uacd.sys virus


This topic is locked. 18 replies to this topic.

#1 Bogey644 (Members, 15 posts)

Posted 12 January 2010 - 06:03 PM

I keep receiving pop-up error messages that say something along the lines of "Microsoft Installer is not working", and when I click on "search online for a solution" another text box with an error pops up. When I choose "view what might be the problem" it says uacd.sys prevented it from being run. I cannot download any anti-virus programs. AVG and anything else that goes into my Firefox downloader will not open up, and if it does it disappears at the end of the installation where a generic error message appears (AVG in particular). The Malwarebytes exe won't even open up. I cannot System Restore my computer because it says there is a problem with the disk somewhere, and when I try to go onto Google 75% of the links I click on send me to random search engines or sevendevils.com or some other spam website.

Any help would be extremely appreciated since I'm not very familiar with computers and viruses.

Attached Files

  • ark.txt (76.66KB)

Edited by Bogey644, 12 January 2010 - 07:07 PM.



#2 Bogey644 (Topic Starter, Members, 15 posts)

Posted 14 January 2010 - 03:22 PM

The screen on my laptop has stopped working. I have hooked the computer up to an external monitor; that shut off last night, but I got it working again using RegistryFix. There are random commercials that come blasting out of my speaker every 20 minutes or so about random household products. The internet stopped working for a while during the middle of the night, saying the connection was reset whenever any page was loading, but I got that fixed, temporarily I'm sure. Now there is an "Internet Explorer is not working" text box that pops up all the time. It seems every night something critical happens to the computer in the middle of the night.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Douglas Notebook at 15:15:24.79 on Thu 01/14/2010
Internet Explorer: 8.0.6001.18865 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.842 [GMT -5:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
c:\program files\aim toolbar\aimtbServer.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Vongo\VongoService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\explorer.exe
H:\windows-kb890830-v3.3.exe
d:\fb43bb97688d758ea5e90745\mrtstub.exe
C:\Windows\system32\MRT.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Douglas Notebook\Downloads\dds(3).scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [oovoo.exe] c:\program files\oovoo\oovoo.exe /minimized
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [RegistryMechanic]
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mRunOnce: [TSC] "c:\program files\trend micro\internet security\tsc.exe" /HD
StartupFolder: c:\users\dougla~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\yuuguu.lnk - c:\users\douglas notebook\appdata\roaming\yuuguu\jre\bin\javaw.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vongot~1.lnk - c:\windows\installer\{8c3ae2d1-854d-4650-a73d-c7cc7ee36b80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AIM Toolbar Search - c:\programdata\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\dougla~1\appdata\roaming\mozilla\firefox\profiles\qlxkztij.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - component: c:\users\douglas notebook\appdata\roaming\mozilla\firefox\profiles\qlxkztij.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\douglas notebook\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\douglas notebook\appdata\roaming\mozilla\firefox\profiles\qlxkztij.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

S1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2010-1-12 24856]

=============== Created Last 30 ================

2010-01-14 16:18:15 2388 ----a-w- c:\windows\DCEBOOT.CFG
2010-01-14 16:18:15 10752 ----a-w- c:\windows\DCEBoot.exe
2010-01-14 04:07:59 4075520 ----a-w- c:\users\douglas notebook\s-1-5-21-104634320-519327932-3474550747-1000.rrr
2010-01-14 00:48:57 0 d-----w- c:\program files\Trend Micro
2010-01-14 00:41:18 225808 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2010-01-14 00:41:18 1223832 ----a-w- c:\windows\system32\drivers\vsapint.sys
2010-01-14 00:41:17 89872 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-01-14 00:41:17 59920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-01-14 00:41:17 50704 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-01-14 00:41:17 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2010-01-14 00:41:17 158224 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-13 03:17:17 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 03:17:17 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-12 19:31:30 24856 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2010-01-12 19:07:54 0 d-----w- c:\users\dougla~1\appdata\roaming\AVG8
2010-01-07 15:18:38 0 d-----w- c:\program files\Microsoft Easy Assist
2010-01-07 15:13:42 81736 ----a-w- c:\windows\system32\lmdimon8.dll
2010-01-07 15:12:54 0 d-----w- c:\programdata\Applications
2010-01-04 19:31:14 0 d--h--w- C:\$AVG
2010-01-04 19:29:07 0 d-----w- c:\programdata\avg9
2010-01-04 18:50:15 0 d-----w- c:\programdata\NVIDIA
2010-01-04 18:43:33 0 d-----w- c:\program files\NVIDIA Corporation
2010-01-04 18:37:52 0 d-----w- C:\NVIDIA
2009-12-30 05:38:27 0 d-----w- c:\program files\Veetle

==================== Find3M ====================

2010-01-14 00:49:58 86016 ----a-w- c:\windows\inf\infpub.dat
2010-01-14 00:49:57 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-01-14 00:49:57 143360 ----a-w- c:\windows\inf\infstor.dat
2010-01-04 18:51:20 188252 ----a-w- c:\programdata\nvModes.dat
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-09 12:31:42 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30:03 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-07 07:25:42 206732 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-29 09:17:42 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-11 11:14:37 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-02 01:48:57 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 15:21:16.81 ===============


#3 Bogey644 (Topic Starter, Members, 15 posts)

Posted 14 January 2010 - 03:39 PM

Forgot to attach the second part of the logs. DDS logs are attached to the original post. Thanks so much for any help, this thing is driving me nuts.

Attached Files



#4 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 17 January 2010 - 09:10 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Also, please subscribe to this topic, so you are notified when someone replies. Please continue to check manually on occasion, as every now and then the email may be caught by your spam filter.
To enable topic notifications you should do the following:
  1. Click on the My Controls link at the top of the page to enter your control panel.
  2. Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
  3. Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
  4. Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#5 Bogey644 (Topic Starter, Members, 15 posts)

Posted 20 January 2010 - 02:02 PM

Hi, and thanks so much for the help. I actually cannot access BleepingComputer from the computer that the virus is on. I signed up for an account with that computer, but when I try to access it now it says the server is not found. Every other website works. I am on a secondary computer right now but am not sure how to access the DDS logs etc. when I can't click on the links. Every time I restart my computer another symptom seems to pop up. I have fixed the video problem on my laptop, but now random windows pop up that go to spam websites, and I hear a beeping noise every 30 seconds or so that comes from the computer. This is along with the other symptoms noted above.

I appreciate any help you can provide.

#6 Bogey644 (Topic Starter, Members, 15 posts)

Posted 20 January 2010 - 02:26 PM

I had to save the link from your post to a flash drive, then run it on the other computer and save the result back to the flash drive. Nothing from BleepingComputer will work when I try to go to it on that computer, but here is the DDS log. The other file is uploaded below.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Douglas Notebook at 14:10:53.64 on Wed 01/20/2010
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1016 [GMT -5:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\AIM6\aim6.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\WUDFHost.exe
H:\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [RegistryMechanic]
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mRunOnce: [TSC] "c:\program files\trend micro\internet security\tsc.exe" /HD
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\dougla~1\appdata\roaming\mozilla\firefox\profiles\qlxkztij.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - component: c:\users\douglas notebook\appdata\roaming\mozilla\firefox\profiles\qlxkztij.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\users\douglas notebook\appdata\roaming\mozilla\firefox\profiles\qlxkztij.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\douglas notebook\appdata\roaming\mozilla\firefox\profiles\qlxkztij.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\douglas notebook\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\douglas notebook\appdata\roaming\mozilla\firefox\profiles\qlxkztij.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-1-13 36368]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-1-13 50704]
R3 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2010-1-13 689416]
S1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2010-1-12 24856]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-16 24652]

=============== Created Last 30 ================

2010-01-15 12:06:01 834048 ----a-w- c:\windows\system32\wininet.dll
2010-01-15 12:05:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-14 20:35:50 0 d-----w- c:\programdata\WinZip
2010-01-14 16:18:15 10752 ----a-w- c:\windows\DCEBoot.exe
2010-01-14 04:07:59 4075520 ----a-w- c:\users\douglas notebook\s-1-5-21-104634320-519327932-3474550747-1000.rrr
2010-01-14 00:48:57 0 d-----w- c:\program files\Trend Micro
2010-01-14 00:41:18 225808 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2010-01-14 00:41:18 1223832 ----a-w- c:\windows\system32\drivers\vsapint.sys
2010-01-14 00:41:17 89872 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-01-14 00:41:17 59920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-01-14 00:41:17 50704 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-01-14 00:41:17 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2010-01-14 00:41:17 158224 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-13 03:17:17 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 03:17:17 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-12 19:31:30 24856 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2010-01-12 19:07:54 0 d-----w- c:\users\dougla~1\appdata\roaming\AVG8
2010-01-07 15:18:38 0 d-----w- c:\program files\Microsoft Easy Assist
2010-01-07 15:13:42 81736 ----a-w- c:\windows\system32\lmdimon8.dll
2010-01-07 15:12:54 0 d-----w- c:\programdata\Applications
2010-01-04 19:31:14 0 d--h--w- C:\$AVG
2010-01-04 19:29:07 0 d-----w- c:\programdata\avg9
2010-01-04 18:50:15 0 d-----w- c:\programdata\NVIDIA
2010-01-04 18:43:33 0 d-----w- c:\program files\NVIDIA Corporation
2010-01-04 18:37:52 0 d-----w- C:\NVIDIA
2009-12-30 05:38:27 0 d-----w- c:\program files\Veetle

==================== Find3M ====================

2010-01-14 00:49:58 86016 ----a-w- c:\windows\inf\infpub.dat
2010-01-14 00:49:57 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-01-14 00:49:57 143360 ----a-w- c:\windows\inf\infstor.dat
2010-01-04 18:51:20 188252 ----a-w- c:\programdata\nvModes.dat
2009-11-09 12:31:42 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30:03 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-07 07:25:42 206732 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-29 09:17:42 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-11 11:14:37 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-02 01:48:57 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-22 06:39:34 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 14:14:14.25 ===============


#7 sundavis (Malware Response Team)

Posted 21 January 2010 - 08:51 AM

Hi Bogey644,

Welcome to BleepingComputer HijackThis Logs and Malware Removal.
My name is sundavis, I will be helping you to deal with your Malware problems today.

It seems that the infected computer can't access the internet. You may transfer the necessary files via USB or flash drive to the infected one.

Step1
  1. Go to this thread and Download TDSSKiller.zip to your Desktop.
  2. Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
  3. Start > Run and copy/paste the following bolded command into run box and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  4. If TDSSKiller alerts you that the system needs to reboot, please consent.
  5. When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Step2
  1. If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
  2. Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  3. Note: If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu.
    The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.
  4. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  5. Click Yes to allow Combofix to continue scanning for malware.
  6. When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  7. Do not mouse click on Combofix while it is running. That may cause it to stall.

Step3

Please download Malwarebytes' Anti-Malware from Here or Here
  1. Double Click mbam-setup.exe to install the application.
  2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  3. If an update is found, it will download and install the latest version.
  4. Once the program has loaded, select "Perform Quick Scan", then click Scan.
  5. The scan may take some time to finish, so please be patient.
  6. When the scan is complete, click OK, then Show Results to view the results.
  7. Make sure that everything is checked, and click Remove Selected.
  8. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  9. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  10. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  11. You can refer to this tutorial.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


In your next reply, please post back:

  1. TDSSKiller.txt log
  2. ComboFix log
  3. MBAM log

Thanks.


#8 Bogey644 (Topic Starter)

Posted 22 January 2010 - 03:04 AM

I did not see the file for the rootfix on my C drive, and when I ran it again there were no infections found, but the first time there were 8. Not sure how to retrieve those first logs from before my computer started if they weren't saved.

The combofix logs:

ComboFix 10-01-21.02 - Douglas Notebook 01/21/2010 23:50:28.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.871 [GMT -5:00]
Running from: c:\users\Douglas Notebook\Downloads\ComboFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-104634320-519327932-3474550747-500
c:\$recycle.bin\S-1-5-21-3479462204-694337797-2008332907-500
c:\windows\system32\h8srtkrl32mainweq.dll
c:\windows\system32\h8srtshsyst.dll
c:\windows\system32\service
c:\windows\system32\service\03012010_TIS17_SfFniAU.log
c:\windows\system32\service\04012010_TIS17_SfFniAU.log
c:\windows\system32\service\10102009_TIS17_SfFniAU.log
c:\windows\system32\service\15092009_TIS17_SfFniAU.log
c:\windows\system32\service\17102009_TIS17_SfFniAU.log
c:\windows\system32\service\20062009_TIS17_SfFniAU.log
c:\windows\system32\service\21112009_TIS17_SfFniAU.log
c:\windows\system32\service\24092009_TIS17_SfFniAU.log
c:\windows\system32\service\25072009_TIS17_SfFniAU.log
c:\windows\system32\service\29122009_TIS17_SfFniAU.log
c:\windows\system32\service\31122009_TIS17_SfFniAU.log

.
((((((((((((((((((((((((( Files Created from 2009-12-22 to 2010-01-22 )))))))))))))))))))))))))))))))
.

2010-01-22 05:00 . 2010-01-22 05:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-15 12:06 . 2009-10-27 14:11 834048 ----a-w- c:\windows\system32\wininet.dll
2010-01-15 12:05 . 2009-10-27 13:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-15 02:41 . 2009-12-16 21:05 340992 ----a-w- c:\users\Douglas Notebook\AppData\Roaming\Mozilla\Firefox\Profiles\qlxkztij.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-01-15 02:41 . 2009-12-16 21:05 43008 ----a-w- c:\users\Douglas Notebook\AppData\Roaming\Mozilla\Firefox\Profiles\qlxkztij.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-01-15 02:41 . 2009-12-16 21:05 471040 ----a-w- c:\users\Douglas Notebook\AppData\Roaming\Mozilla\Firefox\Profiles\qlxkztij.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
2010-01-15 02:41 . 2009-12-16 21:05 347136 ----a-w- c:\users\Douglas Notebook\AppData\Roaming\Mozilla\Firefox\Profiles\qlxkztij.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-01-15 02:41 . 2009-12-16 21:05 1452032 ----a-w- c:\users\Douglas Notebook\AppData\Roaming\Mozilla\Firefox\Profiles\qlxkztij.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-01-14 20:35 . 2010-01-14 20:37 -------- d-----w- c:\programdata\WinZip
2010-01-14 17:38 . 2007-10-11 06:06 1140056 ------w- c:\programdata\HP\Installer\Temp\hpzmsi01.exe
2010-01-14 17:38 . 2007-10-11 06:02 1107288 ------w- c:\programdata\HP\Installer\Temp\hpzscr01.EXE
2010-01-14 16:18 . 2010-01-21 20:44 10752 ----a-w- c:\windows\DCEBoot.exe
2010-01-14 00:48 . 2010-01-14 00:49 -------- d-----w- c:\program files\Trend Micro
2010-01-14 00:41 . 2010-01-14 00:41 225808 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2010-01-14 00:41 . 2010-01-14 00:41 1223832 ----a-w- c:\windows\system32\drivers\vsapint.sys
2010-01-14 00:41 . 2010-01-14 00:41 89872 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-01-14 00:41 . 2010-01-14 00:41 59920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-01-14 00:41 . 2010-01-14 00:41 50704 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-01-14 00:41 . 2010-01-14 00:41 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2010-01-14 00:41 . 2010-01-14 00:41 158224 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-14 00:12 . 2010-01-14 00:12 -------- d-----w- c:\users\Douglas Notebook\AppData\Roaming\U3
2010-01-13 03:17 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 03:17 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-12 19:31 . 2010-01-12 21:25 24856 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2010-01-12 19:07 . 2010-01-12 19:07 -------- d-----w- c:\users\Douglas Notebook\AppData\Roaming\AVG8
2010-01-07 15:18 . 2010-01-07 15:18 -------- d-----w- c:\program files\Microsoft Easy Assist
2010-01-07 15:13 . 2009-09-20 20:43 81224 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lmdippr8.dll
2010-01-07 15:13 . 2009-09-20 20:43 81736 ----a-w- c:\windows\system32\lmdimon8.dll
2010-01-07 15:12 . 2010-01-07 15:12 -------- d-----w- c:\programdata\Applications
2010-01-04 19:31 . 2010-01-04 19:31 -------- d-----w- C:\$AVG
2010-01-04 19:29 . 2010-01-12 21:26 -------- d-----w- c:\programdata\avg9
2010-01-04 18:50 . 2010-01-04 18:50 -------- d-----w- c:\programdata\NVIDIA
2010-01-04 18:44 . 2010-01-04 18:45 -------- d-----w- c:\program files\AGEIA Technologies
2010-01-04 18:43 . 2010-01-04 18:46 -------- d-----w- c:\program files\NVIDIA Corporation
2010-01-04 18:37 . 2010-01-04 18:47 -------- d-----w- C:\NVIDIA
2009-12-30 05:38 . 2010-01-04 21:03 -------- d-----w- c:\program files\Veetle

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-21 20:46 . 2008-03-18 19:01 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-21 20:44 . 2007-12-29 23:15 12 ----a-w- c:\windows\bthservsdp.dat
2010-01-15 03:11 . 2007-05-19 10:39 -------- d-----w- c:\programdata\WildTangent
2010-01-15 03:09 . 2007-07-20 15:11 -------- d-----w- c:\program files\Viewpoint
2010-01-15 03:04 . 2009-06-10 18:00 -------- d-----w- c:\program files\AIM Toolbar
2010-01-15 03:04 . 2007-05-19 10:47 -------- d-----w- c:\program files\Vongo
2010-01-15 03:03 . 2007-10-10 23:12 -------- d-----w- c:\program files\Steam
2010-01-15 03:02 . 2009-09-03 03:34 -------- d-----w- c:\program files\ooVoo
2010-01-15 03:02 . 2007-05-19 09:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-15 02:46 . 2008-03-08 17:56 7592 ----a-w- c:\users\Douglas Notebook\AppData\Local\d3d9caps.dat
2010-01-14 17:37 . 2007-05-19 09:45 -------- d-----w- c:\program files\Hewlett-Packard
2010-01-14 00:51 . 2007-07-21 06:38 -------- d-----w- c:\programdata\Trend Micro
2010-01-13 08:04 . 2007-05-19 10:22 -------- d-----w- c:\programdata\Microsoft Help
2010-01-12 21:08 . 2009-02-16 21:13 -------- d-----w- c:\programdata\avg8
2010-01-04 21:08 . 2009-06-21 23:32 -------- d-----w- c:\program files\Bonjour
2010-01-04 21:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-01-04 21:03 . 2009-09-22 17:25 -------- d-----w- c:\program files\iTunes
2010-01-04 21:03 . 2008-11-17 00:56 -------- d-----w- c:\program files\AIM6
2010-01-04 21:02 . 2009-06-08 21:56 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-04 21:02 . 2009-09-02 02:37 -------- d-----w- c:\program files\Common Files\Canon
2010-01-04 20:39 . 2007-07-21 06:38 -------- d-----w- c:\programdata\Trend Micro(76)
2010-01-04 20:39 . 2009-06-21 17:21 -------- d-----w- c:\program files\Trend Micro(32)
2010-01-04 20:10 . 2007-07-21 06:38 -------- d-----w- c:\programdata\Trend Micro(67)
2010-01-04 20:10 . 2009-06-21 17:21 -------- d-----w- c:\program files\Trend Micro(31)
2010-01-04 18:51 . 2009-08-25 06:08 188252 ----a-w- c:\programdata\nvModes.dat
2010-01-04 18:44 . 2007-07-26 03:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-14 18:15 . 2009-10-10 20:21 143976 ----a-w- c:\users\Douglas Notebook\AppData\Roaming\Move Networks\uninstall.exe
2009-11-14 18:15 . 2009-10-15 00:50 5642688 ----a-w- c:\users\Douglas Notebook\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
2009-11-09 12:31 . 2009-12-09 08:35 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-09 08:35 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-09 08:35 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-07 07:25 . 2009-11-07 07:25 206732 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-29 09:17 . 2009-11-25 08:02 2048 ----a-w- c:\windows\system32\tzres.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-05-01 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-01 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-01 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-01-14 1020248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Douglas Notebook^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MLB.TV NexDef Plug-in.lnk]
backup=c:\windows\pss\MLB.TV NexDef Plug-in.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-05-19 05:23 49968 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 15:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2007-06-05 13:12 71176 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2008-04-15 22:54 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 01:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
2008-01-07 20:02 495616 ----a-w- c:\program files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-04-24 01:11 176128 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2007-01-17 03:34 634880 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-01-15 03:03 1217808 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-06-21 02:16 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-11-20 22:34 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-01-15 22:54 37376 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):87,de,9c,14,76,1a,ca,01

R2 tmpreflt;tmpreflt;c:\windows\System32\drivers\tmpreflt.sys [1/13/2010 7:41 PM 36368]
R3 tmevtmgr;tmevtmgr;c:\windows\System32\drivers\tmevtmgr.sys [1/13/2010 7:41 PM 50704]
S1 Avgfwfd;AVG network filter service;c:\windows\System32\drivers\avgfwd6x.sys [1/12/2010 2:31 PM 24856]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmd21
*Deregistered* - klmdb

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-104634320-519327932-3474550747-1000Core.job
- c:\users\Douglas Notebook\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-02 19:52]

2010-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-104634320-519327932-3474550747-1000UA.job
- c:\users\Douglas Notebook\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-02 19:52]

2010-01-22 c:\windows\Tasks\User_Feed_Synchronization-{EE2DF973-7404-4E3F-B6BD-CFC0C30FF200}.job
- c:\windows\system32\msfeedssync.exe [2008-06-12 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
FF - ProfilePath - c:\users\Douglas Notebook\AppData\Roaming\Mozilla\Firefox\Profiles\qlxkztij.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - component: c:\users\Douglas Notebook\AppData\Roaming\Mozilla\Firefox\Profiles\qlxkztij.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\users\Douglas Notebook\AppData\Roaming\Mozilla\Firefox\Profiles\qlxkztij.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\Douglas Notebook\AppData\Roaming\Mozilla\Firefox\Profiles\qlxkztij.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\users\Douglas Notebook\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\Douglas Notebook\AppData\Roaming\Mozilla\Firefox\Profiles\qlxkztij.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-RegistryMechanic - (no file)
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
MSConfigStartUp-HPAdvisor - c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
MSConfigStartUp-QlbCtrl - c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
MSConfigStartUp-twunk_32x - c:\users\DOUGLA~1\AppData\Local\Temp\twunk_32x.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-22 00:02
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-01-22 00:08:30
ComboFix-quarantined-files.txt 2010-01-22 05:08

Pre-Run: 23,577,030,656 bytes free
Post-Run: 26,851,106,816 bytes free

- - End Of File - - 36AC148D45CA4035F70B8D27578A73D2




Malwarebytes' Anti-Malware 1.44
Database version: 3613
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

1/22/2010 3:20:12 AM
mbam-log-2010-01-22 (03-20-12).txt

Scan type: Quick Scan
Objects scanned: 106783
Time elapsed: 11 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000005-0000-0000-0000-100011000004} (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Bogey644, 22 January 2010 - 03:20 AM.

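As an added example (not part of this thread, and not ComboFix's or Malwarebytes' own code): a small Python triage script that reads the "Reg Loading Points" and "ORPHANS REMOVED" sections of a ComboFix log like the one posted above and flags the items a malware responder checks first: autostart entries that run from a temp directory or point at a file that no longer exists, a bare filename resolved through the PATH search order, UAC switched off (EnableLUA=0), and Security Center monitoring disabled (DisableMonitoring=1). The sample input is an excerpt constructed from the log above; the heuristics and the function names are assumptions made for this example, not ComboFix's own rules.

```python
import re

# Constructed excerpt of the "Reg Loading Points" and "ORPHANS REMOVED"
# sections of the ComboFix log posted above; not a complete log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-01-14 1020248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

- - - - ORPHANS REMOVED - - - -

HKLM-Run-RegistryMechanic - (no file)
MSConfigStartUp-twunk_32x - c:\users\DOUGLA~1\AppData\Local\Temp\twunk_32x.exe
"""

# Line shapes used by ComboFix in these sections (assumed from the log above).
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.+)$')
ORPHAN_RE = re.compile(r"^(?P<name>\S+) - (?P<path>.+)$")

# Directory fragments that legitimate autostart programs almost never live in.
TEMP_DIRS = ("\\temp\\", "\\tmp\\")


def check_path(name, path):
    """Findings for one autostart entry: (entry name, reason) tuples."""
    p = path.lower()
    if p == "(no file)":
        return [(name, "autostart entry points to a missing file")]
    out = []
    if any(t in p for t in TEMP_DIRS):
        out.append((name, "autostart program lives in a temp directory: " + path))
    if "\\" not in p:
        # No directory at all: Windows resolves it via the PATH search order,
        # so a same-named file earlier on PATH would run instead.
        out.append((name, "bare filename, resolved via PATH search order: " + path))
    return out


def triage(text):
    """Walk a ComboFix log excerpt and return a list of (item, reason) findings."""
    findings = []
    key = None          # registry key of the current [ ... ] block, lower-cased
    in_orphans = False  # True once the ORPHANS REMOVED section starts
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "ORPHANS REMOVED" in line:
            in_orphans, key = True, None
            continue
        m = KEY_RE.match(line)
        if m:
            key, in_orphans = m.group("key").lower(), False
            continue
        if in_orphans:
            m = ORPHAN_RE.match(line)
            if m:
                findings.extend(check_path(m.group("name"), m.group("path")))
            continue
        if key is None:
            continue
        if key.endswith("\\run") or key.endswith("\\runonce"):
            m = RUN_RE.match(line)
            if m:
                findings.extend(check_path(m.group("name"), m.group("path")))
        elif key.endswith("\\policies\\system"):
            m = VALUE_RE.match(line)
            if m and m.group("name") == "EnableLUA" and m.group("data").startswith("0"):
                findings.append(("EnableLUA", "UAC is disabled (EnableLUA=0)"))
        elif key.endswith("\\security center\\monitoring"):
            m = VALUE_RE.match(line)
            if m and m.group("name") == "DisableMonitoring" and m.group("data").endswith("00000001"):
                findings.append(("DisableMonitoring", "Security Center monitoring is disabled"))
    return findings


if __name__ == "__main__":
    for item, reason in triage(SAMPLE_LOG):
        print(f"{item}: {reason}")
```

On the excerpt above the script reports five items: the bare `RtHDVCpl.exe` entry, `EnableLUA=0`, `DisableMonitoring=1`, the dangling RegistryMechanic entry, and `twunk_32x.exe` running out of `AppData\Local\Temp`. Only the last two are actually suspicious on their own; the Security Center and UAC values are what the CFScript in the next reply sets back, and the bare filename is a weak signal that only matters if the directory order on PATH can be influenced.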

#9 sundavis (Malware Response Team)

Posted 22 January 2010 - 03:42 AM

Hi Bogey644,


QUOTE
Not sure how to retrieve those first logs before my comp started

That's OK. Since the culprit is gone, we need to scan the remnants with Kas Online Scanner. It will take some time to run the full course. Please be patient and do the following:

Step1

Please drag ComboFix.exe from download folder to your desktop.
  1. Close any open browsers
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  3. Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
CODE
DDS::
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop



Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step2


Older versions of Java have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 18...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) the following Java Runtime Environment (JRE or J2SE) in the name, and the following update:
    Java™ 6 Update 2
    Java™ 6 Update 3
    Java™ SE Runtime Environment 6
    Java™ 6 Update 13

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version.
  • After that, please clear your Java cache as instructed in this thread.



Step3


Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step4


Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  1. Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  2. Click Accept button on the "Requirements and limitations".
  3. When the Java warning "The application digital signature has been verified. Do you want to run the application" appears, click on the "Run" button.
  4. It will download and install the program and update the database.
  5. When updating the database has finished, click on Settings.
  6. Make sure all boxes are checked, then click on the Save button.
  7. Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  8. Once the scan is completed, Click on View Scan Report.
  9. You may see a list of infected items over there. Click on Save Report As.
  10. Click "Desktop", name the file "KAS", change the Files of type to Text file (.txt) and click on the Save button.
  11. Please post the contents in your next reply.
  12. You can refer to this animation

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



Please post back the logs in your next reply.

  1. ComboFix log
  2. Kas Online Scan Report

Tell me if you have any remaining issues on your pc.

#10 Bogey644 (Topic Starter)

Posted 22 January 2010 - 02:50 PM

I ran ComboFix with the text in the Notepad script. When trying to restart Firefox to post the logs, I got an error that says: illegal operation attempted on a registry key that has been marked for deletion. This happens with Explorer and any other program I try to run, even System Restore. Not sure what to do or how to post the logs.

Appreciate any help you can give to fix this problem.

#11 sundavis (Malware Response Team)

Posted 22 January 2010 - 04:51 PM

Hi Bogey644,


Let's try to revert one file to its previous state and check if your system can run normally.

Step 1
  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  3. Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
CODE
DeQuarantine::
c:\windows\system32\service


Save this as CFScript.txt, change the "Save as type" to "All Files" and place it on your desktop.



Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

If things go smoothly, please proceed with the process as instructed in my previous post. Let me know if you still need further assistance.


#12 Bogey644

Bogey644
  • Topic Starter

  • Members
  • 15 posts
  • Local time:09:03 AM

Posted 24 January 2010 - 02:06 AM

When I try to open notepad I get the same error about the registry file being marked for deletion. Not sure what to do.

Thanks for the help.

#13 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:08:03 AM

Posted 24 January 2010 - 04:52 AM

Hi Bogey644,


QUOTE
I get the same error about the registry file being marked for deletion.

Can you close that message and proceed to the next step? Do you have a Vista DVD handy? Advise me in your next reply.

I noticed that you may have selectively removed some items in the past from the startup procedure. This can be bad if they are malware, so we would like you to enable those startup entries by doing the following:
  1. Start > Run, and type: MSConfig. Press Enter.
  2. In the General tab, Startup Selection, choose: Normal Startup - load all device drivers and services.
  3. Press OK until you are out of the program.
  4. Reboot your PC.

After that, please go to Safe Mode to run it, or try to make that CFScript from another computer, then transfer it and run it. Post the contents in your next reply. Thanks.

Edited by sundavis, 24 January 2010 - 05:23 AM.


#14 Bogey644

Bogey644
  • Topic Starter

  • Members
  • 15 posts
  • Local time:09:03 AM

Posted 24 January 2010 - 07:08 PM

I went into msconfig and restarted, and now all programs work once again. Thank you for the advice. I am going to proceed with step 3, the ATF Cleaner above.

#15 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:08:03 AM

Posted 24 January 2010 - 11:26 PM

Hi Bogey644,


QUOTE
went into msconfig and restarted and now all programs work once again

Glad to hear things are running properly. You may skip the process in my previous post #11. Please post the logs as instructed in my previous post #9 in your next reply. Thanks.

Edited by sundavis, 24 January 2010 - 11:27 PM.
