Infected with Alureon and probably a whole lot more!

#1 Aprylle


Posted 13 July 2011 - 06:24 PM

Hi there and thanks for your assistance! My wonderful, somewhat elderly parents who LOVE to play cards on their computer brought it by to me a few weeks ago to take a look at it because it kept shutting down. After several questions, I have discovered that they received the wonderful Internet Security 2010 virus; believe it or not, my parents almost gave their credit card as well. Sigh.

When I received the PC, all of their registries were not working on their programs. I'm assuming that was caused by the virus. I put the PC in safe mode and used a disk that I burned of MBAM. That seemed to have gotten me a bit further.

Anyhow, I've run all the suggestions on the site and then some. At one time their McAfee did detect the Alureon virus. However, I cannot get it to detect it at this time. Sometimes their AV shows that there hasn't been a check in over 30 days, and sometimes it says it's not needed. I'm not sure why it does that.

I am unable to upgrade them to SP3 either. It won't allow me to install it; I get the awful blue screen when I do. And they have these funky toolbars on their IE that I have been trying to get rid of. When I look in their history after I have completely deleted it and reloaded IE, it shows a couple of websites. I'm assuming it's from the toolbar. However, I cannot remove the toolbar.

They are on MSN dial-up; I have it connected to my high-speed internet. When I am on the high-speed connection it doesn't shut down on me; however, when I log onto dial-up, it does. Their MSN window keeps popping up no matter how many times you close it.

When I ran SuperAntiSpyware, it detected a broken system file HKCR\.exe

I did run ComboFix; it was showing that another real-time scanner was currently active, antivirus Avira AntiVir PersonalEdition. However, I don't see that anywhere on their PC; even if I go into the Control Panel to remove the program, it isn't there. However, the logs show it to be on the PC.

When I ran RootRepeal it gave me the error message "could not read our index block". Then it appeared to have scanned; however, when I attempted to save the log I got the following error: "attempt to write to address:0x77d3f00". I then received the Windows virtual memory being low message. Not sure if those two are correlated or not.

When I ran MSN Spy Sweeper (haha, told you I tried everything) it found adware-adkubru hijack as well as 7 other tracking cookies.

MBAM didn't find anything when I ran it again in safe mode as well as regular.

When I ran GMER, it scanned regularly; however, when it was complete I received a "work offline" message and lost all use of my mouse and was not able to save it. The work offline message was interesting since I am working through high-speed internet and the other PCs didn't get affected.

I'm almost to the point of reinstalling Windows to wipe it; however, my father enjoys his music and has spent endless hours downloading it onto his PC.

Here are the logs; hopefully someone can give me assistance in helping my poor parents' PC.
Thanks a million!

DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Compaq_Owner at 7:12:11 on 2011-07-13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.895.204 [GMT -7:00]
AV: Avira AntiVir PersonalEdition Classic *Enabled/Outdated* {00000000-0000-0000-0000-000000000000}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804FD0EC-FFA4-00DA-0D24-347CA8A3377C}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
============== Running Processes ===============
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\McAfee Security Scan\2.1.121\SSScheduler.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\internet explorer\iexplore.exe
============== Pseudo HJT Report ===============
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uURLSearchHooks: Online Radio 1.1 Toolbar: {343db173-0e5a-4f2a-b7bb-71a49085d70e} - c:\program files\online_radio_1.1\prxtbOnl2.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Online Radio 1.1 Toolbar: {343db173-0e5a-4f2a-b7bb-71a49085d70e} - c:\program files\online_radio_1.1\prxtbOnl2.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110528100051.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
TB: Online Radio 1.1 Toolbar: {343db173-0e5a-4f2a-b7bb-71a49085d70e} - c:\program files\online_radio_1.1\prxtbOnl2.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
mRun: [SiSPower] "Rundll32.exe" SiSPower.dll,ModeAgent
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [LSBWatcher] "c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe"
mRun: [AlcxMonitor] "ALCXMNTR.EXE"
mRun: [NeroFilterCheck] "c:\windows\system32\NeroCheck.exe"
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [HPDJ Taskbar Utility] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe"
mRun: [ISUSScheduler] "c:\progra~1\common~1\instal~1\update~1\issch.exe" -start
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0379.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Start WingMan Profiler] "c:\program files\logitech\gaming software\LWEMon.exe" /noui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\6750491\program\Compaq Connections.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.1.121\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zdwlan~1.lnk - c:\program files\zydas technology corporation\zydas_802.11g_utility\ZDWlan.exe
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: Update Page Content - c:\program files\msn\msnia\cc\msncc\wa\refreshpage.htm
IE: View All Originals On Page - c:\program files\msn\msnia\cc\msncc\wa\getoriginal.htm
IE: View Original Image - c:\program files\msn\msnia\cc\msncc\wa\getoriginal.htm
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1222752881140
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://zone.msn.com/bingame/zpagames/zpa_hrtz.cab70018.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer =
TCP: Interfaces\{9DC88EB6-9153-47AC-B63A-3CA06D0D9D2E} : DhcpNameServer =
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-7-2 64512]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-9-20 459728]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2011-3-22 29832]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-27 89368]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-11-10 54752]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-20 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-4-27 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-4-27 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-4-27 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-27 165000]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-27 159832]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-27 148520]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-3-3 833168]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2011-3-22 4048256]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2011-7-12 1201656]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-27 57432]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-9-20 179248]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-9-20 59288]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-27 337912]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-27 83688]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2006-12-25 20608]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.1.121\McCHSvc.exe [2010-9-2 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-27 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-27 85984]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-9-20 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-9-20 40552]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
=============== Created Last 30 ================
2011-07-12 20:27:52 775168 ----a-w- c:\windows\isRS-000.tmp
2011-07-12 20:27:22 1563024 ----a-w- c:\windows\WRSetup.dll
2011-07-12 20:27:21 -------- d-----w- c:\documents and settings\compaq_owner\application data\Webroot
2011-07-12 20:27:21 -------- d-----w- c:\documents and settings\all users\application data\Webroot
2011-07-11 23:58:15 -------- d-----w- c:\program files\Webroot
2011-07-11 15:27:02 16409960 ----a-w- C:\spybotsd162.exe
2011-07-09 03:31:00 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-07-09 03:31:00 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-09 03:07:58 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-07-08 22:19:37 0 ----atw- c:\windows\006129_.tmp
2011-07-08 12:35:41 -------- d-----w- C:\MGtools
2011-07-07 21:28:13 98816 ----a-w- c:\windows\sed.exe
2011-07-07 21:28:13 518144 ----a-w- c:\windows\SWREG.exe
2011-07-07 21:28:13 256000 ----a-w- c:\windows\PEV.exe
2011-07-07 21:28:13 208896 ----a-w- c:\windows\MBR.exe
2011-07-07 21:28:06 -------- d-----w- C:\ComboFix
2011-07-07 18:02:49 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 18:02:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-07 18:02:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-07 00:01:28 -------- d-----w- c:\documents and settings\compaq_owner\application data\SUPERAntiSpyware.com
2011-07-06 23:46:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-06 21:14:25 -------- d-----w- c:\documents and settings\all users\application data\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}
2011-07-06 17:10:02 -------- d-----w- c:\documents and settings\compaq_owner\local settings\application data\PackageAware
2011-07-05 23:01:15 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-07-05 18:50:40 -------- d-----w- C:\found.000
2011-07-05 13:43:39 2419140 ----a-w- C:\MGtools.exe
2011-07-05 13:25:06 -------- d-----w- c:\windows\pss
2011-07-05 00:31:37 0 ----atw- c:\windows\006114_.tmp
2011-07-04 23:40:40 -------- d-----w- c:\program files\common files\Java(2)
2011-07-04 23:32:17 -------- d-----w- c:\program files\Java(2)
2011-07-04 18:16:38 87552 ----a-w- c:\windows\system32\VACFix.exe
2011-07-04 18:16:38 82944 ----a-w- c:\windows\system32\IEDFix.exe
2011-07-04 18:16:38 82944 ----a-w- c:\windows\system32\IEDFix.C.exe
2011-07-04 18:16:38 82432 ----a-w- c:\windows\system32\404Fix.exe
2011-07-04 18:16:38 80384 ----a-w- c:\windows\system32\o4Patch.exe
2011-07-04 18:16:38 78336 ----a-w- c:\windows\system32\Agent.OMZ.Fix.exe
2011-07-04 18:16:38 75776 ----a-w- c:\windows\system32\WS2Fix.exe
2011-07-04 18:16:37 53248 ----a-w- c:\windows\system32\Process.exe
2011-07-04 18:16:37 51200 ----a-w- c:\windows\system32\dumphive.exe
2011-07-04 18:16:37 289144 ----a-w- c:\windows\system32\VCCLSID.exe
2011-07-04 18:16:37 288417 ----a-w- c:\windows\system32\SrchSTS.exe
2011-07-03 16:52:41 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-07-03 05:45:44 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-07-02 21:31:39 1409 ----a-w- c:\windows\QTFont.for
==================== Find3M ====================
2011-07-06 23:46:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-31 23:52:31 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
============= FINISH: 7:14:55.79 ===============

Attached Files
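Added example, not part of the original thread: a small Python triage pass over the SecurityCenter ("AV:"/"FW:") and IE extension-point lines of a DDS log like the one posted above. It flags what a helper would eyeball first: more than one AV product enabled at once, a product registered twice, the all-zero instance GUID, one CLSID hooked into several IE extension points, and a toolbar entry with no DLL path behind it. The sample lines are copied from that log; the watch-list, the thresholds and the reading of the all-zero GUID as a stale registration are this editor's assumptions, not something DDS reports itself.

```python
"""Triage of the SecurityCenter and IE-hook lines in a DDS log.

Constructed sample: lines copied from the DDS log posted in this thread,
trimmed to the entries this script looks at.  The watch-list and the
thresholds below are assumptions of this editor, not part of DDS.
"""
import re
from collections import defaultdict

SAMPLE_DDS = r"""AV: Avira AntiVir PersonalEdition Classic *Enabled/Outdated* {00000000-0000-0000-0000-000000000000}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804FD0EC-FFA4-00DA-0D24-347CA8A3377C}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
uURLSearchHooks: Online Radio 1.1 Toolbar: {343db173-0e5a-4f2a-b7bb-71a49085d70e} - c:\program files\online_radio_1.1\prxtbOnl2.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Online Radio 1.1 Toolbar: {343db173-0e5a-4f2a-b7bb-71a49085d70e} - c:\program files\online_radio_1.1\prxtbOnl2.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Online Radio 1.1 Toolbar: {343db173-0e5a-4f2a-b7bb-71a49085d70e} - c:\program files\online_radio_1.1\prxtbOnl2.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
"""

# "AV: <product> *<state>/<sigs>* {instance GUID}"; FW lines carry no GUID.
SC_RE = re.compile(r"^(?P<kind>AV|AS|FW): (?P<name>.+?) \*(?P<state>[^*]+)\*"
                   r"(?: (?P<guid>\{[0-9A-Fa-f-]{36}\}))?\s*$")
# "<hook>: <name>: {CLSID} - <dll path>"; the path may be absent.
HOOK_RE = re.compile(r"^(?P<hook>[um]?URLSearchHooks|BHO|TB): (?P<name>.*?)\s*: "
                     r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) -(?: (?P<path>\S.*))?\s*$")

NULL_GUID = "{00000000-0000-0000-0000-000000000000}"
# Assumed watch-list of name fragments worth a second look; not from DDS.
WATCH_LIST = ("conduit",)


def parse_security_center(text):
    """Return one dict per AV/AS/FW line, with an 'enabled' flag derived from the state."""
    rows = []
    for line in text.splitlines():
        m = SC_RE.match(line)
        if m:
            row = m.groupdict()
            row["enabled"] = row["state"].split("/")[0].lower() == "enabled"
            rows.append(row)
    return rows


def parse_ie_hooks(text):
    """Return one dict per URLSearchHook/BHO/TB line (hook, name, clsid, path)."""
    return [m.groupdict() for line in text.splitlines()
            if (m := HOOK_RE.match(line))]


def triage(text):
    """Produce human-readable findings for a helper to review."""
    findings = []
    sc = parse_security_center(text)

    enabled_av = [r["name"] for r in sc if r["kind"] == "AV" and r["enabled"]]
    if len(enabled_av) > 1:
        findings.append(f"{len(enabled_av)} AV products enabled at once: "
                        + ", ".join(enabled_av))
    for r in sc:
        if r["guid"] == NULL_GUID:
            findings.append(f"null instance GUID for {r['kind']} {r['name']}: "
                            "stale SecurityCenter entry (assumption)")
    seen = defaultdict(int)
    for r in sc:
        seen[(r["kind"], r["name"])] += 1
    for (kind, name), n in seen.items():
        if n > 1:
            findings.append(f"{kind} {name} registered {n} times")

    by_clsid = defaultdict(set)
    for h in parse_ie_hooks(text):
        by_clsid[h["clsid"].lower()].add(h["hook"])
        if not h["path"]:
            findings.append(f"{h['hook']} {h['name']} {h['clsid']} has no DLL path (orphaned)")
        if any(w in h["name"].lower() for w in WATCH_LIST):
            findings.append(f"{h['hook']} {h['name']} matches watch-list")
    for clsid, hooks in by_clsid.items():
        if len(hooks) > 1:
            findings.append(f"CLSID {clsid} hooks {len(hooks)} IE extension points: "
                            + ", ".join(sorted(hooks)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print("-", finding)
```

On the sample this yields eight findings, among them the three enabled AV products, the duplicate Avira registration with the all-zero GUID, the Yahoo! toolbar entry with no DLL behind it, and the one CLSID that is at once a URLSearchHook, a BHO and a toolbar. None of that is a verdict; it is the short list a helper would read the rest of the log against.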

#2 rigacci



Posted 25 July 2011 - 03:05 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

Thanks and again sorry for the delay.


#3 Aprylle

Posted 28 July 2011 - 07:00 PM

Hello and thanks for the response. I have attempted to clean some of their computer up. Here is the information you have requested:

Please take note:

1. If you have since resolved the original problem you were having, we would appreciate you letting us know. I'm unsure at this point; I would like someone to look at my logs to determine if I'm all clear :)

2. If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system. I was able to create a log; I am running XP SP3 32-bit.

3. Please tell us if you have your original Windows CD/DVD available. No, unfortunately I do not.

Looking at the logs, I have attempted without success to remove the Avira AV. It is showing that it is still enabled; however, it is nowhere in my Control Panel to remove programs.

Attached Files

#4 sundavis


Posted 29 July 2011 - 05:01 AM

Hi Aprylle,

Welcome to BleepingComputer Virus, Trojan, Spyware, and Malware Removal Logs Forum. :welcome:
My name is sundavis, I will be helping you to deal with your Malware problems today.

Please temporarily uninstall the following antimalware program via Add/Remove Programs, as it may interfere with our fix during the clean process.

Lavasoft Ad-Watch Live! Anti-Virus

After that, please go to this thread to download the Avira Antivirus removal tool to clean the leftovers. One system should not have more than one antivirus program installed. It is advisable that you have ONLY one AntiVirus installed. After that, proceed with the following:


  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\TDSSKiller folder). Please copy and paste the contents of that file here.


  • Please download OTL and save it to your desktop.
  • Double click on the icon on your desktop.
  • Under the Standard Registry box change it to All
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste the following bolded text:

    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.exe /s
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    C:\program files\common files\data\* /s
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\drivers\*.sys /90

  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • OTListIt.txt <-- Will be opened and Extra.txt <-- Will be minimized
  • Copy and paste both logs back here in your next reply.


Go to Start > Run and copy/paste the following bolded text into the Run box and click OK:


A ComboFix text file should open. Please post the contents of that file in your next reply.

In your next reply, please post back:

1.TDSSKiller log
2.ComboFix log
3.OTListIt.txt and Extra.txt

Tell me what symptoms you're still experiencing now.

Edited by sundavis, 30 July 2011 - 12:09 AM.

#5 Aprylle

Posted 29 July 2011 - 01:22 PM

Hi there Sundavis! Thank you so much for the response and the much needed help!

Looking under the control panel under add/remove programs - these 2 programs are not available there.
  • SpybotSD
  • Lavasoft Ad-Watch Live! Anti-Virus

Is there any other method by which I can remove these? Should I continue on, or should I attempt to remove these by another method? I agree completely with you on only running one AV; however, I have not been successful in removing the other AV programs.

Thanks so much for all of your help!

#6 sundavis


Posted 29 July 2011 - 01:31 PM

Hi Aprylle,

Spybot - Search & Destroy seems to still be on board. You may check it one more time. If not, please proceed with the instructions and post the logs in your next reply. :thumbup2:

#7 Aprylle

Posted 29 July 2011 - 03:32 PM

Hi there!

Here are the logs that you have requested. I must have deleted the ComboFix log from when I first started having problems, so I have re-run it this afternoon. Hopefully that is OK.

I still, for the life of me, cannot remove that AV. Any suggestions on how to remove it? My concern is that it is impacting their current AV and could put their computer at risk.

Thank you for looking at my logs. I greatly appreciate all of your help.

Attached Files

#8 sundavis


Posted 29 July 2011 - 07:56 PM

Hi Aprylle,

Go into the Control Panel (Classic View) and double-click the Java Icon. (looks like a coffee cup)

On the Update tab, click the Update Now button. When done, press Apply and then OK.


  • Go into the Control Panel (Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave both Checked

    Applications and Applets
    Trace and Log Files
  • Click OK on Delete Temporary Files Window
  • Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


  • If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
  • Please visit this webpage for download links, and instructions for running the tool:
  • Close any open browsers
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
AV: Avira AntiVir PersonalEdition Classic *Enabled/Outdated* {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804FD0EC-FFA4-00DA-0D24-347CA8A3377C}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

c:\documents and settings\Compaq_Owner\Local Settings\Application Data\BIT8.tmp
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\BIT7.tmp
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\BIT5.tmp
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\BIT4.tmp
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\BIT6.tmp

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Please download Malwarebytes' Anti-Malware from Here or Here

  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • You can refer to this tutorial

If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply, please post back:

1. ComboFix log
2. MBAM log

Let me know if you have any remaining issues on your pc.
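As an added illustration (not part of the original thread, and not ComboFix's own code), here is a small Python triage script that parses lines in the shape of the CFScript above before anything is deleted. It follows ComboFix's log conventions as I know them: a leading "u" marks a value under HKCU and "m" one under HKLM, and URLs are defanged as hxxp://. The rule that an all-zero instance GUID indicates a leftover Security Center registration rather than an installed product, and the list of known vendor search hosts, are this example's own assumptions; the sample input is constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input in the shape of the CFScript pasted above (same kinds of
# lines; used only to exercise the parser offline).
SAMPLE = """\
AV: Avira AntiVir PersonalEdition Classic *Enabled/Outdated* {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804FD0EC-FFA4-00DA-0D24-347CA8A3377C}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

c:\\documents and settings\\Compaq_Owner\\Local Settings\\Application Data\\BIT8.tmp

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
"""

# ComboFix log conventions: a leading 'u' means the value lives under HKCU, 'm' under HKLM,
# and URLs are written as hxxp:// so they cannot be clicked by accident.
HIVES = {"u": "HKCU", "m": "HKLM"}

# Assumption for this example: hosts that are expected OEM/vendor search defaults.
KNOWN_SEARCH_HOSTS = {"ie.redirect.hp.com", "www.google.com", "www.bing.com", "search.msn.com"}

AV_RE = re.compile(r"^AV:\s+(?P<name>.+?)\s+\*(?P<state>[^*]+)\*\s+\{(?P<guid>[0-9A-Fa-f-]{36})\}$")
URL_RE = re.compile(r"^(?P<hive>[um])(?P<value>[^=]+?)\s*=\s*(?P<target>\S+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def refang(url):
    """Turn hxxp:// or hxxps:// back into a real scheme, for parsing only."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_av_line(line):
    """Parse one 'AV: name *Enabled/Updated* {guid}' header line, or return None."""
    m = AV_RE.match(line)
    if not m:
        return None
    enabled, updated = m.group("state").split("/", 1)
    guid = m.group("guid").upper()
    return {
        "name": m.group("name"),
        "enabled": enabled == "Enabled",
        "up_to_date": updated == "Updated",
        "guid": guid,
        # Heuristic (this example's assumption): an all-zero instance GUID is a
        # leftover Security Center registration, not a product that is really installed.
        "stale": set(guid) <= {"0", "-"},
    }


def parse_url_line(line):
    """Parse a 'uValue = hxxp://...' registry line; non-URL targets return None."""
    m = URL_RE.match(line)
    if not m or not re.match(r"^h(xx|tt)ps?://", m.group("target"), re.IGNORECASE):
        return None
    url = refang(m.group("target"))
    host = (urlsplit(url).hostname or "").lower()
    return {
        "hive": HIVES[m.group("hive")],
        "value": m.group("value").strip(),
        "url": url,
        "host": host,
        "known": host in KNOWN_SEARCH_HOSTS,
    }


def triage(text):
    """Classify every non-blank line of a CFScript/ComboFix excerpt."""
    out = {"av": [], "urls": [], "files": [], "other": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        av = parse_av_line(line)
        if av:
            out["av"].append(av)
            continue
        if PATH_RE.match(line):
            out["files"].append(line)
            continue
        url = parse_url_line(line)
        if url:
            out["urls"].append(url)
            continue
        out["other"].append(line)
    return out


def findings(result):
    """Notes a helper would want before deciding what the script should remove."""
    notes = []
    for av in result["av"]:
        if av["stale"]:
            notes.append(f"stale Security Center registration: {av['name']} ({av['guid']})")
        elif av["enabled"] and not av["up_to_date"]:
            notes.append(f"enabled but outdated: {av['name']}")
    for u in result["urls"]:
        if not u["known"]:
            notes.append(f"unrecognised search host {u['host']} in {u['hive']} {u['value']}")
    return notes


if __name__ == "__main__":
    for note in findings(triage(SAMPLE)):
        print(note)
```

Run against the sample, the only finding is the zero-GUID Avira record, which is consistent with the HEAD post's observation that Avira shows in the logs but is not installed; the hp.com and google.com search URLs resolve to known OEM/vendor defaults, so the script does not flag them. The BIT*.tmp paths are collected but not judged, since the file names alone say nothing about their content.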

#9 Aprylle

Posted 30 July 2011 - 03:23 PM

Hi there -

Here are the logs that you requested. As far as how the computer is running, it seems to be running smoothly, although I haven't attempted to connect it with MSN dial up. That's when they initially noticed something was wrong with it, when the PC kept rebooting. So I will attach these logs and then attempt to use dial up to see if it creates the same problem.

Thank you for all of your help, I will repost after I attempt dial up.



#10 sundavis


Posted 30 July 2011 - 03:41 PM

Hi Aprylle,

Looks better. Do you have any remaining issues? Let me know if you still need assistance.

#11 Aprylle

Posted 31 July 2011 - 12:52 PM

It does look a bit better; however, when I attempted to connect via dial up through MSN, it still reboots. I am able to connect to MSN to retrieve the dial up numbers, however when I attempt to connect to the internet, it reboots without any warning. I uninstalled MSN and reinstalled it, thinking maybe it was a software issue, and that didn't resolve it either. Do you think this could be a hardware issue instead of a malware issue now?

Thanks for your assistance,

#12 Aprylle

Posted 31 July 2011 - 01:04 PM

Also, I did notice that their CPU usage is pretty high: it's currently using 60% and 750 MB, and it is running 51 processes. The CPU usage goes from 50% to 100% and back down again without me doing anything. Could it be that there is still something going on?

#13 Aprylle

Posted 31 July 2011 - 03:41 PM

I think I figured it out.... the Windows firewall was still enabled when signing onto MSN. I disabled it, since they have a firewall with McAfee, and now I can get online without the system rebooting. What are your thoughts?

#14 sundavis


Posted 31 July 2011 - 07:55 PM

Hi Aprylle,

I think I figured it out...

Glad to hear it has been sorted. MSN Messenger requires full access through your Personal Firewall so that it can sign in and for other features such as Audio / Video to work. For more info: Here.

Now, your system appears to be clear of malware. If you have no remaining issues on your PC, let's do some tidying up and we can send you on your way.


Click START then RUN
Now copy/paste ComboFix /Uninstall in the runbox and click OK.
Note the space between the X and the /Uninstall, it needs to be there.


This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Start OTL from your desktop.
  • Double click OTL and let it run
  • Then Click the Cleanup button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  • Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  • Update all programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  • Back up your valid registry - ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore it if needed. Because of malware's effects, a corrupt registry can prevent a system from booting. You're well advised to back up your valid registry now, while the system is clean. For more info: Here and Here.

Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here on how to prevent malware.

Glad to be of help. Safe surfing!!

#15 Aprylle

Posted 31 July 2011 - 08:46 PM

You are awesome! Thanks a billion for solving all of my issues. I greatly, greatly appreciate all that you have done for me and my game-playing parents!

