBytes' Log
2. A fresh DDS Log

MalWare Removal University Master

Member of ASAP
unite_Invision.png


#15 johnconley

johnconley
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:03 PM

Posted 03 December 2009 - 01:09 PM

Ok, all of that is done. Here is my new DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by John Conley at 13:06:27.93 on 12/03/09
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.178 [GMT -5:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\John Conley\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cnn.com/
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\johnco~1\applic~1\mozilla\firefox\profiles\ocsdxj6s.default\
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-14 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-30 102448]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090921.002\NAVENG.SYS [2009-9-21 84912]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090921.002\NAVEX15.SYS [2009-9-21 1323568]
S3 rootrepeal2;rootrepeal2;\??\c:\windows\system32\drivers\rootrepeal2.sys --> c:\windows\system32\drivers\rootrepeal2.sys [?]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-7-17 108904]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-7-17 108904]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-12-8 1251720]

=============== Created Last 30 ================

2009-12-03 17:31:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-12-02 21:02:13 0 d-sha-r- C:\cmdcons
2009-12-02 20:58:20 98816 ----a-w- c:\windows\sed.exe
2009-12-02 20:58:20 77312 ----a-w- c:\windows\MBR.exe
2009-12-02 20:58:20 260608 ----a-w- c:\windows\PEV.exe
2009-12-02 20:58:20 161792 ----a-w- c:\windows\SWREG.exe
2009-12-01 19:52:41 34016314 ----a-w- C:\01 Yocomico.wav
2009-11-24 20:09:21 0 d-----w- c:\program files\Guitar Pro 5
2009-11-17 20:07:34 0 d-----w- C:\Sun
2009-11-17 18:05:10 0 d-----w- c:\program files\Trend Micro
2009-11-15 18:10:35 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-15 02:17:57 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-14 21:45:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-14 21:45:31 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-14 21:43:01 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-14 21:42:12 0 d-----w- c:\program files\Lavasoft
2009-11-13 19:05:14 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-12 17:50:20 0 d-----w- c:\windows\system32\wbem\Repository
2009-11-09 01:04:14 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2009-11-04 20:49:49 0 d-----w- c:\documents and settings\john conley\.dvdcss
2009-11-04 20:48:26 0 d-----w- c:\program files\Digiarty
2009-11-04 18:13:26 0 d-----w- c:\program files\Xilisoft
2009-11-04 07:44:51 4672 ----a-w- c:\windows\system\WOWPOST.EXE
2009-11-04 07:44:51 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2009-11-04 07:44:51 16512 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2009-11-04 07:44:50 5600 ----a-w- c:\windows\system\WINASPI.DLL
2009-11-04 07:44:49 0 d-----w- c:\program files\XviD
2009-11-04 07:44:48 641021 ----a-w- c:\windows\unins000.exe
2009-11-04 07:44:48 414 ----a-w- c:\windows\system32\Lame_acm.xml
2009-11-04 07:44:48 200192 ----a-w- c:\windows\system32\LameACM.acm
2009-11-04 07:44:48 187904 ----a-w- c:\windows\system32\Lame.exe
2009-11-04 07:44:48 1677 ----a-w- c:\windows\unins000.dat
2009-11-04 07:44:48 166912 ----a-w- c:\windows\system32\Lame_enc.dll
2009-11-04 07:44:37 0 d-----w- c:\program files\EasyDVDRip

==================== Find3M ====================

2009-12-03 17:30:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-19 23:53:44 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-09-25 05:37:11 667136 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:37:11 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-09-25 05:37:11 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-09-25 05:37:10 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-09-25 05:37:09 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-25 05:37:09 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2009-09-22 06:46:02 53600 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2005-06-03 17:25:40 56 --sh--r- c:\windows\system32\AF0A0D3EDA.sys
2007-09-19 04:00:04 952 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 13:07:20.84 ===============

Attached Files






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users