Unknown infection scans don't work - acting strange

Hi this is has also been mentioned at the following post- this is the vista machine

http://www.bleepingcomputer.com/forums/t/272251/stop-cross-infection-from-external-hard-drive/

I placed a hack this log up for here but have pulled the thread as the machine has been clean installed and doesn't seem to have any issues I will copy and paste the rundown from this thread and add to it. This is the first infection machine. This machine most likely hasn't been connected to the internet since September. Just before i gave it to a friend it was running normally at this time. I did uninstall a whole lot of programs at that time so if you need to know what they are let me know.

http://www.bleepingcomputer.com/forums/topic272935.html

What the infection does

It travels through usb and cd or dvd. It will autorun on the drive and attach itself to everything that enters the drive. It will cause the computer to type backwards and you are unable to select and open everything the high lighting will flash backwards and forward between several things makes it hard to run things. The infection first appeared when i plugged in a usb to back some data up quickly on another machine after i spelt water on the keyboard. I put the behavior down to the water not an infection. (this is the vista machine is very sick which we will deal with after this one) Unaware i stupidly plugged the usb into this computer a couple of weeks ago with an external hard drive attached.


Scans that i have used with no detection at all

Malwarebytes
Kapersky online scanner
trendmirco housecall
spyblot
avast



I tried using the rootrepeal on this machine but has encounted and error


i have had to type these logs off so if you question something i will doublecheck i have typed it correctly

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (ver_09-10-26.01)

Microsoft windows Vista Home Basic
Boot Device: \Device\Harddiskvolume1
Intall Date: 4/03/2009 11:08:41 PM
System uptime 21/11/2009 4:57:16 PM (1 hours ago)

Motherboard: Acer, Inc | | Prespa1
Processor: Intel ® Celeron M CPU 430 @ 1.73GHz | U2E1 | 1733/133mhz


=====Disk Partitions============================

C: is FIXED (NTFS) - 75 gIb total 47.692 GiB free.
D: is CDROM ()

=====Disabled Device Manager Items=============

=====System Restore Points=======

=====Installed Programs=====================

Acer Arcade
Acer Empowering Technology
Acer eNet Management
Acer ePower Management
Acer ePresentation Management
Acer Gridvista
Acer Mobility Centre Plug-In
Acer OrbiCam
Acer Orbicam
Acrobat.com
Ad-Aware
Adobe Flash Player 10 Activex
Adobe Flash player 10 Plugin
Adobe Reader 9.1.3
Agere Systems HDA Modem
avast! Antivirus
CCleaner (remove only)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (kb+58484
Java™ 6 Update 15
LightScribe 1.4.136.1
Malwarebytes Anti-Malware
Microsoft .Net Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office Access MUI (English)2007
Microsoft Office Access Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Metadata MUI (English) 2007
Microsoft Office Infopath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (Frence) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Mozilla Firefox (3.5.2)
MSXML 4.0 SP2 (KB954430)
NTI Backup Now! 4.7
NTI CD & DVD-Maker
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Spelling Dictonary Support For Adobe Reader 9
Spy - Search & Destroy
Synaptics Pointer Device Driver
Texas Instrument PCIxx21/x515/xx12 drivers.
TIPCI
Update for Microsoft .NET Framework 3.5 SP1
VC 9.0 Runtime
Visual C++ 2008 X86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01

DDS (ver_09-10-26.01) NTFSx86
Run by Vickie at 16:59:57.14 on Sat 21/11/2009
Internet Explorer: 8.0.6001.18813 BrowersJavaVersion: 1.6.0_15
Microsoft Windows Vista Home Basic 6.0.6000.0.1252.61.1033.18.2038.1343 [GMT 11:00]

AV: avast! antivirus 4.81229 [VPS 091120-1] *On-access scanning enabled* (Updated) {7591db91-41FO-48A3-B128-1A293FD8233D}
SP: Spyblot - Search and Destroy *disabled* (outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft AD-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (outdated) {d68ddc3a-831f-4FAE-9E44-DA132C1ACF46}
SP: avast! antivirus 4.8.1229 [VPS 091120-1] *enabled* (updated) {759DB91-41FO-48A3-B128-1A293FD8233D}

============Running Processes ================
c:\windows\system32\wininit.exe
c:\windows\system32\lsm.exe
c:\windows\system32\svchost.exe -k DcomLaunch
c:\windows\system32\svchost.exe -k rpcss
c:\windows\system32\svchost.exe -k secsvcs
c:\windows\system32\svchost.exe -k LocalserviceNetworkRestricted
c:\windows\system32\svchost.exe -k LocalSystemNetworkrestricted
c:\windows\system32\svchost.exe -k netsvcs
c:\windows\system32\svchost.exe -k GPSvcGroup
c:\windows\system32\SLsvc.exe
c:\windows\servicing\TrustedInstaller.exe
C:\windows\system32\svchost.exe -k LocalService
c:\windows\system32\svchost.exe -k Networkservice
c:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
c:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
c:\windows\system32\spoolsv.exe
c:\windows\system32/svhost.exe -k LocalServiceNoNetwork
c:\Program Files\Alwil Software\Avast4\setup\avast.setup
c:windows\system32\agrsmsvc.exe
c:\Acer\mobility Centre\MobilityService.exe
c:\windows\system32\SearchIndexer.exe
c:\Program Files\Spyblot - Search & Destroy\SDWinSec.exe
c:\Program Files\Alwil software\Avast4\ashwebSv.exe
c:\windows\system32\wbem\unsecappp.exe
c:\Program Files\Alwil software\Avast4\ashwebSv.exe
c:\windows\system32\wbem\wmiprvse.exe
c:\windows\system32\userinit.exe
c:\windows\system32\Dwn.exe
c:\windows\Explorer.EXE
c:\Program Files\Alwil Software\Avast4\ashDisp.exe
c:\Program Files\Synaptics\SynTP\SyTPEnh.exe
c:\windows\RtHDVCpl.exe
c:\windows\System32\igfxpers.exe
c:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
c:\Program Files\Java\jre6\bin\jusched.exe
c:\windows\sustem32\taskeng.exe
c:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
c:windows\system32\igfxsrvc.exe
c:windows\system32\DllHost.exe
c:windows\system32\DllHost.exe
c:User\vickie\Desktop\dds.scr
c:\windows\system32\wbem\wmiprvse.exe


=========================Pseudo HJT Report=============
uStart Page = hxxp://ninemsn.com.au/
uSEARCH PAGE = hxxp://us.rd.yahoo.com/customize/ycomp/defaults\sp/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Page_URL = Hxxp://www.ninemsn.com.au
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uInternet settings ,ProxyOverride = .local
uSearchURL, (Default)= Hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://ww.yahoo.com
uURLSearchHooks:Yahoo! Toolbar: {ef99bd32-c1fb-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper:{18ddf081c-e8ad-4283-a596-fa578c2ebdc3} -C:\program files\common files\adobe\acrobat\activex\AcroIEHelpShin.dll
BHO: Spyblot-S&D IE protection: {53707962-6f74-2d53-2644-206d7942484f} -c:program files\spybot - search & destroy\SDHelper.dll
BHO: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No File
BHO: Jave™Plug-In 2 ssv Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun: [avast!] c:/progra-1\alwils-1\avast4\ashDisp.exe
mRun: [MSConfig] "c:windows\system32\msconfig.exe" /auto
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Acer product Registration] "c:\program files\acer registration\ACE1. exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
IE: E&xport to Microsoft Excel - c:\progra-1\micros-2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdpscamdel.exe
IE: {2670000a-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\proga-1\micros-2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\proga-1\micros-2\office12\BEFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB39FD2A2} - [53707962-6F74-2D53-2644-206D7942484F} - C:\program files\spyblot - search & destroy\SDHelp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update.1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: igfxcui - igfxdev.dll


==============FIREFOX================================
FF - Profilepath - c:\users\vickie\appdata\roaming\mozilla\firefox\profiles
FF - Plugin: c:\program files\ mozilla firefox\plugins\nppdf32 (2).dll
FF - Hiddenextension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassisstextension\
FF - Hiddenextension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Hiddenextension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Hiddenextension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

------FIREFOX POLICIES-------------
FF - user.js: yahoo.homepage.dontask - true
===========SERVICES / DRIVERS

R0 Lbd;Lbd; c:\windows\system32\drivers\Lbd.sys [2009-7-6 64161]
R1 aswSP;abast! Self Protection;c:windows\system32\drivers\aswSP.sys[2009-3-4 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-4 51280]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMONFlt.sys [2009-3-4 51280}
S3 s0017bus;sony Ericsson Device 0017 driver (wdm);c:\windows\system32\drivers\s0017bus.sys [2009-3-4 90536]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [2009-3-4 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem driver;c:\windows\system32\drivers\s0017mdm.sys [2009-3-4 122152]
S3 s0017mgmt;sony Ericsson Device 0017 USB Device Management Drivers (WDM);C:\windows\system32\drivers\s0017mgmt.sys [2009-3-4 115496]
S3 s0017nd5;sony Ericsson Device 0017 USB Etherenet Emulation SEMc0017 (NDIS);c:\windows\system32drivers\s0017nd5.sys [2009-3-4 25768]
s3 s0017obex;Sony Ericsson Decice 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [2009-3-4 111912]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);C:\windows\system32\drivers\s0017unic.sys [2009-3-4 117672]

===============Created Last 30===============

2009-11-20 00:00:27 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-11-19 23:59:56 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-11-19 23:59:39 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-11-19 23:59:39 171608 ----a-w- c:\windows\system32\wuwebv.dll

===============Find3M=======================

2009-09-09 05:03:59 86016 ----a-w- c:\windows\inf\infstor.dat
2009-09-09 05:03:59 56016 ----a-w- c:\windows\inf\infpub.dat
2009-09-09 05:03:59 143360 ----a-w- c:\windows\infstrin.dat
2009-08-29 03:41:42 1686528 ----a-w- c:\windows\gameux.dll
2009-08-29 03:40:31 28672 ----a-w- c:\windows\systemsApphlpdm.dll
2009-08-28 23:21:54 4247552 ----a-w- c:\windows\Apphlpdm.dll
2009-03-04 03:17:41 174 --sha-w- c:\windows\destop.ini
2009-03-04 03:14:00 665600 ----a-w- c:\windows\drvindex.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-04-28 00:44:42 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history\.ie5\index.dat
2009-04-28 00:44:42 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-04-28 00:44:42 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-04-26 05:11:19 16384 --sha-w- C:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-04-26 05:11:19 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\temporary internet files\content.ie5\index.dat
2009-04-26 05:11:19 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\cookies\index.dat
2009-04-26 05:11:19 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\ietdcache\index.dat
2009-06-11 05:07:59 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

=========FINISH 17:02:01.77===============================

cheers

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
• Notepad will open with the results.
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

ok that was a nightmare. Final got the logs in safe mode. the machine is typing backwards and flashing when selecting. You won't open what is intended and i am having problems getting past uac or can't select run as administrator. when i go to click allow it will click cancel. i have had to email the logs off the computer can't access any thing on a webpage unless it is on the top of the page as it won't allow me to scroll down..

Here are the logs

thanks you in advance

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume1
Install Date: 4/03/2009 11:08:41 PM
System Uptime: 30/11/2009 8:09:28 PM (0 hours ago)

Motherboard: Acer, Inc. | | Prespa1
Processor: Intel® Celeron® M CPU 430 @ 1.73GHz | U2E1 | 1733/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 49.04 GiB free.
D: is CDROM (UDF)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP326: 9/09/2009 4:12:39 PM - Windows Update
RP328: 9/09/2009 5:08:06 PM - Installed Microsoft Office Enterprise 2007
RP329: 20/11/2009 10:59:26 AM - Windows Update
RP330: 24/11/2009 4:27:05 PM - Scheduled Checkpoint

==== Installed Programs ======================

Acer Arcade
Acer Empowering Technology
Acer eNet Management
Acer ePower Management
Acer ePresentation Management
Acer eSettings Management
Acer GridVista
Acer Mobility Center Plug-In
Acer OrbiCam
Acer OrbiCam
Acer Registration
Acrobat.com
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.3
Agere Systems HDA Modem
avast! Antivirus
CCleaner (remove only)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel® Graphics Media Accelerator Driver
Java™ 6 Update 15
LightScribe 1.4.136.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.2)
MSXML 4.0 SP2 (KB954430)
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC 9.0 Runtime
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01

==== Event Viewer Messages From Past Week ========

30/11/2009 8:11:04 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
30/11/2009 8:10:57 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
30/11/2009 8:10:54 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSP spldr Wanarpv6
30/11/2009 8:10:48 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
24/11/2009 12:53:20 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

==== End Of File ==============


DDS (Ver_09-10-26.01) - NTFSx86 NETWORK
Run by Vickie at 20:11:20.13 on Mon 30/11/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.61.1033.18.2038.1602 [GMT 11:00]

AV: avast! antivirus 4.8.1229 [VPS 091129-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: avast! antivirus 4.8.1229 [VPS 091129-1] *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Vickie\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ninemsn.com.au/
uSEARCH PAGE = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Page_URL = hxxp://www.ninemsn.com.au
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\vickie\appdata\roaming\mozilla\firefox\profiles\b9cq3z92.default\
FF - plugin: c:\program files\mozilla firefox\plugins\nppdf32 (2).dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-6 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-10 1029456]
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-4 78416]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-4 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-3-4 51280]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-7-5 1153368]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [2009-3-4 90536]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [2009-3-4 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [2009-3-4 122152]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [2009-3-4 115496]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [2009-3-4 25768]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [2009-3-4 111912]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [2009-3-4 117672]

=============== Created Last 30 ================

2009-11-20 00:00:27 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-11-19 23:59:56 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-11-19 23:59:39 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-11-19 23:59:39 171608 ----a-w- c:\windows\system32\wuwebv.dll

==================== Find3M ====================

2009-09-09 05:03:59 86016 ----a-w- c:\windows\inf\infstor.dat
2009-09-09 05:03:59 86016 ----a-w- c:\windows\inf\infpub.dat
2009-09-09 05:03:59 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-03-04 03:17:41 174 --sha-w- c:\program files\desktop.ini
2009-03-04 03:14:00 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-04-28 00:44:42 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-04-28 00:44:42 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-04-28 00:44:42 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-04-26 05:11:19 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-04-26 05:11:19 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-04-26 05:11:19 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-04-26 05:11:19 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-06-11 05:07:59 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 20:13:02.47 ===============

Hello, vicvic2 and again
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fixing your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:

• Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
• If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
• Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
• Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
• Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
• Please set your system to show all files.
  Click Start, open My Computer, select the Tools menu and click Folder Options.
  Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
  Uncheck: Hide file extensions for known file types
  Uncheck the Hide protected operating system files (recommended) option.
  Click Yes to confirm.

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
• Now click the Scan button. If you see a rootkit warning window, click OK.
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
• Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

i will post the logs tomorrow after 5 oz time when i get home from work

how do i set vista to show all files. Is it the same as windows 7 and can i do it in safe mode

thank you so much schrauber

Edited by vicvic2, 01 December 2009 - 06:39 AM.

OK, thanks for letting me know .

Hi Tom

Ok i ran the gmer scan. I had to do it in safe mode. I am a little unsure if i managed to turn off avast, as there was no icon on the task bar to turn it off, I can't access services to turn it off there. I did manage to show all files and there a document sitting on my desktop called ~$ndilan.doc

There are a couple of other things you should know.

The computer is emergency beeping at start up and windows firewalls isn't start straight up. When i turn it on it will then get no internet access. I don't know if the firewall has anything to do with it but i use to run Zonealarm free and i removed it with the removal tool before i gave the computer to my friend.

thanks again for your help

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-02 06:02:47
Windows 6.0.6000
Running: x7wegfjf.exe; Driver: C:\Users\Vickie\AppData\Local\Temp\kwldqpow.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

---- EOF - GMER 1.0.15 ----

Edited by vicvic2, 01 December 2009 - 03:15 PM.

Hi,



Step 1

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

• The application window will appear
• Click the Disable button to disable your CD Emulation drivers
• Click Yes to continue
• A 'Finished!' message will appear
• Click OK
• DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.





Step 2

Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.

• When finished, it will produce a report for you.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Tom

if i disable the cd drives i can't get the programs on the computer i have been downloading them on a clean machine and transfering them. I can't download to the machine as i can't scroll down a internet page . If i do scroll down an internet page. It will stay at the top only. I can only just see the top of this thread can't access anything below that.

I also can't run the programs in normal mode as i can't get through administrator it will always select cancel. In safe mood i by pass this but don't know how to turn avast off. Because it won't let me select avast in either defender or service to shut it down.

I have been able to run the programs by moving them to the top left hand corner of my desktop then they willl select. Nothing else will, on the desktop will run until it is in this position.

thanks for your help

I worked out how to get down the web page

I turned on caret browsing - ( i enabled yesterday by mistake on another computer by mistake) it allows me to use the curser to get down the page

managed to check service by using run. Avast isn't listed as start and in task manager the same thing so i will do the logs now

cheers

vic

Hi Tom

final go avast off i think after about 2 hours of trying

I am having problems with turning avast of in safe mode
Tried disabling in start up - still ran. Can't stop in services as can't select the avast line. There is no blue thing on the task bar in safe mode. I tried to change the lauch setting but can't select the avast on to change to always show. I turned it off in normal then rebooted into safe mode ( can't run combofix in normal mode due to uac. I then just stopped it in normal mode then restarted in safe mode

ran combofix didn't get the warning screens when about paying - got an error about the cd driver click ok and the machine restarted

error is Warning CD emulation drivers are running on this machine. Combofix needs to temporarily disable them

click ok

I then reentered safe mode tried running it again get a c.bat window with

the system cannot find message text for message numbe 0x8 in the message ( off screen the next bit)

sitting on task bar is CD-emulation !!


i have turned the computer off


just found a log for defogg

this is what it saids

defogger_disable by jpshortstuff (28.11.09.2)
Log created at 08.05 on 03/12/2009 (vickie)

checking for autostart Values......
HKCU\~\Run values retrieved
HKLM\~\Run values retrieved

checking for services / drivers.....


any ideas

cheers Vic

Edited by vicvic2, 02 December 2009 - 07:32 PM.

Sorry, cannot follow you really

Can you boot your system in normal mode?

HI

yes i can boot in both modes - I am getting emergency beeping when the drivers are loading. I have prepared some images on another machine to show you what it is doing. To hard to explain in words. Sorry i am only able to supply the links to photobucket - ( I have had this on 3 computers- I have reformatted the other 2)

One other thing it is typing backwards. So if i type " Services" i get " secivreS"

This image is what happens when i try to click anything to open - I have used the control panel as an example but it is the same for the desktop.

http://s857.photobucket.com/albums/ab133/m...sktopupload.png


This image is what happens when i try to select something in a menu

http://s857.photobucket.com/albums/ab133/m...rent=menuup.png

This image is why i can't run combfix etc in normal mode. When i boot into safe mode i by pass this thing. Which allows me to run the program.

http://s857.photobucket.com/albums/ab133/m...loadpicture.png

This image is an example of how far i can scroll down a page ( It is letting me scroll at the moment). It is the same for ie, firefox or a notepad

website screen snap

Hope this helps explain what is going on.

Thank you so much for your help


cheers vicvic2

Edited by vicvic2, 03 December 2009 - 09:28 PM.

Weird

Please have a look if you can find C:\Combofix.txt and post back with the content of the logfile.

This is the only log i could find. There are 2 folders one called "schrauer" the other called "schrauer24681s". In schrauer24681s there was the only txt file i could find called "Resident.txt" I have posted this txt



AV: avast! antivirus 4.8.1229 [VPS 091202-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: avast! antivirus 4.8.1229 [VPS 091202-1] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

thanks

Edited by vicvic2, 04 December 2009 - 08:13 PM.