CPU running 100%, browser redirects, and other nastiness


  • This topic is locked
11 replies to this topic

#1 The Maddest Hatter

Posted 29 June 2010 - 12:00 PM

Hello,

Yesterday afternoon, my internet started slowing to a crawl and I received a ZoneAlarm alert that a new program was trying to access the internet. Suspicious, I googled the .exe file (whose name I cannot recall, sadly, it being a bunch of gibberish) and, strangely, nothing came up. I checked the Task Manager to see if it was running, and noticed that my CPU was running steadily at 100%.

I closed everything, restarted, and found the same symptoms, only this time I began to have browser redirects after any attempt to click on a computer tech link relating to a google search of "CPU running 100%." Mostly they would be to shoddy-looking e-commerce sites, though one time it did take me to a Martha Stewart page with an article discussing which dog would be best for me. (?)

I ran Malwarebytes a couple of times, once with a quick scan that came up with a number of things to be fixed, and a deep scan, which came up with an additional two problems to fix. One of them mentioned was Total Security, which I'm guessing is a fake/fraudulent security suite which is probably malware. The problem persisted even after Malwarebytes scans came up clean, with the CPU still climbing and remaining steady at 100% and the browser redirecting.

I thought to take the system back to a previous restore point, but was unable to revert to any restore point in regular mode. I finally attempted to back up to a restore point while booted into Safe Mode, and it did work; however, the problem remains. The current restore point I am at is before some Microsoft security updates released earlier in the month, and when I attempt to connect to download these updates, I am now prevented from doing so with an 0x80072EFF error, which reads that I have "encountered a problem and cannot display the page you are trying to view." So somehow, this malicious little program is now blocking my Microsoft update capacity?

Very strange. Attached are the relevant logs. I look forward to your help!




DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 21:30:40.28 on Mon 06/28/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.521 [GMT -7:00]

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\DSL Extreme X-Dial Accelerator\PropelAC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page =
uSearch Bar =
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = localhost;<local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IE_PopupBlocker Class: {656ec4b7-072b-4698-b504-2a414c1f0037} - c:\program files\dsl extreme x-dial accelerator\prpl_IePopupBlocker.dll
BHO: File Print FedEx Kinko's: {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: File Print FedEx Kinko's: {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Second Copy 2000] "c:\progra~1\seccopy\SecCopy.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HPHUPD05] c:\program files\hp\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [Propel Accelerator] "c:\program files\dsl extreme x-dial accelerator\trayctl.exe" /STARTUPLAUNCH
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0a\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Allow pop-ups from this site - c:\program files\dsl extreme x-dial accelerator\pac-addwl.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Refresh Pa&ge with Full Quality - c:\program files\dsl extreme x-dial accelerator\pac-page.html
IE: Refresh Pi&cture with Full Quality - c:\program files\dsl extreme x-dial accelerator\pac-image.html
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\dsl extreme x-dial accelerator\prplsf.dll
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: YExplorer1_8US.CAB - hxxp://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - hxxp://simcity.ea.com/update/EARTPX.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} - hxxps://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=eb9bd6a79bd90545629244b92d314bf2&url=http%3A%2F%2Fd.69.25.47.79.downloads.estara.com.%2Fas%2FOneCCDM.php&template=62035&sessionid=1387364455_69.25.47.79_42934&=&req=1159550798343OneCC.cab
DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - hxxp://www.bitdefender.com/scan/Msie/bitdefender.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38153.4844097222
DPF: {C2B78FF1-6E5A-4854-AC24-E09A0E2411BA} - hxxp://static1.meetupstatic.com/applet/MeetUploader_200909.cab
DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} - hxxp://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E9348280-2D74-4933-BE25-73D946926795} - hxxp://h20270.www2.hp.com/ediags/gmn/install/hpbasicdetection3.cab
TCP: {9F06EE57-57D1-454D-B697-163DC721F333} = 66.51.205.100,66.51.206.100
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {969B3B70-8765-11D5-9809-0050BACBF861} - rundll32.exe advpack.dll,LaunchINFSection c:\program files\cyberlink\mp3powerencoder\Cyber.inf,PerUserStub

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-10-14 353672]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2010-06-29 00:35:33 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-24 00:08:03 0 d-----w- c:\program files\rftg

==================== Find3M ====================

2010-06-29 04:01:42 14311 ----a-w- c:\windows\system32\tablet.dat
2010-04-13 00:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2004-06-15 04:03:00 0 --sha-w- c:\windows\sminst\HPCD.sys
2009-11-25 05:41:28 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-11-25 05:41:28 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009112420091125\index.dat
2009-11-25 05:41:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 21:32:34.39 ===============


#2 Farbar

  • Security Developer

Posted 30 June 2010 - 05:22 AM

Hi The Maddest Hatter,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.

We are going to run this special tool.
  • Please download TDSSKiller.exe and save it to your desktop.
  • Run TDSSKiller.exe.
  • When it has finished, press any key to continue.
  • Let it reboot if needed, and tell me whether it needed a reboot.
  • It also creates a txt file in the C:\ directory (like TDSSKiller.2.3.2.0_Date_Time_log.txt). Please attach it to your reply.


#3 The Maddest Hatter

  • Topic Starter

Posted 30 June 2010 - 03:07 PM

Hi farbar, thank you for your help here.

I downloaded and ran TDSSKiller, and it did ask me for a reboot. The reboot went successfully, and I noticed once it was done that the Windows Update in the tray at the lower right of the UI has begun to download the windows updates which I attempted to get yesterday (and which this rogue program might have blocked.)

Attached is the log generated by the program that you have requested.

Let me know what the next step is...this help is greatly appreciated!


#4 Farbar

  • Security Developer

Posted 30 June 2010 - 04:12 PM

The rootkit is taken care of.
  1. Run CCleaner (make sure that under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Application tab all the boxes should be checked). Then click Run Cleaner.

  2. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  3. Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt
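
The reason for asking for a fresh DDS.txt is to compare the second run against the first. The script below is an added example (not part of this thread, and not DDS's own code) that does that comparison mechanically: it splits a DDS report on its banner lines, reports which lines appeared or disappeared in each section between two runs, and lists Find3M entries whose timestamp is at or after a cutoff. The two inputs are condensed excerpts of the 06/28 and 06/30 reports in this thread, not the full logs, and the second excerpt's FINISH line is shortened. It assumes the banner and Find3M line formats shown in these logs, and that Find3M timestamps are UTC (the 06/30 run started at 14:59 local, GMT -7, and lists tablet.dat at 21:54).

```python
"""Section-by-section diff of two DDS (dds.scr) reports. Added example for this
thread, not DDS's own code; assumes the banner and Find3M line formats seen in
the logs above, and that Find3M timestamps are UTC."""
import re
from collections import Counter
from datetime import datetime

BANNER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")  # e.g. "=== Find3M ==="
# "<timestamp> <size> <attrs> <path>" as in the Find3M / Created Last 30 sections
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_dds(text):
    """{section: [non-blank lines]}; pre-banner lines go to 'header', FINISH ends it."""
    sections, current = {"header": []}, "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            if current.startswith("FINISH"):
                break
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def diff_sections(before, after, skip=("header",)):
    """Lines added/removed per section. Counters rather than sets, so a second
    wuauclt.exe still registers; order is ignored since DDS lists processes in
    a different order on each run."""
    out = {}
    for name in sorted((set(before) | set(after)) - set(skip)):
        b, a = Counter(before.get(name, [])), Counter(after.get(name, []))
        added, removed = sorted((a - b).elements()), sorted((b - a).elements())
        if added or removed:
            out[name] = {"added": added, "removed": removed}
    return out


def parse_find3m(lines):
    """(timestamp, size, attrs, path) tuples from Find3M-style lines."""
    entries = []
    for line in lines:
        m = FIND3M_RE.match(line)
        if m:
            entries.append((datetime.strptime(m.group(1), TS_FMT),
                            int(m.group(2)), m.group(3), m.group(4)))
    return entries


def modified_since(sections, cutoff_utc, section="Find3M"):
    """Paths with mtime >= cutoff_utc ("YYYY-MM-DD HH:MM:SS"). DDS stamps these in
    UTC: the 06/30 run began 14:59 local (GMT -7) yet lists tablet.dat at 21:54."""
    cutoff = datetime.strptime(cutoff_utc, TS_FMT)
    return sorted(p for ts, _, _, p in parse_find3m(sections.get(section, [])) if ts >= cutoff)


# Condensed excerpts of the 06/28 and 06/30 reports posted in this thread;
# most lines are omitted and the second FINISH line is shortened.
BEFORE = r"""DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 21:30:40.28 on Mon 06/28/2010
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
==================== Find3M ====================
2010-06-29 04:01:42 14311 ----a-w- c:\windows\system32\tablet.dat
2010-04-13 00:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
============= FINISH: 21:32:34.39 ===============
"""
AFTER = r"""DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 14:59:00.50 on Wed 06/30/2010
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
==================== Find3M ====================
2010-06-30 21:54:43 14311 ----a-w- c:\windows\system32\tablet.dat
2010-06-30 19:53:37 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2010-04-13 00:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
============= FINISH ===============
"""

if __name__ == "__main__":
    b, a = parse_dds(BEFORE), parse_dds(AFTER)
    for name, change in diff_sections(b, a).items():
        for tag in ("added", "removed"):
            for line in change[tag]:
                print(f"[{name}] {tag}: {line}")
    print("modified on/after 2010-06-30 UTC:", modified_since(a, "2010-06-30 00:00:00"))
```

Run against the two full reports, the output is the list of process, autorun and file entries that changed between the runs; the afd.sys entry that appears in the 06/30 Find3M section, stamped a few hours before that run, is the kind of change the diff is meant to surface. Whether a surfaced change is the cure or the infection is still the analyst's call; the script only makes sure it is not overlooked in a 200-line log.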


#5 The Maddest Hatter

  • Topic Starter

Posted 30 June 2010 - 05:05 PM

I ran CCleaner as requested, and updated and ran Malwarebytes as well. MBAM did find one file that would be removed on restart; I restarted as requested, and am copying/pasting the log below. Following that log is the newly run DDS log as well (without Attach.txt)...

What's the next step?

--------------------------------------------

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4262

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/30/2010 2:52:31 PM
mbam-log-2010-06-30 (14-52-31).txt

Scan type: Quick scan
Objects scanned: 142251
Time elapsed: 7 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Temp\dSPJ.exe (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.

----------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 14:59:00.50 on Wed 06/30/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.599 [GMT -7:00]

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DSL Extreme X-Dial Accelerator\PropelAC.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page =
uSearch Bar =
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = localhost;<local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IE_PopupBlocker Class: {656ec4b7-072b-4698-b504-2a414c1f0037} - c:\program files\dsl extreme x-dial accelerator\prpl_IePopupBlocker.dll
BHO: File Print FedEx Kinko's: {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: File Print FedEx Kinko's: {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Second Copy 2000] "c:\progra~1\seccopy\SecCopy.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HPHUPD05] c:\program files\hp\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [Propel Accelerator] "c:\program files\dsl extreme x-dial accelerator\trayctl.exe" /STARTUPLAUNCH
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0a\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Allow pop-ups from this site - c:\program files\dsl extreme x-dial accelerator\pac-addwl.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Refresh Pa&ge with Full Quality - c:\program files\dsl extreme x-dial accelerator\pac-page.html
IE: Refresh Pi&cture with Full Quality - c:\program files\dsl extreme x-dial accelerator\pac-image.html
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\dsl extreme x-dial accelerator\prplsf.dll
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: YExplorer1_8US.CAB - hxxp://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - hxxp://simcity.ea.com/update/EARTPX.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} - hxxps://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=eb9bd6a79bd90545629244b92d314bf2&url=http%3A%2F%2Fd.69.25.47.79.downloads.estara.com.%2Fas%2FOneCCDM.php&template=62035&sessionid=1387364455_69.25.47.79_42934&=&req=1159550798343OneCC.cab
DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - hxxp://www.bitdefender.com/scan/Msie/bitdefender.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38153.4844097222
DPF: {C2B78FF1-6E5A-4854-AC24-E09A0E2411BA} - hxxp://static1.meetupstatic.com/applet/MeetUploader_200909.cab
DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} - hxxp://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E9348280-2D74-4933-BE25-73D946926795} - hxxp://h20270.www2.hp.com/ediags/gmn/install/hpbasicdetection3.cab
TCP: {9F06EE57-57D1-454D-B697-163DC721F333} = 66.51.205.100,66.51.206.100
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {969B3B70-8765-11D5-9809-0050BACBF861} - rundll32.exe advpack.dll,LaunchINFSection c:\program files\cyberlink\mp3powerencoder\Cyber.inf,PerUserStub

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-10-14 353672]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2010-06-29 00:35:33 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-24 00:08:03 0 d-----w- c:\program files\rftg

==================== Find3M ====================

2010-06-30 21:54:43 14311 ----a-w- c:\windows\system32\tablet.dat
2010-06-30 19:53:37 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2010-04-13 00:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2004-06-15 04:03:00 0 --sha-w- c:\windows\sminst\HPCD.sys
2009-11-25 05:41:28 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-11-25 05:41:28 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009112420091125\index.dat
2009-11-25 05:41:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 15:00:08.26 ===============


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:27 AM

Posted 30 June 2010 - 06:45 PM

We are almost there. The system should be secured to prevent reinfection.

You are missing one important program on that computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can. I recommend this good free antivirus:

Avira
  • Download the installer from the softpedia.com link, as it has a secure download mirror. Install and update it.
  • In the left pane click Status. In the right pane click Scan system now.
  • After the scan has finished, let it remove what it finds and then click Report.
  • You can also get the last report by clicking on Reports in the left pane.
  • In the right window, under Action, double-click on the last Scan listed (you will also see the corresponding Date/Time).
  • A window opens, click on Report file.
  • Copy and paste the content of the report to your reply.




#7 The Maddest Hatter

The Maddest Hatter
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:27 AM

Posted 01 July 2010 - 05:22 PM

Yes, you're right, I had neglected the antivirus - I had free AVG up until a couple of months ago, but their latest update killed all of my internet connectivity, so much so that I had to remove it. I installed Avira as you suggested, and am attaching the log of the scan. According to the window that popped up at the end, it found three questionable files and moved them to quarantine.

I find that having Avira installed "burps" my A:\ floppy drive every now and then - as if it's accessing or scanning for something there. Nothing too major, but it just seems strange because it's occurring every minute or so.

Next step? Can I go ahead and complete my Windows updating?


Avira AntiVir Personal
Report file date: Thursday, July 01, 2010 12:30

Scanning for 2285317 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : ROBERT

Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 20:37:38
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 20:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 3/8/2010 02:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 07:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 17:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 03:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 01:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 00:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 19:29:03
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 00:10:35
VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 00:10:47
VBASE007.VDF : 7.10.7.219 2048 Bytes 6/2/2010 00:10:47
VBASE008.VDF : 7.10.7.220 2048 Bytes 6/2/2010 00:10:47
VBASE009.VDF : 7.10.7.221 2048 Bytes 6/2/2010 00:10:47
VBASE010.VDF : 7.10.7.222 2048 Bytes 6/2/2010 00:10:48
VBASE011.VDF : 7.10.7.223 2048 Bytes 6/2/2010 00:10:48
VBASE012.VDF : 7.10.7.224 2048 Bytes 6/2/2010 00:10:48
VBASE013.VDF : 7.10.8.37 270336 Bytes 6/10/2010 00:10:50
VBASE014.VDF : 7.10.8.69 138752 Bytes 6/14/2010 00:10:51
VBASE015.VDF : 7.10.8.102 130560 Bytes 6/16/2010 00:10:52
VBASE016.VDF : 7.10.8.135 152064 Bytes 6/21/2010 00:10:54
VBASE017.VDF : 7.10.8.163 432128 Bytes 6/23/2010 00:10:56
VBASE018.VDF : 7.10.8.194 133632 Bytes 6/27/2010 00:10:57
VBASE019.VDF : 7.10.8.220 134656 Bytes 6/29/2010 00:10:59
VBASE020.VDF : 7.10.8.221 2048 Bytes 6/29/2010 00:10:59
VBASE021.VDF : 7.10.8.222 2048 Bytes 6/29/2010 00:10:59
VBASE022.VDF : 7.10.8.223 2048 Bytes 6/29/2010 00:10:59
VBASE023.VDF : 7.10.8.224 2048 Bytes 6/29/2010 00:11:00
VBASE024.VDF : 7.10.8.225 2048 Bytes 6/29/2010 00:11:00
VBASE025.VDF : 7.10.8.226 2048 Bytes 6/29/2010 00:11:00
VBASE026.VDF : 7.10.8.227 2048 Bytes 6/29/2010 00:11:00
VBASE027.VDF : 7.10.8.228 2048 Bytes 6/29/2010 00:11:01
VBASE028.VDF : 7.10.8.229 2048 Bytes 6/29/2010 00:11:01
VBASE029.VDF : 7.10.8.230 2048 Bytes 6/29/2010 00:11:01
VBASE030.VDF : 7.10.8.231 2048 Bytes 6/29/2010 00:11:01
VBASE031.VDF : 7.10.8.241 83968 Bytes 7/1/2010 19:29:25
Engineversion : 8.2.4.2
AEVDF.DLL : 8.1.2.0 106868 Bytes 7/1/2010 00:11:25
AESCRIPT.DLL : 8.1.3.33 1356155 Bytes 7/1/2010 00:11:25
AESCN.DLL : 8.1.6.1 127347 Bytes 7/1/2010 00:11:22
AESBX.DLL : 8.1.3.1 254324 Bytes 7/1/2010 00:11:26
AERDL.DLL : 8.1.4.6 541043 Bytes 7/1/2010 00:11:21
AEPACK.DLL : 8.2.2.5 430453 Bytes 7/1/2010 00:11:19
AEOFFICE.DLL : 8.1.1.0 201081 Bytes 7/1/2010 00:11:17
AEHEUR.DLL : 8.1.1.38 2724214 Bytes 7/1/2010 00:11:16
AEHELP.DLL : 8.1.11.6 242038 Bytes 7/1/2010 00:11:10
AEGEN.DLL : 8.1.3.12 377204 Bytes 7/1/2010 00:11:09
AEEMU.DLL : 8.1.2.0 393588 Bytes 7/1/2010 00:11:07
AECORE.DLL : 8.1.15.3 192886 Bytes 7/1/2010 00:11:05
AEBB.DLL : 8.1.1.0 53618 Bytes 7/1/2010 00:11:04
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 20:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 20:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/19/2010 00:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 20:35:46
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 20:39:51
AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 20:22:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 17:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 20:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 23:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 22:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 21:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 22:14:29

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:, K:, L:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Thursday, July 01, 2010 12:30

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\RNG\seed
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc\Config\Standalone\drivelist
[NOTE] The registry entry is invisible.

The scan of running processes will be started
Scan process 'msdtc.exe' - '42' Module(s) have been scanned
Scan process 'dllhost.exe' - '63' Module(s) have been scanned
Scan process 'dllhost.exe' - '47' Module(s) have been scanned
Scan process 'vssvc.exe' - '50' Module(s) have been scanned
Scan process 'avscan.exe' - '66' Module(s) have been scanned
Scan process 'avcenter.exe' - '68' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '42' Module(s) have been scanned
Scan process 'speedfan.exe' - '44' Module(s) have been scanned
Scan process 'wuauclt.exe' - '39' Module(s) have been scanned
Scan process 'iPodService.exe' - '31' Module(s) have been scanned
Scan process 'TabUserW.exe' - '22' Module(s) have been scanned
Scan process 'WMPNetwk.exe' - '55' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '53' Module(s) have been scanned
Scan process 'svchost.exe' - '36' Module(s) have been scanned
Scan process 'WMPNSCFG.exe' - '29' Module(s) have been scanned
Scan process 'ctfmon.exe' - '28' Module(s) have been scanned
Scan process 'PropelAC.exe' - '66' Module(s) have been scanned
Scan process 'SecCopy.exe' - '42' Module(s) have been scanned
Scan process 'avgnt.exe' - '55' Module(s) have been scanned
Scan process 'jusched.exe' - '24' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '70' Module(s) have been scanned
Scan process 'OpwareSE4.exe' - '18' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '19' Module(s) have been scanned
Scan process 'BJMyPrt.exe' - '24' Module(s) have been scanned
Scan process 'issch.exe' - '13' Module(s) have been scanned
Scan process 'apdproxy.exe' - '46' Module(s) have been scanned
Scan process 'hphmon05.exe' - '30' Module(s) have been scanned
Scan process 'hpcmpmgr.exe' - '35' Module(s) have been scanned
Scan process 'hpztsb09.exe' - '24' Module(s) have been scanned
Scan process 'mmtask.exe' - '22' Module(s) have been scanned
Scan process 'shwicon2k.exe' - '24' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '23' Module(s) have been scanned
Scan process 'hpsysdrv.exe' - '18' Module(s) have been scanned
Scan process 'alg.exe' - '36' Module(s) have been scanned
Scan process 'YahooAUService.exe' - '25' Module(s) have been scanned
Scan process 'wanmpsvc.exe' - '25' Module(s) have been scanned
Scan process 'Tablet.exe' - '31' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'avshadow.exe' - '27' Module(s) have been scanned
Scan process 'jqs.exe' - '36' Module(s) have been scanned
Scan process 'DKService.exe' - '30' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '35' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '32' Module(s) have been scanned
Scan process 'acsd.exe' - '27' Module(s) have been scanned
Scan process 'avguard.exe' - '57' Module(s) have been scanned
Scan process 'PhotoshopElementsFileAgent.exe' - '27' Module(s) have been scanned
Scan process 'svchost.exe' - '36' Module(s) have been scanned
Scan process 'sched.exe' - '44' Module(s) have been scanned
Scan process 'spoolsv.exe' - '64' Module(s) have been scanned
Scan process 'Explorer.EXE' - '94' Module(s) have been scanned
Scan process 'svchost.exe' - '49' Module(s) have been scanned
Scan process 'svchost.exe' - '35' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '32' Module(s) have been scanned
Scan process 'svchost.exe' - '170' Module(s) have been scanned
Scan process 'svchost.exe' - '46' Module(s) have been scanned
Scan process 'svchost.exe' - '43' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '30' Module(s) have been scanned
Scan process 'lsass.exe' - '61' Module(s) have been scanned
Scan process 'services.exe' - '29' Module(s) have been scanned
Scan process 'winlogon.exe' - '70' Module(s) have been scanned
Scan process 'csrss.exe' - '16' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!
Master boot sector HD5
[INFO] No virus was found!
Master boot sector HD6
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'K:\'
[INFO] No virus was found!
Boot sector 'L:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '1785' files ).


Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\Documents and Settings\Owner\Application Data\msgy\bl.dat
[DETECTION] Is the TR/Dldr.WinSh.AC.01 Trojan
C:\Program Files\7-Zip\Uninstall.exe
[WARNING] Insufficient memory. The file was not scanned.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP217\A0105207.exe
[DETECTION] Is the TR/Agent.AI.7121 Trojan
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP223\A0106353.exe
[DETECTION] Is the TR/Agent.AI.7121 Trojan
Begin scan in 'D:\' <HP_RECOVERY>
Begin scan in 'K:\' <APRICORN>
Begin scan in 'L:\' <ALURATEK>

Beginning disinfection:
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP223\A0106353.exe
[DETECTION] Is the TR/Agent.AI.7121 Trojan
[NOTE] The file was moved to the quarantine directory under the name '4ed3b7c3.qua'.
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP217\A0105207.exe
[DETECTION] Is the TR/Agent.AI.7121 Trojan
[NOTE] The file was moved to the quarantine directory under the name '56449864.qua'.
C:\Documents and Settings\Owner\Application Data\msgy\bl.dat
[DETECTION] Is the TR/Dldr.WinSh.AC.01 Trojan
[NOTE] The file was moved to the quarantine directory under the name '041ec248.qua'.


End of the scan: Thursday, July 01, 2010 15:13
Used time: 2:42:00 Hour(s)

The scan has been done completely.

15997 Scanned directories
563311 Files were scanned
3 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
3 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
563308 Files not concerned
14838 Archives were scanned
1 Warnings
3 Notes
593163 Objects were scanned with rootkit scan
2 Hidden objects were found



#8 Farbar

Posted 01 July 2010 - 06:19 PM

Do you still have an A:\ floppy drive? Are you using it?

It looks good.
  1. You may delete any tool or log we used from your computer.

  2. First set a new restore point, then remove the old restore points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean; the default is already set to the (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.

  3. Please go ahead and update Windows and tell me how it went.
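The restore point rotation in step 2, as an added PowerShell example that is not part of Farbar's post or of any tool mentioned in this thread. It gives the same result as the System Restore and Cleanmgr clicks above (create one new point, then drop every older one), and the order matters for the reason the post gives: two of the three detections in the Avira report above sat in System Volume Information\_restore, so the new point must exist before the old ones are discarded. The script assumes an elevated PowerShell 2.0 or later session with System Restore enabled; Checkpoint-Computer and Get-ComputerRestorePoint are built-in cmdlets, the SRRemoveRestorePoint method of the root\default:SystemRestore WMI class is what does the deletion, and the function names, the -DryRun switch and the description text are my own choices.

```powershell
# Added example, not from the thread: rotate System Restore points after a
# cleanup. Assumes an elevated PowerShell 2.0+ session with System Restore
# enabled. Function names, -DryRun and the description text are my own.

function New-CleanRestorePoint {
    param([string]$Description = "Clean state after malware removal")

    # Create the new point FIRST, so a known-good point exists before
    # anything older is discarded (same order as the manual steps).
    Checkpoint-Computer -Description $Description -RestorePointType "MODIFY_SETTINGS"

    # The point just created carries the highest sequence number.
    $newest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
    $when = $newest.ConvertToDateTime($newest.CreationTime)
    Write-Host ("Created restore point #{0}: {1} at {2}" -f $newest.SequenceNumber, $newest.Description, $when)
    return $newest
}

function Remove-OldRestorePoints {
    param(
        [Parameter(Mandatory = $true)][int]$KeepSequenceNumber,
        [switch]$DryRun
    )
    # SRRemoveRestorePoint is a static method of the SystemRestore WMI class
    # in root\default; it takes the restore point's sequence number.
    $sr = [wmiclass]"\\.\root\default:SystemRestore"
    $removed = 0
    foreach ($rp in Get-ComputerRestorePoint) {
        # Leave the newly created point (and anything newer) untouched.
        if ($rp.SequenceNumber -ge $KeepSequenceNumber) { continue }
        if ($DryRun) {
            Write-Host ("Would remove #{0}: {1}" -f $rp.SequenceNumber, $rp.Description)
            continue
        }
        $result = $sr.SRRemoveRestorePoint($rp.SequenceNumber)
        # ReturnValue 0 means the point, and the files it preserved, are gone.
        if ($result.ReturnValue -eq 0) {
            $removed++
        } else {
            Write-Warning ("Could not remove #{0} (return code {1})" -f $rp.SequenceNumber, $result.ReturnValue)
        }
    }
    return $removed
}

# Usage: list what would go first, then do it for real.
$new = New-CleanRestorePoint
Remove-OldRestorePoints -KeepSequenceNumber $new.SequenceNumber -DryRun
$count = Remove-OldRestorePoints -KeepSequenceNumber $new.SequenceNumber
Write-Host "Removed $count older restore point(s); #$($new.SequenceNumber) kept."
```

Run the dry run before the real pass so the list of points about to disappear is on screen; once a point is removed there is no way back to it. On Windows 8 and later, Checkpoint-Computer refuses to create a second point within 24 hours of the previous one unless the SystemRestorePointCreationFrequency registry value is lowered, so check that the new point actually appears in the Get-ComputerRestorePoint listing before removing the old ones.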


#9 The Maddest Hatter

Posted 01 July 2010 - 10:23 PM

Yeah, the floppy is there, but I never use it. Strangely enough, I did some reading online about it, and it seems Avira accesses the A:\ drive because I had SpeedFan running.

Restore point created, and previous restore points deleted. And the Windows update ran without a hitch.

Incidentally, I am thinking of switching to Firefox, as I have heard that it's more secure than IE...is this true?

Any other steps?

#10 Farbar

Posted 02 July 2010 - 05:52 AM

You can disable Floppy drive from the BIOS if you don't use it.

Firefox is a good browser with many add-ons and plug-ins, but I believe IE and Firefox are comparable in terms of safety.

We are done and you are good to go.

Happy Surfing.

#11 The Maddest Hatter

Posted 02 July 2010 - 12:14 PM

Thanks, Farbar. I will look into disabling the floppy in the BIOS, as I don't use it anymore. And I installed Firefox last night, so I will give it a test run and see if I have fewer problems compared to IE8...

Many thanks for all your help - I sent a Paypal donation in your direction as a small token of gratitude...this service you offer here at Bleepingcomputer is great!

Best,

The Maddest Hatter

#12 Farbar

Posted 02 July 2010 - 12:36 PM

You are most welcome, and thank you for the donation, The Maddest Hatter.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



